Dear all,

Here's the update on our CVE management research work for YP.

Context: a frequent request is to be able to answer "is YP affected by this particular CVE?". We have a part of an answer in cve-check, but not the triage of issues that do not affect YP at all.

This research includes two elements:
- Manual CVE triage tests
- SRTool investigation

Manual CVE triage tests
=======================

Marta has done manual triage of two sets of two days: one manual (download from the CVE JSON5 database) and one via SRTool.

Manual triage: 2h
SRTool triage: 1.5h (but manual triage was done earlier)

Take-aways:
- a huge majority of issues do not affect YP
- those that do are most of the time already listed in cve-check results
- the effective procedure to check was "git grep" to find if we have a recipe (the Layer index could be used too), then checking a "world" run of cve-check. Only rarely are manual verifications needed.
- found some CPE mismatches etc. (patches will come)
- if we want to set up triage, we need to clearly define which layers we take care of. For example, in one of the sets there were numerous Java runtime issues, as well as other issues in packages from various layers.

To sum up, the triage takes around 1h/day without automation. However, it should be way shorter if pre-triaged with the cve-check result and the package list from supported layers.

Open questions: who will be willing to participate in the effort?

SRTool investigation
====================

We had a call on October 19th (people present in CC). Subjects discussed:

1. Installing SRTool

Marta has a running instance; Alex plans to set up one.

2. Workflow

David explained how the investigation is done at WR. A "Vulnerability" describes a problem and can link to multiple CVEs (for example from multiple researchers). From Vulnerabilities they create Investigations (1:1 for each product - in our case YP releases). Defects are handled in the bug tracker.

A proposal of David's was to integrate Bugzilla and trace CVE entries, importing them into investigations. This would mean using bugs to populate CVE statuses. However, we could not use that approach with YP right now, as CVE entries aren't managed in Bugzilla.

There's another subject on CVE patch synchronization work, see https://lists.yoctoproject.org/g/yocto-security/message/964

We have information on what version is affected/not affected from cve-check. Then David showed the "Audit" functionality. It can be populated from cve-check. Agreed to do a PoC implementation (David will work on it). When CVEs are filled from cve-check, only a certain number of CVEs will be left with unknown status. Marta hopes they will be easy to handle.

3. Result sharing

We discussed how triage results from YP can be used by other vendors. It seems possible to do that via "audit" sources.

Next meeting planned on Nov 2nd. Everyone willing to participate is welcome (send me or David a message to be added to the invitation).

Kind regards,
Marta
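Added example, not code from this thread, from cve-check or from SRTool: a Python pre-triage pass that takes a cve-check "world" run JSON summary plus a list of supported layers and sorts requested CVE ids into "already known", "out of scope" and "needs manual triage", the split the take-aways above describe. The JSON field names ("package", "name", "layer", "version", "issue", "id", "status") are assumed to match what cve-check writes, and the summary embedded below is constructed sample data.

```python
import json

# Constructed sample in the shape of a cve-check "world" run summary (not real data).
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "layer": "meta", "version": "3.1.4",
         "issue": [{"id": "CVE-2023-0001", "status": "Patched"},
                   {"id": "CVE-2023-0002", "status": "Unpatched"}]},
        {"name": "busybox", "layer": "meta", "version": "1.36.1",
         "issue": [{"id": "CVE-2023-0003", "status": "Ignored"}]},
        {"name": "examplejava", "layer": "meta-java", "version": "1.0",
         "issue": [{"id": "CVE-2023-0004", "status": "Unpatched"}]},
    ],
})
# Layers the triage effort commits to; anything else is reported but out of scope.
SUPPORTED_LAYERS = {"meta", "meta-poky"}

def pre_triage(summary_json, cve_ids, supported_layers):
    """Map each CVE id to (verdict, hits); hits are
    (package, layer, version, cve-check status) tuples.
      "known"        cve-check already reports it for a package in a supported layer
      "out-of-scope" only seen in packages from layers we do not maintain
      "manual"       absent from the cve-check output; needs manual triage
    """
    data = json.loads(summary_json)
    # Index every reported issue by CVE id so each lookup is a dict hit.
    hits = {}
    for pkg in data.get("package", []):
        for issue in pkg.get("issue", []):
            hits.setdefault(issue["id"], []).append(
                (pkg["name"], pkg["layer"], pkg["version"], issue["status"]))
    result = {}
    for cve in cve_ids:
        found = hits.get(cve, [])
        in_scope = [h for h in found if h[1] in supported_layers]
        if in_scope:
            result[cve] = ("known", in_scope)
        elif found:
            result[cve] = ("out-of-scope", found)
        else:
            result[cve] = ("manual", [])
    return result

if __name__ == "__main__":
    wanted = ["CVE-2023-0001", "CVE-2023-0004", "CVE-2023-9999"]
    for cve, (verdict, hits) in pre_triage(SAMPLE_SUMMARY, wanted,
                                           SUPPORTED_LAYERS).items():
        print(cve, verdict, hits)
```

Only the "manual" bucket needs a human, which is the part of the daily triage that automation cannot remove.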
View/Reply Online (#61446): https://lists.yoctoproject.org/g/yocto/message/61446