Re: [Development] Monitoring of upstream vulnerabilities

2018-06-20 Thread Eike Ziller


> On 19. Jun 2018, at 23:15, Jason H  wrote:
> 
> 
> 
>> Sent: Tuesday, June 19, 2018 at 4:50 PM
>> From: "Thiago Macieira" 
>> To: development@qt-project.org
>> Subject: Re: [Development] Monitoring of upstream vulnerabilities
>> 
>> On Tuesday, 19 June 2018 13:15:18 PDT Jason H wrote:
>>>> Currently, we use https://github.com/clearlinux/cve-check-tool. This is
>>>> going to be replaced with CVEMAN -
>>>> https://github.intel.com/kcwells/cveman. Both tools consume the feed from
>>>> the National Vulnerability Database from the US NIST -
>>>> https://nvd.nist.gov/.
>>> 
>>> Is that intel server publicly accessible?
>> 
>> The dashboard the tool produces isn't, but I also don't see why you'd want 
>> that. It's not applicable to Qt. The only people who would want access to it 
>> are the people who are working on the distribution and will apply the 
>> patches.
> 
> !?
> 
> The first link is a publicly accessible project. I thought you were referring 
> to a replacement project. I wanted to see what CVEMAN was, why it was better, 
> etc., (having never heard of it before) and see if it was something I might be 
> interested in. But if it's not publicly accessible I wonder how open Qt is if 
> we can't use all the tools Qt does. It could be valid that I don't need to 
> worry, but how does that bind Qt to a private tool?
> 
> I don't want to make a mountain out of a mole hill, but with all the 
> transparency in Qt, I just expected it to be accessible is all. 

These tools are currently not used for Qt.
Thiago is talking about "what we use in Clear Linux", where "we" has nothing to 
do with the Qt Project.

-- 
Eike Ziller
Principal Software Engineer

The Qt Company GmbH
Rudower Chaussee 13
D-12489 Berlin
eike.zil...@qt.io
http://qt.io
Managing Directors: Mika Pälsi,
Juha Varelius, Mika Harjuaho
Registered office: Berlin, Register court: Amtsgericht Charlottenburg, HRB 
144331 B

___
Development mailing list
Development@qt-project.org
http://lists.qt-project.org/mailman/listinfo/development


Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Thiago Macieira
On Tuesday, 19 June 2018 14:22:56 PDT Bernhard B wrote:
> On a side note: Do you know an estimated timeframe for when it will be
> publicly available?
> Would be really interested in the details.

I didn't know it existed until this morning, so no. And, of course, we began 
discussing the logo the tool should use, so...

The cve-check-tool should suffice for now. Or reading directly from the NIST 
database, with specific filters for the software that Qt has as third-party.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center



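Thiago's fallback of reading the NVD feed directly with filters for the software Qt carries as third-party, as an added example that is not code from the thread or from either tool: it walks the CVE_Items of the NVD JSON 1.x data feed (the feed layout of 2018), matches the CPE entries flagged vulnerable against an assumed watch list of bundled components, and reports the CVSSv3 base score where one exists. The feed sample, its CVE ids and the watch list are constructed for this example.

```python
import json
# Assumed watch list of third-party components bundled under Qt's src/3rdparty, keyed by
# CPE "vendor:product"; constructed for this example, not Qt's own inventory.
WATCHLIST = {"zlib:zlib", "libpng:libpng", "sqlite:sqlite", "harfbuzz_project:harfbuzz"}
# Constructed sample in the layout of the NVD JSON 1.x data feed; CVE ids are placeholders.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"operator": "OR", "children": [], "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:zlib:zlib:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "1.2.12"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},  # not a watched product
     "configurations": {"nodes": [{"operator": "OR", "children": [], "cpe_match": [
         {"vulnerable": True, "cpe23Uri": "cpe:2.3:a:acme:widgetd:2.0:*:*:*:*:*:*:*"}]}]}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},  # nested AND node, CVSSv2 only
     "configurations": {"nodes": [{"operator": "AND", "cpe_match": [], "children": [
         {"operator": "OR", "cpe_match": [{"vulnerable": True,
             "cpe23Uri": "cpe:2.3:a:sqlite:sqlite:3.24.0:*:*:*:*:*:*:*"}]},
         {"operator": "OR", "cpe_match": [{"vulnerable": False,
             "cpe23Uri": "cpe:2.3:o:acme:acmeos:-:*:*:*:*:*:*:*"}]}]}]},
     "impact": {"baseMetricV2": {"cvssV2": {"baseScore": 5.0}}}},
]})

def vendor_product(cpe23uri):
    """Return "vendor:product" from a CPE 2.3 URI (fields 3 and 4)."""
    fields = cpe23uri.split(":")
    return f"{fields[3]}:{fields[4]}"

def _cpe_matches(node):
    """Yield every cpe_match entry below a configuration node, children included."""
    yield from node.get("cpe_match", [])
    for child in node.get("children", []):
        yield from _cpe_matches(child)

def find_watched_cves(feed_json, watchlist=WATCHLIST):
    """Map CVE id -> {"products", "score"} (CVSSv3 base score, None if absent) for hits."""
    hits = {}
    for item in json.loads(feed_json)["CVE_Items"]:
        products = set()
        for node in item.get("configurations", {}).get("nodes", []):
            for match in _cpe_matches(node):
                vp = vendor_product(match["cpe23Uri"])
                # vulnerable=False marks platform context, not an affected product
                if match.get("vulnerable", False) and vp in watchlist:
                    products.add(vp)
        if products:
            score = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
            hits[item["cve"]["CVE_data_meta"]["ID"]] = {"products": products, "score": score}
    return hits
```

The real feed files are gzipped JSON downloaded from nvd.nist.gov; feed the decompressed text to find_watched_cves in place of SAMPLE_FEED.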


Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Bernhard B
>
> Because I didn't realise the tool wasn't public. I saw github and thought
> it
> was. Sorry about that.
>
> Well, CVEMAN will be made public some time, hopefully. It's still in
> development. For now, the other tool works.
>

Many thanks for the clarification!

On a side note: Do you know an estimated timeframe for when it will be
publicly available?
Would be really interested in the details.

2018-06-19 23:13 GMT+02:00 Thiago Macieira :

> On Tuesday, 19 June 2018 14:04:45 PDT Bernhard B wrote:
> > Sorry, I don't get it. But what's the point of providing a link to the
> > Intel github repo if we can't access it?
>
> Because I didn't realise the tool wasn't public. I saw github and thought
> it
> was. Sorry about that.
>
> Well, CVEMAN will be made public some time, hopefully. It's still in
> development. For now, the other tool works.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
>
>
>
>


Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Jason H



> Sent: Tuesday, June 19, 2018 at 4:50 PM
> From: "Thiago Macieira" 
> To: development@qt-project.org
> Subject: Re: [Development] Monitoring of upstream vulnerabilities
>
> On Tuesday, 19 June 2018 13:15:18 PDT Jason H wrote:
> > > Currently, we use https://github.com/clearlinux/cve-check-tool. This is
> > > going to be replaced with CVEMAN -
> > > https://github.intel.com/kcwells/cveman. Both tools consume the feed from
> > > the National Vulnerability Database from the US NIST -
> > > https://nvd.nist.gov/.
> > 
> > Is that intel server publicly accessible?
> 
> The dashboard the tool produces isn't, but I also don't see why you'd want 
> that. It's not applicable to Qt. The only people who would want access to it 
> are the people who are working on the distribution and will apply the patches.

!?

The first link is a publicly accessible project. I thought you were referring 
to a replacement project. I wanted to see what CVEMAN was, why it was better, 
etc., (having never heard of it before) and see if it was something I might be 
interested in. But if it's not publicly accessible I wonder how open Qt is if 
we can't use all the tools Qt does. It could be valid that I don't need to 
worry, but how does that bind Qt to a private tool?

I don't want to make a mountain out of a mole hill, but with all the 
transparency in Qt, I just expected it to be accessible is all. 


Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Thiago Macieira
On Tuesday, 19 June 2018 14:04:45 PDT Bernhard B wrote:
> Sorry, I don't get it. But what's the point of providing a link to the
> Intel github repo if we can't access it?

Because I didn't realise the tool wasn't public. I saw github and thought it 
was. Sorry about that.

Well, CVEMAN will be made public some time, hopefully. It's still in 
development. For now, the other tool works.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center





Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Bernhard B
Sorry, I don't get it. But what's the point of providing a link to the
Intel github repo if we can't access it?

On Tuesday, 19 June 2018, Thiago Macieira wrote:

> On Tuesday, 19 June 2018 13:15:18 PDT Jason H wrote:
> > > Currently, we use https://github.com/clearlinux/cve-check-tool. This
> is
> > > going to be replaced with CVEMAN -
> > > https://github.intel.com/kcwells/cveman. Both tools consume the feed
> from
> > > the National Vulnerability Database from the US NIST -
> > > https://nvd.nist.gov/.
> >
> > Is that intel server publicly accessible?
>
> The dashboard the tool produces isn't, but I also don't see why you'd want
> that. It's not applicable to Qt. The only people who would want access to
> it
> are the people who are working on the distribution and will apply the
> patches.
>
> --
> Thiago Macieira - thiago.macieira (AT) intel.com
>   Software Architect - Intel Open Source Technology Center
>
>
>
>


Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Thiago Macieira
On Tuesday, 19 June 2018 13:15:18 PDT Jason H wrote:
> > Currently, we use https://github.com/clearlinux/cve-check-tool. This is
> > going to be replaced with CVEMAN -
> > https://github.intel.com/kcwells/cveman. Both tools consume the feed from
> > the National Vulnerability Database from the US NIST -
> > https://nvd.nist.gov/.
> 
> Is that intel server publicly accessible?

The dashboard the tool produces isn't, but I also don't see why you'd want 
that. It's not applicable to Qt. The only people who would want access to it 
are the people who are working on the distribution and will apply the patches.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center





Re: [Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Jason H



> Sent: Tuesday, June 19, 2018 at 3:46 PM
> From: "Thiago Macieira" 
> To: development@qt-project.org
> Subject: [Development] Monitoring of upstream vulnerabilities
>
> As part of the discussion on 3rdparty and security at QtCS, I took an action 
> to look into what we use in Clear Linux to monitor for reported 
> vulnerabilities.
> 
> Currently, we use https://github.com/clearlinux/cve-check-tool. This is going 
> to be replaced with CVEMAN - https://github.intel.com/kcwells/cveman. Both 
> tools consume the feed from the National Vulnerability Database from the US 
> NIST - https://nvd.nist.gov/.

Is that intel server publicly accessible?
 


[Development] Monitoring of upstream vulnerabilities

2018-06-19 Thread Thiago Macieira
As part of the discussion on 3rdparty and security at QtCS, I took an action 
to look into what we use in Clear Linux to monitor for reported 
vulnerabilities.

Currently, we use https://github.com/clearlinux/cve-check-tool. This is going 
to be replaced with CVEMAN - https://github.intel.com/kcwells/cveman. Both 
tools consume the feed from the National Vulnerability Database from the US 
NIST - https://nvd.nist.gov/.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center


