Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
2023-05-23
Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Hello Richard and Andrej,

Recently, I have observed that the OpenEmbedded team is going beyond the "patched" status for CVEs. This change is required and helps to capture additional status. We can identify and define the reason for a whitelisted CVE or a CVE that is not "patched". Customers can get this reason and identify whether their product is vulnerable to a specific vulnerability or not.

VEX is the standard tool used by many customers to check the vulnerability of a product. I suggest we adopt the VEX standard instead of "Ignored" or "Not applicable":

○ NOT AFFECTED – No remediation is required regarding this vulnerability.
○ AFFECTED – Actions are recommended to remediate or address this vulnerability.
○ FIXED – These product versions contain a fix for the vulnerability.
○ UNDER INVESTIGATION – It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.

The four main categories of the VEX standard cover all possible cases, which is required to consider all potential cases. We can expand cve-check to validate against the main VEX standard, and we can use the sub-status information as a possible reason for reference.

Please find below reference information on how VEX and SBOM can work together:
https://www.rezilion.com/guides/vulnerability-exploitability-exchange-vex-a-guide/

More information on VEX standards and use cases:
https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf

Thanks,
Sanjay

-----Original Message-----
From: openembedded-core@lists.openembedded.org On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Friday, May 19, 2023 6:49 PM
To: openembedded-core@lists.openembedded.org; michael.opdenac...@bootlin.com
Cc: Marko, Peter
Subject: Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs

Hello Michael,

I wanted to use "CVE_STATUS_REASON", but it was advised here https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So I was thinking that it has to be correct.

Regards,
Andrej

On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
>
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING]
> > to be more flexible. CVE_STATUS should contain a flag for each CVE
> > with accepted values "Ignored", "Not applicable" or "Patched". It
> > allows adding a status for each CVE.
> > - Optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added in the csv/json report
> > as a new "reason" entry.
>
> I'm not a native English speaker, but what about just
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
>
> "Reasoning" is a mental process if I understand correctly. See
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
> It seems to me that the term "reason" should be sufficient, as the
> "reason" flag that you're using.
>
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
>
> Michael.

Links: You receive all messages sent to this group.
View/Reply Online (#181636): https://lists.openembedded.org/g/openembedded-core/message/181636
Mute This Topic: https://lists.openembedded.org/mt/99008417/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com]
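An added illustration, not OE-core's cve-check code and not from any of the posters above, of the scheme Andrej's patch description lays out (a CVE_STATUS flag per CVE with an optional CVE_STATUS_REASONING flag reported as a "reason" entry) together with the VEX categories Sanjay proposes. The minimal varflag parser, the CVE-0000-* placeholder ids and the status-to-VEX mapping are assumptions made for this example.

```python
# Added example, not OE-core's cve-check code: models the proposed CVE_STATUS /
# CVE_STATUS_REASONING varflags and maps each status onto a VEX category.
# The parser, the placeholder CVE ids and the VEX mapping are constructed here.
import json

ACCEPTED_STATUS = ("Patched", "Not applicable", "Ignored")

# Assumed mapping from the proposed statuses to the four VEX categories.
VEX_FOR_STATUS = {"Patched": "FIXED", "Not applicable": "NOT AFFECTED",
                  "Ignored": "NOT AFFECTED", "Unpatched": "AFFECTED"}

def parse_varflags(recipe_text):
    """Parse lines like  VAR[flag] = "value"  into {var: {flag: value}}."""
    flags = {}
    for line in recipe_text.splitlines():
        if "[" not in line or "=" not in line:
            continue
        lhs, rhs = line.split("=", 1)
        var, flag = lhs.strip().rstrip("]").split("[", 1)
        flags.setdefault(var, {})[flag] = rhs.strip().strip('"')
    return flags

def build_report(flags, detected_cves):
    """One entry per CVE in the shape the patch describes (status plus the
    optional "reason"), with an added VEX column. A CVE the recipe says
    nothing about is reported as Unpatched / AFFECTED."""
    statuses = flags.get("CVE_STATUS", {})
    reasons = flags.get("CVE_STATUS_REASONING", {})
    entries = []
    for cve in detected_cves:
        status = statuses.get(cve, "Unpatched")
        if status not in ACCEPTED_STATUS + ("Unpatched",):
            raise ValueError(f"{cve}: unknown CVE_STATUS value {status!r}")
        entries.append({"id": cve, "status": status,
                        "reason": reasons.get(cve, ""),
                        "vex": VEX_FOR_STATUS[status]})
    return entries

# Constructed recipe fragment; CVE-0000-* are placeholders, not real CVEs.
SAMPLE_RECIPE = '''
CVE_STATUS[CVE-0000-0001] = "Patched"
CVE_STATUS_REASONING[CVE-0000-0001] = "fix backported from upstream"
CVE_STATUS[CVE-0000-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-0000-0002] = "affected component is not built"
'''

if __name__ == "__main__":
    report = build_report(parse_varflags(SAMPLE_RECIPE),
                          ["CVE-0000-0001", "CVE-0000-0002", "CVE-0000-0003"])
    print(json.dumps(report, indent=2))
```

A status value outside the accepted set is rejected rather than silently reported, which is the check a reviewer would want before the "reason" ever reaches a customer-facing report.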
Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
Hello Michael,

I wanted to use "CVE_STATUS_REASON", but it was advised here https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So I was thinking that it has to be correct.

Regards,
Andrej

On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
>
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> > more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> > values "Ignored", "Not applicable" or "Patched". It allows adding
> > a status for each CVE.
> > - Optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added in the csv/json report as
> > a new "reason" entry.
>
> I'm not a native English speaker, but what about just
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
>
> "Reasoning" is a mental process if I understand correctly. See
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
> It seems to me that the term "reason" should be sufficient, as the
> "reason" flag that you're using.
>
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
>
> Michael.

View/Reply Online (#181551): https://lists.openembedded.org/g/openembedded-core/message/181551
Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
Hi Andrej,

On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows adding
> a status for each CVE.
> - Optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added in the csv/json report as
> a new "reason" entry.

I'm not a native English speaker, but what about just "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?

"Reasoning" is a mental process if I understand correctly. See https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm. It seems to me that the term "reason" should be sufficient, as the "reason" flag that you're using.

I'd be interested in what others think about this...

Thanks in advance
Cheers

Michael.

--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

View/Reply Online (#181549): https://lists.openembedded.org/g/openembedded-core/message/181549
Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
Hi,

Looks good to me now. Thanks a lot!

Acked-by: Mikko Rapeli

Cheers,
-Mikko

View/Reply Online (#181540): https://lists.openembedded.org/g/openembedded-core/message/181540