On Mon, Jan 27, 2020 at 10:16:16AM +0200, Anders Montonen wrote:
> On 24 Jan 2020, at 12:54, Ross Burton <[email protected]> wrote:
> >
> > On 24/01/2020 09:02, Anders Montonen wrote:
> >> Hi,
> >> What's the best way for handling name collisions when using the
> >> cve-checker tool? For example, there's a ton of Adobe Flex vulnerabilities
> >> that are reported against the Flex lexical analyzer generator tool.
> >> Whitelisting the individual CVEs would be one option, but the list is
> >> pretty long.
> >
> > Set CVE_PRODUCT, if you use a colon then you can set the vendor too.
> >
> > This specific instance is already fixed in oe-core master:
> >
> > # Not Apache Flex, or Adobe Flex, or IBM Flex.
> > CVE_PRODUCT = "flex_project:flex"
>
> Thanks (and to Mikko too), that worked, though I’m a bit curious how one
> would find the proper vendor name, especially for a project like this where
> there’s no clear company name.
I always search for existing CVEs for the SW component and check what
project and product names were used.
For flex, Internet search shows for example
https://www.suse.com/security/cve/CVE-2019-6293/
which has "flex_project:flex" in NVD:
https://nvd.nist.gov/vuln/detail/CVE-2019-6293
In my projects I also have exported CVE_PRODUCT to buildhistory and
have a check for CVE product name. Any SW components with non-CLOSED
LICENSE must either have a matching CPE in NVD database or be checked
manually and whitelisted.
Cheers,
-Mikko
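The check Mikko describes (CVE_PRODUCT exported to buildhistory, compared against the vendor:product names in NVD's CPE data, with CLOSED-licensed recipes exempt and the rest matched or whitelisted) as an added Python example; it is not part of the thread or of cve-check. The NVD CPE strings, recipe names, license values and the `check_recipe` helper are constructed for illustration.

```python
from typing import Iterable, List, Set, Tuple

# Constructed sample of CPE 2.3 strings of the kind NVD lists per CVE.
NVD_CPES = [
    "cpe:2.3:a:flex_project:flex:2.6.4:*:*:*:*:*:*:*",  # the lexer generator
    "cpe:2.3:a:adobe:flex:3.0:*:*:*:*:*:*:*",           # Adobe Flex, unrelated
    "cpe:2.3:a:apache:flex:4.0:*:*:*:*:*:*:*",          # Apache Flex, unrelated
    "cpe:2.3:a:openssl:openssl:1.1.1:*:*:*:*:*:*:*",
]


def cpe_vendor_products(cpes: Iterable[str]) -> Set[Tuple[str, str]]:
    """Extract (vendor, product) pairs from CPE 2.3 strings."""
    pairs = set()
    for cpe in cpes:
        parts = cpe.split(":")
        if len(parts) >= 5 and parts[0] == "cpe" and parts[1] == "2.3":
            pairs.add((parts[3], parts[4]))
    return pairs


CPE_PAIRS = cpe_vendor_products(NVD_CPES)


def parse_cve_product(value: str) -> List[Tuple[str, str]]:
    """Split a space-separated CVE_PRODUCT value into (vendor, product)
    pairs; an entry without a colon carries no vendor and gets ''."""
    entries = []
    for item in value.split():
        vendor, sep, product = item.partition(":")
        entries.append((vendor, product) if sep else ("", item))
    return entries


def check_recipe(name, license_, cve_product, cpe_pairs, whitelist):
    """Classify one recipe (hypothetical helper): 'skip' for CLOSED license,
    'whitelisted', 'unmatched' if any entry has no CPE, 'ambiguous' if a
    bare product name matches several vendors (the flex/Flex collision
    that a vendor prefix resolves), otherwise 'ok'."""
    if license_ == "CLOSED":
        return "skip"
    if name in whitelist:
        return "whitelisted"
    statuses = []
    for vendor, product in parse_cve_product(cve_product):
        if vendor:
            statuses.append("ok" if (vendor, product) in cpe_pairs else "unmatched")
        else:
            vendors = {v for v, p in cpe_pairs if p == product}
            statuses.append("ambiguous" if len(vendors) > 1 else "ok" if vendors else "unmatched")
    for worst in ("unmatched", "ambiguous"):
        if worst in statuses:
            return worst
    return "ok" if statuses else "unmatched"
```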