undefined | Better HN

0 pointsmasklinn4mo ago0 comments

Yup, and people get real stupid with it too. I’ve seen people request an update to fix redos vulnerabilities in a go package using the stdlib only. Because some time some where a bot flagged the regex and a CVE was opened with no consideration that it was nonsensical.

You explain that the CVE makes no sense, and you’re met with the response that “ok but did when”

0 comments

rpcope14mo ago

The Black Duck scanner in particular I've found is really easy to misconfigure to siphon up all sorts of crazy shit. Did some coworker write a one-off support script that uses an ancient container in some random repository? Oops now you've got to answer to why you've got a dozen Debian or Alpine vulns in a product that ships on bare metal RHEL. If your build process is not 100% lunar lander clean, which in the era of ship trash as fast as possible, it's not going to be, you inevitably end up with an absolute deluge of things flagged that you have no idea where they came from or how to explain to some suit that no we're not shipping Debian Jessie in 2025, calm down.

masklinnOP4mo ago

*fix not did (damn you autocorrect)

j / k navigate · click thread line to collapse

0 pointsmasklinn4mo ago0 comments

You explain that the CVE makes no sense, and you’re met with the response that “ok but did when”

0 comments

rpcope14mo ago

masklinnOP4mo ago

*fix not did (damn you autocorrect)

j / k navigate · click thread line to collapse