Hello all, Following numerous discussions in Seattle and otherwise (and having an OK from Richard to announce the work :), there is important work in progress on the tooling around CVE checking.
1. Addition of VEX: Vulnerability Exploitability eXchange (VEX) allows having machine-readable information about vulnerabilities in a project or build. The JSON format of cve-check is a kind of VEX, and we are working on a more standard one. The final format is not confirmed yet. What we have looks more like OpenVEX for now. This may change to CSAF. In all cases, it will be easy to add another format if people are interested.

2. cve-check over SPDX(+VEX): it will be possible to run cve-check over an existing SPDX file (with existing VEX) and get an updated status. Imagine re-assessing vulnerabilities for an image built 6 months ago...

3. cve-check standalone: as a side effect, cve-check will become a separate tool (yes, you could use it to check a particular package).

4. In response to the NVD situation, and using the work done above, we have a prototype using the CVE raw data, not the NVD data. This requires an override database to fix issues with some CVE entries.

The submission of RFCs will come in a few weeks' time. I'm planning to publish the "4" override database and a simple script as a PoC this week. Our local copy is somewhat functional for regular scanning of our repositories.

If you have pending work around cve-check or spdx, please please put us in copy of your submission so that we can re-integrate. We have already branched off.

And finally, there's the open letter you can sign: https://lists.openembedded.org/g/openembedded-architecture/message/1990

Let's discuss during the call today or by the mailing list if you have any questions!

Kind regards,
Marta
View/Reply Online (#1991): https://lists.openembedded.org/g/openembedded-architecture/message/1991