End-of-life CVEs?

  • Node.js and CVE IDs: The Node.js project has filed CVE IDs for products that are already end of life (EOL). This is exciting for vulnerability nerds, because historically EOL software did not get CVE IDs at all. Views differ: some think it is a great idea, others worry it will destroy modern society.
  • Tracking EOL software: There is currently no good place to track which software is EOL. A few datasets are being worked on, but they are new. CVE could become that place, but getting there is not a simple conversation.
  • Against CVE rules: Filing CVE IDs for EOL products is against the CVE program's rules, and that fact tends to frame the whole discussion. Being against the rules is not by itself an argument, though: many dangerous things are also against CVE rules.
  • Biggest fear: The real concern is the volume of IDs this could unleash. There is an enormous amount of EOL software, especially in open source, and nobody knows how long the list would be.
  • The CVE project: On the main stage, the CVE project controls the ecosystem with an iron fist. They don't listen to anyone else and assume they know more than everyone. They also seem a bit odd, like not wearing pants. Mostly they give each other high fives and don't care about Node.js EOL IDs.
  • Vulnerability data: Near the stage are the vulnerability data groups. They enrich CVE data, but they already can't keep up with the existing volume, so they don't like EOL CVE IDs: it just means more work.
  • Operating systems: Half of the operating system folks are asleep because they assume nothing will change. The other half are the distroless container kids, who shout about legal requirements and wear very small pants. Neither half knows what an EOL CVE would even mean for them.
  • Vulnerability scanners: Near the door, the vulnerability scanner folks sit among empty whiskey bottles and energy drink cans. Some think EOL CVEs are a great idea, some think they're terrible. Their pants situation is unclear.
  • Compliance analysts: This group has to deal with compliance, and more EOL CVE IDs means more work for them. They know the process is broken, but they are at the mercy of everyone else.
  • Open source: At the back, the open source folks are giving away pants, but nobody wants them. When they suggest working together on new pants they get laughed at. There is also a debate about how far community-maintained data can be trusted.
  • Will anything change: The real question is whether EOL CVE IDs will actually change anything, and that is uncertain. It is worth looking at why people are complaining in the first place; often it comes down to overwork and stress. There is a Discord server for discussing vulnerabilities.