On Fri, 2023-06-02 at 23:10 +0200, [email protected] wrote:
> I like the VEX proposal from Sanjay.
>
> - It is a standard that can be supported by many tools and requested by
> customers. One use case I see is where a vendor sells a product with an
> SBOM. The customer can then match the open vulnerabilities to the
> current state of the NIST database using a standard tool based on SBOM.
> Aligning the categories to a standard would be helpful for this.
> (Yocto's CVE check is great for Yocto, but cannot be used independently
> of Yocto.)
> - A minimum number of categories is defined. All details can be added
> to the REASON variable.
I think you could map some of the status items I proposed to VEX statuses but I'm not convinced it makes sense to go directly to that. Anything we don't have a status for is effectively "under investigation", anything we don't list is fixed or not affected, and if we know something is affected, a fix would likely follow very quickly. The data set doesn't really fit what we're able to do or the workflows we can follow, even if it is what some product customers would want to know. Part of the issue is we're not the actual product here.

Cheers,

Richard
