[Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0
Daniel Lang
dalang at gmx.at
Thu Aug 10 20:12:36 UTC 2023
On 10.08.23 16:58, Arnout Vandecappelle wrote:
>
>
> On 10/08/2023 15:42, Thomas Petazzoni wrote:
>> On Thu, 10 Aug 2023 15:18:42 +0200
>> Arnout Vandecappelle <arnout at mind.be> wrote:
>>
>> Maybe I'm dreaming here, but if it doesn't work like this, it basically
>> means that for any package in Buildroot that never had any CVE, we have
>> absolutely no guarantee that we will properly notice when the first CVE
>> gets reported. Maybe that's life and we have to live with it, but it
>> kinda sucks.
We still match against *:<pkg name> if the CPE is unknown.
That's why CVE-2021-45464 is listed for kvmtool even though no CPE ID
is known.
So there is hope that a CVE gets listed even if the package has no CPE
ID listed.
>
> Yup. That's why I claimed in my EOSS-ELC talk that the CPE approach is broken :-)
Working with the data, I have to agree. There is a lot of
inconsistency and weirdness.
The thing that's relevant for me in the current patchset [0]:
Do we want to keep gen-missing-cpe or drop it?
I'm asking because a lot of additional data needs to be stored
to the database for gen-missing-cpe to work (title, reference urls...).
Dropping that script would also mean simplifying the database,
which is easier now than once the transition has happened.
>
> Regards,
> Arnout
Daniel
[0]: https://patchwork.ozlabs.org/project/buildroot/list/?series=368172
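Added illustration of the matching rule discussed above (the configured CPE ID first, otherwise a `*:<pkg name>` fallback). This is example code written for this page, not Buildroot's support/scripts/cve.py; the parser only handles plain CPE 2.3 strings without escaped colons, ignores version ranges, and the vendor names in the sample data are constructed.

```python
# Example code, not Buildroot's cve.py: match a CVE's affected CPE 2.3
# strings against a package, either by its configured CPE ID or, when
# none is configured, by a vendor-wildcard match on the package name.
from typing import Optional

CPE23_FIELDS = ["part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other"]


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 string into named fields.

    Assumption: no escaped colons inside fields, so a plain split suffices.
    """
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return dict(zip(CPE23_FIELDS, fields[2:]))


def cve_affects_package(affected_cpes: list[str], pkg_name: str,
                        cpe_id: Optional[str] = None) -> bool:
    """Return True if any affected CPE matches the package.

    With a configured cpe_id, both vendor and product must match it.
    Without one, fall back to "*:<pkg_name>": any vendor, product == pkg_name.
    Version fields are deliberately ignored here.
    """
    if cpe_id is not None:
        want = parse_cpe23(cpe_id)
        vendor, product = want["vendor"], want["product"]
    else:
        vendor, product = "*", pkg_name
    for cpe in affected_cpes:
        c = parse_cpe23(cpe)
        if c["product"] != product:
            continue
        if vendor == "*" or c["vendor"] == vendor:
            return True
    return False


# Constructed sample data: the vendor names below are placeholders, not
# the vendors NVD actually records for these products.
AFFECTED_KVMTOOL = ["cpe:2.3:a:vendor_placeholder:kvmtool:*:*:*:*:*:*:*:*"]
AFFECTED_FOO = ["cpe:2.3:a:unrelated_vendor:foo:1.0:*:*:*:*:*:*:*"]


def demo() -> dict:
    """Run the three cases worth knowing about and return their outcomes."""
    return {
        # No CPE ID configured: the *:kvmtool fallback still finds the CVE.
        "fallback_hit": cve_affects_package(AFFECTED_KVMTOOL, "kvmtool"),
        # A configured CPE ID with a different vendor does not match.
        "wrong_vendor_miss": cve_affects_package(
            AFFECTED_KVMTOOL, "kvmtool",
            cpe_id="cpe:2.3:a:other_vendor:kvmtool:*:*:*:*:*:*:*:*"),
        # The fallback also matches on product name alone, so a package
        # called "foo" picks up any vendor's "foo": this is the source of
        # false positives that a configured CPE ID removes.
        "name_collision": cve_affects_package(AFFECTED_FOO, "foo"),
    }


if __name__ == "__main__":
    print(demo())
```

The third case is the trade-off behind the thread: the wildcard fallback is what lets a CVE surface for a package with no CPE ID, but it matches on product name alone, so a name shared across vendors produces a hit that has to be reviewed by hand.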