On 7 December 2016 at 14:58, Mariano Lopez <mariano.lo...@linux.intel.com> wrote:
> > We have more recipes which have CVE patches but they are not reported.
>
> I have analyzed these; some of these CVEs are still marked as reserved
> on Mitre and are not present in the nvd.xml files, although they are
> public (e.g. Busybox:
> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).
>
> cve-check-tool will only check against the database that it got from the
> nvd.xml files, and these files won't have information for not yet fully
> disclosed CVEs, so that is why you will find these cases frequently in
> OE recipes (Armin does a great job with CVEs).

A lot of CVEs get reserved but never actually updated in MITRE. This is why the planned successor to cve-check-tool plans to download the Debian / RHEL / etc. security databases to fill in the gaps (I'm not sure what the state of this rewrite is, as we didn't write this tool).

Ross
--
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto