Hello Matsunaga-Shinji,
On Wed, 25 Oct 2023 14:13:44 +0900
"Matsunaga-Shinji" wrote:
> CVEs that are currently considered "Patched" are classified into the
> following 3 statuses:
> 1. "Patched" - means that a patch file that fixed the vulnerability has
> been applied
> 2. "Not affected"
> ched" (so someone
> needs to analyze as any other open vulnerability report)
>
> Best Regards,
>
> Peter
>
> From: Marta Rybczynska
> Sent: Wednesday, October 25, 2023 14:44
> To: Andrej Valek
> Cc: Matsunaga-Shinji ; Richard Purdie ; OE-core ; Shunsuke Tokumoto ; Marko, Peter (ADV D EU SK BFS1)
> Subject: Re: [OE-core] [PATCH v2] cve-check: Classify patched CVEs into 3 statuses
Hello Andrej,
This patch is splitting the Patched state, not the ignore one. This is not
incorrect CPE or anything else.
Currently Patched means one of two situations: either this issue has never
affected the code base (example: we have version 1.0, issue was introduced
in 2.0 and fixed in 2.1),
Hi Marta,
That's fine, as I said we designed the "ignore" with status
"cpe-incorrect" or "ignored" exactly for those purposes. Extending the
option with "not affected" doesn't make any sense.
You have to set the status to "why is not affected" = "ignored". Which
completely covers the
Hi Andrej,
This is more complex. "Not affected" is also an issue that isn't present in the
code - like when we have a version that has never had the vulnerability.
Those are also currently 'Patched' in cve-check.
This work is in sync with what VEX is doing, is it the use-case,
Matsunaga-Shinji?
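An added illustrative model of how the three statuses separate the cases Marta describes (version 1.0 with an issue introduced in 2.0 and fixed in 2.1 comes out "Not affected" rather than "Patched"). This is not the OE-core cve-check implementation and not code from anyone in this thread; the record fields, the placeholder CVE ids, the "Unpatched" label for an open issue and the reading of "Undecidable" as "no usable version data" are assumptions.

```python
# Illustrative model of the statuses discussed in the thread. It is NOT the
# cve-check implementation from OE-core; the record shape (introduced/fixed
# versions plus a flag for an applied patch file) is assumed for this example.
from typing import Optional

def parse_version(v: str) -> tuple:
    """Turn a dotted version string such as "2.1" into a comparable tuple."""
    return tuple(int(part) for part in v.split("."))

def classify(pv: str, introduced: Optional[str], fixed: Optional[str],
             patched_by_file: bool) -> str:
    """Return one status for one CVE against one package version (PV).

    Patched      - a patch file fixing the CVE is applied to the recipe.
    Not affected - PV lies outside the vulnerable range [introduced, fixed),
                   e.g. PV 1.0 with introduced 2.0 and fixed 2.1.
    Undecidable  - the record has no usable version range, so tooling cannot
                   decide and a person must analyse it (assumed meaning).
    Unpatched    - PV is inside the vulnerable range and no patch applies.
    """
    if patched_by_file:
        return "Patched"
    if introduced is None and fixed is None:
        return "Undecidable"
    v = parse_version(pv)
    lower_ok = introduced is None or v >= parse_version(introduced)
    upper_ok = fixed is None or v < parse_version(fixed)
    if lower_ok and upper_ok:
        return "Unpatched"
    return "Not affected"

# Constructed sample records: (placeholder CVE id, introduced, fixed, patched)
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "2.0", "2.1", False),  # Marta's example above
    ("CVE-EXAMPLE-0002", "0.9", "1.1", True),   # fixed by an applied patch
    ("CVE-EXAMPLE-0003", None, None, False),    # no version data at all
    ("CVE-EXAMPLE-0004", "0.9", None, False),   # affects 0.9 onwards, no fix
]

def report(pv: str) -> dict:
    """Classify every sample record against one package version."""
    return {cve: classify(pv, intro, fix, patched)
            for cve, intro, fix, patched in SAMPLE_CVES}
```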
Hi all,
Do we really need a new "not_affected" state? I guess the ignore state
is exactly designed for those purposes.
Regards,
Andrej
On 25.10.2023 07:13, Matsunaga-Shinji wrote:
CVEs that are currently considered "Patched" are classified into the following
3 statuses:
1. "Patched" - means that a patch file that fixed the vulnerability has
been applied
2. "Not affected" - means that the package version (PV) is not affected by the
vulnerability
3. "Undecidable" -