[08:08] <luna> new podcast later today?
[11:57] <amurray> luna: hey - podcast just went live :)
[11:59] <luna> amurray: thanks will listen when helping with some 23.04 Alpha testing then :)
[12:03] <luna> and doing QA of my Swedish for ubuntu-desktop-installer
[15:55] <Guest6198700> Hello, I am seeing only fixable CVEs (USNs) in the Ubuntu Oval data. Is it not including unfixable CVEs? Is there anywhere we can get unfixable CVEs except for the git Launchpad data? Thank you!
[16:28] <hank> this is also relevant to my interests
[17:13] <ebarretto> Guest6198700, hank USN OVAL data only contains data based on USN, which means CVEs we fixed. If you want a CVE based OVAL you can download, just alter the file name from 'usn' to 'cve', e.g.: com.ubuntu.bionic.cve.oval.xml.bz2. CVE OVAL will show you a lot of vulnerabilities as it has the entirety of CVEs that affect us and that might not have been fixed yet or never will
[17:16] <Guest6198700> Thank you! That's very helpful!
[17:18] <hank> are the "never" advisories called out?
[17:19] <hank> that is to say, can I tell the difference between "unfixed" and "unplanned"
[17:20] <ebarretto> hank, probably not, some CVEs will continue to have a needs-triage until upstream decides to fix it, if upstream is dead, that CVE will continue living until the package is dropped from debian/ubuntu
[17:21] <ebarretto> or if we decide to ignore them all, then you won't see it anymore in OVAL
[17:23] <hank> so there's no way to tell that an in-support package is planned to be updated, but hasn't yet?
[17:35] <ebarretto> not in oval
[17:35] <ebarretto> you could try to get more info from the cve pages
[17:36] <hank> is there a way to get that in a machine format that's not the git repo?
[17:38] <ebarretto> not that I know of, the page does provide a json for each cve, but then you will need to query a bunch of them
[17:38] <ebarretto> also tbh our git repo doesn't exactly show if it is planned or not
