~alpine/apk-tools


Question about secfixes in APKBUILD

Guilherme Macedo <guilherme@gmacedo.com>
Message ID
<20241116073528.75a751c2@gmacedo.com>
Hey list.

I've a question about the secfixes comments in the APKBUILD spec. Do I
understand right that all false-positive CVEs (the CVEs not
affecting a package) in Alpine are listed with the version as "0"?

Examples:
- https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
- https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118

I tried to look for this in the docs, but couldn't find a note about
this. Apologies in case I missed it.

Thanks in advance,
Guilherme
"fossdd" <fossdd@pwned.life>
Message ID
<D5NKU9M4QM1I.2IG6Z8D6S6EW4@pwned.life>
In-Reply-To
<20241116073528.75a751c2@gmacedo.com>
On Sat Nov 16, 2024 at 11:35 AM CET, Guilherme Macedo wrote:
> Hey list.
>
> I've a question about the secfixes comments in the APKBUILD spec. Do I
> understand right that all false-positive CVEs (the CVEs not
> affecting a package) in Alpine are listed with the version as "0"?
>
> Examples:
> - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
> - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118

Yes, it has become somewhat of a norm to mark them as 0. However, the right place for
such false positives is at https://gitlab.alpinelinux.org/alpine/security/security-rejections

>
> I tried to look for this in the docs, but couldn't find a note about
> this. Apologies in case I missed it.
>
> Thanks in advance,
> Guilherme
Guilherme Macedo <guilherme@gmacedo.com>
Message ID
<20241116090137.5bde56ea@gmacedo.com>
In-Reply-To
<D5NKU9M4QM1I.2IG6Z8D6S6EW4@pwned.life>
On Sat, 16 Nov 2024 12:46:55 +0100
"fossdd" <fossdd@pwned.life> wrote:

> On Sat Nov 16, 2024 at 11:35 AM CET, Guilherme Macedo wrote:
> > Hey list.
> >
> > I've a question about the secfixes comments in the APKBUILD spec.
> > Do I understand right that all false-positive CVEs (the CVEs not
> > affecting a package) in Alpine are listed with the version as "0"?
> >
> > Examples:
> > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
> > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118
> 
> Yes, it has become somewhat of a norm to mark them as 0. However, the
> right place for such false positives is
> at https://gitlab.alpinelinux.org/alpine/security/security-rejections
> 
> 

Thanks for the explanation and for pointing to the rejections repo. I
wasn't aware of it. It seems, unfortunately, that it's not in sync with
the ones marked in the individual APKBUILDs.

Do you know if there is any effort or plans to build automation around
this to keep them in sync?

> >
> > I tried to look for this in the docs, but couldn't find a note about
> > this. Apologies in case I missed it.
> >
> > Thanks in advance,
> > Guilherme
> 
Message ID
<D5NZF1KHEW81.3QWEZ3W9MZ4HC@pwned.life>
In-Reply-To
<20241116090137.5bde56ea@gmacedo.com>
On Sat Nov 16, 2024 at 1:01 PM CET, Guilherme Macedo wrote:
> On Sat, 16 Nov 2024 12:46:55 +0100
> "fossdd" <fossdd@pwned.life> wrote:
>
> > On Sat Nov 16, 2024 at 11:35 AM CET, Guilherme Macedo wrote:
> > > Hey list.
> > >
> > > I've a question about the secfixes comments in the APKBUILD spec.
> > > Do I understand right that all false-positive CVEs (the CVEs not
> > > affecting a package) in Alpine are listed with the version as "0"?
> > >
> > > Examples:
> > > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssh/APKBUILD#L88-89
> > > - https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/openssl/APKBUILD#L113-118
> > 
> > Yes, it has become somewhat of a norm to mark them as 0. However, the
> > right place for such false positives is
> > at https://gitlab.alpinelinux.org/alpine/security/security-rejections
> > 
>
> Thanks for the explanation and for pointing to the rejections repo. I
> wasn't aware of it. It seems, unfortunately, that it's not in sync with
> the ones marked in the individual APKBUILDs.
>
> Do you know if there is any effort or plans to build automation around
> this to keep them in sync?

Yeah, I guess some developers prefer the 0-method over the other,
since it's easier to add. I don't think anyone plans to merge
them anytime soon.

>
> > >
> > > I tried to look for this in the docs, but couldn't find a note about
> > > this. Apologies in case I missed it.
> > >
> > > Thanks in advance,
> > > Guilherme
> > 
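As an added example (not code from this thread, from apk-tools or from aports), the sync check the thread asks about, in Python: a small parser for the `# secfixes:` comment block of an APKBUILD that pulls out the ids recorded under version `0` and reports which of them are missing from a rejection list. The APKBUILD excerpt and its CVE ids are constructed placeholders, and `rejected` is assumed to be a plain set of ids taken from the security-rejections repo, since the thread does not describe that repo's format.

```python
import re

# Constructed APKBUILD excerpt in the aports secfixes format; CVE ids are placeholders.
SAMPLE_APKBUILD = """\
pkgname=example
pkgver=1.2.3
pkgrel=0

# secfixes:
#   1.2.3-r0:
#     - CVE-2024-0001
#   1.2.2-r0:
#     - CVE-2023-0002
#     - CVE-2023-0003
#   0:
#     - CVE-2022-0004
#     - CVE-2021-0005

source="$pkgname-$pkgver.tar.gz"
"""

_VERSION_RE = re.compile(r"^#\s+([^\s:]+):\s*$")  # '#   <version>:'
_ENTRY_RE = re.compile(r"^#\s+-\s+(\S+)\s*$")  # '#     - CVE-....'

def parse_secfixes(apkbuild):
    """Return {version: [id, ...]} from the '# secfixes:' comment block."""
    fixes, version, in_block = {}, None, False
    for line in apkbuild.splitlines():
        if not in_block:
            in_block = line.strip() == "# secfixes:"
            continue
        if not line.startswith("#"):
            break  # the block ends with the comment run that opened it
        m = _VERSION_RE.match(line)
        if m:
            version = m.group(1)
            fixes.setdefault(version, [])
            continue
        m = _ENTRY_RE.match(line)
        if m and version is not None:
            fixes[version].append(m.group(1))
    return fixes

def false_positives(apkbuild):
    """Ids recorded under version '0', i.e. marked as not affecting the package."""
    return parse_secfixes(apkbuild).get("0", [])

def unsynced(apkbuild, rejected):
    """Version-0 ids missing from 'rejected' (assumed: a set of ids from the rejections repo)."""
    return [cve for cve in false_positives(apkbuild) if cve not in rejected]
```

Run over every APKBUILD in a tree, the `unsynced` list is the set of 0-method entries that a maintainer would still need to file in the rejections repo.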