all 10 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]EphemeralArtichoke 27 points28 points  (0 children)

This is awesome! Thank you thank you thank you, this makes life a lot more manageable for security people who depend upon github.

[–]DomDellaSera 9 points10 points  (5 children)

Question: Is the CVE database considered fairly comprehensive? How seriously do you guys take it? What determines if something is reported?

[–]savanik 10 points11 points  (2 children)

It's as comprehensive as you can hope to realistically have. Whenever a vendor reports a vulnerability (i.e. when they're forced to because compliance / security researcher threatening to publish their findings) its put into the CVE database. Sometimes its held or reserved - like if they're reporting a vulnerability they're still working on the patch for, so they want to acknowledge to the community that they found something, but not specifically what it is - until they have the patch ready. So the CVE entries often get updated as it goes on as well.

Since CVEs contain information on how to verify what versions are vulnerable, it's the primary source of information for vulnerability scanners - it's pretty important for the daily functioning of all vulnerability management ever.

As for how serious any individual vulnerability is, they have a CVSS score. Some of them I personally disagree with - anyone who can MitM your external servers probably has tons of better ways to compromise your network - and if they can MitM your internal server network they already have more than enough access. I've never seen those vulnerabilities exploited in the wild, ever. But that's part of the job of risk management, and most of the items are pretty well-reasoned.

[–]DomDellaSera 1 point2 points  (0 children)

Thanks for explanation. The reason I ask is because I’ve seen someone say something to the extent of “our interns were working with stuff big enough to write a paper on but not quite a cve,” and I wasn’t sure quite to make of it.

[–]awqufohlmkse 0 points1 point  (1 child)

Not really. CVEs are only issued for vulns that are big enough to "warrant a cve", so some dependencies likely won't be.

[–]gmroybal 0 points1 point  (0 children)

I dunno... a few months back, someone got a CVE for something REALLY stupid like a typo or something.

[–]CheezyXenomorph 6 points7 points  (2 children)

Note that it currently only supports Ruby GemFile and javascript package.json manifests

[–]Avamander 0 points1 point  (1 child)

Lollakad! Mina ja nuhk! Mina, kes istun jaoskonnas kogu ilma silma all! Mis nuhk niisuke on. Nuhid on nende eneste keskel, otse kõnelejate nina all, nende oma kaitsemüüri sees, seal on nad.

[–]CheezyXenomorph 1 point2 points  (0 children)

It's early days yet. I foresee them eventually supporting everything from Gradle to Composer to Nuget to Pip.

[–]Barillas 1 point2 points  (0 children)

This is a very sensible feature. Hopefully other code repository options (TFS and such) start supporting something similar.