Fun, another "critical severity" (9.3 CVSS score) CVE for zlib that only affects a reference program that's not shipped.

The CVE has in the meantime been adjusted to a lower score, but too late to stop the security scanners from reporting it and us receiving reports like:

> we found a CRITICAL CVE in the OS level

#AlpineSecurity

Another small improvement. Instead of showing packages that are no longer available in the repositories with a red background, they are shown with a yellow background.

This makes it easier to see which repositories still need to be fixed.

Before, after:

#AlpineSecurity #ux

1. Get notified by a low severity CVE in a bundled dependency in npm
2. Receive an MR to update npm
3. MR gets merged
4. Day later, get notified about a high severity CVE in a bundled dependency in updated version of npm

🤦

#AlpineSecurity

I've just deployed a new version of the secfixes-tracker (software behind https://security.alpinelinux.org).

It fixes the issue where fixed vulnerabilities were still shown as vulnerable in various lists.

For example, https://security.alpinelinux.org/branch/edge-main now shows just 60 entries instead of 818.

#AlpineOps #AlpineSecurity


Working on improving the interface of security.alpinelinux.org.

Most lists are in nondeterministic order (database insertion order), which makes it hard to follow, so I'm trying to improve that.

Screenshots from before and after.

Does anyone have more ideas on how to improve this list further?

#AlpineSecurity #AlpineOps #ux