Reply to post:

Open Source Vulnerabilities database: Nice idea but too many Google-shaped hoops to jump through at present

Anonymous Coward

I think if they de-Google the process and put it under common, public governance this approach has real value. I work in open source middleware/data processing, so I have to frequently put my Vulnerability Manager hat on for customers. While CVEs are valuable and are the lingua franca, they are _entirely_ beholden to the level of effort vendors or open source communities are willing to put into writing them. The first thing to go is bothering to check when the bug was really introduced. Just list the last couple of releases as "affected" and your latest release as "fixed" and call it a day. Bisection keeps this process honest.

Oh and what's that? Your upstream community uses a custom versioning scheme that you have to pass a course in cryptoversionology to understand? It was agreed by four guys in a Palo Alto sports bar in the mid 2000s? Well sure let me get right on automating the checks for which bits of our software - with our own bonkers versioning schemes - depend on the vulnerable bits of your software. Should only take me a few weeks per dependency. Articulating vulnerabilities based on git commits and release tags helps with this.

But if it stays this way it'll just go the way of CVE's own CPE - barely used, so barely useful.
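As an added illustration of the two points the comment makes (bisection to find where a bug really came in, and describing the affected range by commits rather than by a vendor's version strings), here is a small Python example. It is not code from the comment, The Register, or the OSV project: the commit history, tags, shas and the `is_vulnerable` predicate are all constructed, and the range dictionary is only shaped like an OSV-style GIT range as an assumption about that format.

```python
"""Added example: bisect a linear commit history to find the commit that
introduced a bug, express the affected range as commits, and only then map
it onto release tags for reporting. All data below is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Commit:
    sha: str
    tags: Tuple[str, ...]  # release tags that point at this commit


# Constructed sample history, oldest first. Shas and tags are made up.
HISTORY: List[Commit] = [
    Commit("a1", ("v1.0",)),
    Commit("b2", ()),
    Commit("c3", ("v1.1",)),
    Commit("d4", ()),            # bug introduced here (unknown to the bisector)
    Commit("e5", ("v1.2",)),
    Commit("f6", ("v2.0-rc1",)),
    Commit("g7", ()),            # fix lands here
    Commit("h8", ("v2.0",)),
]


def index_of(history: List[Commit], sha: str) -> int:
    """Position of a commit in the linear history (oldest = 0)."""
    for i, commit in enumerate(history):
        if commit.sha == sha:
            return i
    raise KeyError(f"unknown commit {sha}")


# Stand-in for "check out this commit and run the reproducer".
# Hypothetical ground truth used only to drive the sample predicate.
_INTRODUCED_AT = 3
_FIXED_AT = 6


def is_vulnerable(sha: str) -> bool:
    i = index_of(HISTORY, sha)
    return _INTRODUCED_AT <= i < _FIXED_AT


def bisect_first_bad(history: List[Commit], good_sha: str, bad_sha: str,
                     predicate: Callable[[str], bool]) -> Tuple[str, int]:
    """Binary search between a known-good and a known-bad commit.

    Returns (sha of the first bad commit, number of predicate checks made).
    Assumes a single transition from good to bad inside the interval."""
    lo, hi = index_of(history, good_sha), index_of(history, bad_sha)
    if lo >= hi:
        raise ValueError("good commit must be older than bad commit")
    checks = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2
        checks += 1
        if predicate(history[mid].sha):
            hi = mid          # mid is bad: the introducing commit is at or before mid
        else:
            lo = mid          # mid is good: the introducing commit is after mid
    return history[hi].sha, checks


def osv_git_range(introduced_sha: str, fixed_sha: str) -> Dict:
    """Commit-based range, shaped like an OSV GIT range (assumed schema).
    No version-string parsing is involved: the range is [introduced, fixed)."""
    return {"type": "GIT",
            "events": [{"introduced": introduced_sha}, {"fixed": fixed_sha}]}


def affected_tags(history: List[Commit], introduced_sha: str, fixed_sha: str) -> List[str]:
    """Map the commit range onto whatever release tags happen to fall inside it.
    Tags are a reporting convenience here, not the source of truth."""
    start, end = index_of(history, introduced_sha), index_of(history, fixed_sha)
    return [tag for commit in history[start:end] for tag in commit.tags]


if __name__ == "__main__":
    first_bad, checks = bisect_first_bad(HISTORY, "a1", "f6", is_vulnerable)
    print(f"introduced in {first_bad} after {checks} checks")
    print(osv_git_range(first_bad, "g7"))
    print("affected releases:", affected_tags(HISTORY, first_bad, "g7"))
```

Run as a script it reports the introducing commit (`d4`, found in two checks out of the five candidates), the commit-based range, and the releases inside it (`v1.2` and `v2.0-rc1`). The point of keeping tags out of the range itself is the one the comment makes: a downstream consumer with its own versioning scheme can compare commits directly and apply its own tag mapping, instead of decoding the upstream version scheme first.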
