Hi,

On Wed, Jan 12, 2022 at 09:22:45AM +0000, Neil Williams wrote:
> On Wed, 12 Jan 2022 12:44:14 +0800
> Paul Wise <p...@debian.org> wrote:
>
> > On Tue, 2022-01-11 at 11:20 +0000, Neil Williams wrote:
> >
> > > I might need to brush up on my Perl and make a patch for lintian
> > > which downloads the sec tracker JSON and checks the CVE list in the
> > > .changes file - warnings from lintian are more likely to get fixed
> > > prior to upload. Depends if you think this happens sufficiently
> > > often that it is a problem worth solving. (Considering how long
> > > it's been since I did that amount of code in Perl, maybe I'm better
> > > filing the bug against lintian and seeing if someone else can come
> > > up with a patch... - again, only if it happens sufficiently often.)
> >
> > FTR, lintian does not do any network requests, so this approach won't
> > be accepted. The best option you can get is a script to do the
> > download at the lintian release time. Unfortunately this means the
> > data will get outdated quickly and make the check less useful.
> >
> > This check could be added to devscripts, debsecan or duck.
>
> debsecan looks promising. It already has support for reporting a list
> of CVEs by source_package name, directly from
> https://security-tracker.debian.org/tracker/ and it's Python3. I'll
> have a look at a patch which accepts a .changes file or d.changelog
> entry and verifies if all listed CVEs actually exist for the source
> package of that change.
To jump in on that part of the discussion: debsecan's scope is different
from what we want to tackle here. It's a tool which is used on user systems
to generate a list of vulnerabilities which affect the installed Debian
system, gathering data from the security-tracker and comparing against what
is installed.

Regards,
Salvatore
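As an added illustration of the check Neil proposes in the quoted text (verify that every CVE id named in a changelog entry is actually tracked for that source package), here is a small Python sketch. It is not code from debsecan, lintian or anyone in this thread. The tracker JSON layout used for the sample (source package -> CVE id -> metadata) is reproduced from memory and should be treated as an assumption, and every package name, CVE id and version in it is constructed for the example. The check is done against an already-downloaded JSON text, so nothing here touches the network.

```python
import json
import re

# Constructed sample in the layout of the security tracker's JSON export
# (https://security-tracker.debian.org/tracker/data/json) as I recall it:
# top-level keys are source package names, each mapping CVE ids to metadata.
# Package names, CVE ids and versions below are made up for this example.
SAMPLE_TRACKER_JSON = json.dumps({
    "examplepkg": {
        "CVE-2021-0001": {
            "description": "constructed entry",
            "releases": {
                "bullseye": {"status": "open", "urgency": "medium"},
                "sid": {"status": "resolved", "fixed_version": "1.2-3"},
            },
        },
        "CVE-2021-0002": {
            "description": "constructed entry",
            "releases": {"sid": {"status": "resolved", "fixed_version": "1.2-3"}},
        },
    },
    "otherpkg": {
        "CVE-2020-9999": {
            "description": "constructed entry filed against a different package",
            "releases": {"sid": {"status": "open", "urgency": "low"}},
        },
    },
})

# Constructed debian/changelog entry. It deliberately cites one CVE that
# belongs to another package and one id the tracker does not know at all.
SAMPLE_CHANGELOG = """examplepkg (1.2-3) unstable; urgency=high

  * Fix buffer handling (CVE-2021-0001, CVE-2021-0002)
  * Refuse overlong names (CVE-2020-9999)
  * Lower-cased id to show normalisation: cve-2021-0003

 -- Maintainer <maint@example.invalid>  Wed, 12 Jan 2022 10:00:00 +0000
"""

# CVE ids have a four-digit year and at least four digits of sequence number.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)
# First line of a changelog entry: "source (version) distribution; ..."
HEADER_RE = re.compile(r"^(?P<src>[a-z0-9][a-z0-9+.-]+) \((?P<ver>[^)]+)\)", re.MULTILINE)


def parse_changelog_entry(text):
    """Return (source_package, version, sorted CVE ids) for the first entry."""
    m = HEADER_RE.search(text)
    if not m:
        raise ValueError("no changelog header found")
    # Upper-case so a mistyped lower-case id is still checked (and reported).
    cves = {c.upper() for c in CVE_RE.findall(text)}
    return m.group("src"), m.group("ver"), sorted(cves)


def check_cves(tracker, source, cves):
    """Map each CVE id to 'ok', 'unknown-cve' or 'other-package:<pkgs>'."""
    known_for_src = set(tracker.get(source, {}))
    verdicts = {}
    for cve in cves:
        if cve in known_for_src:
            verdicts[cve] = "ok"
            continue
        # Distinguish "filed against another package" from "no such id",
        # since the maintainer's fix differs (wrong package vs. typo).
        owners = sorted(pkg for pkg, entries in tracker.items() if cve in entries)
        verdicts[cve] = "other-package:" + ",".join(owners) if owners else "unknown-cve"
    return verdicts


def lint_changelog(changelog_text, tracker_json_text):
    """Parse the changelog and verify its CVE ids against the tracker data."""
    tracker = json.loads(tracker_json_text)
    src, ver, cves = parse_changelog_entry(changelog_text)
    return src, ver, check_cves(tracker, src, cves)


if __name__ == "__main__":
    src, ver, verdicts = lint_changelog(SAMPLE_CHANGELOG, SAMPLE_TRACKER_JSON)
    print(f"{src} {ver}")
    for cve, verdict in verdicts.items():
        print(f"  {cve}: {verdict}")
```

Run against the constructed sample, the two ids tracked for examplepkg come back "ok", CVE-2020-9999 is flagged as belonging to otherpkg, and the lower-cased cve-2021-0003 is reported as unknown. A real check would load the JSON from a file fetched beforehand and could additionally compare the tracker's fixed_version with the changelog version; that is left out to keep the sketch focused on the existence check discussed above.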