2 changes: 2 additions & 0 deletions README.md
Expand Up @@ -19,6 +19,8 @@ The audience for the linux-cve-analysis project is human reviewers who are respo

While the impact of a particular vulnerability will vary based on how the kernel is being used, we have found that there is factual, objective information which describes the effect of code defects and is generic across use cases. This project seeks to compile those factual, objective descriptions while avoiding vendor-specific or subjective evaluations of those vulnerabilities. Inclusion of subjective or use-case specific analysis is generally discouraged but may be included in the Notes field. CVSS Scores are considered use-case specific and therefore discouraged for this repo.

The one field which is intended for subjective review is the field `high_consequence`. This field should be used to suggest that reviewers spend additional time to understand the potential consequences of this vulnerability in their environments, either because there's a known exploit or if the exploit appears to be easily used to gain privileges. This flag can be set even if we would expect most distributions may not have this feature enabled or the code compiled; the intent is to describe the consequence of having this vulnerability unpatched, not the expected impact for any particular usage. Specific vendor-assessed impact scores may be published by individual impacted vendors. The exact definition of high consequence is left intentionally vague; this flag is intended to allow reviewers within the cloud-lts community to flag particular vulnerabilities for additional analysis.

The following guidelines may be helpful in filling out the `template.yml` description:
- Strict adherence to the yaml format is not required, but following the template is generally encouraged.
- Any field may be left blank
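Review bot: The new `high_consequence` paragraph does not say what an absent or blank value means, yet the guideline a few lines down states "Any field may be left blank"; since the field is explicitly subjective, a blank could be read either as "reviewed and not high consequence" or as "not yet assessed", so one sentence should fix that, e.g. "Leave `high_consequence` blank if it has not been assessed; set it to `false` only after review." Two wording points in the same paragraph: "either because there's a known exploit or if the exploit appears to be easily used to gain privileges" refers to "the exploit" before one has been established, so "or because the defect appears easy to use for privilege escalation" reads more precisely; and "even if we would expect most distributions may not have this feature enabled or the code compiled" would be clearer as "even if most distributions are not expected to have the feature enabled or the code compiled in".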
3 changes: 3 additions & 0 deletions template.yml
Expand Up @@ -13,6 +13,9 @@ privileges_required: |
[ true, false ] Privileges (root/CAP_*) required to reach vulnerable code.
False if an unprivileged user can trigger the vulnerability, such as with
an unprivileged module load.
high_consequence: |
[ true, false ] True if reviewers recommend this vulnerability receive
heightened scrutiny, e.g. an exploit is known. This field is subjective.
notes: |
Free form text, can be used to elaborate on anything of the above, or provide
a more accurate description of the issue.
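Review bot: The template's description of `high_consequence` gives only one trigger ("e.g. an exploit is known"), while the README text in this same change names two: a known exploit or a defect that appears easy to use to gain privileges. Since the template is what reviewers actually fill in, it should carry both criteria, e.g. "e.g. an exploit is known or the defect appears easy to use for privilege escalation; see README.md", so that the field is applied consistently without having to consult the README. The `[ true, false ]` hint matches the style of `privileges_required` above it, which is good; consider also noting there, as for `notes`, that the field may be left blank when it has not been assessed.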