From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"Marko, Peter" <Peter.Marko@siemens.com>,
Richard Purdie <richard.purdie@linuxfoundation.org>
Cc: "ross.burton@arm.com" <ross.burton@arm.com>,
"jpewhacker@gmail.com" <jpewhacker@gmail.com>,
"olivier.benjamin@bootlin.com" <olivier.benjamin@bootlin.com>,
"antonin.godard@bootlin.com" <antonin.godard@bootlin.com>,
"mathieu.dubois-briand@bootlin.com"
<mathieu.dubois-briand@bootlin.com>,
"thomas.petazzoni@bootlin.com" <thomas.petazzoni@bootlin.com>
Subject: Re: [PATCH 1/3] python3-shacl2code: Update to version 1.0.1
Date: Mon, 27 Apr 2026 10:05:50 +0200
Message-ID: <6mazmQ5FTz6zTys132BKJQ@bootlin.com>
In-Reply-To: <2b38a0354bdcb17270f8ce97db3eca2835320b3c.camel@linuxfoundation.org>
On Monday, April 27, 2026 at 9:59 AM, Richard Purdie wrote:
> On Mon, 2026-04-27 at 09:25 +0200, Benjamin Robin wrote:
> > On Sunday, April 26, 2026 at 9:22 PM, Marko, Peter wrote:
> > > I have sent a ton of new false-positive cleanup commits this weekend.
> > > For many I couldn't find any explanation why they reappeared.
> > > Since there were also new true positives, I think this is fine.
> > >
> > > But there should be a follow-up investigation for most of my
> > > commits to identify why those false positives appeared and if the
> > > tooling can be fixed.
> > > Peter
> >
> > The current behavior of sbom-cve-check is documented here:
> > https://sbom-cve-check.readthedocs.io/en/latest/design.html#find-applicable-cve
> >
> > I don't think that the tool is currently not working as designed, but
> > maybe there are wrong entries in the product database. Also, maybe we
> > could improve the algorithm to try to reduce the number of false
> > positives. The main problem is that the current state of the CVE
> > databases is not great. This is really not an easy problem to solve.
> >
> > Most of the time, the proper solution is going to be to define
> > CVE_PRODUCT.
> >
> > If you have a list of CVEs that need to be investigated, could you
> > send it? This way I could explain or investigate why there is a
> > problem.
>
> One idea in the back of my mind is our own "enrichment" data.
>
> Rather than recipe fixes every time, perhaps we start maintaining our
> own supplement to the CVE database data?
I am not sure this is the proper way of doing this.
> That might be useful to others, encourage collaboration and perhaps get
> the upstream entries ultimately updated?
The proper way is to contact the CNA which is responsible for the entry.
For example, for https://cveawg.mitre.org/api/cve/CVE-2025-9951, the
providerMetadata->orgId is 14ed7db2-1595-443d-9d34-6215bf890778, which
is "Google LLC", and the associated contact email is "alphabet-cna@google.com"
(see the CNA database inside sbom-cve-check: look for cna.toml).
But yes, it is more work...
> Cheers,
>
> Richard
>
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
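The CNA lookup described in the message above, as an added example that is not part of the thread and is not code from sbom-cve-check: it reads the CNA's orgId from a CVE record in the CVE JSON 5.x layout (the field sits at containers.cna.providerMetadata.orgId, with cveMetadata.assignerOrgId as a fallback), resolves it against a small CNA contact table, and lists the vendor/product pairs the record claims are affected so they can be compared with a recipe's CVE_PRODUCT. The CVE id, orgId, CNA name and contact email are the ones quoted in the mail; the rest of the record and the contact table are constructed placeholders (the real cna.toml layout is not reproduced), and the function names are hypothetical.

```python
import json
from typing import Optional

# Constructed CVE record in the CVE JSON 5.x layout. Only the CVE id and the
# orgId come from the mail; every other field is a placeholder and this is not
# the real CVE-2025-9951 record.
SAMPLE_CVE_RECORD = json.dumps({
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2025-9951",
        "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778",
        "state": "PUBLISHED",
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "14ed7db2-1595-443d-9d34-6215bf890778",
                "shortName": "Google",
            },
            "affected": [
                {"vendor": "example-vendor", "product": "example-product",
                 "versions": [{"version": "1.0", "status": "affected"}]},
            ],
        }
    },
})

# Constructed CNA directory keyed by orgId. sbom-cve-check ships a cna.toml for
# this purpose (see the mail); its real layout is not reproduced here, only the
# two fields this lookup needs. Name and email are the ones quoted in the mail.
CNA_DIRECTORY = {
    "14ed7db2-1595-443d-9d34-6215bf890778": {
        "name": "Google LLC",
        "email": "alphabet-cna@google.com",
    },
}


def cna_org_id(record_json: str) -> Optional[str]:
    """Return the orgId of the CNA that owns the record.

    Prefers containers.cna.providerMetadata.orgId and falls back to
    cveMetadata.assignerOrgId when the provider block is absent.
    """
    record = json.loads(record_json)
    provider = record.get("containers", {}).get("cna", {}).get("providerMetadata", {})
    return provider.get("orgId") or record.get("cveMetadata", {}).get("assignerOrgId")


def affected_products(record_json: str) -> list[tuple[str, str]]:
    """List the (vendor, product) pairs the CNA claims are affected.

    Comparing these against a recipe's CVE_PRODUCT is the first check when a
    match looks like a false positive.
    """
    record = json.loads(record_json)
    affected = record.get("containers", {}).get("cna", {}).get("affected", [])
    return [(a.get("vendor", ""), a.get("product", "")) for a in affected]


def cna_contact(record_json: str, directory=CNA_DIRECTORY) -> dict:
    """Resolve the record's orgId to a CNA name and contact email.

    An orgId missing from the directory yields None for name and email, so the
    caller sees that the directory needs updating instead of mailing nobody.
    """
    record = json.loads(record_json)
    org_id = cna_org_id(record_json)
    entry = directory.get(org_id, {}) if org_id else {}
    return {
        "cve_id": record.get("cveMetadata", {}).get("cveId"),
        "org_id": org_id,
        "name": entry.get("name"),
        "email": entry.get("email"),
        "affected": affected_products(record_json),
    }


if __name__ == "__main__":
    info = cna_contact(SAMPLE_CVE_RECORD)
    print(f"{info['cve_id']}: CNA {info['name']} <{info['email']}> (orgId {info['org_id']})")
    for vendor, product in info["affected"]:
        print(f"  affected: vendor={vendor} product={product}")
```

In practice the record would be fetched from the cveawg.mitre.org URL quoted above and the directory loaded from sbom-cve-check's cna.toml; the script keeps both inline so it runs offline.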