[yocto] cve-checker tool

Burton, Ross ross.burton at intel.com
Wed Dec 7 08:12:26 PST 2016


On 7 December 2016 at 14:58, Mariano Lopez <mariano.lopez at linux.intel.com>
wrote:

> > We have more recipes which have CVE patches but they are not reported.
> > I have analyzed these; some of these CVEs are still marked as reserved
> > on Mitre and are not present in the nvd.xml files (although they are
> > public, e.g. Busybox:
> > https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).
>
> cve-check-tool will only check against the database that it got from the
> nvd.xml files, and these files won't have information for not yet fully
> disclosed CVEs, so that is why you will find these cases frequently in
> OE recipes (Armin does a great job with CVEs).
>

A lot of CVEs get reserved but never actually updated in MITRE.  This is
why the planned successor to cve-check-tool plans to download the Debian /
RHEL / etc security databases to fill in the gaps (I'm not sure what the
state of this rewrite is as we didn't write this tool).

Ross
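The gap the thread describes, shown as an added example (this is not code from the thread, from cve-check-tool or from its successor): CVE identifiers are read from a recipe's patch file names, checked first against an NVD-style feed and then against a second, distribution-maintained source, so a CVE that is still reserved on MITRE but already tracked by Debian is reported as "secondary-only" rather than silently missed. The XML and JSON feeds are constructed samples in a deliberately simplified shape (the real nvd.xml and Debian tracker formats differ); CVE-2016-2147 is the Busybox case from the thread, the other identifiers are placeholders.

```python
"""Cross-check a recipe's CVE patches against an NVD-style feed plus a
secondary source, and report which CVEs neither source knows about."""
import json
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample: a simplified NVD-like XML feed. This is NOT the real
# nvd.xml schema; only the <entry id="..."> attribute is consulted.
NVD_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nvd>
  <entry id="CVE-0000-0001"><summary>constructed placeholder entry</summary></entry>
</nvd>
"""

# Constructed sample: Debian security-tracker-style JSON, package -> CVE ->
# per-release status. The version string is a placeholder.
DEBIAN_JSON = json.dumps({
    "busybox": {
        "CVE-2016-2147": {
            "releases": {
                "stretch": {"status": "resolved", "fixed_version": "PLACEHOLDER"}
            }
        }
    }
})

# Constructed sample: patch names as they might appear in a recipe's SRC_URI.
RECIPE_PATCHES = [
    "CVE-2016-2147.patch",   # from the thread: reserved on MITRE, absent from nvd.xml
    "CVE-0000-0001.patch",   # placeholder: present in the NVD-like feed
    "CVE-0000-0002.patch",   # placeholder: known to neither source
    "fix-build.patch",       # not a CVE patch at all
]


def cves_from_patches(patch_names):
    """Collect CVE identifiers from patch file names, normalised to upper case."""
    found = set()
    for name in patch_names:
        found.update(m.upper() for m in CVE_RE.findall(name))
    return found


def cves_in_nvd(xml_text):
    """CVE ids present in the (simplified) NVD-style XML feed."""
    root = ET.fromstring(xml_text)
    return {e.get("id") for e in root.iter("entry") if e.get("id")}


def cves_in_debian(json_text, package):
    """CVE ids the Debian-style tracker knows for a given source package."""
    data = json.loads(json_text)
    return set(data.get(package, {}).keys())


def classify(recipe_cves, nvd_cves, secondary_cves):
    """Tag each recipe CVE by the first source that knows about it."""
    result = {}
    for cve in sorted(recipe_cves):
        if cve in nvd_cves:
            result[cve] = "nvd"
        elif cve in secondary_cves:
            result[cve] = "secondary-only"   # reserved/unpublished on NVD, but tracked elsewhere
        else:
            result[cve] = "unreported"       # neither feed knows it: needs a human look
    return result


def report(package, patch_names, nvd_xml, debian_json):
    """End-to-end check for one recipe; returns {cve: source}."""
    return classify(cves_from_patches(patch_names),
                    cves_in_nvd(nvd_xml),
                    cves_in_debian(debian_json, package))


if __name__ == "__main__":
    for cve, source in report("busybox", RECIPE_PATCHES, NVD_XML, DEBIAN_JSON).items():
        print(f"{cve}: {source}")
```

The "unreported" bucket is the one worth reviewing by hand: it is where a CVE patch that the recipe already carries would otherwise vanish from the report simply because no feed has caught up with MITRE yet.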