From: Teppei Fukuda
Date: Wed, 24 Jul 2019 11:56:57 +0900
Subject: Re: Security Issues in Redmine
To: Natanael Copa
Cc: Carlo Landmeter, ~alpine/devel@lists.alpinelinux.org
In-Reply-To: <20190723111532.5a18f982@ncopa-desktop.copa.dup.pw>
References: <20190723091240.733103de@ncopa-desktop.copa.dup.pw> <20190723111532.5a18f982@ncopa-desktop.copa.dup.pw>

Hi Copa,

I appreciate your polite explanation. I understand.

Currently, my program collects the following data:

1. the secfixes comments in APKBUILD
2. alpine-secdb (maybe the same as above)
3. the security tickets of Redmine (will be replaced with the issues of GitLab)
4. git diff APKBUILD (only commits related to the above issues)

I think we can generate the security advisories by checking all git logs like No. 4.
For example, the following commit fixes CVE-2019-13636.
https://github.com/alpinelinux/aports/pull/9642/files

Watching this diff of main/patch/APKBUILD, we can detect the version update from 2.7.6-r4 to 2.7.6-r5.
This is my source code doing it.
https://github.com/knqyf263/vuln-list-update/blob/d8aefa60155637561a8a2d3feb486bbb675c996c/alpine/alpine.go#L404-L450

I know this way is not perfect. There may be false positives/negatives. However, this process can be automated and the maintenance cost is low. It may be a good way as a first step of the security advisory.

It is better if the format of the commit message is fixed, e.g. [os_version] pkgname: fix CVE-ID.

I strongly want the security database of Alpine and can help you with the task of investigating it and writing an automation program. But it is difficult to do manual operations (e.g. I continue to fill in the security information manually).

Best,
Teppei

Tue, 23 Jul 2019 18:18 Natanael Copa :
>
> On Tue, 23 Jul 2019 17:54:40 +0900
> Teppei Fukuda wrote:
>
> > Hi Carlo,
> >
> > Yes, it is.
> > However, alpine-secdb is a database of backported fixes as
> > README says.
> > >It is not a complete database of all security issues in Alpine.
> >
> > I need a complete database of all security issues.
>
> We currently don't have that. I do think we have much or maybe even
> most of the needed data, but it's spread.
>
> We need someone who can figure out the pieces that are missing and find
> a way to collect and store it in a way that makes it as simple as
> possible to fix and roll out fixes.
>
> We could for example use the secfixes comments in APKBUILD and data
> from gitlab issues and generate a database from that, and have someone
> fill in the missing data, or we could turn it around, have someone
> collect all the data in a database and generate issues from that and
> maybe automatically add secfixes comments from it.
>
> But we need someone who can investigate and come up with a good plan.
>
> -nc
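The two automatable sources discussed in this thread, the `# secfixes:` comments in an APKBUILD and the APKBUILD diff that bumps pkgrel, can be combined into one check that yields an advisory only when a commit actually changes the package version. This is an added example, not Teppei's vuln-list-update code or Alpine's own tooling; the two APKBUILD snippets are constructed, modelled on the main/patch 2.7.6-r4 to 2.7.6-r5 bump mentioned above.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed before/after revisions of an APKBUILD, modelled on the main/patch 2.7.6-r4 -> 2.7.6-r5 bump in the thread (not the real file).
const apkbuildBefore = "pkgname=patch\npkgver=2.7.6\npkgrel=4\n# secfixes:\n#   2.7.6-r1:\n#     - CVE-2018-1000156\n"
const apkbuildAfter = "pkgname=patch\npkgver=2.7.6\npkgrel=5\n# secfixes:\n#   2.7.6-r5:\n#     - CVE-2019-13636\n#   2.7.6-r1:\n#     - CVE-2018-1000156\n"
var assignRe = regexp.MustCompile(`^(pkgver|pkgrel)=(\S+)$`)
var secverRe = regexp.MustCompile(`^#\s+(\S+):$`)            // "#   2.7.6-r5:"
var cveRe = regexp.MustCompile(`^#\s+-\s+(CVE-\d{4}-\d+)$`) // "#     - CVE-2019-13636"

// ParseAPKBUILD returns the full version (pkgver-rpkgrel) and the "# secfixes:"
// comment block as a map from version to the CVE IDs fixed in that version.
func ParseAPKBUILD(src string) (string, map[string][]string) {
	vars, fixes, curVer, inSecfixes := map[string]string{}, map[string][]string{}, "", false
	sc := bufio.NewScanner(strings.NewReader(src))
	for sc.Scan() {
		line := sc.Text()
		if m := assignRe.FindStringSubmatch(line); m != nil {
			vars[m[1]] = m[2]
		}
		inSecfixes = inSecfixes && strings.HasPrefix(line, "#") // a non-comment line ends the block
		if strings.TrimSpace(line) == "# secfixes:" {
			inSecfixes = true
		} else if m := secverRe.FindStringSubmatch(line); inSecfixes && m != nil {
			curVer = m[1]
		} else if m := cveRe.FindStringSubmatch(line); inSecfixes && m != nil && curVer != "" {
			fixes[curVer] = append(fixes[curVer], m[1])
		}
	}
	return vars["pkgver"] + "-r" + vars["pkgrel"], fixes
}

// NewFixes compares two revisions of one APKBUILD: on a version bump it returns the new version and the CVEs secfixes lists under it; otherwise "" and nil.
func NewFixes(before, after string) (string, []string) {
	oldVer, _ := ParseAPKBUILD(before)
	newVer, fixes := ParseAPKBUILD(after)
	if newVer == oldVer {
		return "", nil
	}
	return newVer, fixes[newVer]
}

func main() {
	fmt.Println(NewFixes(apkbuildBefore, apkbuildAfter)) // 2.7.6-r5 [CVE-2019-13636]
}
```

A commit that leaves pkgver and pkgrel untouched produces no advisory here, and a bump whose secfixes entry was never written produces a version with an empty CVE list; those are the false-negative cases Teppei mentions, which a maintainer would have to fill in by hand.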