[yocto-security] [yocto] CVE list vs bugzilla
Whiteman, John L
john.l.whiteman at intel.com
Mon May 18 14:53:23 PDT 2015
Hi Sona,
Have you given any further thought about using the cve-check-tool?
https://github.com/ikeydoherty/cve-check-tool
A bugzilla plugin would need to be added but it may help here to avoid
duplication.
Best Regards,
John
-----Original Message-----
From: yocto-bounces at yoctoproject.org [mailto:yocto-bounces at yoctoproject.org]
On Behalf Of Sona Sarmadi
Sent: Tuesday, May 05, 2015 8:12 AM
To: yocto-security at yoctoproject.org
Cc: 'yocto at yoctoproject.org'; 'openembedded-core at lists.openembedded.org'
Subject: Re: [yocto] CVE list vs bugzilla
Trying with correct email address :)
Hi all,
To monitor/scan vulnerabilities (CVE), check affected packages, versions,
branches, fixed versions/branches etc ... we need either to file a bug in
bugzilla for each publicly disclosed CVE or have a simple database.
Today, we sometimes file a bug but most of the time vulnerabilities just get
fixed by some volunteer and some vulnerabilities don't get fixed.
We have created a CVE list just for test to see if this is easier to
maintain and provides a better overview, please have a look at this and let us
know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0
The alternative for maintaining such a list is filing a bug in Bugzilla. The
question is which approach is the best, here are some pros and cons:
Bugzilla:
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed
Question: can we generate a report from Bugzilla, search for CVEs and find
out what CVEs have been fixed and in what branches etc?
CVE spread sheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we
  could use a tool to check with NVD (https://nvd.nist.gov/) daily and
  update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?
Any comments?
Thanks
Sona