Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-06-21 Thread Richard Purdie
On Sun, 2023-06-04 at 09:59 +, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote: > Hi Richard, > > Thank you for the acknowledgement of my proposal. > Please consider my additional input for the VEX standard. > > There are four main VEX standard statuses in total: > - Fixed >

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-06-04 Thread Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
On Fri, 2023-06-02 at 23:10 +0200, adrian.freiho...@gmail.com wrote: > I like the VEX proposa

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-06-02 Thread Richard Purdie
On Fri, 2023-06-02 at 23:10 +0200, adrian.freiho...@gmail.com wrote: > I like the VEX proposal from Sanjay. > > - It is a standard that can be supported by many tools and requested by > customers. One use case I see is where a vendor sells a product with an > SBOM. The customer can then match the

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-06-02 Thread Adrian Freihofer
Hi, I like the VEX proposal from Sanjay. - It is a standard that can be supported by many tools and requested by customers. One use case I see is where a vendor sells a product with an SBOM. The customer can then match the open vulnerabilities to the current state of the NIST database using a

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-30 Thread Richard Purdie
On Mon, 2023-05-29 at 07:32 +, Valek, Andrej wrote: > Hello again Richard, > > Maybe this email was a little bit unclear..., so I will try to recap it here. > There are 2 open points where a final decision has to be made. > > - Could we rename CVE_STATUS_REASONING -> CVE_STATUS_REASON?

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-29 Thread Andrej Valek via lists.openembedded.org
Hello again Richard, Maybe this email was a little bit unclear..., so I will try to recap it here. There are 2 open points where a final decision has to be made. - Could we rename CVE_STATUS_REASONING -> CVE_STATUS_REASON? The first idea came from you. - What is the final enum for

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-23 Thread Andrej Valek via lists.openembedded.org
Hello Richard, Could you please take a look at the latest revision and make a decision there? There are still a bunch of unclear statements. So please make a final design and we will try to implement it. Thank you, Andrej On Mon, 2023-05-22 at 10:57 +0300, Mikko Rapeli wrote: > Hi, > > On Fri, May

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-22 Thread Mikko Rapeli
Hi, On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote: > I'm missing a status to cover the situation when the NVD (or any other > database) has an incorrect entry. We have quite a few of those. This might > be a temporary situation, but not always. > > SPDX (the 3.0 draft) has some

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-20 Thread Andrej Valek via lists.openembedded.org
Hello Marta, On Fri, 2023-05-19 at 15:11 +0200, Marta Rybczynska wrote: Thank you for this work. I think we are going in a good direction. My comments are in the text. In general, I would like us to come up with a fixed list of possible statuses and avoid adding new ones too frequently. Changing

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Marta Rybczynska
Thank you for this work. I think we are going in a good direction. My comments are in the text. In general, I would like us to come up with a fixed list of possible statuses and avoid adding new ones too frequently. Changing them will break my parsing and status scripts each time. On Fri, May 19,

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Michael Opdenacker via lists.openembedded.org
Hi Andrej, On 19.05.23 at 08:24, Andrej Valek via lists.openembedded.org wrote: - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be more flexible. CVE_STATUS should contain a flag for each CVE with accepted values "Ignored", "Not applicable" or "Patched". It allows adding a

Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Mikko Rapeli
Hi, Looks really good but could you split the documentation into a separate patch and send it to d...@lists.yoctoproject.org instead of oe-core? Thanks! -Mikko On Fri, May 19, 2023 at 08:24:18AM +0200, Andrej Valek wrote: > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be >

[OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be more flexible. CVE_STATUS should contain a flag for each CVE with accepted values "Ignored", "Not applicable" or "Patched". It allows adding a status for each CVE. - The optional CVE_STATUS_REASONING flag variable may contain a