From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: "Raphaël Mélotte via buildroot" <buildroot@buildroot.org>
Cc: "Raphaël Mélotte" <raphael.melotte@mind.be>,
"Sen Hastings" <sen@hastings.org>
Subject: Re: [Buildroot] [RFC PATCH 1/1] support/scripts/pkg-stats: add support for reporting stale CVE entries
Date: Sun, 18 May 2025 10:54:06 +0200 [thread overview]
Message-ID: <20250518105406.41cb1a2f@windsurf> (raw)
In-Reply-To: <20250423152906.1017522-1-raphael.melotte@mind.be>
On Wed, 23 Apr 2025 17:29:05 +0200
Raphaël Mélotte via buildroot <buildroot@buildroot.org> wrote:
> The NVD database contains some CPEs that are wrongly not associated
> with any version number. They are for example sometimes associated
> with very old CVEs.
> Those CPEs are annoying, because they pollute our pkg-stat CVE results
> with CVE entries which actually don't affect us.
>
> The proper way to solve it is, and should remain, to fix the NVD
> database by reporting these issues. Having to deal with a lot of
> CVEs/CPEs, the NVD database is however slow to be updated.
>
> To reduce the noise in our pkg-stats results in the meantime, one
> possibility is to add <PKG_IGNORE_CVES> entries for those CVEs. This
> however comes with the downside that even once the NVD database gets
> fixed, those ignored entries risk remaining in Buildroot forever
> because they are undetected.
>
> This commit tries to address this downside by checking for and
> reporting CVEs that are ignored in Buildroot, but where the
> NVD reports our package version as unaffected. Those CVEs will appear
> in the 'CVEs Ignored' column as '(stale)', and the cell will be
> colored the same way warnings are. This should allow us to detect and
> remove those entries.
>
> It can be tested for example by adding the following variable to the
> apache package (for a CVE that was recently fixed in the NVD database):
> APACHE_IGNORE_CVES = CVE-1999-0236
>
> Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
> ---
> support/scripts/cve.py | 4 +---
> support/scripts/pkg-stats | 36 ++++++++++++++++++++++++++++++++----
> 2 files changed, 33 insertions(+), 7 deletions(-)
Great stuff, thanks a lot! Applied to master.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2025-05-18 8:54 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-23 15:29 [Buildroot] [RFC PATCH 1/1] support/scripts/pkg-stats: add support for reporting stale CVE entries Raphaël Mélotte via buildroot
2025-05-18 8:54 ` Thomas Petazzoni via buildroot [this message]
2025-06-04 17:15 ` Arnout Vandecappelle via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250518105406.41cb1a2f@windsurf \
--to=buildroot@buildroot.org \
--cc=raphael.melotte@mind.be \
--cc=sen@hastings.org \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox