On Thu, Jan 30, 2020 at 11:20:48AM +0000, Richard W.M. Jones wrote:
> On Thu, Jan 30, 2020 at 08:39:05AM +0530, Huzaifa Sidhpurwala wrote:
> > Do we want to continue the same condition as described here:
> > https://mivehind.net/2020/01/28/Fedora-has-too-many-security-bugs/
>
> Maybe?
>
> The problem with this analysis is we don't know how many of these are
> actual current security issues, and of those how many are low impact
> (because honestly low impact security issues should just be ignored).

I can't tell you how many are current issues, but we can do the
breakdown of severity easily enough. Taking the BZ query linked from
that blog and capturing the bug "severity" field, which IIUC correlates
to the CVE severity (just with different terminology), we can get:

EPEL 6
  Critical: 1
  Important: 35
  Moderate: 183
  Low: 103

EPEL 7
  Critical: 4
  Important: 130
  Moderate: 480
  Low: 311

EPEL 8
  Critical: 0
  Important: 3
  Moderate: 13
  Low: 2

Fedora 30:
  Critical: 1
  Important: 40
  Moderate: 134
  Low: 67

Fedora 31:
  Critical: 0
  Important: 40
  Moderate: 151
  Low: 57

Fedora rawhide:
  Critical: 0
  Important: 2
  Moderate: 6
  Low: 10

There were also still open CVEs against Fedora 25, 26, 27 which
surprised me, as I thought we had a script which auto-closed all bugs
against EOL distros.

As an approximate summary for Fedora: Low 32%, Moderate 55%,
Important 12%. The breakdown is practically the same for EPEL on
aggregate.

Ignoring low bugs in the expectation that they'll be fixed "for free"
in the next Fedora release is reasonable for maintainers. Even if they
do that though, it won't address the CVE mountain we have, because
Moderate/Important bugs still make up 67% of what's left.

Ignoring low bugs also probably isn't a viable strategy for EPEL,
because that's a long life distro stream, and so won't automatically
get low CVE fixes via a rebase in 6 months like we do in Fedora. So
the CVE mountain is even bigger for EPEL, and also more serious due to
its long lifecycle.
> We have a security team which is very rigorous about filing bugs for
> every CVE, which is a great thing. However we don't have an automated
> system for clearing up bugs which are naturally fixed through rebases.

Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
import csv

# Bugzilla CSV export of the open CVE tracker bugs (the BZ query linked
# from the blog post), captured on 2020-01-30.
with open("bugs-2020-01-30.csv", "r") as f:
    db = list(csv.DictReader(f))

# Bugzilla "Severity" values, paired with the CVE impact wording used
# in the printed report.
SEVERITIES = [("urgent", "Critical"), ("high", "Important"),
              ("medium", "Moderate"), ("low", "Low")]


def new_counts():
    return {"urgent": 0, "high": 0, "medium": 0, "low": 0}


summary = new_counts()   # across all products
prodsummary = {}         # per product (Fedora, Fedora EPEL, ...)
prods = {}               # per product, per version

for bug in db:
    prod = bug["Product"]
    ver = bug["Version"]
    sev = bug["Severity"]
    comp = bug["Component"]
    mingw = comp.startswith("mingw")
    #if not mingw:
    #    continue

    # Why are these still open. lets ignore them ?
    if prod == "Fedora" and ver in ["25", "26", "27"]:
        continue

    if prod not in prods:
        prods[prod] = {}
        prodsummary[prod] = new_counts()
    if ver not in prods[prod]:
        prods[prod][ver] = new_counts()

    prods[prod][ver][sev] += 1
    prodsummary[prod][sev] += 1
    summary[sev] += 1


def print_counts(counts):
    for key, label in SEVERITIES:
        print("  %s: %d" % (label, counts[key]))


print("== Totals ==")
print_counts(summary)
print("\n\n\n")

for prod in prods:
    for ver in prods[prod].keys():
        print("%s %s:" % (prod, ver))
        print_counts(prods[prod][ver])
        print("\n")
    print("== Totals %s: ==" % prod)
    print_counts(prodsummary[prod])
    print("\n\n\n")
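As an added example (not part of the thread or the script above), the following Python turns the same kind of Bugzilla CSV export into the percentage breakdown quoted in the mail, and also reports what remains if "Low" bugs are ignored. It generalises the posted script in two ways: severities outside the four expected values (Bugzilla also allows "unspecified") are collected instead of raising a KeyError, and the per-product shares are computed rather than read off by hand. The column names follow the script above; the CSV rows themselves are constructed sample data, not real bug counts.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the column layout the posted script reads
# (Product, Version, Component, Severity). Not real Bugzilla data.
SAMPLE_CSV = """Product,Version,Component,Severity
Fedora,31,foo,low
Fedora,31,bar,medium
Fedora,31,baz,high
Fedora,30,foo,medium
Fedora,30,qux,unspecified
Fedora,26,old,medium
Fedora EPEL,epel7,foo,medium
Fedora EPEL,epel7,bar,low
Fedora EPEL,epel7,baz,urgent
"""

# Bugzilla severity value -> CVE impact wording used in the thread.
IMPACT = {"urgent": "Critical", "high": "Important",
          "medium": "Moderate", "low": "Low"}

# EOL releases the mail notes should already have been auto-closed.
EOL_FEDORA = {"25", "26", "27"}


def tally(csv_text, eol=EOL_FEDORA):
    """Count open bugs per (product, version) and per product.

    Returns (by_release, by_product, unknown) where the first two map to
    Counters keyed by Bugzilla severity and `unknown` lists rows whose
    severity is not one of the four expected values.
    """
    by_release = defaultdict(Counter)
    by_product = defaultdict(Counter)
    unknown = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        prod, ver, sev = row["Product"], row["Version"], row["Severity"]
        if prod == "Fedora" and ver in eol:
            continue
        if sev not in IMPACT:
            unknown.append((prod, ver, row["Component"], sev))
            continue
        by_release[(prod, ver)][sev] += 1
        by_product[prod][sev] += 1
    return by_release, by_product, unknown


def shares(counter):
    """Whole-percent share of each impact level, as in the thread's summary."""
    total = sum(counter.values())
    if total == 0:
        return {}
    return {IMPACT[k]: round(100.0 * counter[k] / total) for k in IMPACT}


def remaining_if_low_ignored(counter):
    """(count, percent) of bugs that are not Low, i.e. the backlog that a
    'Low gets fixed by the next rebase' policy does not touch."""
    total = sum(counter.values())
    if total == 0:
        return 0, 0
    kept = total - counter["low"]
    return kept, round(100.0 * kept / total)


def report(csv_text):
    by_release, by_product, unknown = tally(csv_text)
    for (prod, ver), c in sorted(by_release.items()):
        print("%s %s:" % (prod, ver))
        for key, label in IMPACT.items():
            print("  %s: %d" % (label, c[key]))
    for prod, c in sorted(by_product.items()):
        kept, pct = remaining_if_low_ignored(c)
        print("== %s: %s; %d bugs (%d%%) remain if Low is ignored ==" %
              (prod, shares(c), kept, pct))
    for prod, ver, comp, sev in unknown:
        print("unclassified severity %r: %s %s %s" % (sev, prod, ver, comp))


if __name__ == "__main__":
    report(SAMPLE_CSV)
```

On a real export, replace `SAMPLE_CSV` with the file contents; the "unclassified severity" lines are worth checking by hand, since a tracker bug with no severity set silently drops out of a fixed four-key tally.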
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx