- Obtain repo in BBVA's GitHub org (request to LEGAL dept.)
- git filter-branch pancho's email
- Add legal headers to code files
- Move repo to BBVA's
- Build a static release and publish it (this enables us to show it around)
- Integrate tool with Patton
- Build a pipeline to build the tool
- Build a pipeline for publishing GENERIC and any other release
- Document usage so that we can communicate with Ubuntu
- Contact Ubuntu and introduce the project to them
- Cleanup: purge unused code from the PoC
- Implement CVSS parser
  - maybe contribute it to the Haskell community: does not apply, we only tested it for one case
- Implement Sources section: fetch the Sources indexes with wget http://ftp.ubuntu.com/ubuntu/dists/{bionic,eoan,focal,groovy,trusty,xenial}{,-security,-updates,-proposed,-backports}/{main,universe,multiverse,restricted}/source/Sources.xz
- CVE entries in the vulnerabilities section should have their messages truncated to 69 characters, followed by a space and '...'. TEMP-* entries are the exception: they are kept in full.
- Cleanup: Move things around to improve readability
- Normalize naming of Haskell source filenames (suffix Impl)
- Rename "not vulnerable" to "non-vulnerable"
- ...
- Try to ensure a smooth out-of-the-box experience for Ubuntu users of debsecan (possibly sending Ubuntu a PR setting the default --source URL). They have a decade-old issue still open.
- Profit!

Two possible outcomes:

- Ubuntu adopts this transformer and integrates it into its security pipeline to produce the required databases. This scenario seems quite future-proof to us.
- Ubuntu does not accept this converter nor enhancing their pipeline with it. In this case we would provide a container with the necessary elements to produce the report ourselves.
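As an added example for the Sources step in the list above (not code from this project), a Python sketch that parses the control-file stanzas of an Ubuntu Sources index and maps each binary package to its source package and version. That this mapping is what the Sources section needs is my assumption; the sample stanzas and versions are constructed.

```python
import lzma

# Constructed sample of two stanzas in the Debian/Ubuntu "Sources" index
# format (what the dists/.../source/Sources.xz URLs above serve).
SAMPLE_SOURCES = """\
Package: openssl
Binary: openssl, libssl1.1, libssl-dev, libssl-doc
Version: 1.1.1f-1ubuntu2.16
Architecture: any all
Format: 3.0 (quilt)

Package: nginx
Binary: nginx, nginx-common, nginx-core,
 nginx-extras, nginx-full, nginx-light
Version: 1.18.0-0ubuntu1.4
Architecture: any all
"""

def parse_stanzas(text):
    """Split a control-file index into a list of {field: value} dicts.
    Blank lines separate stanzas; a line starting with whitespace
    continues the previous field (e.g. a long Binary: list)."""
    stanzas, current, last_field = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if current:
                stanzas.append(current)
            current, last_field = {}, None
        elif line[0] in " \t" and last_field:
            current[last_field] += " " + line.strip()
        else:
            field, _, value = line.partition(":")
            current[field] = value.strip()
            last_field = field
    if current:
        stanzas.append(current)
    return stanzas

def binary_to_source(text):
    """Map each binary package name to (source package, source version)."""
    mapping = {}
    for st in parse_stanzas(text):
        for b in st.get("Binary", "").split(","):
            if b.strip():
                mapping[b.strip()] = (st["Package"], st["Version"])
    return mapping

def load_sources_xz(path):
    """Decompress a downloaded Sources.xz file and build the same mapping."""
    with lzma.open(path, "rt", encoding="utf-8") as fh:
        return binary_to_source(fh.read())
```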