Hello Michel and Neal,

Firstly, Michel, thanks for working on the PR. Secondly, I'm sorry to hear
about the false positives. May I have your help sending some recent examples
of such cases off-list, please? I'm interested in investigating that so we
can improve such communication, avoiding false positives.

Thanks,

Marco Benatto
Red Hat Product Security
secalert@xxxxxxxxxx for urgent response

On Tue, Nov 26, 2024 at 9:53 PM Neal Gompa <ngompa13@xxxxxxxxx> wrote:
>
> On Tue, Nov 26, 2024 at 6:08 PM Michel Lind <michel@xxxxxxxxxxxxxxx> wrote:
> >
> > On Tue, Nov 26, 2024 at 12:11:27PM -0300, Marco Benatto wrote:
> > > Hello all,
> > >
> > > We recently noticed there are a couple of PRs opened to fix
> > > vulnerabilities in EPEL8 python-django3 with no response from the
> > > maintainer (CC'ed). This is an important update as it fixes 4
> > > different CVEs.
> > >
> > > https://src.fedoraproject.org/rpms/python-django3/pull-request/2
> > >
> > > I have raised a bugzilla bug asking for contact according to
> > > https://docs.fedoraproject.org/en-US/fesco/Policy_for_nonresponsive_package_maintainers/
> > >
> > > https://bugzilla.redhat.com/show_bug.cgi?id=2328973
> > >
> > > May I please have your help in contacting the maintainer?
> > >
> > That PR was never in a state where it's merge-able, FYI
> >
> > - nothing provides python3.6dist(asgiref) >= 3.3.2 needed by python3-django3-3.2.25-1.el8.noarch from @commandline
> >
> > There are also other avenues to ask for help - note that this package is
> > co-maintained by the EPEL Packagers SIG, and I don't see any attempt to
> > reach out on the epel-devel list.
> >
> > While I have the attention of someone on prod sec, could you all fix
> > your CVE scanners to *not* file Javascript bugs against packages that
> > have JS code in their source code only as part of documentation and not
> > in any binary packages? 90% of CVEs in my inbox are false positives
> >
>
> Yeah, I have a variation of this problem too.
> I have gotten piles of
> false positive CVE bugs to the point that I've started ignoring them
> unless someone points them out to me specifically or if I receive
> other intelligence indicating they are important. What pushed me over
> the edge was almost six months of false positive CVE bug reports a
> couple of years ago on various packages about ffmpeg vulnerabilities that
> didn't apply to anything we shipped.
>
> Now, I filter them and only worry about them if I receive secondary
> intelligence. I know that's probably not the intended purpose here,
> but it's a lot of work to validate vulnerabilities and the
> vulnerability rate doesn't match the reported rate for me in practice.
> :(
>
>
>
> --
> 真実はいつも一つ!/ Always, there's only one truth!
> --
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue