On Tue, 2024-06-25 at 14:41 +0200, Marta Rybczynska wrote:
> Applying ADP (we'll add support just after finishing the tests in
> progress now) requires modifying JSONs for each affected entry. The
> only ADP today is CISA and their entries have been merged in the
> cvelistV5 repo. For us becoming an ADP would likely take time. Adding
> ADP clauses separately requires you to modify the entry, so you need
> to keep it somewhere. I see two options: either fork and modify, or
> copy separate files and modify in place. I didn't go for the second
> solution, because entries do actually change, and copies would likely
> mean more work (for example, they have recently converted all entries
> automatically to the 5.1 schema). For now, the rebase is actually
> working well (had a few issues after the 5.1 update but that was my
> fault).

I think we should maintain a separate ADP json file even if we're not
an official ADP (we can consider that later if appropriate). One trick
we could use is to checksum the data in the original, then inform the
user we need to update the ADP entry if that original data checksum for
the parent entry changes?

I prefer the ADP since it makes it clear which data we're
supplementing. I'm hoping there is only minimal data we need to copy
into our supplement, which should make it clear which data we're
tweaking.

> What I haven't done yet is submitting fixes for old entries - the
> number of affected CNAs is quite small so maybe we can lower the
> backlog quite rapidly.

That sounds promising!

> BTW, the CISA extension adds a notion of the exploitability of the
> vulnerability - this is additional information we can report. An
> unfixed CVE that is exploited vs. not exploited, this is a different
> class of useful information.

Yes, although I would like to get the basics working before we get to
that!

Cheers,

Richard
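One way to realise the checksum trick from Richard's reply, as an added example (this is not code from the OE-core project or from anyone on the thread): keep our ADP container in a separate file together with a digest of the upstream `cna` container it supplements, and refuse to apply the supplement once the rebase has changed that container. The record layout follows the public CVE 5.x JSON shape (`cveMetadata`, `containers.cna`, `containers.adp`); the supplement field names `cveId`, `cnaDigest` and `adp`, the CVE id, the org ids and the version data are constructed placeholders.

```python
"""Out-of-tree ADP supplement for a CVE 5.x JSON record, with a digest
of the upstream CNA data so we notice when that data changes.

Added example, not project code. All ids and version data below are
constructed placeholders."""
import copy
import hashlib
import json


def canonical_digest(obj):
    """SHA-256 over canonical JSON (sorted keys, no whitespace), so an
    upstream reformat or key reorder does not count as a data change."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_supplement(record, adp_container):
    """The separate ADP file: our container plus the digest of the
    upstream 'cna' container it was written against."""
    return {
        "cveId": record["cveMetadata"]["cveId"],
        "cnaDigest": canonical_digest(record["containers"]["cna"]),
        "adp": adp_container,
    }


def supplement_status(record, supplement):
    """'current' if the upstream cna container still matches the stored
    digest, otherwise 'stale' (someone has to re-check the supplement)."""
    if supplement["cveId"] != record["cveMetadata"]["cveId"]:
        raise ValueError("supplement does not belong to this record")
    digest = canonical_digest(record["containers"]["cna"])
    return "current" if digest == supplement["cnaDigest"] else "stale"


def apply_supplement(record, supplement):
    """Return a copy of the record with our ADP container appended.
    Refuses a stale supplement rather than silently re-applying it."""
    if supplement_status(record, supplement) != "current":
        raise RuntimeError(
            f"{supplement['cveId']}: upstream CNA data changed; "
            "re-check the ADP supplement before applying it")
    merged = copy.deepcopy(record)
    merged["containers"].setdefault("adp", []).append(supplement["adp"])
    return merged


# Constructed upstream record in cvelistV5 layout (placeholder values).
UPSTREAM = {
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {"cveId": "CVE-0000-00001", "state": "PUBLISHED"},
    "containers": {
        "cna": {
            "providerMetadata": {"orgId": "00000000-0000-0000-0000-0000000000c1",
                                 "shortName": "example-cna"},
            "affected": [{"vendor": "example", "product": "examplelib",
                          "versions": [{"version": "1.0", "status": "affected"}]}],
            "descriptions": [{"lang": "en", "value": "Constructed description."}],
        }
    },
}

# Our constructed ADP container: the version range the CNA entry lacks.
OUR_ADP = {
    "providerMetadata": {"orgId": "00000000-0000-0000-0000-0000000000ad",
                         "shortName": "example-adp"},
    "affected": [{"vendor": "example", "product": "examplelib",
                  "versions": [{"version": "1.0", "status": "affected",
                                "lessThan": "1.1", "versionType": "semver"}]}],
}


def demo():
    """Write the supplement, apply it, then simulate an upstream rebase
    that touches the CNA's affected data and show it is flagged."""
    supplement = build_supplement(UPSTREAM, OUR_ADP)
    before = supplement_status(UPSTREAM, supplement)
    merged = apply_supplement(UPSTREAM, supplement)

    changed = copy.deepcopy(UPSTREAM)
    changed["containers"]["cna"]["affected"][0]["versions"].append(
        {"version": "1.1", "status": "affected"})
    after = supplement_status(changed, supplement)
    try:
        apply_supplement(changed, supplement)
        refused = False
    except RuntimeError:
        refused = True
    return {"before": before, "after": after,
            "adp_count": len(merged["containers"]["adp"]),
            "stale_refused": refused}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Digesting only the `cna` container (rather than the whole file) means that other ADPs' containers or `cveMetadata.dateUpdated` changing upstream do not force a re-review; if the supplement only overrides a subset of the CNA data, the same digest could be narrowed to just those fields.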
View/Reply Online (#201135): https://lists.openembedded.org/g/openembedded-core/message/201135