Hi Arnout,
On 5.02.2025 12:19, Arnout Engelen wrote:
> On Wed, Feb 5, 2025 at 9:41 AM Piotr P. Karwasz <[email protected]> wrote:
>> if something happens to a transitive dependency, but all our direct
>> dependencies publish a "not affected" VEX statement, we can skip the
>> upgrade
> Possibly (or perhaps doing the update but not rushing a release)

Sure, in ecosystems where the latest release is not chosen
automatically, we should always try to use the latest versions.

>> and publish a "not_affected" VEX statement ourselves.
> In this case, shouldn't downstream projects consume that upstream VEX
> themselves? I'm not sure we should repeat that information.

Publishing a "not_affected" VEX statement would show that we did analyze
the CVE and that the VEX file is maintained.

>> If a direct dependency publishes an "exploitable" VEX statement and a nice
>> description of the conditions under which the bug can be triggered, we
>> can still check if we meet those conditions in our own code. We won't
>> have to analyze the code of our dependencies! Maybe we are not affected
>> and we can just publish a VEX statement that says so.
> This would be interesting. It would also be nice to be able to accept such
> statements/descriptions as contributions.

The CRA mandates manufacturers to supply patches upstream; I wonder if
this could be extended to VEX-es.

Piotr
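The decision discussed above (skip the upgrade when every direct dependency that pulls in the vulnerable transitive has published a justified "not_affected" statement, otherwise keep analysing and say so), worked through as an added example. This is not code from the thread or from the Logging project. It uses the OpenVEX statement layout (status, justification, impact_statement, action_statement, status_notes, products with subcomponents); OpenVEX's term for the thread's "exploitable" is "affected". The package URLs, versions, the CVE id and the upstream statements are constructed placeholders, not real artifacts or advisories.

```python
import json
from datetime import datetime, timezone

OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
VALID_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# OpenVEX requires one of these on a not_affected statement.
NOT_AFFECTED_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed sample data: placeholder package URLs and a placeholder CVE id.
OUR_PRODUCT = "pkg:maven/org.example/our-app@2.0.0"
VULNERABLE_PKG = "pkg:maven/org.example/transitive-lib@4.5.6"
CVE = "CVE-0000-0000"
DIRECT_A = "pkg:maven/org.example/direct-a@1.2.3"
DIRECT_B = "pkg:maven/org.example/direct-b@7.8.9"
DIRECT_C = "pkg:maven/org.example/direct-c@0.1.0"
# Direct dependency -> transitive packages it pulls in (assumed, e.g. from an SBOM).
DEPENDENCY_GRAPH = {DIRECT_A: {VULNERABLE_PKG}, DIRECT_B: {VULNERABLE_PKG}, DIRECT_C: set()}


def openvex(author, statements):
    """Minimal OpenVEX document envelope around `statements`."""
    return {"@context": OPENVEX_CONTEXT, "@id": f"https://vex.example/{author}/1",
            "author": author, "timestamp": datetime.now(timezone.utc).isoformat(),
            "version": 1, "statements": statements}


def statement(product, subcomponent, status, **extra):
    """One OpenVEX statement about `product`, optionally scoped to a vulnerable subcomponent."""
    prod = {"@id": product}
    if subcomponent:
        prod["subcomponents"] = [{"@id": subcomponent}]
    return {"vulnerability": {"name": CVE}, "products": [prod], "status": status, **extra}


# What the two affected direct dependencies might publish (constructed).
UPSTREAM_VEX = {
    DIRECT_A: openvex("direct-a", [statement(
        DIRECT_A, VULNERABLE_PKG, "not_affected",
        justification="vulnerable_code_not_in_execute_path",
        impact_statement="direct-a never invokes the vulnerable parser of transitive-lib.")]),
    DIRECT_B: openvex("direct-b", [statement(
        DIRECT_B, VULNERABLE_PKG, "affected",
        action_statement="Exploitable only when untrusted input reaches direct-b's parse().")]),
}


def find_statement(vex, cve, product, subcomponent):
    """Statement in `vex` covering (cve, product, subcomponent), or None.
    A product entry that lists no subcomponents is taken to cover all of them."""
    for st in vex.get("statements", []):
        if st.get("vulnerability", {}).get("name") != cve:
            continue
        for prod in st.get("products", []):
            if prod.get("@id") != product:
                continue
            subs = {s.get("@id") for s in prod.get("subcomponents", [])}
            if not subs or subcomponent in subs:
                return st
    return None


def upstream_verdicts(cve, vulnerable_pkg, graph, vex_by_dep):
    """For each direct dependency that pulls in `vulnerable_pkg`: (status, explanation)."""
    verdicts = {}
    for direct, transitives in graph.items():
        if vulnerable_pkg not in transitives:
            continue
        st = find_statement(vex_by_dep.get(direct, {}), cve, direct, vulnerable_pkg)
        if st is None:
            verdicts[direct] = ("under_investigation", "no upstream VEX statement")
            continue
        status = st.get("status")
        if status not in VALID_STATUSES:
            raise ValueError(f"{direct}: unknown VEX status {status!r}")
        if status == "not_affected" and st.get("justification") not in NOT_AFFECTED_JUSTIFICATIONS:
            # Do not inherit an unjustified not_affected; it has to be analysed like silence.
            verdicts[direct] = ("under_investigation", "not_affected without a valid justification")
            continue
        verdicts[direct] = (status, st.get("impact_statement") or st.get("action_statement") or "")
    return verdicts


def decide(cve, product, vulnerable_pkg, graph, vex_by_dep):
    """Return (can_skip_upgrade, the statement we can publish about `product`)."""
    verdicts = upstream_verdicts(cve, vulnerable_pkg, graph, vex_by_dep)
    if not verdicts:  # nothing we depend on pulls the vulnerable package in at all
        return True, statement(product, None, "not_affected", justification="component_not_present")
    if {s for s, _ in verdicts.values()} <= {"not_affected", "fixed"}:
        why = "; ".join(f"{d}: {note}" for d, (_, note) in verdicts.items())
        return True, statement(product, vulnerable_pkg, "not_affected",
                               justification="vulnerable_code_not_in_execute_path", impact_statement=why)
    # Some direct dependency is affected or silent: we still have to check the stated
    # conditions against our own code, so the honest status for now is under_investigation.
    todo = "; ".join(f"{d}: {note or s}" for d, (s, note) in verdicts.items() if s not in ("not_affected", "fixed"))
    return False, statement(product, vulnerable_pkg, "under_investigation", status_notes=todo)


if __name__ == "__main__":
    skip, ours = decide(CVE, OUR_PRODUCT, VULNERABLE_PKG, DEPENDENCY_GRAPH, UPSTREAM_VEX)
    print("skip upgrade:", skip)
    print(json.dumps(openvex("our-app", [ours]), indent=2))
```

With the sample data as given, direct-b's "affected" statement means we cannot skip the upgrade on the strength of upstream VEX alone, and the generated statement records which upstream condition still has to be checked against our own code; once direct-b also publishes a justified "not_affected", `decide` flips to skipping the upgrade and emits our own "not_affected" statement that cites both upstream analyses.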