[ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode

Grant Knoetze grantknoetze at outlook.com
Thu Jan 26 06:14:18 UTC 2023


Good day 

I wonder if you could help me with something? I am researching CVE-2016-0741 and I am looking for the commit(s) to fix it, if any.

There is so much on GitHub, and I am searching; I am following Ubuntu security, and any guidance would be helpful.

Kind regards,

Grant Knoetze | +27 81 456 9004 (South Africa) 

-----Original Message-----
From: ubuntu-hardened <ubuntu-hardened-bounces at lists.ubuntu.com> On Behalf Of Seth Arnold
Sent: Tuesday, January 24, 2023 10:32 PM
To: Tushar Goel <tushar.goel.dav at gmail.com>
Cc: ubuntu-hardened at lists.ubuntu.com; jmhoran at nexb.com; Philippe Ombredanne <pombredanne at nexb.com>
Subject: Re: [ubuntu-hardened] Usage of Ubuntu Security Data in VulnerableCode

On Wed, Jan 11, 2023 at 06:27:38PM +0530, Tushar Goel wrote:
> We would like to integrate the Ubuntu usn data[1][2] and Ubuntu 
> security data (OVAL format)[3] in vulnerablecode[4] which is a FOSS db 
> of FOSS vulnerability data. We were not able to know under which 
> license this security data comes.
> We would be grateful to have your acknowledgement over usage of the 
> ubuntu security data in vulnerablecode and have some kind of licensing 
> declaration from your side.

Hello Tushar, we do not have an explicit license on this data.

We share our data with the intention that others will use it. Please feel free to use it for the general furtherance of security.

Much of the data that's contained within our databases is sourced from third parties, who also shared their data with the intention that others will use it. I'm not sure what it would look like to try to put a license on data that is crowd-sourced from thousands of contributors. (If you were to start such a project today, it'd probably be one of the first things to formalize. But when CVE was started two decades ago, the primary goal was sharing knowledge and simplifying the vulnerability remediation process, and licensing the data was, as far as I can remember, not considered. Sharing was the goal.)

I will ask that vulnerablecode 'be nice' to our infrastructure that hosts the databases -- some automated uses of our infrastructure by vulnerability scanner tools have led to significant load and engineering effort. In general, please prefer a small handful of systems updating mirrors roughly twice a day rather than thousands of hosts pulling data hourly.

Thanks
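
The "be nice to the infrastructure" request above amounts to an architecture: one (or a few) mirror hosts contact upstream on a coarse schedule with conditional requests, and every consumer reads the local copy. The following is an added example illustrating that pattern; it is not VulnerableCode's or Canonical's code. The feed URL, the JSON document, the ETag and the in-process HTTP server are all constructed stand-ins so it runs offline (no real USN or OVAL endpoint is assumed), and MIN_INTERVAL encodes "roughly twice a day" as a 12-hour minimum between upstream contacts.

```python
"""Polite mirroring of an upstream security feed (added example, not project code).

One Mirror instance pulls at most every MIN_INTERVAL seconds, sends If-None-Match so an
unchanged feed costs the upstream a 304 and no body, and serves the cached copy to every
local consumer.  The upstream here is a constructed stand-in server, not a real feed.
"""
import hashlib
import json
import threading
from email.utils import formatdate
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

MIN_INTERVAL = 12 * 3600  # seconds between upstream contacts: "roughly twice a day"

# Constructed stand-in for an advisory feed; the identifiers are placeholders, not real USNs.
UPSTREAM_DOC = json.dumps({"USN-0000-1": {"cves": ["CVE-0000-0000"], "releases": {}}}).encode()
UPSTREAM_ETAG = '"%s"' % hashlib.sha256(UPSTREAM_DOC).hexdigest()[:16]
UPSTREAM_LAST_MODIFIED = formatdate(usegmt=True)


class FeedHandler(BaseHTTPRequestHandler):
    """Stand-in upstream: serves the feed with validators and honours If-None-Match."""
    hits = {"200": 0, "304": 0}  # how much work each request cost the upstream

    def do_GET(self):
        if self.headers.get("If-None-Match") == UPSTREAM_ETAG:
            FeedHandler.hits["304"] += 1
            self.send_response(304)          # unchanged: headers only, no body
            self.send_header("ETag", UPSTREAM_ETAG)
            self.end_headers()
            return
        FeedHandler.hits["200"] += 1
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("ETag", UPSTREAM_ETAG)
        self.send_header("Last-Modified", UPSTREAM_LAST_MODIFIED)
        self.send_header("Content-Length", str(len(UPSTREAM_DOC)))
        self.end_headers()
        self.wfile.write(UPSTREAM_DOC)

    def log_message(self, *args):  # keep the demo quiet
        pass


class Mirror:
    """The single local copy of the feed; refreshed from upstream at most every MIN_INTERVAL."""

    def __init__(self, url):
        self.url = url
        self.body = None
        self.etag = None
        self.last_fetch = None  # seconds (caller-supplied clock) of the last upstream contact

    def refresh(self, now, force=False):
        """Contact upstream only when due.  Returns 'skipped', 'unchanged' or 'updated'."""
        if not force and self.last_fetch is not None and now - self.last_fetch < MIN_INTERVAL:
            return "skipped"                 # not due yet: no request leaves this host
        req = Request(self.url, headers={"User-Agent": "example-mirror/0.1"})
        if self.etag:
            req.add_header("If-None-Match", self.etag)  # let upstream answer 304 cheaply
        self.last_fetch = now
        try:
            with urlopen(req, timeout=5) as resp:
                self.body = resp.read()
                self.etag = resp.headers.get("ETag")
                return "updated"
        except HTTPError as err:
            if err.code == 304:
                return "unchanged"           # cached copy is still current
            raise

    def load(self):
        """What the many consumers read: the local copy, never upstream."""
        return json.loads(self.body)


def run_demo():
    """Start the stand-in upstream, drive one mirror through a day, report what upstream saw."""
    FeedHandler.hits = {"200": 0, "304": 0}
    server = HTTPServer(("127.0.0.1", 0), FeedHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        mirror = Mirror("http://127.0.0.1:%d/feed.json" % port)
        t0 = 0.0
        outcomes = [
            mirror.refresh(t0),                 # first pull: full 200 with body
            mirror.refresh(t0 + 3600),          # an hour later: not due, no request at all
            mirror.refresh(t0 + MIN_INTERVAL),  # 12h later: conditional GET answered 304
        ]
        advisories = sorted(mirror.load())      # consumers read the cached copy
    finally:
        server.shutdown()
        server.server_close()
    return {"outcomes": outcomes, "hits": dict(FeedHandler.hits), "advisories": advisories}


if __name__ == "__main__":
    print(run_demo())
```

The point of the two separate mechanisms is that they address different costs: the schedule caps how often any request leaves the mirror host at all, while the conditional GET makes the requests that do go out nearly free for upstream when nothing has changed. Consumers (scanners, importers) only ever call load(), so scaling them to thousands of hosts adds no upstream load.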
