* CVE list vs bugzilla
From: Sona Sarmadi @ 2015-05-05 14:49 UTC (permalink / raw)
  To: yocto.security; +Cc: yocto, openembedded-core

Hi all,

To monitor/scan vulnerabilities (CVE), check affected packages, versions, branches, fixed versions/branches etc., we need either to file a bug in Bugzilla for each publicly disclosed CVE or to have a simple database. Today, we sometimes file a bug, but most of the time vulnerabilities just get fixed by some volunteer, and some vulnerabilities don't get fixed.

We have created a CVE list just as a test to see if this is easier to maintain and provides a better overview; please have a look at this and let us know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0 

The alternative to maintaining such a list is filing a bug in Bugzilla. The question is which approach is best; here are some pros and cons:

Bugzilla: 
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed

Question: can we generate a report from Bugzilla, search for CVEs and find out what CVEs have been fixed and in what branches etc?


CVE spreadsheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we could use a tool to check with NVD (https://nvd.nist.gov/) daily and update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?

Any comments?

Thanks
Sona



* Re: CVE list vs bugzilla
From: Sona Sarmadi @ 2015-05-05 15:11 UTC (permalink / raw)
  To: yocto-security
  Cc: 'yocto@yoctoproject.org',
	'openembedded-core@lists.openembedded.org'

Trying with correct email address :) 

Hi all,

To monitor/scan vulnerabilities (CVE), check affected packages, versions, branches, fixed versions/branches etc., we need either to file a bug in Bugzilla for each publicly disclosed CVE or to have a simple database. Today, we sometimes file a bug, but most of the time vulnerabilities just get fixed by some volunteer, and some vulnerabilities don't get fixed.

We have created a CVE list just as a test to see if this is easier to maintain and provides a better overview; please have a look at this and let us know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0 

The alternative to maintaining such a list is filing a bug in Bugzilla. The question is which approach is best; here are some pros and cons:

Bugzilla: 
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed

Question: can we generate a report from Bugzilla, search for CVEs and find out what CVEs have been fixed and in what branches etc?


CVE spreadsheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we
  could use a tool to check with NVD (https://nvd.nist.gov/) daily and
  update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?

Any comments?

Thanks
Sona
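An added example (not from this thread, and not the cve-check-tool or any Yocto project code) of the daily check described above: a package manifest from a build is matched against version ranges of the kind NVD publishes, and the result is written as CSV rows that can be pasted into the tracking spreadsheet or used as the summary of a Bugzilla entry. All CVE ids, products, versions and branch names below are constructed for the example; the dotted-number version comparison is a deliberate simplification of real distro version ordering.

```python
"""Offline CVE range matcher for a build manifest (constructed example data)."""
import csv
import io
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class CveRange:
    """One affected-version range, in the style of an NVD CPE match."""
    cve: str
    product: str
    start_incl: Optional[str]  # first affected version; None = from the beginning
    end_excl: Optional[str]    # first fixed version; None = no fix known yet


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    branch: str


@dataclass(frozen=True)
class Finding:
    cve: str
    package: str
    version: str
    branch: str
    fixed_in: Optional[str]


def version_key(v: str) -> Tuple[int, ...]:
    # Numeric components only ("1.0.2a" -> (1, 0, 2)); letter suffixes are
    # ignored, which is a simplification compared with dpkg/rpm ordering.
    return tuple(int(p) for p in re.findall(r"\d+", v))


def affected(pkg: Package, rng: CveRange) -> bool:
    """True if the package version falls inside [start_incl, end_excl)."""
    if pkg.name != rng.product:
        return False
    v = version_key(pkg.version)
    if rng.start_incl is not None and v < version_key(rng.start_incl):
        return False
    if rng.end_excl is not None and v >= version_key(rng.end_excl):
        return False
    return True


def scan(manifest: List[Package], feed: List[CveRange]) -> List[Finding]:
    """Cross every package on every branch against every CVE range."""
    found = [
        Finding(rng.cve, pkg.name, pkg.version, pkg.branch, rng.end_excl)
        for pkg in manifest
        for rng in feed
        if affected(pkg, rng)
    ]
    return sorted(found, key=lambda f: (f.cve, f.branch))


def to_csv(findings: List[Finding]) -> str:
    """One row per (CVE, branch), ready to paste into a tracking sheet."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["CVE", "package", "branch", "affected version", "fixed in", "status"])
    for f in findings:
        status = "fix available" if f.fixed_in else "no fix yet"
        w.writerow([f.cve, f.package, f.branch, f.version, f.fixed_in or "", status])
    return buf.getvalue()


# Constructed sample feed and manifest: placeholder CVE ids, not real advisories.
FEED = [
    CveRange("CVE-0000-0001", "openssl", None, "1.0.2a"),
    CveRange("CVE-0000-0002", "busybox", "1.20.0", None),
    CveRange("CVE-0000-0003", "glibc", "2.20", "2.21"),
]
MANIFEST = [
    Package("openssl", "1.0.1m", "stable"),
    Package("openssl", "1.0.2a", "master"),
    Package("busybox", "1.23.1", "master"),
    Package("glibc", "2.19", "stable"),
    Package("glibc", "2.21", "master"),
]

if __name__ == "__main__":
    print(to_csv(scan(MANIFEST, FEED)))
```

Run daily against a fresh feed export, the CSV diff between two runs is exactly the "what changed" that needs a human look: a new row means a newly matching CVE, a row gaining a "fixed in" value means an upstream fix landed, and a row disappearing means the branch was updated past the fixed version.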



* Re: CVE list vs bugzilla
From: Whiteman, John L @ 2015-05-18 21:53 UTC (permalink / raw)
  To: Sona Sarmadi, yocto-security
  Cc: 'yocto@yoctoproject.org',
	'openembedded-core@lists.openembedded.org'


Hi Sona,

Have you given any further thought about using the cve-check-tool?

https://github.com/ikeydoherty/cve-check-tool

A bugzilla plugin would need to be added but it may help here to avoid
duplication.

Best Regards,

John

-----Original Message-----
From: yocto-bounces@yoctoproject.org [mailto:yocto-bounces@yoctoproject.org]
On Behalf Of Sona Sarmadi
Sent: Tuesday, May 05, 2015 8:12 AM
To: yocto-security@yoctoproject.org
Cc: 'yocto@yoctoproject.org'; 'openembedded-core@lists.openembedded.org'
Subject: Re: [yocto] CVE list vs bugzilla

Trying with correct email address :) 

Hi all,

To monitor/scan vulnerabilities (CVE), check affected packages, versions,
branches, fixed versions/branches etc., we need either to file a bug in
Bugzilla for each publicly disclosed CVE or to have a simple database.
Today, we sometimes file a bug, but most of the time vulnerabilities just get
fixed by some volunteer, and some vulnerabilities don't get fixed.

We have created a CVE list just as a test to see if this is easier to
maintain and provides a better overview; please have a look at this and let
us know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0

The alternative to maintaining such a list is filing a bug in Bugzilla. The
question is which approach is best; here are some pros and cons:

Bugzilla: 
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed

Question: can we generate a report from Bugzilla, search for CVEs and find
out what CVEs have been fixed and in what branches etc?


CVE spreadsheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we
  could use a tool to check with NVD (https://nvd.nist.gov/) daily and
  update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?

Any comments?

Thanks
Sona

