Hello Richard and Andrej,

Recently, I have observed the OpenEmbedded team is going beyond "patched" status for CVE. This change is required and helps to capture additional status. We can identify and define the reason for a whitelisted CVE or a CVE that is not "patched".

Customers can get this reason and identify whether their product is vulnerable to a specific vulnerability or not. VEX is the standard tool used by many customers to check the vulnerability of the product. I suggest we adopt the VEX standard instead of "Ignored" or "Not applicable".

○ NOT AFFECTED – No remediation is required regarding this vulnerability.
○ AFFECTED – Actions are recommended to remediate or address this vulnerability.
○ FIXED – These product versions contain a fix for the vulnerability.
○ UNDER INVESTIGATION – It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.

The four main categories of the VEX standard cover all possible cases, which are required to consider all potential cases. We can expand the cve-check to validate against the main VEX standard, and we can use sub-status information as a possible reason for reference.

Please find below reference information on how VEX and SBOM can work together:
https://www.rezilion.com/guides/vulnerability-exploitability-exchange-vex-a-guide/

More information on VEX standards and use cases:
https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf

Thanks,
Sanjay

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Friday, May 19, 2023 6:49 PM
To: openembedded-core@lists.openembedded.org; michael.opdenac...@bootlin.com
Cc: Marko, Peter <peter.ma...@siemens.com>
Subject: Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs

Hello Michael,

I wanted to use a "CVE_STATUS_REASON", but it was advised here https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So I was thinking that it has to be correct.
Regards,
Andrej

On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
>
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING]
> > to be more flexible. CVE_STATUS should contain a flag for each CVE
> > with accepted values "Ignored", "Not applicable" or "Patched". It
> > allows adding a status for each CVE.
> > - Optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added in csv/json report
> > like a new "reason" entry.
>
> I'm not a native English speaker, but what about just
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
>
> "Reasoning" is a mental process if I understand correctly. See
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
> It seems to me that the term "reason" should be sufficient, as the
> "reason" flag that you're using.
>
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
>
> Michael.
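As an added illustration of Sanjay's proposal (not code from the thread or from the OpenEmbedded cve-check class), the script below maps the CVE_STATUS values discussed here ("Patched", "Not applicable", "Ignored", plus the unpatched case) onto the four VEX statuses and emits one VEX-style statement per CVE from a constructed cve-check-like JSON report carrying the proposed "status" and "reason" entries. The report shape, the mapping table and the lowercase VEX status strings are assumptions, and an "Ignored" entry with no reason recorded is deliberately not reported as NOT AFFECTED.

```python
import json

# Assumed mapping from the CVE_STATUS values discussed in the thread to
# the four VEX statuses. "Ignored" only becomes not_affected when a reason
# is recorded (see report_to_vex); "Unpatched" is the open case.
CVE_STATUS_TO_VEX = {
    "Patched": "fixed",
    "Not applicable": "not_affected",
    "Ignored": "not_affected",
    "Unpatched": "affected",
}

# Constructed sample shaped like a cve-check JSON report with the proposed
# "status" and "reason" fields. CVE ids are placeholders, not real CVEs.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [{
        "name": "examplepkg", "version": "1.2.3",
        "issue": [
            {"id": "CVE-0000-0001", "status": "Patched", "reason": "backported fix"},
            {"id": "CVE-0000-0002", "status": "Not applicable", "reason": "code path not built"},
            {"id": "CVE-0000-0003", "status": "Ignored"},
            {"id": "CVE-0000-0004", "status": "Unpatched"},
        ],
    }],
})


def report_to_vex(report_json):
    """Return one VEX-style statement per CVE in a cve-check style report.

    A not_affected claim without a recorded reason is downgraded to
    under_investigation, so a missing justification is never silently
    published as "no remediation required".
    """
    statements = []
    for pkg in json.loads(report_json)["package"]:
        product = f"{pkg['name']}@{pkg['version']}"
        for issue in pkg.get("issue", []):
            status = issue.get("status", "Unpatched")
            vex = CVE_STATUS_TO_VEX.get(status, "under_investigation")
            reason = issue.get("reason", "")
            if vex == "not_affected" and not reason:
                vex = "under_investigation"
                reason = "no justification recorded for status " + status
            statements.append({"vulnerability": issue["id"], "product": product,
                               "status": vex, "justification": reason})
    return statements


if __name__ == "__main__":
    print(json.dumps(report_to_vex(SAMPLE_REPORT), indent=2))
```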
View/Reply Online (#181636): https://lists.openembedded.org/g/openembedded-core/message/181636