Trying with correct email address :) 

Hi all,

To monitor/scan vulnerabilities (CVE), check affected packages, versions, 
branches, fixed versions/branches etc ... we need either to file a bug in 
bugzilla for each publicly disclosed CVE or have a simple database. Today, 
we sometimes file a bug but most of the time vulnerabilities just get fixed by 
some volunteer and some vulnerabilities don't get fixed.

We have created a CVE list just for test to see if this is easier to maintain 
and provides a better overview, please have a look at this and let us know 
what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0
 

The alternative for maintaining such a list is filing a bug in Bugzilla. The 
question is which approach is the best, here are some pros and cons:

Bugzilla: 
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed

Question: can we generate a report from Bugzilla, search for CVEs and find out 
what CVEs have been fixed and in what branches etc?


CVE spreadsheet:
==============
+ Easy to update, anyone can just add info, preferably automatically; we 
  could use a tool to check with NVD (https://nvd.nist.gov/ ) daily and 
  update the list (some human interaction needs to be done though)
+ easy to have an overview
- ?

Any comments?

Thanks
Sona
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
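As an added illustration of the "tool to check with NVD daily" idea from the message above (example code written for this page, not anything from the Yocto project or the poster), here is a small Python script that matches an NVD-shaped feed against a package/branch inventory and emits rows for a tracking list. The feed slice, the package inventory, and every CVE id and version in it are constructed placeholders; the version comparison is a simplified numeric one, and treating `versionEndExcluding` as the "fixed in" version is a heuristic that a human still has to confirm.

```python
"""Added example: a daily NVD-style check of the packages a project ships.

Given an NVD-shaped feed and a package/branch inventory, it reports which
CVEs affect which branch and, where the feed gives one, the first fixed
version. All CVE ids, package names and versions below are constructed
placeholders, not real advisories."""
import json
import re

# Constructed stand-in for a slice of the NVD JSON feed (https://nvd.nist.gov/).
# Real entries use the same cpe23Uri / versionStart* / versionEnd* keys.
NVD_FEED = json.loads("""
{"CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
  "impact": {"baseMetricV3": {"cvssV3": {"baseSeverity": "HIGH"}}},
  "configurations": {"nodes": [{"cpe_match": [
     {"cpe23Uri": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
      "versionStartIncluding": "1.0", "versionEndExcluding": "1.4.2"}]}]}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
  "impact": {},
  "configurations": {"nodes": [{"cpe_match": [
     {"cpe23Uri": "cpe:2.3:a:example:bar:2.1.0:*:*:*:*:*:*:*"}]}]}}
]}
""")

# Constructed inventory: package -> {branch: version shipped on that branch}.
PACKAGES = {
    "libfoo": {"master": "1.4.2", "stable": "1.3.0"},
    "bar": {"master": "2.2.0", "stable": "2.1.0"},
}


def parse_version(text):
    """Numeric tuple for ordering; simplified, ignores suffixes such as '-rc1'."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def cpe_product_and_version(cpe23):
    """cpe:2.3:<part>:<vendor>:<product>:<version>:... -> (product, version)."""
    fields = cpe23.split(":")
    return fields[4], fields[5]


def version_matches(match, version):
    """True if `version` falls inside the CPE match entry's vulnerable set."""
    _, exact = cpe_product_and_version(match["cpe23Uri"])
    v = parse_version(version)
    if exact != "*":  # entry names one exact version rather than a range
        return v == parse_version(exact)
    bounds = (
        ("versionStartIncluding", lambda b: v >= b),
        ("versionStartExcluding", lambda b: v > b),
        ("versionEndIncluding", lambda b: v <= b),
        ("versionEndExcluding", lambda b: v < b),
    )
    # Every bound present in the entry must hold; an entry with no bounds matches all.
    return all(ok(parse_version(match[key])) for key, ok in bounds if key in match)


def cve_report(feed, packages):
    """Rows for the tracking list: one per (CVE, package, branch) that is
    affected, with severity and the first fixed version if the feed gives it."""
    rows = []
    for item in feed["CVE_Items"]:
        cve = item["cve"]["CVE_data_meta"]["ID"]
        severity = (item.get("impact", {}).get("baseMetricV3", {})
                    .get("cvssV3", {}).get("baseSeverity", "UNKNOWN"))
        for node in item["configurations"]["nodes"]:
            for match in node.get("cpe_match", []):
                product, _ = cpe_product_and_version(match["cpe23Uri"])
                if product not in packages:
                    continue
                # Heuristic: versionEndExcluding is the first non-vulnerable version.
                fixed_in = match.get("versionEndExcluding", "unknown")
                for branch, shipped in sorted(packages[product].items()):
                    if version_matches(match, shipped):
                        rows.append({"cve": cve, "severity": severity,
                                     "package": product, "branch": branch,
                                     "version": shipped, "fixed_in": fixed_in})
    return rows


def as_tsv(rows):
    """Tab-separated lines ready to paste into a spreadsheet or a bug report."""
    header = ["cve", "severity", "package", "branch", "version", "fixed_in"]
    lines = ["\t".join(header)]
    lines += ["\t".join(r[k] for k in header) for r in rows]
    return "\n".join(lines)


if __name__ == "__main__":
    print(as_tsv(cve_report(NVD_FEED, PACKAGES)))
```

Run as a cron job against the real feed, the output answers the "what CVEs affect which branch" question for both approaches in the message: the TSV can be appended to the spreadsheet, or each row can become a Bugzilla entry, with the `fixed_in` column giving the version to look for when a branch is updated.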