Package: security-tracker
Severity: wishlist

These days the scopes of CNAs are usually narrow and scoped to a specific vendor. We should leverage this for pre-processing incoming data and to reduce toil.

We can do this by extending the "automatic update" job to automatically annotate CVEs assigned by a given CNA as NFU entries. As an example, all CVEs coming from the "Wordfence" CNA should be automatically added as "NOT-FOR-US: WordPress plugin". This avoids cumbersome manual triage (and review would still happen on the committed entries).

Same for many commercial software vendors, e.g. for a company like SAP which has no ties to FLOSS, everything coming from their CNA should automatically be added as "NOT-FOR-US: SAP" without human interaction. We should only extend this on a case-by-case basis. E.g. Oracle has a lot of proprietary software, but they also maintain mysql, Java and virtualbox, so they still need manual review.

Cheers,
        Moritz
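The pre-processing step proposed above, as an added example that is not part of the report or of the security-tracker code base: a small filter that reads CVE records in the CVE JSON 5 shape (the assigning CNA is taken from `cveMetadata.assignerShortName`, the text from `containers.cna.descriptions`), consults a case-by-case allowlist of CNAs whose whole scope is out of Debian's interest, and emits ready-made `NOT-FOR-US` entries in the `data/CVE/list` style (a CVE line followed by a tab-indented annotation). The allowlist contents, the `assignerShortName` values and the sample records are all constructed assumptions; CNAs missing from the table, such as a mixed vendor like Oracle, are deliberately passed through for manual triage.

```python
"""Pre-annotate CVEs as NOT-FOR-US based on the assigning CNA.

Added example, not security-tracker code. Assumes CVE JSON 5 records
(cveMetadata.assignerShortName, containers.cna.descriptions) and emits
entries in the data/CVE/list style of the Debian security-tracker.
"""

# Case-by-case allowlist (constructed): only CNAs whose entire scope is
# irrelevant to Debian. Matching is case-insensitive because the exact
# assignerShortName spelling used by each CNA is an assumption here.
CNA_NFU = {
    "wordfence": "WordPress plugin",
    "sap": "SAP",
}


def classify(record):
    """Return (cve_id, annotation) where annotation is None for manual triage."""
    meta = record.get("cveMetadata", {})
    cve_id = meta.get("cveId")
    cna = meta.get("assignerShortName")
    if not cve_id or not cna:
        return cve_id, None
    return cve_id, CNA_NFU.get(cna.lower())


def description(record):
    """First CNA-supplied description, flattened to one line."""
    descs = record.get("containers", {}).get("cna", {}).get("descriptions", [])
    text = descs[0].get("value", "") if descs else ""
    return " ".join(text.split())


def render_entry(cve_id, desc, annotation):
    """One data/CVE/list entry: 'CVE-ID (description)' then a tab-indented note."""
    return f"{cve_id} ({desc})\n\tNOT-FOR-US: {annotation}"


def preprocess(records):
    """Split records into auto-generated NFU entries and IDs needing review."""
    auto_entries, manual = [], []
    for rec in records:
        cve_id, annotation = classify(rec)
        if annotation is None:
            manual.append(cve_id)
        else:
            auto_entries.append(render_entry(cve_id, description(rec), annotation))
    return auto_entries, manual


def _record(cve_id, cna, desc):
    # Helper to build constructed sample records in CVE JSON 5 shape.
    return {
        "cveMetadata": {"cveId": cve_id, "assignerShortName": cna},
        "containers": {"cna": {"descriptions": [{"lang": "en", "value": desc}]}},
    }


# Constructed sample input: IDs and texts are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    _record("CVE-0000-0001", "Wordfence", "Example plugin stored XSS"),
    _record("CVE-0000-0002", "sap", "Example SAP NetWeaver\nissue"),
    _record("CVE-0000-0003", "Oracle", "Example MySQL issue"),
]

if __name__ == "__main__":
    auto, manual = preprocess(SAMPLE_RECORDS)
    print("\n".join(auto))
    print("needs manual triage:", ", ".join(manual))
```

Only the committed `NOT-FOR-US` lines are generated; the reviewer still sees them in the commit, which keeps the "review would still happen" property while removing the per-entry typing.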
