Collect data from Yocto #1468
No, The
@rossburton thanks! I also saw this repo https://github.com/yoctoproject/cve-cna-open-letter, so there is an obvious question: what data do you need exactly from Yocto/OpenEmbedded? I see in https://github.com/yoctoproject/poky/blob/master/meta/classes/cve-check.bbclass that the mapping between a CVE and a Yocto package seems to be based on an approximate query on the name and vendor. Could this be done better? We could track a Yocto PURL type instead in https://github.com/package-url/purl-spec/blob/master/PURL-TYPES.rst and provide here a clear mapping to Yocto's PN/PV (and then likely in other vulnerability databases). (Closely related: I have an oldie-but-goodie branch to detect Yocto/BB packages in https://github.com/nexB/scancode-toolkit/tree/1243-bitbake.)
We have tooling that automatically searches the CVE database for issues with CPEs that we have recipes for, for example if we have a However, with the recent problems at NIST, effectively zero new CVEs in the last few months have had CPEs assigned; this is what the open letter is trying to encourage a resolution on.
Almost certainly!
Adding Yocto seems like a sensible thing to do. The fun will be that oe-core/poky is just a reference distro, so you might want to add a 'distro name' parameter to differentiate 'pure' oe-core from arbitrary vendors' derived distributions.
@rossburton re:
This makes sense. I'll start a PR for PURL and will ping you and Richard there for review.
These are useful qualifiers on kernel CVEs:
See:
@rossburton just curious... do you create this data entirely by hand?