I see some CI failures regarding dates, which I did not touch. I'd like advice on how to resolve. Edit: looks like we allowed it before, like in https://github.com/nodejs/security-wg/pull/1492/checks. I wonder if this logic in where the
RafaelGSS
left a comment
It looks like most (if not all) of the critical-scored CVEs were dealt with as high by the Node.js team back in the day. The reason that NVD is scoring it as CRITICAL is unknown to me. I'd change them to the score Node.js chose.
You can ignore the
We will choose Node.js categorization if there is a conflict.
| "all" | ||
| ], | ||
| "severity": "unknown" | ||
| "severity": "critical" |
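Review bot: the severity here goes from "unknown" to "critical" with nothing in the record saying why; since the thread resolves conflicts in favour of Node.js's own categorization and this rating is confirmed by the Node.js blog rather than taken from NVD, consider pointing the entry's "ref" field (or its description) at that blog post so the basis for "critical" stays with the data.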
Confirmed critical on our blog.
We will choose Node.js categorization if there is a conflict.
@RafaelGSS I combed through all the critical ratings to either confirm or downgrade to what the blog states. There is one outstanding question then on
closes #1501
In all, I hope this better reflects the security environment and communication we are proposing within nodejs/nodejs.org#7990
CVE Severity Assignment
The following table provides severity ratings for Node.js CVEs that were marked as "unknown" and their new severity, based on information from the National Vulnerability Database (NVD). In cases where there was a conflict, NVD was used, not GitHub.
I verified all of these by hand. 13 unknowns remain, mostly because their entries have no CVE listed.
Example
{
  "cve": [],
  "vulnerable": "5.x || 4.x || 6.x",
  "patched": "^5.12.0 || ^4.5.0 || ^6.2.1",
  "ref": "https://github.com/nodejs/node/pull/7562",
  "description": "ignore negative allocation lengths",
  "affectedEnvironments": [
    "all"
  ],
  "severity": "unknown"
}
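As an added example (not code from this PR or from the security-wg repository), a small Python audit of records in the format shown above: it fills in "unknown" severities from NVD and Node.js lookup tables, applies the conflict rule the review thread settled on (the Node.js rating wins over NVD), and reports entries that must stay unknown because they carry no CVE id. The sample records, CVE ids, URLs and both lookup tables are constructed placeholders, not real advisories.

```python
import json
from copy import deepcopy

# Constructed sample records (not real Node.js advisories) in the shape of the
# security-wg entry shown above; the CVE ids and URLs are placeholders.
SAMPLE_DB = json.loads("""[
  {"cve": [], "vulnerable": "5.x", "patched": "^5.12.0", "ref": "https://example.invalid/a",
   "description": "no CVE assigned", "affectedEnvironments": ["all"], "severity": "unknown"},
  {"cve": ["CVE-0000-0001"], "vulnerable": "8.x", "patched": "^8.1.0", "ref": "https://example.invalid/b",
   "description": "only NVD rated it", "affectedEnvironments": ["all"], "severity": "unknown"},
  {"cve": ["CVE-0000-0002"], "vulnerable": "10.x", "patched": "^10.2.0", "ref": "https://example.invalid/c",
   "description": "NVD and Node.js disagree", "affectedEnvironments": ["all"], "severity": "unknown"},
  {"cve": ["CVE-0000-0003"], "vulnerable": "12.x", "patched": "^12.3.0", "ref": "https://example.invalid/d",
   "description": "already rated", "affectedEnvironments": ["all"], "severity": "moderate"}
]""")

# Constructed lookup tables standing in for NVD scores and for the ratings
# Node.js published in its own release advisories (hypothetical values).
NVD_SEVERITY = {"CVE-0000-0001": "high", "CVE-0000-0002": "critical"}
NODEJS_SEVERITY = {"CVE-0000-0002": "high", "CVE-0000-0003": "moderate"}


def resolve_unknowns(entries, nvd, nodejs):
    """Fill in 'unknown' severities; return (new entries, report).

    Conflict rule from the review thread: Node.js's own rating wins, NVD is
    used only where Node.js published no rating. Entries without a CVE id
    cannot be looked up and stay 'unknown'. The input list is not mutated.
    """
    report = {"resolved": [], "conflicts": [], "unresolved": []}
    updated = []
    for entry in deepcopy(entries):
        if entry["severity"] == "unknown":
            from_nodejs = [nodejs[c] for c in entry["cve"] if c in nodejs]
            from_nvd = [nvd[c] for c in entry["cve"] if c in nvd]
            chosen = (from_nodejs or from_nvd or [None])[0]
            if chosen is None:
                report["unresolved"].append(entry["ref"])
            else:
                if from_nodejs and from_nvd and from_nodejs[0] != from_nvd[0]:
                    # Record the disagreement so a reviewer can double-check it.
                    report["conflicts"].append((entry["cve"][0], from_nvd[0], chosen))
                report["resolved"].append((entry["ref"], chosen))
                entry["severity"] = chosen
        updated.append(entry)
    return updated, report
```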