Dear Debian Security Team,

My name is Yunhe Yang, and I am a Ph.D. student specializing in Computer Security. I am writing to discuss some observations and questions about the data on the Debian security tracker webpage and the downloadable JSON file for local database use.

In my research, I have been utilizing data from the Debian security tracker, which has been incredibly valuable. However, I have noticed some significant differences between the information available on the webpage and the data provided in the
downloadable JSON file:

Limited Information in JSON: The downloadable JSON file includes only the package name, ID, and a brief description of each vulnerability. In contrast, the webpage provides a much richer data set, including sources, release information, version, fixed
version, and status.

Advantages and Disadvantages: While the webpage's comprehensive source collection is highly beneficial for comparing different descriptions of the same vulnerability, the JSON file's limited information significantly reduces its utility. The absence of
crucial details like fixed versions and status in the JSON file makes it less useful than the webpage data.

Given the importance of detailed and comprehensive data for security research and analysis, I would like to know if there are plans to include more detailed information in the JSON file, similar to what is available on the webpage. This enhancement would
greatly aid researchers like myself in conducting thorough and efficient analyses.

I understand that maintaining and updating security databases requires significant effort, and I appreciate the valuable resources that Debian provides to the community. Any other information or insights you could give would be very helpful. Thank you
for your time and consideration. I'm looking forward to any guidance or information you can give me.


Best Regards,
Yunhe Yang

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Dec 13, 2023 at 07:08:45PM +0000, YUNHE YANG wrote:

Dear Debian Security Team,

My name is Yunhe Yang, and I am a Ph.D. student specializing in Computer Security. I am writing to discuss some observations and questions about the data on the Debian security tracker webpage and the downloadable JSON file for local database use.

[...]

You mean those, I assume:

https://security-tracker.debian.org/tracker/
https://security-tracker.debian.org/tracker/data/json

I suppose the web page enriches the JSON data with information
available from other Debian sources.

That said, this is Debian, so you get the source code for (nearly)
everything. The security tracker's source seems to be here:

https://salsa.debian.org/security-tracker-team/security-tracker/

...so you can perhaps study how the web page fills in the data
you are missing in the JSON. And you can contact the authors
in case of doubt.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZXqX2wAKCRAFyCz1etHa RmoAAJ4jnf7FIMgnV9rryg0MnPWoJSxJaACcDKz88wOmxa+4+kASFNcDaakQOi0=
=BZ7p
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, Dec 14, 2023 at 06:51:23AM +0100, [email protected] wrote:

On Wed, Dec 13, 2023 at 07:08:45PM +0000, YUNHE YANG wrote:

Dear Debian Security Team,

My name is Yunhe Yang, and I am a Ph.D. student specializing in Computer Security. I am writing to discuss some observations and questions about the data on the Debian security tracker webpage and the downloadable JSON file for local database use.

[...]

You mean those, I assume:

https://security-tracker.debian.org/tracker/
https://security-tracker.debian.org/tracker/data/json

I suppose the web page enriches the JSON data with information
available from other Debian sources.

OK, now I feel I have to ask the original poster: what parts that
are available on the webpage are not available in the JSON file?
From a quick look, it seems to me that the JSON file contains
a lot of information about Debian releases, fixed versions of
the packages (when available), and other things also found on
the webpage.

That said, this is Debian, so you get the source code for (nearly) everything. The security tracker's source seems to be here:

https://salsa.debian.org/security-tracker-team/security-tracker/

...so you can perhaps study how the web page fills in the data
you are missing in the JSON. And you can contact the authors
in case of doubt.

That part is also true.

G'luck,
Peter

--
Peter Pentchev [email protected] [email protected] [email protected]
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13

-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEELuenpRf8EkzxFcNUZR7vsCUn3xMFAmV7m90ACgkQZR7vsCUn 3xMYdg/+J5nqUh6NpsfFIFz1OwIO/+o6ggPSMjDZqxC1LTb17FP42enojHnjitWe ac5QXjsDzpdLCeDCMlo3o2PNUV61udNkupkpBh388lRo/ShvBGRxg182YW8OsmEX aGD+xR7zxLKJiiXHJ3kxR/2AV3FDiMGGurJQAIdc5w1eCoPRUDGq8eMS7y0SD3YC 1ZX+GYy9flnQp9zbUtrw6LULff1WP0PK/MxUX7QKRIGdqyQzpQIffkfGGnF2P/Y1 NI/biNPaCb+j3korAYCLAUWpF7w1o1NwfX3o2Q5bfcGtoI60/dWqOT/6js/LGaYM A//eVbfLKbjz+ulD0sGKLCcWQWmTqJTtqLkB43Z43XZtPf3Bl2D8sZmzwdsuF9v2 sUOwxH0UnZtbCc2YuZ8m+Bvh5f9QXcfJRFHVi52phItp3VBog4j7++c7acJ1+08Y 6OfheAPD9jzerRiUIY3HbJTRZo6PvRWD5oxSDE1D62AgoNpWcN/p8FEVnOHC+cQO 8geCGjQi/QQi7+jqlZRz0GIiAQ11oakNhz+hE3xJUqUg7zYUEHzTgI8KoSVnpdCE a8dQuh3M3nsAgccxIX0HP2/29mpSqGYLzD7eSjhR8NyraUPqYVqLKLJQouivWBWj K/1N7sKrCj4EH8qR4fQrLjEF0FR1/nc7S3fMLIEOYozIFO/iWCk=
=IlXj
-