Date: Tue, 17 Aug 2004 21:18:33 +0200
From: Oliver Eikemeier <eikemeier@fillmore-labs.com>
To: FreeBSD-vuxml@FreeBSD.org
Subject: portaudit wishlist
Message-ID: <3AF421B2-F082-11D8-924A-00039312D914@fillmore-labs.com>
Ok, things that I think would be really useful (incomplete list):

- csh-style braces. When this is not the right syntax, this could be done with <optional>ja-</optional>bugzilla or <alternate><choice>ja-</choice><choice>kr-</choice></alternate>cups, but we have many slave ports which just differ in prefixes/suffixes, and it would be easy to expand them when reading the file. Yes, portaudit does linear searches. Besides, this will greatly diminish the size of the database. I'm even willing to sacrifice glob patterns `*' and `?' for that, although they can be quite convenient sometimes.

- 1.* notation as the `smallest 1.x version possible'. 1.a is not the smallest; besides, it is not completely transparent why .a is chosen in the range. When the `*' is the problem, this could be easily changed to a random character, or even a <ger></ger> (greater equal range) tag (ok, the name is silly), but I want to have some standard way like >= 1.* < 2.* to match all 1.x and nothing else. No, I don't think >= 1.a < 2.a is good here.

- make `discovery' optional. It's a nice-to-have, but sometimes hard to find out, and dummy entries like entry = discovery do not help anyone. (ok, superseded by another thread).

- make `description' optional. It is in the way of `quick' entries which should be researched later. Of course it is acceptable to fill it with a dummy value, but in this case it shouldn't be present IMHO and the dummy value should be provided by the rendering code. Or will an empty tag do?

- make a `severity' field available. Of course it might be inaccurate, and software might want to ignore it and provide its own data. Yet it is useful when you only have time for a quick glance (notify me immediately of severe vulnerabilities, all others should only appear in Friday's report). It is a valuable guidance for the users, although I'm aware it is very error-prone.

- add a classification into remote/local exploitable

- add a `fixed' field that lists a version where the vulnerability is fixed. This could be used for a recommendation message, like "upgrade to version xxx" or "no upgrade is available, please deinstall the port or proceed with caution". This could also be realized as an alternate <lt> tag.

- Also we should add tags for the most popular references. Speaking of references, I would prefer something like <bid num="10499">CVS Multiple Vulnerabilities</bid>, which means they can be rendered with a meaningful line (but most not, so <bid num="10499"/> is legal too).

Ok, too many threads now. I have to look into this a little closer.

-Oliver
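The two syntax proposals in this message (csh-style braces for slave-port names, and `1.*` as the smallest 1.x version so that `>= 1.* < 2.*` covers exactly the 1.x line) as an added example in Python; this is not portaudit's or VuXML's own code, and the entry dict shape, the `affected()` helper, the installed-package sample and the numeric-only version assumption are all constructed for the illustration.

```python
OPS = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b,
       "<=": lambda a, b: a <= b, "<": lambda a, b: a < b}

def brace_expand(pattern):
    """'{ja-,kr-,}cups' -> ['ja-cups', 'kr-cups', 'cups'].
    Nested braces recurse; an empty alternative makes a prefix optional."""
    start = pattern.find("{")
    if start == -1:
        return [pattern]
    depth = 0
    for end in range(start, len(pattern)):        # locate the matching '}'
        depth += {"{": 1, "}": -1}.get(pattern[end], 0)
        if depth == 0:
            break
    else:
        raise ValueError("unbalanced braces: " + pattern)
    head, body, tail = pattern[:start], pattern[start + 1:end], pattern[end + 1:]
    alts, depth, cur = [], 0, ""
    for ch in body:                               # split on top-level commas only
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == "," and depth == 0:
            alts.append(cur)
            cur = ""
        else:
            cur += ch
    alts.append(cur)
    out = []
    for alt in alts:
        for name in brace_expand(head + alt + tail):
            if name not in out:                   # keep first occurrence, drop duplicates
                out.append(name)
    return out

def version_key(v):
    """Numeric dotted versions only (assumption). The proposed '1.*' becomes (1,),
    which sorts after every 0.x and before every 1.x, so '>= 1.* < 2.*' is exactly 1.x."""
    parts = v.split(".")
    return tuple(int(p) for p in (parts[:-1] if parts[-1] == "*" else parts))

def in_range(version, spec):
    """spec is a space-separated list of bounds, e.g. '>= 1.* < 2.*'; all must hold."""
    toks = spec.split()
    return all(OPS[op](version_key(version), version_key(bound))
               for op, bound in zip(toks[::2], toks[1::2]))

def affected(installed, entry):
    """installed: {pkgname: version}; entry (constructed shape): {'names': [patterns], 'range': spec}.
    Returns the installed packages the entry matches."""
    names = {n for p in entry["names"] for n in brace_expand(p)}
    return sorted(p for p, v in installed.items() if p in names and in_range(v, entry["range"]))
```

One `{ja-,kr-,}cups` pattern replaces three database entries, and `>= 1.* < 2.*` matches 1.0 and 1.2.3 but neither 0.9 nor 2.0.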