On Fri, Jun 21, 2024 at 3:18 PM Ross Burton via lists.yoctoproject.org <[email protected]> wrote:
> Hi Marta,
>
> On 31 May 2024, at 15:06, Marta Rybczynska via lists.yoctoproject.org
> <[email protected]> wrote:
> >
> > How to use:
> > 1. Download the database to use:
> > - for NVD, use cve-update-nvd2-native.py
> > - for the CVE database, get the CVEv5 git repository: either the
> > upstream one at https://github.com/CVEProject/cvelistV5 or the one with
> > OE-related fixes at https://github.com/mrybczyn/cvelistV5-overrides
> > (recommended)
>
> This is the biggest issue that's bothering me right now - the need for a
> fork. Would it be possible to load the canonical cvelist and then augment
> it with extra data (using the Authorized Data Publisher schema?) from
> another repository that just contains that extra data? Having a fork of
> cvelistV5 and having to rebase it feels like it will lead to problems and
> be fragile.

Applying ADP (we'll add support just after finishing the tests in progress now) requires modifying JSONs for each affected entry. The only ADP today is CISA, and their entries have been merged in the cvelistV5 repo. For us, becoming an ADP would likely take time.

Adding ADP clauses separately requires you to modify the entry, so you need to keep it somewhere. I see two options: either fork and modify, or copy separate files and modify in place. I didn't go for the second solution, because entries do actually change, and copies would likely mean more work (for example, they have recently converted all entries automatically to the 5.1 schema).

For now, the rebase is actually working well (had a few issues after the 5.1 update, but that was my fault). What I haven't done yet is submitting fixes for old entries - the number of affected CNAs is quite small, so maybe we can lower the backlog quite rapidly.

BTW, the CISA extension adds a notion of the exploitability of the vulnerability - this is additional information we can report. An unfixed CVE that is exploited vs. not exploited: this is a different class of useful information.

Kind regards,
Marta
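The approach Ross suggests (load the canonical cvelist record, then layer extra data kept in a separate repository on top of it as an ADP container) and the exploitation-status lookup Marta mentions can be sketched as follows. This is an added example, not code from the thread, from cve-update-nvd2-native.py or from either cvelistV5 repository. It assumes the CVE record format 5.x layout (containers.cna plus a containers.adp array, each container carrying providerMetadata.shortName) and that CISA-ADP exploitation status lives in an SSVC metric under metrics[].other; the records, the product name, the CVE id and the oe-overrides provider name are constructed placeholders, and the "last ADP listed wins over the CNA" precedence rule is a choice made for this example.

```python
"""Merge a separately kept ADP container into a canonical CVE JSON 5.x record.

Added example, not part of the mailing-list thread or of cve-update-nvd2-native.py.
Assumptions: CVE record format 5.x layout (containers.cna, containers.adp[] with
providerMetadata.shortName per container); CISA-ADP exploitation status stored as
an SSVC metric (metrics[].other.type == "ssvc"). All sample data is constructed.
"""
import copy
import json

# Constructed canonical record, trimmed to the fields this example touches.
CANONICAL_RECORD = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-0001", "state": "PUBLISHED"},  # placeholder id
    "containers": {
        "cna": {
            "providerMetadata": {"shortName": "example-cna"},
            "affected": [{"product": "example-product",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
        },
        "adp": [
            {
                "providerMetadata": {"shortName": "CISA-ADP"},
                "metrics": [{"other": {"type": "ssvc",
                                       "content": {"options": [{"Exploitation": "active"}]}}}],
            }
        ],
    },
}

# Constructed override, as a separate overrides repository might ship it: one ADP
# container with an OE-specific version correction for the same CVE.
OE_OVERRIDE = {
    "providerMetadata": {"shortName": "oe-overrides"},  # hypothetical ADP name
    "affected": [{"product": "example-product",
                  "versions": [{"version": "1.0", "status": "unaffected"}]}],
}


def merge_adp(record, adp_container):
    """Return a copy of record with adp_container placed in containers.adp.

    A container from the same provider (same shortName) is replaced, so applying
    the same override twice is idempotent; containers from other providers stay.
    """
    merged = copy.deepcopy(record)
    adps = merged.setdefault("containers", {}).setdefault("adp", [])
    name = adp_container["providerMetadata"]["shortName"]
    adps[:] = [c for c in adps if c.get("providerMetadata", {}).get("shortName") != name]
    adps.append(copy.deepcopy(adp_container))
    return merged


def adp_names(record):
    """Provider shortNames of all ADP containers, in order."""
    return [c["providerMetadata"]["shortName"]
            for c in record.get("containers", {}).get("adp", [])]


def exploitation_status(record, provider="CISA-ADP"):
    """SSVC 'Exploitation' value from the given provider's ADP container, or None."""
    for c in record.get("containers", {}).get("adp", []):
        if c.get("providerMetadata", {}).get("shortName") != provider:
            continue
        for metric in c.get("metrics", []):
            other = metric.get("other", {})
            if other.get("type") != "ssvc":
                continue
            for option in other.get("content", {}).get("options", []):
                if "Exploitation" in option:
                    return option["Exploitation"]
    return None


def status_for_version(record, product, version):
    """Affected status for one product/version; the last ADP listed wins over the CNA."""
    status = None
    sources = [record["containers"]["cna"]] + record["containers"].get("adp", [])
    for src in sources:
        for aff in src.get("affected", []):
            if aff.get("product") != product:
                continue
            for v in aff.get("versions", []):
                if v.get("version") == version:
                    status = v.get("status")
    return status


if __name__ == "__main__":
    merged = merge_adp(CANONICAL_RECORD, OE_OVERRIDE)
    print(json.dumps(adp_names(merged)))
    print("exploitation:", exploitation_status(merged))
    print(status_for_version(CANONICAL_RECORD, "example-product", "1.0"), "->",
          status_for_version(merged, "example-product", "1.0"))
```

Because the override is keyed by provider shortName rather than stored as a full copy of the entry, the canonical record can be refreshed (for example after a schema conversion like the 5.1 migration) without touching the override data, and re-running the merge after each refresh yields the same result.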
