When I’ve been mass-CC’d on irrelevant CVEs, I have been able to determine that it was due to a package-lock.json file, which names and pins the versions of all recursive dependencies, that was included with some example NodeJS project in the source tarball. I’ve had trouble with this on a handful of packages.

I don’t recall whether it matters if the file is installed in a -doc subpackage with the other documentation and example files or only present in the sources, but I do remember that removing the package-lock.json file in %prep kept me from getting further irrelevant reports.

Obviously, it would be better if the “targeting” of these automated reports were better so that these workarounds weren’t required. When bugs are to be filed for dozens of packages, the standard of care in verifying their applicability should perhaps be a little higher.

On Wed, Nov 9, 2022, at 9:28 AM, Vít Ondruch wrote:
> On 09. 11. 22 at 3:10, Ian McInerney via devel wrote:
>> On Wed, Sep 7, 2022 at 7:45 PM Ben Cotton <bcotton@xxxxxxxxxx> wrote:
>>> On Wed, Sep 7, 2022 at 2:05 PM Maxwell G via devel
>>> <devel@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>> >
>>> > Does anyone know how to reach prodsec about this?
>>>
>>> I'll reach out to the people I know and see what the best way to get
>>> them in this conversation is.
>>>
>>
>> Has this conversation been started yet? Because the CVE reporting system
>> doesn't seem to have been improved at all - in fact a recent CVE bug
>> (https://bugzilla.redhat.com/show_bug.cgi?id=2141029) was filed, had
>> over 179 people added to the CC list, and there is no mention at all of
>> which applications were identified as being affected or any other
>> tracking bugs filed for those affected applications.
>>
>> So as a maintainer, I am then unsure why I was CC'd on the bug and which
>> application prod sec wants me to examine for the vulnerability
>> (especially since, to my knowledge, none of the packages I maintain even
>> use electron in any way or have its code contained inside of them).
>
>
> Just FTR, when I was last looking for answers about why I was added to
> some tracker, and it was probably due to a package.json included in the
> source tarball, I was pointed to this project, which should be behind
> creating these trackers:
>
> https://github.com/RedHatProductSecurity/component-registry
>
> But hard to tell how it is used in practice :/
>
>
>
> Vít
>
>
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
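As an added example (not part of this thread or of component-registry), the following Python helper shows what a maintainer can check before deleting a lockfile in %prep: which components a stray package-lock.json in an unpacked source tarball actually pins, which is the list an inventory tool would attribute to the package. It handles both the nested lockfileVersion 1 tree and the flat lockfileVersion 2/3 layout; the sample lockfile and the filenames scanned are constructed assumptions.

```python
import json
from pathlib import Path

# Filenames in the npm lockfile format that inventory tools read for pinned components.
LOCKFILE_NAMES = {"package-lock.json", "npm-shrinkwrap.json"}

# Constructed sample in the lockfileVersion 3 layout; not taken from any real project.
SAMPLE_LOCK = {
    "name": "example-docs-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-docs-app", "dependencies": {"electron": "^21.0.0"}},
        "node_modules/electron": {"version": "21.2.0"},
        "node_modules/electron/node_modules/semver": {"version": "7.3.8"},
        "node_modules/@types/node": {"version": "18.11.9"},
    },
}

def lockfile_components(lock):
    """Return {package name: set of pinned versions} for lockfileVersion 1, 2 or 3."""
    found = {}
    if "packages" in lock:
        # v2/v3: flat map keyed by install path; the name is what follows the
        # last "node_modules/", which keeps scoped names like "@types/node" intact.
        for path, meta in lock["packages"].items():
            if not path:
                continue  # "" is the root project itself, not a dependency
            name = path.rsplit("node_modules/", 1)[-1]
            found.setdefault(name, set()).add(meta.get("version", "unknown"))
    else:
        # v1: nested "dependencies" tree, one level per node_modules directory
        def walk(deps):
            for name, meta in deps.items():
                found.setdefault(name, set()).add(meta.get("version", "unknown"))
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return found

def find_lockfiles(root):
    """List every npm-format lockfile under an unpacked source tree."""
    return sorted(str(p) for p in Path(root).rglob("*") if p.name in LOCKFILE_NAMES)

def report(root):
    """Map each lockfile path to the component names it pins, for triaging a CVE CC."""
    return {path: sorted(lockfile_components(json.loads(Path(path).read_text())))
            for path in find_lockfiles(root)}
```

Running `report()` over the %prep working directory lists every lockfile and its components, so the maintainer can confirm that an example app, not the shipped code, is what names the component in the tracker.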