Hi, On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote: > I'm missing a status to cover the situation when the NVD (or any other > database) has an incorrect entry. We have quite many of those. This might > be a temporary situation, but not always. > > SPDX (the 3.0 draft) has some other possible reasons > https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md > What looks like interesting ideas are: > * "Can't fix" / "Will not fix" > * "Not applicable" (SPDX language: Ineffective) when the code is not used > * "Invalid match" (this is our NVD mismatch case) > * "Mitigated" measures taken so that it cannot be exploited > * "Workarounded"
To me the SPDX details don't seem very usable when actually maintaining a linux distro for a long time. Anyone from major Linux distro stable/security teams participating in the work? So I'd rather compare to Debian security tracker CVE status data and ask what our LTS and master branch maintainers and those in the community who maintain yocto based SW stacks need. Do the maintainers want to read SPDX output, for example? What common statuses do the maintainers want to encode for each CVE? Debian security tracker https://security-team.debian.org/security_tracker.html shows states: * vulnerable: binary package with specified version in their distro version is vulnerable to the issue * fixed: binary package in their distro version has fixed the issue * undetermined: it is not yet clear if the issue affects Debian and their version of the packages And "vulnerable" has sub states: * ignored: the issue does not impact Debian packages * postponed: no security patch updates will be provided, e.g. such a minor issue that update will happen for example via normal package version updates to next stable version There are a lot of additional "standards" and sub states when looking at CVE data in the tracker (info not public, no upstream fix available, not supported configuration etc), but those major high level states are enough. And then there are security relevant bugs without CVEs. I've been happy with "Unpatched", "Patched" and "Ignored" states for each CVE detected by cve-check.bbclass. There could be a few more sub stated to "Ignored" and the "Patched" state should better reflect reality, which this patch set helps. But I'm happy with that. I'm not so happy with the SPDX states names and meanings. Cheers, -Mikko
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#181584): https://lists.openembedded.org/g/openembedded-core/message/181584 Mute This Topic: https://lists.openembedded.org/mt/99007092/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
