On Mon, Apr 1, 2024 at 10:04 PM Marta Rybczynska <[email protected]> wrote:
>
> Hello all,
> The NVD has published an official status as promised at VulnCon:
> https://nvd.nist.gov/general/news/nvd-program-transition-announcement
>
> This does not include much more information. The NVD manager was
> presenting at VulnCon, but without clear details on the way forward.
> They are not stopping, but it is not certain when the analysis will be
> back (they do the CPE and CVSS analysis plus handling emails that are
> apparently in big numbers).
>
> Until there is a solution around NVD, I propose that we run a weekly
> bulletin of which packages require an update for our various branches,
> taking from the CVE data, oss-security and other sources. If there are
> more volunteers, we can do it more frequently. This is important work
> and I would prefer not to be the only one doing this :)
>
> Let's discuss tomorrow during the call.
>

Hello all,

An early prototype of how it might be working in the future:

tooling: https://github.com/mrybczyn/cvelistv5-tools-poc

overrides repo with direct fixes in CVE entries: https://github.com/mrybczyn/cvelistV5-overrides
The tool is very simple: it just takes one product/vendor/version and outputs the status of all CVEs found. It takes around 30s on my machine because it loads the whole CVE database from 300k JSON files.

I also have a version integrated with the data format of the VEX work, but it would require way more code to show. This snapshot gives the idea...

Comments, ideas, fixes welcome!

Regards,
Marta
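For readers unfamiliar with what such a tool has to do, the following is an added example, not code from the cvelistv5-tools-poc or the overrides repository: it matches one vendor/product/version against records in the CVE JSON 5.x shape used by cvelistV5 (`containers.cna.affected[]` with `versions[]` ranges and `defaultStatus`) and lets an overrides map correct an entry's status. The record, vendor and product names, and the CVE id are constructed placeholders; the version comparison is a simplified dotted-numeric one and does not cover every `versionType` the schema allows.

```python
# Added example, not the prototype's own code: status lookup over CVE JSON 5.x
# records plus an overrides map that corrects a record's verdict.
import json
from typing import Dict, Iterable, Optional

# Constructed sample record in cvelistV5 shape; the CVE id is a placeholder.
SAMPLE_RECORD = json.dumps({
    "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
    "containers": {"cna": {"affected": [{
        "vendor": "examplevendor", "product": "exampleproduct",
        "defaultStatus": "unaffected",
        "versions": [{"version": "1.0", "status": "affected",
                      "lessThan": "1.4", "versionType": "semver"}],
    }]}},
})

def version_tuple(v: str) -> tuple:
    """Simplified dotted-numeric comparison key; non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def version_status(affected: dict, version: str) -> str:
    """Status of one 'affected' block for the given version."""
    vt = version_tuple(version)
    for entry in affected.get("versions", []):
        start = version_tuple(entry.get("version", "0"))
        if "lessThan" in entry:
            if start <= vt < version_tuple(entry["lessThan"]):
                return entry["status"]
        elif "lessThanOrEqual" in entry:
            if start <= vt <= version_tuple(entry["lessThanOrEqual"]):
                return entry["status"]
        elif start == vt:  # single-version entry, no range
            return entry["status"]
    # Nothing matched: the schema's defaultStatus decides (unknown if absent).
    return affected.get("defaultStatus", "unknown")

def cve_status(records: Iterable[str], vendor: str, product: str, version: str,
               overrides: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Map CVE id -> status for records naming vendor/product; overrides win."""
    result: Dict[str, str] = {}
    for raw in records:
        rec = json.loads(raw)
        cve_id = rec["cveMetadata"]["cveId"]
        for aff in rec["containers"]["cna"].get("affected", []):
            if aff.get("vendor") == vendor and aff.get("product") == product:
                result[cve_id] = version_status(aff, version)
    for cve_id, status in (overrides or {}).items():
        if cve_id in result:  # override only records that actually matched
            result[cve_id] = status
    return result
```

In a real run `records` would be the contents of the 300k JSON files, and the overrides map would be loaded from a repository of corrected entries.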
