On Mon, Jul 22, 2024 at 11:15 PM Marko, Peter <[email protected]> wrote:
> > > I think that there is a fundamental change in behavior here.
> > > Previously we were taking (NVD) DB as base and only vulnerable CVEs
> > > were compared annotated with CVE_STATUS or our presence of CVE patches.
> > > Now we take the CVE_STATUS and CVE patches as base and add entries
> > > from DB only if they were not annotated yet.
> >
> > This was a little more complicated than that. get_patched_cves() was
> > taking a part of CVE_STATUS at the beginning of the process, then applying
> > the NVD database.
> >
> > The change is to import the totality and then update the status in the
> > process. Now, the entries in CVE_STATUS had priority before, and they still
> > have.
> >
> > Now it is explicit, before it was hidden in the code. I do not see
> > changes in the end result, do you have a case in mind?
>
> If with current master I add following to any recipe:
> CVE_STATUS[2025-0001] = "not-applicable-config: test"
> CVE_STATUS[2025-0002] = "fixed-version: test"
> then the resulting build/tmp/log/cve/cve-summary.json which shows all CVEs
> for this recipe regardless of CVE status, it will NOT contain reference to
> these test entries.
> But when I apply your patch, they will be both added to the report.
> So your code changes the behavior a lot (in a good direction from my point
> of view).

Hello Peter,

Got it. This is how I changed the description in the last version.

Kind regards,
Marta
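The behaviour difference discussed in this thread, as an added example that is not part of any message and is not the cve-check code: a simplified Python model of the two merge orders (database as base versus CVE_STATUS as base). The function names and the `CVE-0000-*` database entries are constructed for illustration; the two `2025-*` annotations are the ones quoted in the thread.

```python
# Simplified model of the two merge orders described in the thread.
# Not the cve-check.bbclass code; all function names are hypothetical.

# Recipe annotations, keyed as in the message (CVE_STATUS[...] = "...").
CVE_STATUS = {
    "2025-0001": "not-applicable-config: test",
    "2025-0002": "fixed-version: test",
    "CVE-0000-0001": "fixed-version: constructed",  # constructed, also in DB
}

# Constructed stand-in for what the NVD database reports for this recipe.
NVD_DB = {
    "CVE-0000-0001": "Unpatched",
    "CVE-0000-0002": "Unpatched",
}


def report_db_as_base(cve_status, nvd_db):
    """Old order: walk the DB, annotations only override matching entries."""
    report = {}
    for cve, verdict in nvd_db.items():
        report[cve] = cve_status.get(cve, verdict)
    return report


def report_status_as_base(cve_status, nvd_db):
    """New order: start from every annotation, add DB entries not yet seen."""
    report = dict(cve_status)
    for cve, verdict in nvd_db.items():
        report.setdefault(cve, verdict)
    return report


def only_in_new(cve_status, nvd_db):
    """CVE ids that reach the report only with the new order."""
    old = report_db_as_base(cve_status, nvd_db)
    new = report_status_as_base(cve_status, nvd_db)
    return sorted(set(new) - set(old))


if __name__ == "__main__":
    # Annotated CVEs unknown to the DB show up only in the new report.
    print(only_in_new(CVE_STATUS, NVD_DB))
```

In this model the annotation wins in both orders for a CVE the database also knows, so the reports differ only in the annotated entries that the database does not contain.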
