Buildroot Archive on lore.kernel.org
From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Arnout Vandecappelle <arnout@mind.be>
Cc: Daniel Lang <dalang@gmx.at>,
	buildroot@buildroot.org, clement.ramirez@bootlin.com
Subject: Re: [Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0
Date: Thu, 10 Aug 2023 15:42:41 +0200	[thread overview]
Message-ID: <20230810154241.3faee0fc@windsurf> (raw)
In-Reply-To: <12cfcd50-66e4-4c03-febd-b9a259bf10d7@mind.be>

On Thu, 10 Aug 2023 15:18:42 +0200
Arnout Vandecappelle <arnout@mind.be> wrote:

> > It could still be useful to have something to contribute new entries,
> > for those packages that have no entry at all (regardless of their
> > version number) in the CPE database.  
> 
>   This makes no sense at all. The only reason to have a CPE database entry is in 
> order to link it to a CVE. If there is already a CVE, then it should already 
> have a CPE entry. If there's no CVE yet, then will the first person to ever 
> submit a CVE for it use the same ID?

Well, that would be my expectation indeed. A package in Buildroot has
no CPE in the database, no CVE. We submit a CPE to the NVD database. My
hope (but perhaps I'm dreaming too much) is that the day there is a CVE
on this software component that CPE identifier that was submitted will
be used, and therefore our CVE tracking will work.

Maybe I'm dreaming here, but if it doesn't work like this, it basically
means that for any package in Buildroot that never had any CVE, we have
absolutely no guarantee that we will properly notice when the first CVE
gets reported. Maybe that's life and we have to live with it, but it
kinda sucks.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
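The lookup this exchange is about, as an added example that is not part of the thread or of Buildroot's cve.py: a package's CPE ID is checked against NVD JSON 2.0 CVE records. The feed, vendor/product names and CVE numbers are constructed; the second record is filed under a different product name than the CPE Buildroot submitted, which is exactly the case a CPE-keyed lookup cannot see.

```python
"""Check a Buildroot-style CPE ID against NVD JSON 2.0 CVE records (added
example, not Buildroot's cve.py; the feed below is constructed)."""

def _vkey(v):
    # Simplified version key: numeric dotted versions only (assumption).
    return tuple(int(x) if x.isdigit() else 0 for x in v.split("."))

def _in_range(version, m):
    """True unless an NVD 2.0 range field of the cpeMatch entry excludes version."""
    v = _vkey(version)
    bounds = [("versionStartIncluding", v.__lt__), ("versionStartExcluding", v.__le__),
              ("versionEndIncluding", v.__gt__), ("versionEndExcluding", v.__ge__)]
    return not any(k in m and excluded(_vkey(m[k])) for k, excluded in bounds)

def matching_cves(feed, cpe_id, version):
    """IDs of CVEs whose vulnerable cpeMatch criteria cover the vendor:product
    of cpe_id (a 'cpe:2.3:a:vendor:product:...' string) at `version`."""
    vendor, product = cpe_id.split(":")[3:5]
    hits = set()
    for item in feed["vulnerabilities"]:
        cve = item["cve"]
        for config in cve.get("configurations", []):
            for node in config["nodes"]:
                for m in node["cpeMatch"]:
                    parts = m["criteria"].split(":")
                    if not m.get("vulnerable") or parts[3:5] != [vendor, product]:
                        continue
                    crit_ver = parts[5]  # exact version, or '*' plus range fields
                    if crit_ver == version or (crit_ver == "*" and _in_range(version, m)):
                        hits.add(cve["id"])
    return sorted(hits)

# Constructed feed: CVE-0000-0001 is filed against the CPE Buildroot would
# submit; CVE-0000-0002 was filed under a different product name, so a
# lookup keyed on Buildroot's CPE never sees it (the gap discussed above).
FEED = {"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"operator": "OR",
        "negate": False, "cpeMatch": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:example_vendor:foo:*:*:*:*:*:*:*:*",
        "versionEndExcluding": "1.4.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"operator": "OR",
        "negate": False, "cpeMatch": [{"vulnerable": True,
        "criteria": "cpe:2.3:a:example_vendor:foo_library:1.2.0:*:*:*:*:*:*:*"}]}]}]}},
]}

# Constructed value of the kind Buildroot's <PKG>_CPE_ID variable holds.
BR_CPE_ID = "cpe:2.3:a:example_vendor:foo:1.2.0:*:*:*:*:*:*:*"
```

Running `matching_cves(FEED, BR_CPE_ID, "1.2.0")` reports only CVE-0000-0001; the second CVE affects the same code but is invisible until someone links the package's CPE to it.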

Thread overview: 19+ messages
2023-07-31 20:14 [Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0 Daniel Lang
2023-07-31 21:52 ` Thomas Petazzoni via buildroot
2023-08-01 14:13   ` Daniel Lang
2023-08-01 14:19     ` Thomas Petazzoni via buildroot
2023-08-01 14:44       ` Daniel Lang
2023-08-01 19:44         ` Thomas Petazzoni via buildroot
2023-08-01 19:55           ` Daniel Lang
2023-08-09 20:31       ` Arnout Vandecappelle via buildroot
2023-08-09 20:59         ` Thomas Petazzoni via buildroot
2023-08-10  5:50           ` Daniel Lang
2023-08-10  7:07             ` Thomas Petazzoni via buildroot
2023-08-10 13:18               ` Arnout Vandecappelle via buildroot
2023-08-10 13:42                 ` Thomas Petazzoni via buildroot [this message]
2023-08-10 14:58                   ` Arnout Vandecappelle via buildroot
2023-08-10 20:12                     ` Daniel Lang
2023-08-10 21:12                       ` Thomas Petazzoni via buildroot
2023-08-11  6:51                         ` Arnout Vandecappelle via buildroot
2023-08-11 12:30                           ` [Buildroot] [External] " Weber, Matthew L Collins via buildroot
2023-08-10 20:02               ` [Buildroot] " Daniel Lang
