* Drafting a fetcher for kernelcves
@ 2023-06-06 5:57 Marta Rybczynska
2023-06-07 10:31 ` Ross Burton
0 siblings, 1 reply; 2+ messages in thread
From: Marta Rybczynska @ 2023-06-06 5:57 UTC (permalink / raw)
To: Ross Burton, Richard Purdie, Yoann Congal, Geoffrey GIRY, OE-core
[-- Attachment #1: Type: text/plain, Size: 990 bytes --]
Hello all,
I'm drafting a fetcher for kernelcves (
https://github.com/nluedtke/linux_kernel_cves/) and the data conflicts in a
certain way with cve-extra-exclusions.inc. With multiple fetchers we'll
need to have a way to say which data set has priority.
For now I can see examples of two cases (in all cases we go for a specific
kernel version):
Case one:
NVD says unfixed
linux_kernel_cves says unknown
cve-extra-exclusions.inc says IGNORE
Case two:
NVD says unfixed
linux_kernel_cves says fixed
cve-extra-exclusions says IGNORE
In the first case, the solutions is IGNORE (some old CVEs), in the second
one it's PATCHED.
The questions I have: Should cve-extra-exclusions always have priority?
Should we allow the user to set priority of fetchers?
What I'm going to test is use the kernel_cves fetcher for all kernel CVEs
and NVD for all the rest. Should it be an option?
I'd like to avoid adding too many options that make cause mistakes...
Ideas? Comments?
Kind regards,
Marta
[-- Attachment #2: Type: text/html, Size: 1877 bytes --]
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: Drafting a fetcher for kernelcves
2023-06-06 5:57 Drafting a fetcher for kernelcves Marta Rybczynska
@ 2023-06-07 10:31 ` Ross Burton
0 siblings, 0 replies; 2+ messages in thread
From: Ross Burton @ 2023-06-07 10:31 UTC (permalink / raw)
To: Marta Rybczynska; +Cc: Richard Purdie, Yoann Congal, Geoffrey GIRY, OE-core
> On 6 Jun 2023, at 06:57, Marta Rybczynska <rybczynska@gmail.com> wrote:
>
> Hello all,
> I'm drafting a fetcher for kernelcves (https://github.com/nluedtke/linux_kernel_cves/) and the data conflicts in a certain way with cve-extra-exclusions.inc. With multiple fetchers we'll need to have a way to say which data set has priority.
>
> For now I can see examples of two cases (in all cases we go for a specific kernel version):
>
> Case one:
> NVD says unfixed
> linux_kernel_cves says unknown
> cve-extra-exclusions.inc says IGNORE
>
> Case two:
> NVD says unfixed
> linux_kernel_cves says fixed
> cve-extra-exclusions says IGNORE
>
> In the first case, the solutions is IGNORE (some old CVEs), in the second one it's PATCHED.
>
> The questions I have: Should cve-extra-exclusions always have priority? Should we allow the user to set priority of fetchers?
>
> What I'm going to test is use the kernel_cves fetcher for all kernel CVEs and NVD for all the rest. Should it be an option?
>
> I'd like to avoid adding too many options that make cause mistakes…
I’d suggest that the order of priority goes NVD, linux_kernel_cves, then metadata (typically cve-extra-exclusions).
With data from kernelcves being pulled in we should be able to purge most of the data in cve-extra-exclusions and only use it when we’ve backported/resolved a CVE that hasn’t been merged upstream.
Very pleased you’re working on fetching from kernelcves too, as manually maintaining the exclusions is tiresome.
Ross
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2023-06-07 10:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-06-06 5:57 Drafting a fetcher for kernelcves Marta Rybczynska
2023-06-07 10:31 ` Ross Burton
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).