Hi,
I would like to use the vector string to do some analysis and prioritization of CVEs and have found that the vector string is better than using the CVSS score. I would argue that in embedded contexts, the environment that a device is used in will result in a different scoring of the vector. The easiest example is a standalone device that does not have any network connections; it will likely prioritize physical over network attacks, which I believe is opposite to how the CVSS score is determined.

I would like for the vector string to be included in the outputs so it is also cached. Post-build tooling could use the NIST API to pull down the vector string, but I would like to avoid hitting the API for what I imagine are the same reasons caching is already done for cve-check.

As others have noted in this thread, the NIST API has been rather unreliable lately. I agree that the fetch is likely what is failing the build, since I had to bump the database filename to refresh the contents with the correct vector string. I didn't run test_image_json locally, but I did run builds that included fetching the nvd database and everything seemed to have been working.

Thanks,
Colin
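
An added example, not part of the original message or of cve-check itself, of the kind of post-build prioritization described above: it parses CVSS v3.x vector strings and ranks CVEs by whether their Attack Vector is reachable on a given device. The record layout, the `reachable_av` policy and the CVE ids are assumptions constructed for illustration; vectors that are not v3.x or do not parse are sent to manual review.

```python
# Added example: the policy, field layout and CVE ids below are constructed.
REQUIRED = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}  # CVSS v3.x base metrics
BUCKET_ORDER = {"reachable": 0, "review": 1, "unreachable": 2}


def parse_vector(vector):
    """Parse a CVSS v3.x vector string into a {metric: value} dict."""
    head, *parts = vector.strip().split("/")
    if not head.startswith("CVSS:3."):
        raise ValueError("not a CVSS v3.x vector: %r" % vector)
    metrics = {}
    for part in parts:
        name, sep, value = part.partition(":")
        if not (sep and name and value) or name in metrics:
            raise ValueError("malformed metric %r" % part)
        metrics[name] = value
    if REQUIRED - metrics.keys():
        raise ValueError("missing base metrics in %r" % vector)
    return metrics


def triage(records, reachable_av=frozenset({"P", "L"})):
    """Rank (cve_id, base_score, vector) records for one deployment.

    reachable_av is the set of Attack Vector values the device actually
    exposes; the default models a standalone device with no network links.
    Unparseable vectors go to "review" instead of being silently dropped.
    """
    ranked = []
    for cve_id, score, vector in records:
        try:
            av = parse_vector(vector)["AV"]
            bucket = "reachable" if av in reachable_av else "unreachable"
        except ValueError:
            bucket = "review"
        ranked.append((BUCKET_ORDER[bucket], -score, cve_id, bucket))
    return [(cve_id, bucket) for _, _, cve_id, bucket in sorted(ranked)]


SAMPLE = [  # constructed records, not real CVEs
    ("CVE-EXAMPLE-A", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-EXAMPLE-B", 6.8, "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-EXAMPLE-C", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
    ("CVE-EXAMPLE-D", 5.3, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    ("CVE-EXAMPLE-E", 7.5, ""),  # vector missing from the cached data
]

if __name__ == "__main__":
    for cve_id, bucket in triage(SAMPLE):
        print(cve_id, bucket)
```

With the default standalone-device policy the 9.8 network issue ranks below the 7.8 local and 6.8 physical ones, which a sort on base score alone would not do.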
