[LTP] Query: LTP CVE test cherry picking

[LTP] Query: LTP CVE test cherry picking

[Pankaj Vinadrao Joshi]

Hi,
I know LTP covers CVE tests but i want to know does LTP covers all CVE tests, how  LTP cherry picks it ??


Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.linux.it/pipermail/ltp/attachments/20201223/f34b4f5f/attachment.htm>

[LTP] Query: LTP CVE test cherry picking

[Cyril Hrubis]

Hi!
> I know LTP covers CVE tests but i want to know does LTP covers all CVE
> tests, how  LTP cherry picks it ??

There is not much to cherry pick. We write tests for CVEs if it's
feasible. That usually means that there is a public reproducer for the
CVE that could be turned into automated testcase, which is not always
the case.

We are sometimes notified about such cases by developers that are
working on security and it usually ends up as a github issue. We do have
a few of these there with a tag "reproducer" with a link to reproducer
and description. These issues then hangs in the issue until someone has
time to work on that.

To sum it up, implementation of CVE testcases in LTP is best effort and
we are trying to cover as much as possible with the manpower we have.

-- 
Cyril Hrubis
chrubis@suse.cz