From: Douglas Royds
Date: Wed, 10 May 2023 09:37:13 +1200
Subject: Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
To: Mikko Rapeli
Cc: openembedded-core@lists.openembedded.org
Message-ID: <3661ef44-1856-783e-e89c-e87cf94c2487@taitcommunications.com>
References: <20230505111814.491483-1-andrej.valek@siemens.com> <6123792e2eee7767b4e6a377c15bdcc6ba266125.camel@linuxfoundation.org> <1a9baf9413cc3e405433806ec3e5f122e2a42793.camel@gmail.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/181084
On 9/05/23 9:32 pm, Mikko Rapeli wrote:
> On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:
>> On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org wrote:
>> Is there any defined language that we can simply adopt?
> Since a lot of people talk about SPDX solving these issues it would be nice
> to know how that is going to work. I can't parse
> https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
> and figure out how to mark a CVE issue which has been ignored after
> analysis.

Perhaps this?

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k16-linking-to-a-vulnerability-disclosure-document

To communicate that a package is not vulnerable to a specific vulnerability it is recommended to reference a web page indicating why given vulnerabilities are not applicable.

"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://example.com/product-x/security-info.html",
  "referenceType" : "advisory"
} ]
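As an added illustration of the SPDX section quoted above (example code written for this page, not from the thread, the SPDX project or OE-core's cve-check), the script below reads and emits SECURITY externalRefs of the kind the K.16 how-to recommends. It assumes the referenceType values that SPDX 2.3 Annex F allows under the SECURITY category (cpe22Type, cpe23Type, advisory, fix, url, swid); the SPDX document, package names, CPE string and the "CVE-0000-0000" placeholder are constructed, and the function names are this example's own.

```python
"""Read, validate and emit SPDX 2.3 SECURITY external references.

Added example, not from the mailing-list thread or the SPDX project.
SAMPLE_DOC is a constructed SPDX 2.3 fragment; the only real-looking
URL is the example.com placeholder the SPDX how-to itself uses.
"""
import json

# referenceType values SPDX 2.3 (Annex F) permits under the SECURITY category.
# "advisory" is the type the K.16 how-to uses to point at a page explaining
# why given vulnerabilities do not apply to the package.
SECURITY_REF_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}

# Constructed document: one well-formed package and one that carries a
# hypothetical mistake (a made-up referenceType instead of a spec-defined one).
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {
            "name": "product-x",
            "versionInfo": "1.2.3",
            "externalRefs": [
                {"referenceCategory": "SECURITY",
                 "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:example:product-x:1.2.3:*:*:*:*:*:*:*"},
                {"referenceCategory": "SECURITY",
                 "referenceType": "advisory",
                 "referenceLocator": "https://example.com/product-x/security-info.html"},
            ],
        },
        {
            "name": "product-y",
            "versionInfo": "0.9",
            "externalRefs": [
                # Hypothetical tool error: "ignored" is not a SECURITY referenceType.
                {"referenceCategory": "SECURITY",
                 "referenceType": "ignored",
                 "referenceLocator": "CVE-0000-0000"},  # placeholder identifier
            ],
        },
    ],
}


def security_refs(package: dict) -> list:
    """Return the externalRefs of a package whose referenceCategory is SECURITY."""
    return [r for r in package.get("externalRefs", [])
            if r.get("referenceCategory") == "SECURITY"]


def validate_security_refs(package: dict) -> list:
    """Return human-readable problems found in a package's SECURITY externalRefs."""
    problems = []
    name = package.get("name", "<unnamed>")
    for ref in security_refs(package):
        rtype = ref.get("referenceType")
        if rtype not in SECURITY_REF_TYPES:
            problems.append(f"{name}: unknown SECURITY referenceType {rtype!r}")
        if not ref.get("referenceLocator"):
            problems.append(f"{name}: empty referenceLocator for {rtype!r}")
    return problems


def advisory_locators(package: dict) -> list:
    """Locators of 'advisory' refs: the pages that explain non-applicable CVEs."""
    return [r["referenceLocator"] for r in security_refs(package)
            if r.get("referenceType") == "advisory" and r.get("referenceLocator")]


def add_advisory_ref(package: dict, url: str) -> dict:
    """Attach a K.16-style advisory reference to a package in place.

    The same locator is never added twice, so re-running a generator over an
    existing document does not accumulate duplicate entries.
    """
    refs = package.setdefault("externalRefs", [])
    if url not in advisory_locators(package):
        refs.append({"referenceCategory": "SECURITY",
                     "referenceLocator": url,
                     "referenceType": "advisory"})
    return package


def report(doc: dict) -> dict:
    """Summarise a document: advisory pages per package plus validation problems."""
    out = {"advisories": {}, "problems": []}
    for pkg in doc.get("packages", []):
        out["advisories"][pkg["name"]] = advisory_locators(pkg)
        out["problems"].extend(validate_security_refs(pkg))
    return out


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_DOC), indent=2))
```

Run stand-alone, the script prints product-x's advisory URL and flags product-y's "ignored" type, which is the failure mode a consumer of such documents would want to catch: a non-standard referenceType silently carries no meaning to other SPDX tooling, so the "analysed, not applicable" statement is lost.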