* CVE list vs bugzilla
From: Sona Sarmadi @ 2015-05-05 14:49 UTC
To: yocto.security; +Cc: yocto, openembedded-core
Hi all,
To monitor/scan vulnerabilities (CVE), check affected packages, versions, branches, fixed versions/branches etc., we need either to file a bug in Bugzilla for each publicly disclosed CVE or to have a simple database. Today, we sometimes file a bug, but most of the time vulnerabilities just get fixed by some volunteer, and some vulnerabilities don't get fixed.
We have created a CVE list just as a test to see if this is easier to maintain and provides a better overview; please have a look at it and let us know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0
The alternative to maintaining such a list is filing a bug in Bugzilla. The question is which approach is best; here are some pros and cons:
Bugzilla:
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed
Question: can we generate a report from Bugzilla, search for CVEs and find out what CVEs have been fixed and in what branches etc?
CVE spreadsheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we could use a tool to check with NVD (https://nvd.nist.gov/) daily and update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?
Any comments?
Thanks
Sona
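The daily NVD check Sona sketches above (match a package/version inventory against the feed, append new rows to the list, leave the human decisions for triage), as an added example that is not part of the thread and not any Yocto or cve-check-tool code. It assumes a constructed inventory, a constructed feed in a simplified record shape (not the real NVD schema), placeholder CVE ids of the form CVE-0000-NNNN, and a constructed set of ids already tracked in the spreadsheet; the version comparison is a deliberately small one that understands OpenSSL-style letter suffixes.

```python
"""Added example: propose new spreadsheet rows from a simplified CVE feed.

Nothing here is a real advisory; the feed, inventory and tracked set are
constructed for the example, and the record shape is a simplification,
not the NVD JSON schema.
"""
import csv
import io
import re

# Constructed inventory: package -> version a distro release ships.
INVENTORY = {"openssl": "1.0.1m", "bash": "4.3", "zlib": "1.2.8"}

# Constructed feed records: placeholder ids, inclusive lower bound,
# exclusive upper bound; None means the bound is open.
FEED = [
    {"id": "CVE-0000-0001", "product": "openssl",
     "version_start_including": "1.0.1", "version_end_excluding": "1.0.1p"},
    {"id": "CVE-0000-0002", "product": "openssl",
     "version_start_including": "1.0.2", "version_end_excluding": "1.0.2b"},
    {"id": "CVE-0000-0003", "product": "bash",
     "version_start_including": "3.0", "version_end_excluding": "4.4"},
    {"id": "CVE-0000-0004", "product": "zlib",
     "version_start_including": "1.2.9", "version_end_excluding": None},
    {"id": "CVE-0000-0005", "product": "curl",
     "version_start_including": None, "version_end_excluding": "7.42.0"},
]

# Constructed: ids that already have a row in the spreadsheet.
TRACKED = {"CVE-0000-0001"}

FIELDS = ["cve", "package", "version", "status", "fixed_in"]


def version_key(version):
    """Split '1.0.1m' into comparable tokens: numeric parts compare as
    integers, letter suffixes (OpenSSL style) sort after the number they
    follow, so 1.0.1 < 1.0.1m < 1.0.1p. Mixed tags never compare int to str."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def is_affected(version, entry):
    """True when version falls in [start_including, end_excluding)."""
    v = version_key(version)
    lo = entry.get("version_start_including")
    hi = entry.get("version_end_excluding")
    if lo is not None and v < version_key(lo):
        return False
    if hi is not None and v >= version_key(hi):
        return False
    return True


def find_new_rows(inventory, feed, tracked_ids):
    """Rows for CVEs that hit a shipped version and are not yet tracked.
    The status and fixed_in columns stay empty: that is the human step."""
    rows = []
    for entry in feed:
        pkg = entry["product"]
        if pkg not in inventory or entry["id"] in tracked_ids:
            continue
        version = inventory[pkg]
        if is_affected(version, entry):
            rows.append({"cve": entry["id"], "package": pkg,
                         "version": version, "status": "", "fixed_in": ""})
    return sorted(rows, key=lambda r: r["cve"])


def to_csv(rows):
    """Render rows as CSV text ready to paste or import into the sheet."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(find_new_rows(INVENTORY, FEED, TRACKED)), end="")
```

Run daily, the script only ever proposes rows, so the "history, traceable who updated" property of Bugzilla is not lost entirely: whoever fills in the status and fixed_in columns is the one making the decision, and the automated part is reproducible from the feed.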
* Re: CVE list vs bugzilla
From: Sona Sarmadi @ 2015-05-05 15:11 UTC
To: yocto-security
Cc: 'yocto@yoctoproject.org',
'openembedded-core@lists.openembedded.org'
Trying with correct email address :)
Hi all,
To monitor/scan vulnerabilities (CVE), check affected packages, versions, branches, fixed versions/branches etc., we need either to file a bug in Bugzilla for each publicly disclosed CVE or to have a simple database. Today, we sometimes file a bug, but most of the time vulnerabilities just get fixed by some volunteer, and some vulnerabilities don't get fixed.
We have created a CVE list just as a test to see if this is easier to maintain and provides a better overview; please have a look at it and let us know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0
The alternative to maintaining such a list is filing a bug in Bugzilla. The question is which approach is best; here are some pros and cons:
Bugzilla:
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed
Question: can we generate a report from Bugzilla, search for CVEs and find out what CVEs have been fixed and in what branches etc?
CVE spreadsheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we could use a tool to check with NVD (https://nvd.nist.gov/) daily and update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?
Any comments?
Thanks
Sona
* Re: CVE list vs bugzilla
From: Whiteman, John L @ 2015-05-18 21:53 UTC
To: Sona Sarmadi, yocto-security
Cc: 'yocto@yoctoproject.org',
'openembedded-core@lists.openembedded.org'
Hi Sona,
Have you given any further thought about using the cve-check-tool?
https://github.com/ikeydoherty/cve-check-tool
A bugzilla plugin would need to be added but it may help here to avoid
duplication.
Best Regards,
John