Re: [yocto] CVE Scanners and Package Version

[Mikko Rapeli <mikko.rapeli@linaro.org>]

Hi,

On Sat, Dec 23, 2023 at 02:47:36AM -0800, fabian.hanke via lists.yoctoproject.org wrote:
> Hello Yocto community,
> 
> we must provide a SBOM for our Yocto based product which will then be used for (internal) CVE scanning by the security department. Generating the base document in cycloneDX format is fairly easy (thanks to the nature of Yocto).

Note that SBOM is mostly used for documenting SW components and their licenses.
Obvious but needs to be made clear.

> But we do not know how to include information about CVE patches for each package in the document. Not providing these, will cause a lot of “false” feedback on CVEs for specific versions which are already patched (but version number did not change). This problem was also mentioned a few days ago in the presentation from David Reyna: https://youtu.be/PegU1G1bA80?t=1127. I like the proposed solution of adding a vendor specific string to the package version. But I'm still wondering: How would the CVE scanner vendor know which CVEs are included in a yocto specific version and which are not?

If the intention is to know CVE paching and analysis status of a product, then I'd use
the yocto upstream tooling for this, cve-check.bbclass. SBOM and SPDX are tempting but not actually
useful for CVE patching and analysis work, except when they show that a lot of old open source
SW components are embedded into various binaries.

The work needed to push CVE data into SPDX and SBOM is not worth it and it's better to put
the saved effort into fixing the actual CVEs. If management wants reports, generate
them from cve-check.bbclass output, but note that CVE database is a moving target too.

AFAIK, and I'd be happy to be proven wrong, SPDX and SBOM don't help matching SW component names
and version strings so that comparison against CVE database information works. Only license names
are standardized.

Cheers,

-Mikko