On Wed, Jul 10, 2024 at 5:50 AM Richard Purdie via
lists.openembedded.org
<richard.purdie=linuxfoundation....@lists.openembedded.org> wrote:
>
> Hi,
>
> On Thu, 2024-07-04 at 11:02 +0200, Jacoba Brandner via lists.openembedded.org 
> wrote:
> > This email contains a review of the remaining CVEs from the status
> > list: https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-
> > oe/cve-status-master.txt
> > This work is done as part of "Milestones 3, 4, 5 and 6. Triage CVEs"
> > as stated in the Scope of Work with Sovereign Tech Fund (STF)
> > (https://www.sovereigntechfund.de/).
> >
> > The reports are saved as HTML files here:
> > - Milestone 3: https://clients.neighbourhood.ie/yocto/81-120.html
> > - Milestone 4: https://clients.neighbourhood.ie/yocto/121-160.html
> > - Milestone 5: https://clients.neighbourhood.ie/yocto/161-200.html
> > - Milestone 6: https://clients.neighbourhood.ie/yocto/201-221.html
> >
> > The reports contain a review of the CVEs including the following:
> > - Package versions affected
> > - Current package version on 'meta-openembedded'
> > - Notes on how the CVE can be addressed
> >
> > Please note that for the CVEs marked as 'invalid', separate patch
> > status updates have been sent to this mailing-
> > list: openembedded-devel@lists.openembedded.org.
> >
> > The collection of all emails we've sent to NIST are saved
> > here https://clients.neighbourhood.ie/yocto/NIST.html
> >
> > We can also provide this in any other format that might be convenient
> > for you. Please let us know.
>
> I had a look into this. Firstly, I wanted to say a huge thanks for
> working through this, you're doing a great job! Getting the status of
> CVEs sorted out, particularly the older ones makes a huge difference to
> the clarity of the security situation of our codebase.
>
> We can see the status of our codebase here:
>
> https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/
>
> You can see we've gone from around 271 CVEs at the start to having 136
> currently listed.
>
> When I looked at the list of open CVEs, a few did catch my eye,
> particularly the 24 still open against imagemagick.

This is pretty cool. Next in line is yasm with 20, and I think if we
upgrade to latest master then most of the CVEs will be gone. I will take
a look into it (time permits). I implore our community to also review
and provide feedback and/or patches.

Btw, the color coding for master and dunfell is the same, or at least it
looks like that to my eye; maybe we should just drop dunfell from the
graphs now that it's EOL.

>
> I can see many were already excluded in the recipe, based upon the CPE
> needing an update and I appreciate you've sent emails to get the NVD
> entry tweaked:
>
> https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb
>
> In your report for milestone 4, I see CVE-2014-9822 has a CPE sent for
> it:
>
> https://clients.neighbourhood.ie/yocto/121-160.html
>
> but it is listed as being an open issue in the metadata. Was there a
> reason we don't have the CVE_STATUS[CVE-2014-9822] set in the recipe?
>
> There are a few others that are probably in a similar state to this.
>
> I suspect there are a few details we need to tweak just to fully ensure
> the reports reflect all the good work you've done?
>
> Thanks again for the work though, there is some really great data here,
> I just want to ensure our metrics fully reflect it.
>
> Cheers,
>
> Richard
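The recipe-side fix Richard is asking about is a CVE_STATUS entry in the BitBake recipe: without it, cve-check keeps reporting the CVE as open even after NVD has been asked to correct the CPE. The fragment below is an added illustration, not a line taken from the imagemagick recipe in meta-openembedded; the CVE identifier is the one named in the thread, the "cpe-incorrect" keyword is one of the status values cve-check recognises, and the justification text and the group name CVE_STATUS_OLD_VERSIONS are assumptions chosen for the example.

```bitbake
# Added example (not from the imagemagick recipe). Form 1: one entry per CVE.
# Syntax is CVE_STATUS[<CVE id>] = "<status keyword>: <free-text reason>".
# cve-check treats "cpe-incorrect" as a known status and drops the CVE from
# the open list; the reason text is carried into the generated report.
CVE_STATUS[CVE-2014-9822] = "cpe-incorrect: affects an older ImageMagick release line than the one packaged here; NVD asked to correct the CPE range"

# Form 2: when several CVEs share the same justification, list them once in a
# group. The group name CVE_STATUS_OLD_VERSIONS is an assumed name for this
# example; the ids other than CVE-2014-9822 are placeholders, not real entries.
CVE_STATUS_GROUPS += "CVE_STATUS_OLD_VERSIONS"
CVE_STATUS_OLD_VERSIONS = "CVE-2014-9822"
CVE_STATUS_OLD_VERSIONS[status] = "cpe-incorrect: affects an older ImageMagick release line than the one packaged here; NVD asked to correct the CPE range"
```

To confirm the entry actually reached the recipe's datastore (for example after a bbappend or a group definition), `bitbake -e imagemagick | grep '^CVE_STATUS\[CVE-2014-9822\]'` should print the expanded flag; if it prints nothing, the CVE will still show as open in the status list regardless of what was sent to NVD.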
View/Reply Online (#111311): 
https://lists.openembedded.org/g/openembedded-devel/message/111311