From: Jan Kiszka <jan.kiszka@siemens.com>
To: Sai.Sathujoda@toshiba-tsip.com, cip-dev@lists.cip-project.org
Cc: dinesh.kumar@toshiba-tsip.com, kazuhiro3.hayashi@toshiba.co.jp
Subject: Re: [isar-cip-core 0/3] Generate CVE-reports during a tag release
Date: Tue, 2 Jan 2024 13:32:37 +0100 [thread overview]
Message-ID: <bc11f976-b2dc-49b2-9af6-35d45f1ac71a@siemens.com> (raw)
In-Reply-To: <20231221120423.2388639-1-Sai.Sathujoda@toshiba-tsip.com>
On 21.12.23 13:04, Sai.Sathujoda@toshiba-tsip.com wrote:
> From: Sai Sathujoda <Sai.Sathujoda@toshiba-tsip.com>
>
> This series of patches enables generation of CVE-reports from a latest copy of
> dpkg-status files stored in CIP project's s3 bucket whenever a tag is released.
> This is to follow IEC 62443-4-1 SM-11 requirement where security related issues
> are addressed along with their severity prior a release.
Will that mean that users is CIP need to take Debian packages of that
day when isar-cip-core is released in order to benefit from the
(pre-)certification? Won't that get us to the point where we actually
pin packages to specific versions to make use of the argumentation?
If not and if this is only about having the processes in place, then I
wonder why this series not only ships tools but also tries to apply them
on specific dates.
Jan
>
> debian-cve-checker repository [1] is used to generate the CVE-reports from the
> dpkg-status of repsective targets.
>
> Sai Sathujoda (3):
> scripts/run-cve-checks.sh: Add script to generate CVE report
> scripts/deploy-cip-core.sh: Upload dpkg-status files to aws s3 bucket
> .gitlab-ci.yml: Add cve-checks job which runs when a tag is pushed
>
> .gitlab-ci.yml | 7 +++++++
> scripts/deploy-cip-core.sh | 12 ++++++++++++
> scripts/run-cve-checks.sh | 40 ++++++++++++++++++++++++++++++++++++++
> 3 files changed, 59 insertions(+)
> create mode 100755 scripts/run-cve-checks.sh
>
--
Siemens AG, Technology
Linux Expert Center
prev parent reply other threads:[~2024-01-02 12:32 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-21 12:04 [isar-cip-core 0/3] Generate CVE-reports during a tag release Sai.Sathujoda
2023-12-21 12:04 ` [isar-cip-core 1/3] scripts/run-cve-checks.sh: Add script to generate CVE report Sai.Sathujoda
2023-12-21 12:04 ` [isar-cip-core 2/3] scripts/deploy-cip-core.sh: Upload dpkg-status files to aws s3 bucket Sai.Sathujoda
2023-12-21 12:04 ` [isar-cip-core 3/3] .gitlab-ci.yml: Add cve-checks job which runs when a tag is pushed Sai.Sathujoda
2024-01-02 12:32 ` Jan Kiszka [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bc11f976-b2dc-49b2-9af6-35d45f1ac71a@siemens.com \
--to=jan.kiszka@siemens.com \
--cc=Sai.Sathujoda@toshiba-tsip.com \
--cc=cip-dev@lists.cip-project.org \
--cc=dinesh.kumar@toshiba-tsip.com \
--cc=kazuhiro3.hayashi@toshiba.co.jp \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.