[PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD

public inbox for docs@lists.yoctoproject.org
 help / color / mirror / Atom feed

* [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD
@ 2025-03-11 10:56 Antonin Godard
  2025-03-11 12:32 ` Ross Burton
  2025-03-11 12:50 ` [docs] " Quentin Schulz
  0 siblings, 2 replies; 4+ messages in thread
From: Antonin Godard @ 2025-03-11 10:56 UTC (permalink / raw)
  To: docs; +Cc: Ross Burton, Thomas Petazzoni, Antonin Godard

Add an entry to the known issue as the NVD is not up-to-date, the
impact on current CVE reports and future plans for the Yocto Project.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+-  The current :ref:`ref-classes-cve-check` class is based on the `National
+   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
+   of, the NVD database has now been stalling for the past year and CVE entries
+   are missing the necessary information (:wikipedia:`CPEs
+   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
+   properly account for them. As a result, the current CVE reports may look good
+   but the reality is that some vulnerabilities are just not accounted for.
+
+   The Yocto Project team is working on a solution for the next release (October
+   2025). This solution should be based on SPDX version 3, which is already
+   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
+   class.
+
+   The `CVE Project <https://github.com/CVEProject>`__ has been working on
+   catching up with the missing CPEs an so is a candidate for being a new input
+   for enumerating and classifying CVEs.
+
 Recipe License changes in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

---
base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
change-id: 20250311-nvd-stalled-ed957989e05a

Best regards,
-- 
Antonin Godard <antonin.godard@bootlin.com>



^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD
  2025-03-11 10:56 [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD Antonin Godard
@ 2025-03-11 12:32 ` Ross Burton
  2025-03-11 12:50 ` [docs] " Quentin Schulz
  1 sibling, 0 replies; 4+ messages in thread
From: Ross Burton @ 2025-03-11 12:32 UTC (permalink / raw)
  To: Antonin Godard; +Cc: docs@lists.yoctoproject.org, Thomas Petazzoni

Works for me, thanks Antonin!

Ross

> On 11 Mar 2025, at 10:56, Antonin Godard <antonin.godard@bootlin.com> wrote:
>
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
> Known Issues in |yocto-ver|
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> +-  The current :ref:`ref-classes-cve-check` class is based on the `National
> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
> +   of, the NVD database has now been stalling for the past year and CVE entries
> +   are missing the necessary information (:wikipedia:`CPEs
> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> +   properly account for them. As a result, the current CVE reports may look good
> +   but the reality is that some vulnerabilities are just not accounted for.
> +
> +   The Yocto Project team is working on a solution for the next release (October
> +   2025). This solution should be based on SPDX version 3, which is already
> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
> +   class.
> +
> +   The `CVE Project <https://github.com/CVEProject>`__ has been working on
> +   catching up with the missing CPEs an so is a candidate for being a new input
> +   for enumerating and classifying CVEs.
> +
> Recipe License changes in |yocto-ver|
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> ---
> base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
> change-id: 20250311-nvd-stalled-ed957989e05a
>
> Best regards,
> --
> Antonin Godard <antonin.godard@bootlin.com>
>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [docs] [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD
  2025-03-11 10:56 [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD Antonin Godard
  2025-03-11 12:32 ` Ross Burton
@ 2025-03-11 12:50 ` Quentin Schulz
  2025-03-11 13:43   ` Antonin Godard
  1 sibling, 1 reply; 4+ messages in thread
From: Quentin Schulz @ 2025-03-11 12:50 UTC (permalink / raw)
  To: antonin.godard, docs; +Cc: Ross Burton, Thomas Petazzoni

Hi Antonin,

On 3/11/25 11:56 AM, Antonin Godard via lists.yoctoproject.org wrote:
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
>   documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
>   1 file changed, 17 insertions(+)
> 
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>   Known Issues in |yocto-ver|
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   
> +-  The current :ref:`ref-classes-cve-check` class is based on the `National

-current

It's implied since this is a release note for 5.2.

> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
> +   of, the NVD database has now been stalling for the past year and CVE entries

"for the past year" doesn't mean much when read from the documentation, 
which can happen years from now. Maybe add some info on that so the 
timeline is clear and people can cast doubt on the sentence a few years 
from now?

> +   are missing the necessary information (:wikipedia:`CPEs
> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> +   properly account for them. As a result, the current CVE reports may look good
> +   but the reality is that some vulnerabilities are just not accounted for.
> +
> +   The Yocto Project team is working on a solution for the next release (October
> +   2025). This solution should be based on SPDX version 3, which is already

Maybe use the release name in addition to the release date?

> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
> +   class.
> +
> +   The `CVE Project <https://github.com/CVEProject>`__ has been working on
> +   catching up with the missing CPEs an so is a candidate for being a new input

s/an/and/ ?

maybe "and is therefore a candidate" instead?

Cheers,
Quentin


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [docs] [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD
  2025-03-11 12:50 ` [docs] " Quentin Schulz
@ 2025-03-11 13:43   ` Antonin Godard
  0 siblings, 0 replies; 4+ messages in thread
From: Antonin Godard @ 2025-03-11 13:43 UTC (permalink / raw)
  To: Quentin Schulz, docs; +Cc: Ross Burton, Thomas Petazzoni

Hi Quentin,

On Tue Mar 11, 2025 at 1:50 PM CET, Quentin Schulz wrote:
> Hi Antonin,
>
> On 3/11/25 11:56 AM, Antonin Godard via lists.yoctoproject.org wrote:
>> Add an entry to the known issue as the NVD is not up-to-date, the
>> impact on current CVE reports and future plans for the Yocto Project.
>> 
>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
>> ---
>>   documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
>>   1 file changed, 17 insertions(+)
>> 
>> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
>> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
>> --- a/documentation/migration-guides/release-notes-5.2.rst
>> +++ b/documentation/migration-guides/release-notes-5.2.rst
>> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>>   Known Issues in |yocto-ver|
>>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>   
>> +-  The current :ref:`ref-classes-cve-check` class is based on the `National
>
> -current
>
> It's implied since this is a release note for 5.2.
>
>> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
>> +   of, the NVD database has now been stalling for the past year and CVE entries
>
> "for the past year" doesn't mean much when read from the documentation, 
> which can happen years from now. Maybe add some info on that so the 
> timeline is clear and people can cast doubt on the sentence a few years 
> from now?

Right, that's a good point. I think troubles on the NVD started beginning of
2024, I'll put that instead.

>> +   are missing the necessary information (:wikipedia:`CPEs
>> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
>> +   properly account for them. As a result, the current CVE reports may look good
>> +   but the reality is that some vulnerabilities are just not accounted for.
>> +
>> +   The Yocto Project team is working on a solution for the next release (October
>> +   2025). This solution should be based on SPDX version 3, which is already
>
> Maybe use the release name in addition to the release date?

I think we don't know what the name of the next release is yet?

>> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
>> +   class.
>> +
>> +   The `CVE Project <https://github.com/CVEProject>`__ has been working on
>> +   catching up with the missing CPEs an so is a candidate for being a new input
>
> s/an/and/ ?
>
> maybe "and is therefore a candidate" instead?

+1

Thank you!
Antonin

-- 
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-03-11 13:44 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-11 10:56 [PATCH] migration-guides/release-notes-5.2: add known issue on stalled NVD Antonin Godard
2025-03-11 12:32 ` Ross Burton
2025-03-11 12:50 ` [docs] " Quentin Schulz
2025-03-11 13:43   ` Antonin Godard

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox