Hello all,

I'm drafting a fetcher for kernelcves (https://github.com/nluedtke/linux_kernel_cves/) and the data conflicts in a certain way with cve-extra-exclusions.inc. With multiple fetchers we'll need to have a way to say which data set has priority.

For now I can see examples of two cases (in all cases we go for a specific kernel version):

Case one:
NVD says unfixed
linux_kernel_cves says unknown
cve-extra-exclusions.inc says IGNORE

Case two:
NVD says unfixed
linux_kernel_cves says fixed
cve-extra-exclusions says IGNORE

In the first case, the solution is IGNORE (some old CVEs), in the second one it's PATCHED.

The questions I have:
Should cve-extra-exclusions always have priority?
Should we allow the user to set priority of fetchers?

What I'm going to test is to use the kernel_cves fetcher for all kernel CVEs and NVD for all the rest. Should it be an option? I'd like to avoid adding too many options that may cause mistakes...

Ideas? Comments?

Kind regards,
Marta
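
Added example, not part of the original message and not code from cve-check or the proposed fetcher: a sketch of resolving the two cases above with an ordered source list in which "unknown" counts as no opinion. The source keys, the UNPATCHED status, and the function names are assumptions made for illustration.

```python
# Illustration only. Source names and status strings are modelled on the
# e-mail; "UNPATCHED" and all function names are assumptions.

ABSTAIN = {"unknown", None}          # a source with no opinion is skipped

# Map each source's wording onto one result vocabulary.
NORMALISE = {"unfixed": "UNPATCHED", "fixed": "PATCHED", "IGNORE": "IGNORE"}

# Constructed inputs matching "Case one" and "Case two" from the message.
CASE_ONE = {"nvd": "unfixed", "linux_kernel_cves": "unknown",
            "cve-extra-exclusions": "IGNORE"}
CASE_TWO = {"nvd": "unfixed", "linux_kernel_cves": "fixed",
            "cve-extra-exclusions": "IGNORE"}

KERNEL_FIRST = ["linux_kernel_cves", "cve-extra-exclusions", "nvd"]
EXCLUSIONS_FIRST = ["cve-extra-exclusions", "linux_kernel_cves", "nvd"]


def resolve(reports, priority):
    """Return (status, source) from the first source in priority with an opinion."""
    for source in priority:
        raw = reports.get(source)
        if raw in ABSTAIN:
            continue
        return NORMALISE[raw], source
    # No source has an opinion: keep reporting the CVE rather than hiding it.
    return "UNPATCHED", None


def overridden(reports, priority):
    """List (source, status) pairs that disagreed with the chosen status.

    Logging these keeps a priority choice from silently masking a conflict.
    """
    chosen, winner = resolve(reports, priority)
    return [(s, NORMALISE[reports[s]]) for s in priority
            if s != winner and reports.get(s) not in ABSTAIN
            and NORMALISE[reports[s]] != chosen]


if __name__ == "__main__":
    for name, case in (("case one", CASE_ONE), ("case two", CASE_TWO)):
        for order in (KERNEL_FIRST, EXCLUSIONS_FIRST):
            print(name, order[0], resolve(case, order), overridden(case, order))
```

With the kernel-specific source first, both cases come out as the message expects (IGNORE, then PATCHED); with the exclusions file first, case two resolves to IGNORE instead.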
