> > I think that there is a fundamental change in behavior here.
> > Previously we were taking (NVD) DB as base and only vulnerable CVEs were
> > compared annotated with CVE_STATUS or our presence of CVE patches.
> > Now we take the CVE_STATUS and CVE patches as base and add entries from DB
> > only if they were not annotated yet.
>
> This was a little more complicated than that. get_patched_cves() was taking a
> part of CVE_STATUS at the beginning of the process, then applying the NVD
> database.
> The change is to import the totality and then update the status in the
> process. Now, the entries in CVE_STATUS had priority before, and they still
> have.
> Now it is explicit, before it was hidden in the code. I do not see changes in
> the end result, do you have a case in mind?
If with current master I add the following to any recipe:

CVE_STATUS[2025-0001] = "not-applicable-config: test"
CVE_STATUS[2025-0002] = "fixed-version: test"

then the resulting build/tmp/log/cve/cve-summary.json, which shows all CVEs
for this recipe regardless of CVE status, will NOT contain a reference to
these test entries. But when I apply your patch, they are both added to the
report.

So your code changes the behavior a lot (in a good direction from my point of
view).

> > I am not arguing against it, I actually like it much more as we will be
> > able to insert also CVEs not in DB into our reports.
> > But I have two comments on this:
> > * this should be explicitly described in commit message
>
> Yes, we can add it here. The logic will be documented more in the standalone
> tool, because with the CVE database, the update rule is even more complex.
> (this is also good, it forces us to write the list of priorities)
>
> > * this makes global cve includes spill into all recipe reports, so this
> > commit series should also get rid of cve-extra-exclusions.inc file finally
> > (or at least add a comment into it with this side effect)
>
> This is the plan. I do not want to push a series removing
> cve-extra-inclusions.inc with this one, but maybe, as you suggest, we add a
> warning to this file and then remove with a separate series?
View/Reply Online (#202324): https://lists.openembedded.org/g/openembedded-core/message/202324
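To make the two merge orders discussed in the thread concrete, the following is an added illustration written for this page; it is not the code of cve-check.bbclass, of get_patched_cves(), or of the standalone tool. It assumes the usual CVE-prefixed id form, reproduces only a small subset of the CVE_STATUS keyword to Patched/Unpatched/Ignored mapping (an assumption, since the real mapping is larger), treats an unknown keyword as Unpatched (also an assumption), and uses constructed database rows. The two CVE-2025-* ids are the test entries from the reply above and are deliberately absent from the database, so the database-first order drops them while the CVE_STATUS-first order reports them, with the buckets of the ids both orders know staying identical.

```python
"""Sketch of "NVD database first" versus "CVE_STATUS first" report merging.

Written for this page as an illustration; NOT the code of cve-check.bbclass
or of the standalone tool discussed in the thread.
"""

# Assumption: subset of the CVE_STATUS keyword -> report bucket mapping.
STATUS_MAP = {
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "disputed": "Ignored",
    "unpatched": "Unpatched",
}

# Constructed sample database rows (not real NVD data).
NVD_DB = {
    "CVE-2024-1111": {"scorev3": "7.5", "summary": "constructed entry, in DB"},
    "CVE-2024-2222": {"scorev3": "5.3", "summary": "constructed entry, in DB"},
}

# Constructed recipe annotations. The two CVE-2025-* ids are the test values
# from the thread and are deliberately absent from NVD_DB.
CVE_STATUS = {
    "CVE-2024-1111": "cpe-stable-backport: fixed in this version",
    "CVE-2025-0001": "not-applicable-config: test",
    "CVE-2025-0002": "fixed-version: test",
}


def parse_status(value):
    """Split a CVE_STATUS value 'keyword: reason' into (bucket, reason).

    Assumption: an unknown keyword is bucketed as Unpatched here.
    """
    keyword, _, reason = value.partition(":")
    return STATUS_MAP.get(keyword.strip(), "Unpatched"), reason.strip()


def db_first(nvd_db, cve_status):
    """Database as base: walk the DB rows and annotate each with CVE_STATUS.

    Annotations for ids the DB does not know are never visited, so they never
    reach the report. This is the behaviour the reply observes on master.
    """
    report = {}
    for cve_id, record in nvd_db.items():
        bucket, reason = "Unpatched", ""
        if cve_id in cve_status:
            bucket, reason = parse_status(cve_status[cve_id])
        report[cve_id] = {"status": bucket, "detail": reason, "in_db": True, **record}
    return report


def status_first(nvd_db, cve_status):
    """CVE_STATUS as base: import every annotation first, then add DB rows
    only for ids not annotated yet.

    CVE_STATUS keeps priority, and annotated ids unknown to the DB now appear
    in the report too (the behaviour the reply sees with the patch applied).
    """
    report = {}
    for cve_id, value in cve_status.items():
        bucket, reason = parse_status(value)
        report[cve_id] = {
            "status": bucket,
            "detail": reason,
            "in_db": cve_id in nvd_db,
            **nvd_db.get(cve_id, {}),
        }
    for cve_id, record in nvd_db.items():
        if cve_id not in report:
            report[cve_id] = {"status": "Unpatched", "detail": "", "in_db": True, **record}
    return report


def report_diff(nvd_db, cve_status):
    """Return (ids only the CVE_STATUS-first order reports,
               ids whose bucket differs between the two orders)."""
    old = db_first(nvd_db, cve_status)
    new = status_first(nvd_db, cve_status)
    only_new = sorted(set(new) - set(old))
    changed = sorted(c for c in old if old[c]["status"] != new[c]["status"])
    return only_new, changed


if __name__ == "__main__":
    only_new, changed = report_diff(NVD_DB, CVE_STATUS)
    print("entries only the CVE_STATUS-first merge reports:", only_new)
    print("entries whose bucket changed between the orders:", changed)
```

Running it shows the two test ids in the CVE_STATUS-first report only, and an empty "changed" list: for ids present in both the database and CVE_STATUS the annotation wins in both orders, which is the "CVE_STATUS had priority before, and still has" point; the visible difference is exactly the extra entries that the old order could never emit.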
