> On 6 Jun 2023, at 06:57, Marta Rybczynska <[email protected]> wrote:
>
> Hello all,
> I'm drafting a fetcher for kernelcves
> (https://github.com/nluedtke/linux_kernel_cves/) and the data conflicts in a
> certain way with cve-extra-exclusions.inc. With multiple fetchers we'll need
> to have a way to say which data set has priority.
>
> For now I can see examples of two cases (in all cases we go for a specific
> kernel version):
>
> Case one:
> NVD says unfixed
> linux_kernel_cves says unknown
> cve-extra-exclusions.inc says IGNORE
>
> Case two:
> NVD says unfixed
> linux_kernel_cves says fixed
> cve-extra-exclusions says IGNORE
>
> In the first case, the solution is IGNORE (some old CVEs), in the second one
> it's PATCHED.
>
> The questions I have: Should cve-extra-exclusions always have priority?
> Should we allow the user to set priority of fetchers?
>
> What I'm going to test is use the kernel_cves fetcher for all kernel CVEs and
> NVD for all the rest. Should it be an option?
>
> I'd like to avoid adding too many options that may cause mistakes…
I’d suggest that the order of priority goes NVD, linux_kernel_cves, then metadata (typically cve-extra-exclusions). With data from kernelcves being pulled in we should be able to purge most of the data in cve-extra-exclusions and only use it when we’ve backported/resolved a CVE that hasn’t been merged upstream.

Very pleased you’re working on fetching from kernelcves too, as manually maintaining the exclusions is tiresome.

Ross
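The resolution rule under discussion, written out as an added example (this is not code from the thread, from cve-check or from the linux_kernel_cves project). It assumes a small common status vocabulary ("unfixed", "Patched", "Ignored", "unknown"), takes Ross's suggested order as a lowest-to-highest precedence list in which a later source overrides an earlier one only when it has an opinion, and reports which sources were overridden so stale exclusions can be reviewed. Marta's two cases are transcribed from the quoted mail; the source names, the `resolve` function and the `Resolution` record are illustrative assumptions.

```python
"""Added example: resolving one CVE's status when several fetchers disagree,
using an explicit priority list. Names and status values are assumptions."""

from dataclasses import dataclass
from typing import Optional

# Common status vocabulary assumed for this example. 'unknown' means a source
# has no opinion and must never override another source's verdict.
UNKNOWN = "unknown"
UNFIXED = "unfixed"
PATCHED = "Patched"
IGNORED = "Ignored"

# Ross's suggested order, lowest to highest precedence: a later source wins
# over an earlier one whenever it actually has an opinion.
DEFAULT_PRIORITY = ("nvd", "linux_kernel_cves", "cve-extra-exclusions")

# Map each source's own wording onto the common vocabulary above (assumed).
SOURCE_VOCAB = {
    "nvd": {"unfixed": UNFIXED},
    "linux_kernel_cves": {"fixed": PATCHED, "unknown": UNKNOWN},
    "cve-extra-exclusions": {"IGNORE": IGNORED},
}


@dataclass(frozen=True)
class Resolution:
    status: str
    decided_by: Optional[str]      # source whose verdict won; None if nobody knew
    conflicts: tuple               # sources with a known, different verdict that lost


def resolve(verdicts: dict, priority=DEFAULT_PRIORITY) -> Resolution:
    """Pick the winning status for one CVE.

    `verdicts` maps source name -> that source's raw verdict. Sources absent
    from the map, or reporting 'unknown', abstain. Among the rest, the source
    latest in `priority` wins; every overridden source is listed in
    `conflicts` so a maintainer can see which exclusions are now redundant.
    """
    unlisted = set(verdicts) - set(priority)
    if unlisted:
        # Refuse to guess where an unranked fetcher belongs.
        raise ValueError(f"sources without a priority: {sorted(unlisted)}")
    known = []
    for source in priority:
        raw = verdicts.get(source)
        if raw is None:
            continue
        status = SOURCE_VOCAB.get(source, {}).get(raw, raw)
        if status == UNKNOWN:
            continue
        known.append((source, status))
    if not known:
        return Resolution(UNKNOWN, None, ())
    winner_source, winner_status = known[-1]
    overridden = tuple(s for s, st in known[:-1] if st != winner_status)
    return Resolution(winner_status, winner_source, overridden)


# Marta's two cases, transcribed from the quoted mail (constructed input).
CASE_ONE = {"nvd": "unfixed", "linux_kernel_cves": "unknown",
            "cve-extra-exclusions": "IGNORE"}
CASE_TWO = {"nvd": "unfixed", "linux_kernel_cves": "fixed",
            "cve-extra-exclusions": "IGNORE"}

if __name__ == "__main__":
    for name, case in (("case one", CASE_ONE), ("case two", CASE_TWO)):
        print(name, resolve(case))
    # Ranking linux_kernel_cves above the exclusions flips case two to Patched.
    print("case two, kernel data ranked last:",
          resolve(CASE_TWO, ("nvd", "cve-extra-exclusions", "linux_kernel_cves")))
```

With the default order both cases resolve to Ignored, and case two reports linux_kernel_cves as an overridden source, which is exactly the signal that the exclusion entry can be purged. Moving linux_kernel_cves to the end of the list makes case two resolve to Patched instead, so the choice of order is what decides Marta's second case; surfacing the conflicts is what keeps either choice auditable.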
View/Reply Online (#182470): https://lists.openembedded.org/g/openembedded-core/message/182470
