Hello Yocto community, we must provide an SBOM for our Yocto-based product which will then be used for (internal) CVE scanning by the security department. Generating the base document in CycloneDX format is fairly easy (thanks to the nature of Yocto).

But we do not know how to include information about CVE patches for each package in the document. Not providing these will cause a lot of "false" feedback on CVEs for specific versions which are already patched (but the version number did not change). This problem was also mentioned a few days ago in the presentation from David Reyna: https://youtu.be/PegU1G1bA80?t=1127. I like the proposed solution of adding a vendor-specific string to the package version. But I'm still wondering: how would the CVE scanner vendor know which CVEs are included in a Yocto-specific version and which are not?

I hope this is the correct place to start a discussion (if not, please point me to the correct place): Does anyone else also have the same problem with false feedback from CVE scanners? How do you deal with it?

Best regards,
Fabian Hanke

----------------------------------
Bosch Rexroth AG
Registered Office: Stuttgart, Registration Court: Amtsgericht Stuttgart HRB 23192
Executive Board: Dr. Steffen Haack (President), Roland Bittenauer, Thomas Fechner, Holger von Hebel, Reinhard Schäfer
Chairman of the Supervisory Board: Dr. Markus Forschner
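Independent of the vendor-specific version string, CycloneDX itself has fields for exactly the information the post asks about: a component's `pedigree.patches` entries can declare `resolves` items of type `security` carrying a CVE id, and the top-level `vulnerabilities` array accepts a per-finding `analysis.state` (`resolved_with_pedigree`, `not_affected`, `in_triage`, ...) tied to a component `bom-ref`. The script below is an added example, not code from the original post or from the Yocto project: it merges a cve-check-style per-package summary into a CycloneDX 1.4 BOM. Both inputs are constructed inline; the summary layout is modelled on Yocto's `cve-summary.json` (`package[].issue[].id/status`) but that shape is an assumption to check against the file your build actually produces, and the CVE ids are placeholders.

```python
"""Merge Yocto cve-check results into a CycloneDX SBOM (added example)."""
import json
from copy import deepcopy

NVD_URL = "https://nvd.nist.gov/vuln/detail/"

# cve-check status -> CycloneDX 1.4 vulnerability analysis state.
# "Patched" becomes resolved_with_pedigree because the patch is also recorded
# in the component's pedigree; "Ignored" maps to not_affected; anything the
# build has not patched is left for the security team to triage.
STATUS_TO_STATE = {
    "Patched": "resolved_with_pedigree",
    "Ignored": "not_affected",
    "Unpatched": "in_triage",
}

# Constructed sample: a minimal CycloneDX 1.4 BOM with two components whose
# version strings do not change when security patches are backported.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.2.11",
         "name": "zlib", "version": "1.2.11", "purl": "pkg:generic/zlib@1.2.11"},
        {"type": "application", "bom-ref": "pkg:generic/busybox@1.35.0",
         "name": "busybox", "version": "1.35.0", "purl": "pkg:generic/busybox@1.35.0"},
    ],
}

# Constructed sample modelled on the per-package layout of Yocto's cve-check
# JSON summary (an assumption); the CVE ids are placeholders, not real advisories.
SAMPLE_CVE_SUMMARY = {
    "version": "1",
    "package": [
        {"name": "zlib", "version": "1.2.11", "issue": [
            {"id": "CVE-0000-0001", "status": "Patched", "summary": "constructed"},
            {"id": "CVE-0000-0002", "status": "Unpatched", "summary": "constructed"},
            {"id": "CVE-0000-0003", "status": "Ignored", "summary": "constructed"},
        ]},
        {"name": "busybox", "version": "1.35.0", "issue": [
            {"id": "CVE-0000-0004", "status": "Patched", "summary": "constructed"},
        ]},
    ],
}


def index_components(bom):
    """Map (name, version) to the component dict so findings can be attached."""
    return {(c["name"], c["version"]): c for c in bom.get("components", [])}


def annotate_bom(bom, cve_summary):
    """Return a copy of `bom` carrying patch pedigree and analysis states.

    Every cve-check finding becomes a `vulnerabilities` entry pointing at the
    component by bom-ref. Patched CVEs are additionally listed under the
    component's `pedigree.patches` as security backports, which is how
    CycloneDX expresses "same upstream version, but this fix is applied".
    """
    bom = deepcopy(bom)
    components = index_components(bom)
    vulns = bom.setdefault("vulnerabilities", [])
    for pkg in cve_summary.get("package", []):
        comp = components.get((pkg["name"], pkg["version"]))
        if comp is None:
            continue  # finding for a package that is not in this image
        patches = []
        for issue in pkg.get("issue", []):
            cve_id, status = issue["id"], issue["status"]
            if status == "Patched":
                patches.append({
                    "type": "backport",
                    "resolves": [{"type": "security", "id": cve_id,
                                  "source": {"name": "NVD", "url": NVD_URL + cve_id}}],
                })
            vulns.append({
                "id": cve_id,
                "source": {"name": "NVD", "url": NVD_URL + cve_id},
                "affects": [{"ref": comp["bom-ref"]}],
                "analysis": {
                    "state": STATUS_TO_STATE.get(status, "in_triage"),
                    "detail": f"Yocto cve-check status: {status}",
                },
            })
        if patches:
            comp.setdefault("pedigree", {}).setdefault("patches", []).extend(patches)
    return bom


def states_by_cve(bom):
    """Summarise the analysis state per CVE, e.g. for a quick review."""
    return {v["id"]: v["analysis"]["state"] for v in bom.get("vulnerabilities", [])}


if __name__ == "__main__":
    annotated = annotate_bom(SAMPLE_BOM, SAMPLE_CVE_SUMMARY)
    print(json.dumps(annotated, indent=2))
```

Scanners that honour CycloneDX analysis states (the same fields CycloneDX uses for VEX) can then suppress the `resolved_with_pedigree` and `not_affected` findings while still surfacing `in_triage` ones, so the suppression is driven by build evidence rather than by a version string the scanner cannot interpret. If your cve-check output uses different key names, adjust the `pkg["issue"]` loop; the CycloneDX side of the mapping stays the same.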
View/Reply Online (#62031): https://lists.yoctoproject.org/g/yocto/message/62031