During the month of July, I have worked on the following tasks for LTS and ELTS:

- CSAF v2.0 documents generator PoC
  + CSAF is a spec to publish security advisories in a machine-readable way
  + A PoC was implemented in Perl
    - https://salsa.debian.org/kanashiro/csaf-poc
    - It was tested against all DLAs in data/DLA/list (security-tracker repo)
    - The generated document was validated with one well-known security scanner: trivy (https://trivy.dev/latest/)
  + 3 new Perl modules were uploaded to NEW to support this PoC
    - libcvss-perl
    - liburi-packageurl-perl
    - libcsaf-perl
- VEX documents generator PoC
  + VEX is a machine-readable format to provide users additional info on whether a product (package in our case) is impacted by a specific vulnerability (CVE)
  + VEX is used as part of a SBOM
  + No good external library implementing any VEX spec
  + OpenVEX is a minimal spec for VEX which I have considered using
    - Similar to what distros have been doing
    - Easier to create our own tooling based on the published JSON schema
  + WIP
- Re-write of the CSAF PoC in Python
  + Python codebase is better for future maintenance
  + No external library needed
  + Using datamodel-codegen to generate Pydantic 2 models based on the JSON schema provided by the spec
  + Re-use the same codebase to also extend it to support VEX
- Debci bug found in ELTS infra
  + Debian bug #1107645
  + Investigated with terceiro during DebConf 25
    - Not reproducible with trixie, where a newer version of ActiveRecord (rails gem) is available.
    - In order to properly fix it in bookworm, we would probably need to bisect ActiveRecord code
    - We considered it not worth it, and replied to the bug saying that the easiest solution is to upgrade to trixie.
- Debian LTS team BoF during DebConf 25
  + Hosted the BoF with Santiago
  + After the BoF we had an informal meeting with the LTS contributors present
- Debian LTS security-tracker sprint during DebCamp 25
  + Some of what was done was already covered above, but I am publishing my full report here:
  + During the DebCamp 25 LTS team security tracker sprint I spent 30 hours working on the following tasks:
    - Uploaded all Perl dependencies for the CSAF generator to unstable (NEW).
      + libcvss-perl
      + liburi-packageurl-perl
      + libcsaf-perl
    - Guided new contributors attending the sprint, giving them context and helping them to find some work to do.
    - Attended the DebCamp standup to tell what we were doing and to invite others to join us.
    - Engaged in the trivy upstream discussion about being picky with the minor releases in Debian [1].
    - Guided a newcomer through salsa issue #61 [2], to create a script to check consistency when generating an advisory. He gave up since this requires too much interaction with the security team for a newcomer.
    - This newcomer (Sebastien - pipoprods) worked on [3], after looking carefully at the list provided by Roberto.
    - Tried to find a Perl module to also handle VEX. I did not find any, and ideally we should have a single codebase for CSAF and VEX.
    - Investigated the go-vex library. It does not do any kind of validation, not what I was expecting.
    - Experimented with our CSAF generator PoC in Python, without any external dependencies. Using datamodel-codegen to generate Pydantic 2 models based on the JSON schema. We could use the same approach for VEX.
    - Discussed with Santiago and Samuel Henrique about the non-issue/not-exploitable new status and the VEX specification.

References

[1] https://github.com/aquasecurity/trivy/discussions/8165
[2] https://salsa.debian.org/lts-team/lts-extra-tasks/-/issues/61
[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812410
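To make the VEX discussion above concrete, here is an added, dependency-free Python example of what a minimal OpenVEX-shaped generator for Debian advisories could look like; it is not the CSAF/VEX PoC described in the report nor code from the LTS team. The document layout, the `@context` URL, and the status and justification vocabularies follow the OpenVEX spec as I recall it and should be checked against the published JSON schema (the PoC generates its models from that schema with datamodel-codegen instead of hand-writing them). The advisory record, package name, CVE ids and document id are constructed placeholders, not real advisory data.

```python
"""Minimal builder and validator for OpenVEX-shaped documents (stdlib only).

Added example, not the LTS team's PoC. Field names, CONTEXT and the
STATUSES / JUSTIFICATIONS vocabularies are taken from the OpenVEX spec as
recalled by the example's author: verify them against the published schema.
"""
import json
import re
from datetime import datetime, timezone
from urllib.parse import quote

CONTEXT = "https://openvex.dev/ns/v0.2.0"  # assumed OpenVEX context URL
STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
JUSTIFICATIONS = {
    "component_not_present",
    "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def debian_purl(source: str, version: str, suite_version: str) -> str:
    """Package URL for a Debian source package at a given version.
    The version is percent-encoded because '+' and ':' are reserved in PURL."""
    return (f"pkg:deb/debian/{source}@{quote(version, safe='')}"
            f"?arch=source&distro=debian-{suite_version}")


def make_statement(cve, products, status, justification=None, note=None):
    """Build one VEX statement and enforce the rules consumers rely on:
    a well-formed CVE id, a known status, at least one product, and a
    justification or impact statement whenever we claim not_affected."""
    if not CVE_RE.match(cve):
        raise ValueError(f"malformed CVE id: {cve}")
    if status not in STATUSES:
        raise ValueError(f"unknown status: {status}")
    if not products:
        raise ValueError("a statement needs at least one product")
    stmt = {
        "vulnerability": {"name": cve},
        "products": [{"@id": p} for p in products],
        "status": status,
    }
    if status == "not_affected":
        if justification not in JUSTIFICATIONS and not note:
            raise ValueError("not_affected needs a justification or impact_statement")
        if justification:
            stmt["justification"] = justification
        if note:
            stmt["impact_statement"] = note
    elif note:
        stmt["status_notes"] = note  # assumed free-text field name
    return stmt


def make_document(doc_id, author, statements, timestamp=None):
    """Wrap statements in the top-level OpenVEX envelope."""
    ts = timestamp or datetime.now(timezone.utc).isoformat()
    return {"@context": CONTEXT, "@id": doc_id, "author": author,
            "timestamp": ts, "version": 1, "statements": statements}


def validate_document(doc):
    """Re-check a document (e.g. read back from disk); returns a list of
    problems, empty when the structural checks pass."""
    errors = []
    for key in ("@context", "@id", "author", "timestamp", "version", "statements"):
        if key not in doc:
            errors.append(f"missing top-level field {key}")
    for i, s in enumerate(doc.get("statements", [])):
        name = s.get("vulnerability", {}).get("name", "")
        if not CVE_RE.match(name):
            errors.append(f"statement {i}: bad vulnerability name {name!r}")
        if s.get("status") not in STATUSES:
            errors.append(f"statement {i}: bad status {s.get('status')!r}")
        if s.get("status") == "not_affected" and not (
                s.get("justification") in JUSTIFICATIONS or s.get("impact_statement")):
            errors.append(f"statement {i}: not_affected without justification")
        if not s.get("products"):
            errors.append(f"statement {i}: no products")
    return errors


# Constructed sample shaped like what one DLA entry could yield; not real data.
SAMPLE_ADVISORY = {
    "source": "examplepkg",
    "fixed_version": "1.2.3-1+deb11u1",
    "suite_version": "11",
    "fixed_cves": ["CVE-2024-0001"],
    "not_affected_cves": [("CVE-2024-0002", "vulnerable_code_not_present")],
}


def advisory_to_vex(adv, doc_id="https://example.invalid/vex/DLA-0000-1",
                    author="Example LTS team"):
    """Turn an advisory record into one VEX document: fixed CVEs get status
    'fixed', non-issues get 'not_affected' with their justification."""
    purl = debian_purl(adv["source"], adv["fixed_version"], adv["suite_version"])
    statements = [make_statement(c, [purl], "fixed") for c in adv["fixed_cves"]]
    statements += [make_statement(c, [purl], "not_affected", justification=j)
                   for c, j in adv["not_affected_cves"]]
    return make_document(doc_id, author, statements,
                         timestamp="2025-08-01T00:00:00+00:00")


if __name__ == "__main__":
    doc = advisory_to_vex(SAMPLE_ADVISORY)
    assert validate_document(doc) == []
    print(json.dumps(doc, indent=2))
```

The point of `validate_document` is the gap noted in the report about go-vex: a generator that emits JSON is easy, but a consumer only benefits if a "not_affected" claim always carries the justification the spec requires, so the check is applied both at build time and on the serialized document.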