Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-26 Thread Luca Ceresoli via lists.openembedded.org
Hello Matsunaga-Shinji, On Wed, 25 Oct 2023 14:13:44 +0900 "Matsunaga-Shinji" wrote: > CVEs that are currently considered "Patched" are classified into the > following 3 statuses: > 1. "Patched" - means that a patch file that fixed the vulnerability has > been applied > 2. "Not affected"

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Marta Rybczynska
ched” (so someone > needs to analyze as any other open vulnerability report) > > > > Best Regards, > > Peter > > > > From: Marta Rybczynska > Sent: Wednesday, October 25, 2023 14:44 > To: Andrej Valek > Cc: Matsunaga-Shinji ; Richard Purdie > ; O

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Peter Marko via lists.openembedded.org
: Matsunaga-Shinji ; Richard Purdie ; OE-core ; Shunsuke Tokumoto ; Marko, Peter (ADV D EU SK BFS1) Subject: Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses Hello Andrej, This patch is splitting the Patched state, not the ignore one. This is not incorrect CPE

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Marta Rybczynska
Hello Andrej, This patch is splitting the Patched state, not the ignore one. This is not incorrect CPE or anything else. Currently Patched means one of two situations: either this issue has never affected the code base (example: we have version 1.0, issue was introduced in 2.0 and fixed in 2.1),

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Andrej Valek
Hi Marta, That's fine, as I said we designed the "ignore" with status "cpe-incorrect" or "ignored" exactly for those purposes. Extending the option with "not affected" doesn't make any sense. You have to set the status to "why is not affected" = "ignored". Which completely covers the

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Marta Rybczynska
Hi Andrej, This is more complex. "Not affected" is also an issue that isn't present in the code - like when we have a version that has never had the vulnerability. Those are also currently 'Patched' in cve-check. This work is in sync with what VEX is doing, is it the use-case Matsunaga-Shinji?

Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-25 Thread Andrej Valek
Hi all, Do we really need a new "not_affected" state? I guess the ignore state is exactly designed for those purposes. Regards, Andrej On 25.10.2023 07:13, Matsunaga-Shinji wrote: CVEs that are currently considered "Patched" are classified into the following 3 statuses: 1. "Patched" -

[OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses

2023-10-24 Thread Matsunaga-Shinji
CVEs that are currently considered "Patched" are classified into the following 3 statuses: 1. "Patched" - means that a patch file that fixed the vulnerability has been applied 2. "Not affected" - means that the package version (PV) is not affected by the vulnerability 3. "Undecidable" -
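The three-way split described in the patch message above, as an added example that is not the patch's or cve-check.bbclass's own code. It assumes that CVE identifiers are taken from patch file names and from "CVE: CVE-YYYY-NNNN" tags in patch bodies, that affected ranges use NVD-style inclusive/exclusive bounds, and that versions are compared as dotted integer tuples, so a PV or bound that does not parse that way (a "+git" suffix, an "-rc1" bound) lands in "Undecidable". "Unpatched" is kept as the outcome for an affected, unfixed version so that the classifier is complete; the function names and the range dictionary layout are this example's own.

```python
"""Classify a CVE against a package version as Patched / Not affected /
Undecidable (or Unpatched when the version is affected and no fix applies).

Added example, not the project's code. Assumptions (see lead-in): CVE ids come
from patch names and "CVE:" tags; ranges are NVD-style; versions are dotted
integers, anything else is treated as undecidable.
"""
import re
from typing import Optional

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_from_patches(patches: dict) -> set:
    """patches maps patch file name -> patch text (assumed convention).
    A CVE id counts as fixed if it appears in the file name or on a
    'CVE:' tag line inside the patch."""
    found = set()
    for name, body in patches.items():
        found.update(CVE_RE.findall(name))
        for line in body.splitlines():
            if line.startswith("CVE:"):
                found.update(CVE_RE.findall(line))
    return found


def parse_version(v: str) -> Optional[tuple]:
    """'2.0.5' -> (2, 0, 5); returns None for anything non-numeric."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def in_range(pv: tuple, rng: dict) -> Optional[bool]:
    """rng keys: start, start_incl, end, end_incl (None bound = unbounded).
    Returns True/False, or None when a bound cannot be parsed."""
    for key in ("start", "end"):
        if rng.get(key) is not None and parse_version(rng[key]) is None:
            return None
    start, end = rng.get("start"), rng.get("end")
    if start is not None:
        s = parse_version(start)
        if pv < s or (pv == s and not rng.get("start_incl", True)):
            return False
    if end is not None:
        e = parse_version(end)
        if pv > e or (pv == e and not rng.get("end_incl", False)):
            return False
    return True


def classify(pv: str, cve: str, patched: set, ranges: list) -> str:
    """Patched: a patch fixing this CVE is applied.
    Not affected: PV parses and falls outside every affected range.
    Undecidable: PV or a bound cannot be compared, or no range data exists
    (assumed policy for missing data).
    Unpatched: PV falls inside an affected range and nothing fixes it."""
    if cve in patched:
        return "Patched"
    v = parse_version(pv)
    if v is None or not ranges:
        return "Undecidable"
    undecidable = False
    for rng in ranges:
        hit = in_range(v, rng)
        if hit is None:
            undecidable = True
        elif hit:
            return "Unpatched"
    return "Undecidable" if undecidable else "Not affected"


# Constructed sample data: two patches and one NVD-style range
# (affected from 2.0 inclusive up to 2.1 exclusive, as in Marta's example).
SAMPLE_PATCHES = {
    "0001-fix-CVE-2023-1234.patch": "--- a/x.c\n+++ b/x.c\n",
    "0002-hardening.patch": "CVE: CVE-2023-5678\n--- a/y.c\n+++ b/y.c\n",
}
SAMPLE_RANGES = [{"start": "2.0", "start_incl": True, "end": "2.1", "end_incl": False}]


def demo() -> dict:
    patched = cves_from_patches(SAMPLE_PATCHES)
    return {
        "patched": classify("2.0", "CVE-2023-1234", patched, SAMPLE_RANGES),
        "older": classify("1.0", "CVE-2023-9999", patched, SAMPLE_RANGES),
        "inside": classify("2.0.5", "CVE-2023-9999", patched, SAMPLE_RANGES),
        "git_pv": classify("1.0+git", "CVE-2023-9999", patched, SAMPLE_RANGES),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

Run it directly to see one result per status; the "+git" PV is the case the "Undecidable" bucket exists for, since a plain version compare cannot say whether such a build is inside the affected range.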