[yocto-security] Import cve-check to srtool
Reyna, David
david.reyna at windriver.com
Tue Mar 12 14:33:16 PDT 2019
Hi Dan,
> "I just heard about Yocto srtool. It looks fantastic!"
Thank you!
It is under rapid development right now, with a huge commit pending based on my deployment within Wind River. Once I get that shared (plus new support for multiple SQL databases), we will declare version 2.0 and more formally announce it to the world.
> "I’m wondering is there a way to automatically import cve-check from Yocto build process to srtool somehow? I have not been able to find a way to do so."
That is part of the plan, to connect and/or correlate the SRTool data to actual builds, their package manifests, and scanner output like "cve-check".
I myself do not have any experience with "cve-check" yet. As per Ross's comments, do you have an idea on how you would like to fit the data together?
I am happy to host a meeting to discuss it if you want to explore the idea together.
David Reyna
Lead Developer, SRTool
-----Original Message-----
From: yocto-security-bounces at yoctoproject.org [mailto:yocto-security-bounces at yoctoproject.org] On Behalf Of Burton, Ross
Sent: Tuesday, March 12, 2019 2:25 PM
To: Daniel Wang
Cc: yocto-security at yoctoproject.org
Subject: Re: [yocto-security] Import cve-check to srtool
On Tue, 12 Mar 2019 at 21:12, Daniel Wang <xiaolong.wang at anki.com> wrote:
> I just heard about Yocto srtool. It looks fantastic! I’m wondering is there a way to automatically import cve-check from Yocto build process to srtool somehow? I have not been able to find a way to do so.
What do you expect the import to be? Remember that the cve-check-tool
output *needs* to be reviewed by a human, so srtool is effectively
that review using its own copy of the CVE database.
Ross
_______________________________________________
yocto-security mailing list
yocto-security at yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto-security
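The import Dan asks about, with Ross's point that cve-check output is a queue for human review rather than a verdict, as an added example that is not part of this thread nor of srtool or cve-check: a small parser for the cve-check text report that turns each entry into a record and orders the still-unpatched ones for review. The "KEY: value" report layout and the sample data are assumptions constructed for the example.

```python
# Added example, not code from srtool or cve-check. Assumes the 'KEY: value'
# text report that cve-check.bbclass wrote at the time (PACKAGE NAME, CVE,
# CVE STATUS, CVSS v2 BASE SCORE, ...); the sample below is constructed.
from typing import Dict, List

SAMPLE_REPORT = """\
PACKAGE NAME: busybox
PACKAGE VERSION: 1.30.1
CVE: CVE-1900-0001
CVE STATUS: Patched
CVSS v2 BASE SCORE: 7.5

PACKAGE NAME: busybox
PACKAGE VERSION: 1.30.1
CVE: CVE-1900-0002
CVE STATUS: Unpatched
CVSS v2 BASE SCORE: 5.0

PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1a
CVE: CVE-1900-0003
CVE STATUS: Unpatched
CVSS v2 BASE SCORE: 9.3
"""

def parse_cve_check(text: str) -> List[Dict[str, str]]:
    """One dict per entry; entries are 'KEY: value' lines separated by blank lines."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            # Split on the first ': ' so values such as URLs keep their own colons.
            key, sep, value = line.partition(": ")
            if sep:  # skip lines that are not 'KEY: value'
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def review_queue(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Entries a human still has to decide on: not marked Patched, highest CVSS first."""
    def score(rec: Dict[str, str]) -> float:
        try:
            return float(rec.get("CVSS v2 BASE SCORE", "0"))
        except ValueError:  # a missing or malformed score sinks to the bottom, never dropped
            return 0.0
    pending = [r for r in records if r.get("CVE STATUS", "").lower() != "patched"]
    return sorted(pending, key=score, reverse=True)
```

Patched entries are filtered out only as a first cut; the analyst decision on each remaining record (false positive, not affected, needs fix) is what a tracker like srtool would record.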