public inbox for docs@lists.yoctoproject.org
From: "Antonin Godard" <antonin.godard@bootlin.com>
To: "Marta Rybczynska" <rybczynska@gmail.com>
Cc: <docs@lists.yoctoproject.org>,
	"Thomas Petazzoni" <thomas.petazzoni@bootlin.com>
Subject: Re: [docs] [PATCH v2] migration-guides/release-notes-5.2: add known issue on stalled NVD
Date: Tue, 11 Mar 2025 15:57:02 +0100
Message-ID: <D8DIWHD3OPLN.3HMPHIEEHESMN@bootlin.com>
In-Reply-To: <CAApg2=SbxpCqVy29dnC8baTGpU+P-OrKo=-EMrvupdoQk4q8Eg@mail.gmail.com>

Hi Marta,

On Tue Mar 11, 2025 at 3:07 PM CET, Marta Rybczynska wrote:
> On Tue, Mar 11, 2025 at 2:59 PM Antonin Godard via lists.yoctoproject.org
> <antonin.godard=bootlin.com@lists.yoctoproject.org> wrote:
>
>> From: Antonin Godard <antonin.godard@bootlin.com>
>>
>> Add an entry to the known issue as the NVD is not up-to-date, the
>> impact on current CVE reports and future plans for the Yocto Project.
>>
>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
>> ---
>> Changes in v2:
>> - Typos and suggestions from Quentin Schulz (thank you!)
>> - Link to v1:
>> https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
>> ---
>>  .../migration-guides/release-notes-5.2.rst      | 17 +++++++++++++++++
>>  1 file changed, 17 insertions(+)
>>
>> diff --git a/documentation/migration-guides/release-notes-5.2.rst
>> b/documentation/migration-guides/release-notes-5.2.rst
>> index 417b202cd..ca681ce2f 100644
>> --- a/documentation/migration-guides/release-notes-5.2.rst
>> +++ b/documentation/migration-guides/release-notes-5.2.rst
>> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>>  Known Issues in |yocto-ver|
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> +-  The :ref:`ref-classes-cve-check` class is based on the `National
>> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are
>> aware
>> +   of, the NVD database has now been stalling since beginning of 2024 and
>> CVE
>> +   entries are missing the necessary information (:wikipedia:`CPEs
>> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
>> +   properly account for them. As a result, the current CVE reports may
>> look good
>> +   but the reality is that some vulnerabilities are just not accounted
>> for.
>> +
>> +   The Yocto Project team is working on a solution for the next release
>> (October
>> +   2025). This solution should be based on SPDX version 3, which is
>> already
>> +   implemented in the Yocto Project with the
>> :ref:`ref-classes-create-spdx`
>> +   class.
>> +
>>
>
> I propose to add something about what people _can_ do:
>
> During that time, users may look up the CVE database for entries concerning
> software they use, or follow release notes of such projects closely.
>
> Please note that the 'cve-check' tool has always been a helper tool, and
> you should always review the final result. Results of an automatic scan may
> not take into account configuration options, compiler options and other
> factors.

Thanks, I'll add that to the next version.

>> +   The `CVE Project <https://github.com/CVEProject>`__ has been working
>> on
>> +   catching up with the missing CPEs and is therefore a candidate for
>> being a
>> +   new input for enumerating and classifying CVEs.
>> +
>>
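Review bot: the last paragraph of the hunk asserts that the CVE Project "has been working on catching up with the missing CPEs", which the patch gives no source for and which the reviewer in this thread disputes; cut that claim and keep only that the CVE Project is a candidate input for enumerating and classifying CVEs. In the first paragraph, "As some are aware of" adds nothing and "has now been stalling since beginning of 2024" leaves unsaid what stalled: state that new NVD entries are being published without CPE data, so cve-check has no CPE to match a recipe against and those CVEs are absent from the report rather than flagged as unknown, which is why a clean report is not evidence of a clean image. "The next release (October 2025)" will go stale in a release-notes document; name the release instead of the month. Finally, a known-issue entry should tell users what to do meanwhile: review the NVD entries for the software they ship by hand and treat cve-check output as a starting point, not a verdict.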
>
> This is not correct. The CVE Programme is NOT catching up with CPEs. They
> have added a possibility for CNAs to add it.

Ok, then I propose to just simplify the sentence to:

  The `CVE Project <https://github.com/CVEProject>`__ is a candidate for being a
  new input for enumerating and classifying CVEs.

Thank you!
Antonin

-- 
Antonin Godard, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
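The following is an added example, not code from the patch under discussion or from the cve-check class itself. It emulates in plain Python, in simplified form, the CPE-based matching that the known-issue text describes, and separates what such a matcher can report from what it cannot see: entries that NVD has received but not enriched with CPE data. The feed is constructed inline in the shape of NVD 2.0 API records; the CVE ids, CPE strings and descriptions are invented, and the version comparison is a simplification of the real class's logic.

```python
import json

# Constructed sample feed in the shape of NVD 2.0 API records
# ("vulnerabilities" -> "cve" -> "configurations" -> "nodes" -> "cpeMatch").
# Ids, CPE strings and descriptions are invented; none is a real vulnerability.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
             "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                 "cpeMatch": [{"vulnerable": True,
                               "criteria": "cpe:2.3:a:example:libfoo:*:*:*:*:*:*:*:*",
                               "versionStartIncluding": "1.0",
                               "versionEndExcluding": "1.4"}]}]}]}},
    # Received by NVD but not enriched: no "configurations" key at all.
    {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
             "descriptions": [{"lang": "en",
                               "value": "Heap buffer overflow in libfoo before 1.3."}]}},
    {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Analyzed",
             "configurations": [{"nodes": [{"operator": "OR", "negate": False,
                 "cpeMatch": [{"vulnerable": True,
                               "criteria": "cpe:2.3:a:example:libbar:2.0:*:*:*:*:*:*:*"}]}]}]}},
]})


def _ver(s):
    """Simplified version key: the numeric prefix of each dotted component."""
    key = []
    for part in s.split("."):
        digits = ""
        for ch in part:
            if not ch.isdigit():
                break
            digits += ch
        key.append(int(digits) if digits else 0)
    return tuple(key)


def _cpe_fields(criteria):
    """Split 'cpe:2.3:part:vendor:product:version:...' into (vendor, product, version)."""
    f = criteria.split(":")
    return f[3], f[4], f[5]


def _version_matches(version, cpe_version, m):
    """Apply the CPE version field, or the range attributes when it is a wildcard."""
    v = _ver(version)
    if cpe_version not in ("*", "-"):  # exact version pinned in the CPE itself
        return v == _ver(cpe_version)
    if "versionStartIncluding" in m and v < _ver(m["versionStartIncluding"]):
        return False
    if "versionStartExcluding" in m and v <= _ver(m["versionStartExcluding"]):
        return False
    if "versionEndIncluding" in m and v > _ver(m["versionEndIncluding"]):
        return False
    if "versionEndExcluding" in m and v >= _ver(m["versionEndExcluding"]):
        return False
    return True


def _cpe_hit(configurations, product, version):
    """True if any vulnerable cpeMatch in the entry covers product/version."""
    for cfg in configurations:
        for node in cfg.get("nodes", []):
            for m in node.get("cpeMatch", []):
                if not m.get("vulnerable", True):
                    continue
                _, cpe_product, cpe_version = _cpe_fields(m["criteria"])
                if cpe_product == product and _version_matches(version, cpe_version, m):
                    return True
    return False


def scan(feed_json, product, version):
    """Return what a CPE-driven checker can and cannot say about one product.

    "matched":    CVE ids whose CPE configuration covers product/version.
    "unenriched": (id, vulnStatus, mentions_product) for entries with no CPE
                  configuration; a CPE-only matcher drops these silently, so
                  they are listed here for manual review instead.
    """
    matched, unenriched = [], []
    for item in json.loads(feed_json)["vulnerabilities"]:
        cve = item["cve"]
        configurations = cve.get("configurations")
        if not configurations:
            text = " ".join(d.get("value", "") for d in cve.get("descriptions", [])
                            if d.get("lang") == "en")
            unenriched.append((cve["id"], cve.get("vulnStatus", "unknown"),
                               product.lower() in text.lower()))
            continue
        if _cpe_hit(configurations, product, version):
            matched.append(cve["id"])
    return {"matched": matched, "unenriched": unenriched}


if __name__ == "__main__":
    result = scan(SAMPLE_FEED, "libfoo", "1.2")
    print("matched by CPE:     ", result["matched"])
    print("unenriched, review: ", [u for u in result["unenriched"] if u[2]])
```

Run against the constructed feed for libfoo 1.2, the CPE match finds only CVE-0000-0001; CVE-0000-0002, which describes the same library, has no CPE and would not appear in a CPE-only report at all. Listing unenriched entries whose description mentions the product is the crude, manual-review fallback the thread suggests for the duration of the NVD backlog; it is a hint for a human, not a match.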

