what happens if a vuln is loaded in error?

Jacques A. Vidrine nectar at FreeBSD.org
Mon Jan 24 07:58:34 PST 2005

On Mon, Jan 24, 2005 at 10:47:28AM -0500, Dan Langille wrote:
> On 23 Jan 2005 at 9:58, Dan Langille wrote:
> > I'm looking over the design of how FreshPorts handles VuXML
> > changes.  A thought comes to mind.  If a vuln turns out to be
> > false (i.e not a vulnerability at all, for whatever reason), what
> > changes would be made to the VuXML data?  How would this situation
> > be fixed?
> This commit answers my question:
> http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vuxml/vuln.xml.diff?r1=1.515&r2=1.516&f=h

Yep, I made that one just for you (^_^).  But seriously, let me draw
your attention to the following comments in the VuXML document model
DTD (http://www.vuxml.org/dtd/vuxml-1/vuxml-model-11.mod):

| A given `vuln' element may represent either an active issue
| or a cancelled issue.  Active `vuln's contain the full set
| of sub-elements (topic, affects, and so on).  Cancelled `vuln's
| may contain only a single `cancelled' element.
| A `vuln' should be cancelled only when it was issued in error.

| If a `vuln' is issued in error, it may be cancelled by replacing its
| content with a single `cancelled' element.  The optional `superseded'
| attribute with a VuXML ID value may be used to indicate that another
| `vuln' entry replaced this one.
| Example.
|   <vuln vid="f1d20b27-835f-11d8-a41f-0020ed76ef5a">
|     <cancelled superseded="1ed556e6-734f-11d8-868e-000347dd607f" />
|   </vuln>

Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at FreeBSD.org

More information about the freebsd-vuxml mailing list