Re: [yocto] cve-checker tool

2016-12-07 Thread Burton, Ross
On 7 December 2016 at 14:58, Mariano Lopez wrote: > > Those CVEs which are listed in the nvd.xml file under > "cpe:/a:haxx:libcurl: are not detected and reported by cve-check tool. > > In the case of libcurl, it is build using the curl recipe, and currently >

Re: [yocto] cve-checker tool

2016-12-07 Thread Burton, Ross
On 7 December 2016 at 14:58, Mariano Lopez wrote: > > We have more recipes which have CVE patches but they are not reported. > > I have analyzed these; some of these CVEs are still marked as reserved > on Mitre and are not present in the nvd.xml files (although

Re: [yocto] cve-checker tool

2016-12-07 Thread Mariano Lopez
On 06/12/16 08:41, Sona Sarmadi wrote: > Another question: > > We don't have recipes for libcurl, I guess both curl and libcurl CVEs are > patched in the curl recipes, right? > I think curl uses libcurl, and libcurl is built when building curl. > > Those CVEs which are listed in the nvd.xml

Re: [yocto] cve-checker tool

2016-12-06 Thread Sona Sarmadi
ected and reported by cve-check tool. //Sona -Original Message- From: Sona Sarmadi Sent: den 6 december 2016 15:28 To: Mariano Lopez <mariano.lo...@linux.intel.com>; mariano.lo...@intel.com; yocto@yoctoproject.org Subject: RE: [yocto] cve-checker tool Hi Mariano, all, > If ther

Re: [yocto] cve-checker tool

2016-12-06 Thread Sona Sarmadi
Hi Mariano, all, > If there is a version affected by a CVE it will look for a patch that solves > that particular CVE using the metadata in the patch format. > For example, the current bind version is affected by CVE-2016-1285, but > there is a patch for that, so the cve-check class will find

Re: [yocto] cve-checker tool

2016-10-28 Thread Patrick Ohly
On Fri, 2016-10-28 at 09:28 -0500, Mariano Lopez wrote: > > On 10/27/2016 06:03 AM, Sona Sarmadi wrote: > >> Can this tool be used together with "meta-security-isafw" and get a fancy > >> report? > > When I was working on this it was the transition to python3 so, > meta-security-isafw didn't

Re: [yocto] cve-checker tool

2016-10-28 Thread Mariano Lopez
On 10/27/2016 06:03 AM, Sona Sarmadi wrote: -Original Message- From: Sona Sarmadi Sent: den 27 oktober 2016 10:57 To: Scott Rifenbark ; 'mariano.lo...@intel.com' ; yocto@yoctoproject.org Subject: cve-checker tool Hi guys, I have some

Re: [yocto] cve-checker tool

2016-10-28 Thread Sona Sarmadi
> > ./bzip2/1.0.6-r5/cve/cve.log > > ./libxml2/2.9.4-r0/cve/cve.log > > ./perl/5.22.1-r0/cve/cve.log > > ./expat/2.2.0-r0/cve/cve.log > > ./flex/2.6.0-r0/cve/cve.log > > perhaps you can add this info to "How Do I” > section in wiki here https://wiki.yoctoproject.org/wiki/How_do_I Good idea,

Re: [yocto] cve-checker tool

2016-10-27 Thread Khem Raj
> On Oct 27, 2016, at 4:03 AM, Sona Sarmadi wrote: > > > >> -Original Message- >> From: Sona Sarmadi >> Sent: den 27 oktober 2016 10:57 >> To: Scott Rifenbark ; 'mariano.lo...@intel.com' >> ; yocto@yoctoproject.org

Re: [yocto] cve-checker tool

2016-10-27 Thread Sona Sarmadi
> -Original Message- > From: Sona Sarmadi > Sent: den 27 oktober 2016 10:57 > To: Scott Rifenbark ; 'mariano.lo...@intel.com' > ; yocto@yoctoproject.org > Subject: cve-checker tool > > Hi guys, > > I have some questions regarding cve-check

[yocto] cve-checker tool

2016-10-27 Thread Sona Sarmadi
Hi guys, I have some questions regarding the cve-check tool. I don't find anything about this tool in the Yocto 2.2 release; does the documentation mention this tool and how to use it? Is this tool planned to be integrated with the daily build so the Yocto project can detect not addressed CVEs