On Thu, 21 Sept 2023, 11:03 Matsunaga-Shinji, <shin.matsun...@fujitsu.com>
wrote:

> CVEs that are currently considered "Patched" are classified into the
> following 3 statuses:
> 1. "Patched"      - means that a patch file that fixed the vulnerability
> has been applied
> 2. "Out of range" - means that the package version (PV) is not subject to
> the vulnerability
> 3. "Undecidable"  - means that versions cannot be compared to determine if
> they are affected by the vulnerability


Hello,
Thank you for your patch. I'm wondering what your use case is. What do you
do with that data? Currently in YP we aim to do as much automatic
classification as we can. We only adjust the classification manually when
it is clearly wrong.

Now, in this piece of code I don't see setting up 'out-of-range', while it
is possible to separate the not affected case and the case when we apply a
patch. I do not understand the 'undecidable' classification. Could you
give an example of a situation when it makes sense to use it?

On the naming side, I'd prefer 'Not Affected' for out-of-range, because
that term is often used in error conditions. In this case there is no error
at all.

Kind regards,
Marta



-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#188666): 
https://lists.openembedded.org/g/openembedded-core/message/188666
Mute This Topic: https://lists.openembedded.org/mt/101496298/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
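As an added illustration of the three statuses quoted at the top of the thread (Patched / Out of range / Undecidable), here is a toy classifier. It is not cve-check code from openembedded-core and not part of either message; the "Unpatched" status for an in-range, unfixed version, the exclusive end bound, the rule that only plain dotted-numeric versions are comparable, and the git-hash PV in the sample input are assumptions made for the example.

```python
"""Toy CVE status classifier (added example, not openembedded-core code).

Models the statuses named in the quoted message:
  "Patched"       - a patch file referencing the CVE has been applied
  "Out of range"  - the package version (PV) lies outside the affected range
  "Undecidable"   - PV or range bounds cannot be compared as versions
plus "Unpatched" (assumption) for a version inside the range with no patch.
"""
import re
from typing import Optional, Set, Tuple

Version = Tuple[int, ...]


def parse_version(version: str) -> Optional[Version]:
    """Return a comparable tuple, or None when the string is not plain
    dotted numerals. Assumption: anything else (git hashes, '+snapshot',
    letter suffixes) is treated as not comparable."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    return tuple(int(part) for part in version.split("."))


def version_cmp(a: Version, b: Version) -> int:
    """Compare two tuples, padding with zeros so 1.2 == 1.2.0."""
    width = max(len(a), len(b))
    pa = a + (0,) * (width - len(a))
    pb = b + (0,) * (width - len(b))
    return (pa > pb) - (pa < pb)


def classify(pv: str, cve_id: str,
             affected: Tuple[Optional[str], Optional[str]],
             applied_cves: Set[str]) -> str:
    """Classify one CVE for a recipe.

    affected      -- (start, end): start inclusive, end exclusive (assumption);
                     None means unbounded on that side.
    applied_cves  -- CVE ids named by patch files applied to the recipe
                     (cve-check collects these from "CVE:" tags in patches).
    """
    if cve_id in applied_cves:
        return "Patched"

    start, end = affected
    v = parse_version(pv)
    lo = parse_version(start) if start is not None else ()
    hi = parse_version(end) if end is not None else None

    # Any bound or PV that does not parse makes the comparison impossible.
    if v is None or lo is None or (end is not None and hi is None):
        return "Undecidable"

    if version_cmp(v, lo) < 0 or (hi is not None and version_cmp(v, hi) >= 0):
        return "Out of range"
    return "Unpatched"


# Constructed sample inputs, one per status.
SAMPLES = [
    ("1.2.3", "CVE-2023-0001", ("1.0", "1.3"), {"CVE-2023-0001"}),       # Patched
    ("1.3", "CVE-2023-0001", ("1.0", "1.3"), set()),                     # Out of range (end exclusive)
    ("1.2.3", "CVE-2023-0001", ("1.0", "1.3"), set()),                   # Unpatched
    ("1.2+gitAUTOINC+0123abcd", "CVE-2023-0001", ("1.0", "1.3"), set()), # Undecidable
    ("2.0", "CVE-2023-0001", ("1.0", None), set()),                      # Unpatched (open-ended range)
]


def run_samples():
    return [classify(*sample) for sample in SAMPLES]


if __name__ == "__main__":
    for sample, status in zip(SAMPLES, run_samples()):
        print(f"PV={sample[0]!r:28} range={sample[2]} -> {status}")
```

The git-hash PV case is the kind of situation where "Undecidable" applies: the recipe's PV is not a version that can be ordered against the CVE's affected range, so neither "Patched" nor "Out of range" can be asserted, and the result should be surfaced for manual review rather than silently counted as fixed.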