[yocto-security] [yocto] CVE list vs bugzilla

Whiteman, John L john.l.whiteman at intel.com
Wed May 20 08:22:15 PDT 2015


Hi Sona,

I haven't tried the other tools so I couldn't say if they are better or not.
Plus I may be a bit biased :).

What I do know is that we rewrote the cve-check-tool in C to improve
execution performance.  We also added a plug-in to communicate with the JIRA
server on a different project. We can do the same for Bugzilla.  Either way
let us know and we can offer assistance if you are still interested.  The
most important thing is that you are checking the CVE database on a regular
basis for quicker response times.

Best Regards,

John

-----Original Message-----
From: Sona Sarmadi [mailto:sona.sarmadi at enea.com] 
Sent: Wednesday, May 20, 2015 5:39 AM
To: Whiteman, John L; yocto-security at yoctoproject.org
Subject: RE: [yocto] CVE list vs bugzilla


> Hi Sona,
> 
> Have you given any further thought about using the cve-check-tool?
> 
> https://github.com/ikeydoherty/cve-check-tool
> 
> A bugzilla plugin would need to be added but it may help here to avoid 
> duplication.
> 

Thanks John,

A while ago I tried to use cvechecker; I found that tool not very
user-friendly. I didn't have time to investigate further, so I gave up :( but
this is on my to-do list, so I will give it a try.

How is cve-check-tool related to the other cvechecker tools? 

- cvechecker-x.tar.gz: http://sourceforge.net/projects/cvechecker/files
- git://github.com/sjvermeu/cvechecker.git
- poky-contrib: git clone git://git.yoctoproject.org/poky-contrib
- YoctoSecurityAdvisoryTrackingUtility: https://github.com/ScottGarman/YoctoSecurityAdvisoryTrackingUtility

There are some other CVE-Compatible Products/tools:
https://cve.mitre.org/compatible/compatible.html

Cheers
//Sona


