From: Quentin Schulz <quentin.schulz@cherry.de>
To: antonin.godard@bootlin.com, docs@lists.yoctoproject.org
Cc: Ross Burton <ross.burton@arm.com>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: Re: [docs] [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD
Date: Tue, 11 Mar 2025 13:50:07 +0100 [thread overview]
Message-ID: <0d48ca3f-8bb3-4ec7-b431-9cc32fdaa395@cherry.de> (raw)
In-Reply-To: <20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com>
Hi Antonin,
On 3/11/25 11:56 AM, Antonin Godard via lists.yoctoproject.org wrote:
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
> Known Issues in |yocto-ver|
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> +- The current :ref:`ref-classes-cve-check` class is based on the `National
-current
It's implied since this is a release note for 5.2.
> + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
> + of, the NVD database has now been stalling for the past year and CVE entries
"for the past year" doesn't mean much when read from the documentation,
which can happen years from now. Maybe add some info on that so the
timeline is clear and people can cast doubt on the sentence a few years
from now?
> + are missing the necessary information (:wikipedia:`CPEs
> + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> + properly account for them. As a result, the current CVE reports may look good
> + but the reality is that some vulnerabilities are just not accounted for.
> +
> + The Yocto Project team is working on a solution for the next release (October
> + 2025). This solution should be based on SPDX version 3, which is already
Maybe use the release name in addition to the release date?
> + implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
> + class.
> +
> + The `CVE Project <https://github.com/CVEProject>`__ has been working on
> + catching up with the missing CPEs an so is a candidate for being a new input
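Review bot: the sentence beginning `+ properly account for them. As a result, the current CVE reports may look good` states the problem but not what a reader should do with it; a known-issue entry should spell out the practical consequence, e.g. that cve-check results for this release must be treated as incomplete and not taken as evidence that an image is free of known CVEs. The clause `+ Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware` also reads awkwardly; "As some may be aware," or dropping the aside altogether would be cleaner, and the hunk introduces ":ref:`ref-classes-cve-check`" twice in close succession where a plain "the class" would do the second time.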
s/an/and/ ?
maybe "and is therefore a candidate" instead?
Cheers,
Quentin
Thread overview:
2025-03-11 10:56 [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD Antonin Godard
2025-03-11 12:32 ` Ross Burton
2025-03-11 12:50 ` Quentin Schulz [this message]
2025-03-11 13:43 ` [docs] " Antonin Godard