Dear Richard and Adrian, I appreciate the efforts of Andrej and Peter; you guys have done a great job improving the CVE-specific security area.
As I mentioned, information on and the importance of VEX status for future use cases: https://patchwork.yoctoproject.org/project/oe-core/patch/[email protected]/#10797

I can see community members are also in favour of VEX: https://patchwork.yoctoproject.org/project/oe-core/patch/[email protected]/#11120

We can start looking in that direction, because to adopt an initial VEX template we just require minor modifications to Andrej's development. In the current implementation we have three main categories of status: "Patched", "Ignored" and "Unpatched". On top of these we want to add comment information, which can be added in JSON format for further processing.

VEX has 4 main categories: Fixed, Not Affected, Affected and Under Investigation. Richard has rightly mentioned that we don't require the Affected status, as those CVEs would be fixed in the near future once a fix is available in the source of the specific package. We can map our existing statuses to VEX statuses as below.

Existing Status | VEX adoption
-------------------------------------------
Patched         | Fixed
Ignore          | Not Affected
Not required    | Not Affected
Unpatched       | Under Investigation

Fixed and Under Investigation don't require any sub-status, as their status is sufficient to explain their case. To get more information on the possible sub-statuses of the Not Affected status, we can follow the reference document below:

https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf : 2.0 Status Justifications Overview

This document covers all the possible cases which have already been discussed or may come up in future development.

Thank you, Richard, for considering my request. I would appreciate comments from you and the community on the adoption of VEX.
Thanks,
Sanjay Chitroda

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Tuesday, June 20, 2023 7:46 PM
To: [email protected]
Cc: Andrej Valek <[email protected]>; Peter Marko <[email protected]>
Subject: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.

The CVE_STATUS should contain information about the status, which is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek <[email protected]>
Signed-off-by: Peter Marko <[email protected]>
---
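As an added illustration (not code from the patch or from either message author) of how the proposed CVE_STATUS / CVE_CHECK_STATUSMAP values would decode into the VEX statuses from the mapping table above, the following Python resolves each "<detailed-status>: <description>" entry to its generic cve-check status, then to its VEX status, and emits the JSON comment record the thread talks about. The statusmap contents, the function names and the sample input are constructed for this example; CVEs the scan found with no CVE_STATUS entry are treated as "Unpatched".

```python
import json

# Generic cve-check statuses mapped to VEX statuses, as in the table above.
GENERIC_TO_VEX = {
    "Patched": "Fixed",
    "Ignored": "Not Affected",
    "Not required": "Not Affected",
    "Unpatched": "Under Investigation",
}

# Constructed CVE_CHECK_STATUSMAP: detailed status enum -> generic status.
CVE_CHECK_STATUSMAP = {
    "not-applicable-platform": "Ignored",
    "fixed-version": "Patched",
}


def parse_cve_status(value):
    """Split "<detailed-status>: <description>" into (detailed, description).
    The description is optional; surrounding whitespace is dropped."""
    detailed, _, description = value.partition(":")
    detailed = detailed.strip()
    if not detailed:
        raise ValueError("CVE_STATUS value has no detailed status: %r" % value)
    return detailed, description.strip()


def to_vex_record(cve_id, value, statusmap=CVE_CHECK_STATUSMAP):
    """Resolve one CVE_STATUS flag to its generic status and VEX status.
    An enum missing from the statusmap is an error rather than a silent Unpatched."""
    detailed, description = parse_cve_status(value)
    if detailed not in statusmap:
        raise KeyError("no CVE_CHECK_STATUSMAP entry for %r" % detailed)
    generic = statusmap[detailed]
    return {"id": cve_id, "status": generic, "vex_status": GENERIC_TO_VEX[generic],
            "detail": detailed, "description": description}


def resolve_cve_status(cve_status, unpatched=(), statusmap=CVE_CHECK_STATUSMAP):
    """Build the record list: all CVE_STATUS entries plus scan hits with no entry."""
    records = [to_vex_record(c, v, statusmap) for c, v in sorted(cve_status.items())]
    for cve_id in sorted(set(unpatched) - set(cve_status)):
        records.append({"id": cve_id, "status": "Unpatched",
                        "vex_status": GENERIC_TO_VEX["Unpatched"],
                        "detail": "", "description": ""})
    return records


def cve_status_to_json(cve_status, unpatched=(), statusmap=CVE_CHECK_STATUSMAP):
    """JSON form of the records, suitable for further processing."""
    return json.dumps(resolve_cve_status(cve_status, unpatched, statusmap), indent=2)
```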