public inbox for docs@lists.yoctoproject.org
 help / color / mirror / Atom feed
* [PATCH v3] migration-guides/release-notes-5.2: add known issue on stalled NVD
@ 2025-03-13  9:41 Antonin Godard
  2025-03-13 11:01 ` [docs] " Quentin Schulz
  0 siblings, 1 reply; 2+ messages in thread
From: Antonin Godard @ 2025-03-13  9:41 UTC (permalink / raw)
  To: docs; +Cc: Thomas Petazzoni, Antonin Godard

From: Antonin Godard <antonin.godard@bootlin.com>

Add an entry to the known issue as the NVD is not up-to-date, the
impact on current CVE reports and future plans for the Yocto Project.

Follows the discussion on:
https://lists.openembedded.org/g/openembedded-core/message/212446

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
Changes in v3:
- Suggested by Marta (thank you!):
  - Add what users can do at the moment.
  - Simplify the sentence regarding the CVE Project.
- Link to v2: https://lore.kernel.org/r/20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com

Changes in v2:
- Typos and suggestions from Quentin Schulz (thank you!)
- Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
---
 .../migration-guides/release-notes-5.2.rst    | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cd..60564bbda 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,30 @@ New Features / Enhancements in |yocto-ver|
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+-  The :ref:`ref-classes-cve-check` class is based on the `National
+   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
+   of, the NVD database has now been stalling since beginning of 2024 and CVE
+   entries are missing the necessary information (:wikipedia:`CPEs
+   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
+   properly account for them. As a result, the current CVE reports may look good
+   but the reality is that some vulnerabilities are just not accounted for.
+
+   During that time, users may look up the CVE database for entries concerning
+   software they use, or follow release notes of such projects closely.
+
+   Please note, that the :ref:`ref-classes-cve-check` tool has always been a
+   helper tool, and users are advised to always review the final result. Results
+   of an automatic scan may not take into account configuration options,
+   compiler options and other factors.
+
+   The Yocto Project team is working on a solution for the next release (October
+   2025). This solution should be based on SPDX version 3, which is already
+   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
+   class.
+
+   The `CVE Project <https://github.com/CVEProject>`__ is currently seen as
+   candidate for being a new source for enumerating and classifying CVEs.
+
 Recipe License changes in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

---
base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
change-id: 20250311-nvd-stalled-ed957989e05a

Best regards,
-- 
Antonin Godard <antonin.godard@bootlin.com>



^ permalink raw reply related	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-03-13 11:01 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-13  9:41 [PATCH v3] migration-guides/release-notes-5.2: add known issue on stalled NVD Antonin Godard
2025-03-13 11:01 ` [docs] " Quentin Schulz

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox