From: Benjamin Robin <benjamin.robin@bootlin.com>
To: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"Marko, Peter" <Peter.Marko@siemens.com>
Cc: "richard.purdie@linuxfoundation.org"
<richard.purdie@linuxfoundation.org>,
"ross.burton@arm.com" <ross.burton@arm.com>,
"jpewhacker@gmail.com" <jpewhacker@gmail.com>,
"olivier.benjamin@bootlin.com" <olivier.benjamin@bootlin.com>,
"antonin.godard@bootlin.com" <antonin.godard@bootlin.com>,
"mathieu.dubois-briand@bootlin.com"
<mathieu.dubois-briand@bootlin.com>,
"thomas.petazzoni@bootlin.com" <thomas.petazzoni@bootlin.com>
Subject: Re: [PATCH 1/3] python3-shacl2code: Update to version 1.0.1
Date: Mon, 27 Apr 2026 09:25:45 +0200
Message-ID: <7o6_XKvhQ267WrzPXGIUdQ@bootlin.com>
In-Reply-To: <AS1PR10MB5697161BED467E81C606A1D7FD292@AS1PR10MB5697.EURPRD10.PROD.OUTLOOK.COM>
Hello Peter,
On Sunday, April 26, 2026 at 9:22 PM, Marko, Peter wrote:
> I have sent ton of new false-positive cleanup commits this weekend.
> For many I couldn't find any explanation why they reappeared.
> Since there were also new true positives I think this is fine.
>
> But there should be a follow-up investigation for most of my commits to identify why those false-positives appeared and if the tooling can be fixed.
> Peter
The current behavior of sbom-cve-check is documented here:
https://sbom-cve-check.readthedocs.io/en/latest/design.html#find-applicable-cve
I don't think that the tool is not currently working as designed, but maybe
there are wrong entries in the product database. Also, maybe we could improve
the algorithm to try to reduce the number of false positives.
The main problem is that the current state of the CVEs databases is not great.
This is really not an easy problem to solve.
Most of the time, the proper solution is going to be to define CVE_PRODUCT.
If you have a list of CVEs that need to be investigated, could you send it?
This way I could explain or investigate why there is a problem.
Best regards,
--
Benjamin Robin, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
Thread overview: 9+ messages
2026-04-22 15:31 [PATCH 0/3] sbom-cve-check: Update to version 1.3.0 Benjamin Robin
2026-04-22 15:31 ` [PATCH 1/3] python3-shacl2code: Update to version 1.0.1 Benjamin Robin
2026-04-26 19:22 ` Marko, Peter
2026-04-27 7:25 ` Benjamin Robin [this message]
2026-04-27 7:59 ` Richard Purdie
2026-04-27 8:05 ` Benjamin Robin
2026-04-27 8:12 ` Richard Purdie
2026-04-22 15:31 ` [PATCH 2/3] python3-spdx-python-model: Update to version 0.0.5 Benjamin Robin
2026-04-22 15:31 ` [PATCH 3/3] python3-sbom-cve-check: Update to version 1.3.0 Benjamin Robin