Re: [docs] [PATCH v3] migration-guides/release-notes-5.2: add known issue on stalled NVD

[Quentin Schulz <quentin.schulz@cherry.de>]

Hi Antonin,

On 3/13/25 10:41 AM, Antonin Godard via lists.yoctoproject.org wrote:
> From: Antonin Godard <antonin.godard@bootlin.com>
> 
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
> 
> Follows the discussion on:
> https://lists.openembedded.org/g/openembedded-core/message/212446
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> Changes in v3:
> - Suggested by Marta (thank you!):
>    - Add what users can do at the moment.
>    - Simplify the sentence regarding the CVE Project.
> - Link to v2: https://lore.kernel.org/r/20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com
> 
> Changes in v2:
> - Typos and suggestions from Quentin Schulz (thank you!)
> - Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
> ---
>   .../migration-guides/release-notes-5.2.rst    | 24 +++++++++++++++++++
>   1 file changed, 24 insertions(+)
> 
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cd..60564bbda 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,30 @@ New Features / Enhancements in |yocto-ver|
>   Known Issues in |yocto-ver|
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   
> +-  The :ref:`ref-classes-cve-check` class is based on the `National
> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
> +   of, the NVD database has now been stalling since beginning of 2024 and CVE
> +   entries are missing the necessary information (:wikipedia:`CPEs
> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> +   properly account for them. As a result, the current CVE reports may look good
> +   but the reality is that some vulnerabilities are just not accounted for.
> +
> +   During that time, users may look up the CVE database for entries concerning
> +   software they use, or follow release notes of such projects closely.
> +
> +   Please note, that the :ref:`ref-classes-cve-check` tool has always been a
> +   helper tool, and users are advised to always review the final result. Results
> +   of an automatic scan may not take into account configuration options,
> +   compiler options and other factors.
> +
> +   The Yocto Project team is working on a solution for the next release (October
> +   2025). This solution should be based on SPDX version 3, which is already
> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
> +   class.
> +

With the added note, this is now in an odd location. "Working on a 
solution" to what? The fact we shouldn't trust the output of the 
automated tool?

> +   The `CVE Project <https://github.com/CVEProject>`__ is currently seen as
> +   candidate for being a new source for enumerating and classifying CVEs.
> +

I'll let Marta chime in there but I am not sure this is relevant 
information in the docs?

Cheers,
Quentin