Skip to content

MeetingMinutes2023

Keshav Priyadarshi edited this page Feb 16, 2024 · 3 revisions

We meet online on Tuesdays at 16:00 UTC as a reference. See https://www.timeanddate.com/worldclock/meeting.html to get the time in your timezone.

Join us at https://meet.jit.si/VulnerableCode

The current meeting notes is at:

Here are the running meeting notes:

Meeting on Tuesday 2023-10-24 at 16:00 UTC

Agenda:

  • John: Issue of duplicate PackageURLs
  • Ziyad: Feedback on CVSS vector attribute presentation and PurlSync logo for package ecosystem
  • Philippe: Feedback from visit to hack.lu conference

Participants:

  • Ayan (@AyanSinhaMahapatra)
  • Dennis (@DennisClark)
  • John (@johnmhoran)
  • Keshav (@keshav-space)
  • Philippe (@pombredanne)
  • Tushar (@TG1999)
  • Ziyad (@ziadhany)

Discussions:

  • John found the issue of duplicate PackageURLs, arising due to use of JSONField for purl qualifiers https://github.com/nexB/vulnerablecode/issues/1278#issuecomment-1775922964. Philip: We aren't gonna use the qualifier 99% of the time, We should revert to using string for qualifier instead of JSONField We will implement this in 4 steps - Plain data migration where we construct a complete qualifier from existing JSONField and keep the qualifier string in the JSONField itself. - Create a new CharField qualifier2 and populate the value from step 1. - Delete the original qualifier field and rename qualifier2 to qualifier. - Relax the unique together constrain and fix the data quality (identify the fix based on pattern). Once the data quality is fixed, re-enable the unique together.

    John: When using PURL with a qualifier for query, we also get bunch of unrelated results.

    Philip: These are two separate issues, and we'll handle them independently. We need to differentiate the use case - When I do lookup I want the exact result or no result but when I do search I want to get the best possible result. At the UI level, we want to have the advanced search capability like we have in ScanCode.io, and We need to figure out how we can incorporate the lookup/search behavior in API. The advanced search capability enables the user to:

    • enter =string to get results with an exact match on a field
    • enter :string to get results where the field contains the string
    • enter ^string to get results where the field starts with the string
  • CVSS vector attributes are looking good, we should use Black color instead of Red.

  • Ziyad has added the logos to the package ecosystem in PurlSync, and it's looking great already. Philip: Maybe we can have a better name for PurlSync.

    Ziyad: Will try to come up with some suggestions on this in our next meet.

    Philip: We can separately sync up on how to go about the Pilot deployment of PurlSync and along with the campaign for the same, so folks from the community can give feedback.

  • Philip delivered 3 presentations at hack.lu <https://hack.lu/>_ conference.

    Philip: Most of the folks were from Threat Intelligence (CTI) and Incidence Response (CERT) and there seems to be consensus among the folks that SBOM/PURL if better leveraged at an early stage can save a lot of effort that goes into firefighting when thing hits the fan.

Meeting on Tuesday 2023-10-17 at 16:00 UTC

Agenda:

  • Ziyad: Feedback on CVSS vector color coding.
  • Hritik: VCIO data quality issue.

Participants:

  • Ayan (@AyanSinhaMahapatra)
  • Dennis (@DennisClark)
  • Hritik (@Hritik14)
  • John (@johnmhoran)
  • Keshav (@keshav-space)
  • Ziyad (@ziadhany)

Discussions:

  • Color coded CVSS vector attributes looking good. Ziyad will complete the implementation for displaying attributes in appropriate color.

  • Hritik found that VCIO is not displaying all the affected versions for given vulnerability. For example https://github.com/advisories/GHSA-fpcf-qr79-hjqp CVE-2023-43667 is affecting >= 1.4.0, < 1.8.0 but VCIO is only showing pkg:maven/org.apache.inlong/[email protected] in affected packages. Hritik will add an issue to track this bug.

Meeting on Tuesday 2023-10-03 at 16:00 UTC

Dennis:

  • CSAF format and Vulnerability reachability issues

Keshav:

  • Detaching CWE Fork

Ziad:

  • Adding support to CVSS vector to UI
  • Merging PRs for GSoC project

Philippe:

  • Features and setups in test suite
  • VulnTotal like approach for Vulnerablecode

Tushar:

  • Statuses on vulnerabilities

Hritik:

Meeting on Tuesday 2023-09-26 at 16:00 UTC

Ziad:

  • CVSS Vector - presentation in the UI
  • CWE

Tushar:

  • New releases in VCIO
  • Milestone review

Meeting on Tuesday 2023-09-19 at 16:00 UTC

John:

Ziad:

  • CWE exception in API
  • CVSS vector in OSV

Dennis:

Tushar:

Meeting on Tuesday 2023-09-12 at 16:00 UTC

Agenda:

  • History/ Changelog
  • Vulnerability status
  • CWE in API

Tushar:

  • Shown his progress regarding history/changelog for packages and vulnerabilities
  • Discussed the rejected status on NVD

Philippe:

  • We should use DISPUTED and other statuses as well on a vulnerability.

Ziad:

  • Discussed review comments on his PR for adding CWE support in API.

Meeting on Tuesday 2023-09-05 at 16:00 UTC

Agenda:

  • How to express empty values
  • Bug in univers
  • Milestone review
  • Ziad's GSoC project

Ziad:

  • Talked about the problems in testing and logical changes needed for his GSoC project

John:

  • Asked how we can express empty values, the solution that we got was to use None as value instead of nothing

Philippe:

  • Milestone review

Keshav:

Meeting on Tuesday 2023-08-22 at 16:00 UTC

Agenda:

  • Apache Tomcat failing test

Ziad:

  • Due to change in tomcat advisory HTML page the apache tomcat tests were failing
  • Discussed review comment on his PR

Philippe:

  • The current data in VCIO is not current.

Meeting on Tuesday 2023-08-15 at 16:00 UTC

Agenda:

  • Vers in purldb

Keshav:

  • Adding univers vers support in purlDB

Meeting on Tuesday 2023-08-08 at 16:00 UTC

Agenda:

  • Planning

Tushar:

  • Planning for the next milestone

Meeting on Tuesday 2023-08-01 at 16:00 UTC

Agenda:

  • UI for comparing and showing closest fix
  • YAML file changing format and pushing events from VCIO to activity pub server
  • purl.fyi and vulnerablecode insights
  • Vulnerability status

John:

  • Shown his progress on the closest and non-vulnerable fix, also got some feedback

Ziad:

  • Discussed the structure of YAML format for pushing events from VCIO to activity pub server

Dennis:

Meeting on Tuesday 2023-07-18 at 16:00 UTC

Agenda:

  • CVSS vector to scores
  • Allow searching by CVSS vectors and show CVSS vectors in UI
  • Passing package context while going from package to vulnerability

Ziad:

  • Pointed out the discrepancies in converting CVSS vector to score mapping

Philippe:

  • We should allow search by CVSS vectors and also show vectors in UI for a vulnerability.

Tushar:

  • Going from a package to vuln, we should pass package context to show only matching packages in the vulnerability view

Meeting on Tuesday 2023-07-04 at 16:00 UTC

Agenda:

  • API endpoint discussion for purl-sync project
  • Issues reported by Tom in VCIO

Ziad:

Philippe:

Meeting on Tuesday 2023-06-20 at 16:00 UTC

Agenda:

  • Insights on Vulnerablecode data

Hritik:

  • presented insights of VCIO data and discussed the other data sources that we should consider.

Meeting on Tuesday 2023-06-06 at 16:00 UTC

Agenda:

  • report feature in VCIO
  • discuss CVSS score transformation

Philippe:

  • Consider adding reporting feature in VCIO to submit a list of purls and getting vulnerabilities in those PURLs

Ziad:

  • Metrics to convert CVSSv2 to CVSSv3.

Meeting on Tuesday 2023-05-30 at 16:00 UTC

Agenda:

  • CVSS

Ziad:

  • Conversion of CVSSv2 to CVSSv3 scores.

Meeting on Tuesday 2023-05-16 at 16:00 UTC

Agenda:

  • Issues with Improver and importers
  • GoLang PackageURLs

Ziad:

  • Sorting of the affected version range in merge function in problematic

Philippe:

  • We should store name as is for GoLang purls and should not have namespaces for them.

Meeting on Tuesday 2023-05-09 at 16:00 UTC

Agenda:

  • Ruby Improver

Ziad:

  • Discussed the approach for ruby improver.

Meeting on Tuesday 2023-04-25 at 16:00 UTC

Agenda:

  • Severity Range
  • Ziad's PRs
  • Dropping CVSSv2
  • version 32

Ziad:

Dennis:

Tushar:

  • Talked about the release of version 32 of vulnerablecode.

Meeting on Tuesday 2023-04-18 at 16:00 UTC

Agenda:

  • Changelog on packages and vulnerabilities
  • Severity Range

Tushar:

  • Presented the current progress on the changelog structure of packages and vulnerabilities.

Ziad:

  • Presented screenshots and his work on severity range.

Meeting on Tuesday 2023-04-11 at 16:00 UTC

Agenda:

  • Cargo Version
  • Status on version 32
  • Refactor gem and make nuget hashable in univers
  • Dark mode in documentation

Ziad:

Dennis:

  • Asked about the status of v32 of vulnerablecode.

Philippe and Keshav:

Swastik:

Tushar:

Meeting on Tuesday 2023-03-28 at 16:00 UTC

Agenda:

  • Severity normalizer
  • Design a policy for vulnerabilities
  • Cargo Version Range
  • Release for CWE-2
  • Golang PURLs
  • Pending PRs

Dennis:

  • Discussed how we can normalize different severity scoring.

Ziad:

  • Talked about CargoVersionRange implementation in univers and release for CWE-2.

Tushar:

  • Discussed the removal of namespace for Golang purls and vulnerablecode pending PRs.

Meeting on Tuesday 2023-03-21 at 16:00 UTC

Agenda:

  • CWE imports
  • ActivityPub GSoC project idea
  • Univers release

Ziad:

  • Discussed how different vulnerability advisories store CWE data.
  • Discussed his approach for ActivityPub GSoC project idea.

Tushar:

  • Explained what's new in the univers release v30.10.0.

Meeting on Tuesday 2023-03-14 at 16:00 UTC

Agenda:

  • Pypi improver
  • CWE
  • ActivityPub
  • Improver Structure

John:

  • Where should we have the improver for pypi validation improver?
  • Decided that we will have all improvers in improvers directory

Ziad:

  • Discussed the release of CWE v3.0.0
  • Shared his proposal regarding ActivityPub.

Tushar:

  • Changes needed in improver structure to accomodate othe entities than advisories.

Meeting on Tuesday 2023-03-07 at 16:00 UTC

Agenda:

  • PypI API vulnerability data
  • GSOC ideas for vulnerablecode
  • State of Ziad PRs
  • Normalization and Comparison
  • Misbehaving Versions
  • More data sources

John:

  • Discussed limitations of PypI API to be an importer it should be an improver, which will collect additional data from the API for existing packages in vulnerablecode.

Ziad:

  • Presented states of his open PRs and also his approach for "Decentralized vulnerability data peer-review"

Keshav:

  • Shown the normalized vers and discrepancies in the PypiVersion and vulnerablecode data.

Hritik:

  • Discussed the condition of current data sources we have in vulnerablecode and which new data source we should consider to collect data.

Meeting on Tuesday 2023-02-21 at 16:00 UTC

Agenda:

  • normalizing the version ranges using spans
  • Conan version
  • extracting vulnerabilities from nuget API

Keshav:

  • Discussed approach to normalize version ranges using Span and also discusses how we can convert these spans into vers.

John:

  • Discussed the conan support in univers.

Philippe:

  • Nuget API now provide vulnerability data we should store that data in vulnerablecode.

Meeting on Tuesday 2023-02-14 at 16:00 UTC

Agenda:

  • Vulnerablecode Data
  • Goals and planning
  • CWE

Hritik:

  • Presented the report of the data and told various data sources which we can include in vulnerablecode.

Philippe:

Tushar:

Ziad:

  • Discusses the CWE PR

Meeting on Tuesday 2023-02-07 at 16:00 UTC

Agenda:

  • OSV
  • GSD
  • CWE API
  • Improvers
  • Vulnerablecode Token
  • Status

Ziad:

  • Will research how he can get the list of categories for CWE.
  • What to provide in data when name and description are not present for a CWE.
  • GSD data format.
  • Bug in univers gem version.

Hritik:

Tushar:

  • Status on milestone v32.0.0

Philippe:

Meeting on Tuesday 2023-01-24 at 16:00 UTC

Agenda:

  • OVAL XML
  • GSOC Ideas

Participants:

  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

John:

  • Discussing the data format of OVAL.

Dennis:

Tushar:

  • Discussion of GSoC Ideas.
  • Adding heuristics to do static vulnerability scans.

Philippe:

  • Using something like this to get versions of packages to do static vulnerability scanning.
$ openssl version
OpenSSL 1.0.2g  1 Mar 2016
$ strings `which openssl` | grep "OpenSSL 1.0.2g  1 Mar 2016"
OpenSSL 1.0.2g  1 Mar 2016

Meeting on Tuesday 2023-01-17 at 16:00 UTC

Agenda:

  • Questions on SUSE
  • Tests and Confidence in improvers
  • CWE

Participants:

  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Ziad:

John:

  • Discussed how SUSE OVAL data is different from pre-existing OVAL data that vulnerablecode parse at the moment and changes needed in code to accommodate the changes in data.

Hritik:

Meeting on Tuesday 2023-01-10 at 16:00 UTC

Agenda:

  • Deduping constraints in version range
  • VulnTotal
  • Defensive publication using ActivityPub

Participants:

  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Philippe:

  • Planning to publish a defensive publication using activity-pub with vulnerablecode data.

John:

  • We should have support for deduping version constraints in univers.

Keshav:

  • Discrepancy in redhat data discovered through vulntotal.

Meeting on Tuesday 2023-01-03 at 16:00 UTC

Agenda:

  • Apache Tomcat
  • Status on current progress

Participants:

  • Philippe (@pombredanne)
  • Hritik (@hritik14)
  • Tushar (@tg1999)
  • Ziad (@ziadhany)
  • Keshav (@keshav-space)
  • John M. Horan (@johnmhoran)
  • Dennis M. Clark (@DennisClark)

Tushar:

  • Reviewed status on #597.

John

  • Follow-up questions by John on Apache Tomcat importer.
Clone this wiki locally