Re: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
Hello Andrej,

On Tue, 20 Jun 2023 16:15:56 +0200 "Andrej Valek via lists.openembedded.org" wrote:

^^^ As you can see, your sender address has been mangled, and as a result the patch is rejected by the openembedded git server. This is not your fault, but we need you to modify your git configuration to prevent this from happening in the future. Have a look at the wiki for more info and how to solve that:

https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity

I'm taking your patch for testing on the autobuilders, fixing it manually, so you don't need to resend your patch this time.

Best regards,
Luca

--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
Re: [OE-core] [PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
Hi Sanjay,

I feel that the proposal by Andrej is a simpler one and makes me more inclined towards using it as compared to going to VEX status. I do agree that VEX is something which can be mapped, but at the end of the day it's always "the simpler the better" and easy to maintain. Definitely, as mentioned by Richard, there would be a bit of copy/paste going forward, but it will be easier to maintain and understand rather than leaving confusing trails at some points down the line. Two statuses having one similar adoption can also add to confusion going forward.

The proposal by Andrej is in line with https://lists.openembedded.org/g/openembedded-core/message/182855 and is better suited to avoid confusion.

Cheers,
Siddharth
Re: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
2023-06-20
Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) via lists.openembedded.org
Dear Richard and Adrian,

I appreciate the efforts of Andrej and Peter; you have done a great job improving the CVE-specific security area.

As I mentioned, the information and importance of VEX status for future use cases: https://patchwork.yoctoproject.org/project/oe-core/patch/20230519081850.82586-1-andrej.va...@siemens.com/#10797

I can see community members are also in favour of VEX: https://patchwork.yoctoproject.org/project/oe-core/patch/20230519062420.37015-1-andrej.va...@siemens.com/#11120

We can start looking in that direction, because to adopt the initial VEX template we only require minor modifications to Andrej's development.

In the current implementation we have three main categories of status: "Patched", "Ignored" and "Unpatched". On top of these we want to add comment information, which can be added in JSON format to process further.

VEX has four main categories: Fixed, Not Affected, Affected and Under Investigation. Richard has rightly mentioned that we don't require the Affected status, as those CVEs would be fixed in the near future once a fix is available in the source of the specific package.

We can map our existing status to VEX status as below.

Existing Status | VEX adoption
----------------|--------------------
Patched         | Fixed
Ignore          | Not Affected
Not required    | Not Affected
Unpatched       | Under Investigation

Fixed and Under Investigation don't require any sub-status, as their status is sufficient to explain their case. To get more information on the possible sub-statuses of the Not Affected status, we can follow the reference document below:

https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf : 2.0 Status Justifications Overview

This document covers all the possible cases which are already discussed or may come up in future development.

Thank you, Richard, for considering my request. I would appreciate comments from you and the community on the adoption of VEX.
Thanks,
Sanjay Chitroda

-----Original Message-----
From: openembedded-core@lists.openembedded.org On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Tuesday, June 20, 2023 7:46 PM
To: openembedded-core@lists.openembedded.org
Cc: Andrej Valek ; Peter Marko
Subject: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.

The CVE_STATUS should contain information about the status, which is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek
Signed-off-by: Peter Marko
---
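The following is an added example, not code from the cve-check class or from either patch author: it decodes a recipe line in the `CVE_STATUS[...] = "<detailed-status>: <description>"` form quoted in the patch description above into the three items the patch names, resolves the generic status through `CVE_CHECK_STATUSMAP`, and then applies Sanjay's existing-status to VEX table from the message above. The map contents, the `backport` entry and the choice to reject an unmapped detailed status are assumptions made here, not behaviour the patch specifies.

```python
import re

# Constructed CVE_CHECK_STATUSMAP: the two entries from the patch description
# plus a hypothetical "backport" entry; not the real class defaults.
CVE_CHECK_STATUSMAP = {
    "not-applicable-platform": "Ignored",
    "fixed-version": "Patched",
    "backport": "Patched",  # hypothetical detailed status, assumption
}

# Existing generic status -> VEX status, as proposed in the thread.
VEX_MAP = {
    "Patched": "Fixed",
    "Ignored": "Not Affected",
    "Unpatched": "Under Investigation",
}

# One recipe assignment line: CVE_STATUS[CVE-YYYY-NNNN] = "detailed: description"
_ENTRY = re.compile(r'^CVE_STATUS\[(CVE-\d{4}-\d{4,})\]\s*=\s*"([^"]*)"\s*$')


def parse_cve_status(line, statusmap=CVE_CHECK_STATUSMAP):
    """Return (cve_id, generic, detailed, description, vex) for one line.

    Raises ValueError for a malformed line or for a detailed status that is
    missing from the map. Treating an unmapped enum as an error is an
    assumption of this example; the patch text does not say what the class
    does in that case.
    """
    m = _ENTRY.match(line.strip())
    if not m:
        raise ValueError(f"not a CVE_STATUS assignment: {line!r}")
    cve_id, value = m.groups()
    detailed, sep, description = value.partition(":")
    detailed = detailed.strip()
    description = description.strip() if sep else ""
    if detailed not in statusmap:
        raise ValueError(f"{cve_id}: unknown detailed status {detailed!r}")
    generic = statusmap[detailed]
    return cve_id, generic, detailed, description, VEX_MAP[generic]


if __name__ == "__main__":
    # The two usage examples from the patch description.
    for l in ('CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"',
              'CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"'):
        print(parse_cve_status(l))
```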