diff mbox series

[v2] migration-guides/release-notes-5.2: add known issue on stalled NVD

Message ID 20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com
State New
Headers show
Series [v2] migration-guides/release-notes-5.2: add known issue on stalled NVD | expand

Commit Message

Antonin Godard March 11, 2025, 1:58 p.m. UTC
From: Antonin Godard <antonin.godard@bootlin.com>

Add an entry to the known issue as the NVD is not up-to-date, the
impact on current CVE reports and future plans for the Yocto Project.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
Changes in v2:
- Typos and suggestions from Quentin Schulz (thank you!)
- Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
---
 .../migration-guides/release-notes-5.2.rst      | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)


---
base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
change-id: 20250311-nvd-stalled-ed957989e05a

Best regards,

Comments

Marta Rybczynska March 11, 2025, 2:07 p.m. UTC | #1
On Tue, Mar 11, 2025 at 2:59 PM Antonin Godard via lists.yoctoproject.org
<antonin.godard=bootlin.com@lists.yoctoproject.org> wrote:

> From: Antonin Godard <antonin.godard@bootlin.com>
>
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> Changes in v2:
> - Typos and suggestions from Quentin Schulz (thank you!)
> - Link to v1:
> https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
> ---
>  .../migration-guides/release-notes-5.2.rst      | 17 +++++++++++++++++
>  1 file changed, 17 insertions(+)
>
> diff --git a/documentation/migration-guides/release-notes-5.2.rst
> b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cd..ca681ce2f 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>  Known Issues in |yocto-ver|
>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> +-  The :ref:`ref-classes-cve-check` class is based on the `National
> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are
> aware
> +   of, the NVD database has now been stalling since beginning of 2024 and
> CVE
> +   entries are missing the necessary information (:wikipedia:`CPEs
> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> +   properly account for them. As a result, the current CVE reports may
> look good
> +   but the reality is that some vulnerabilities are just not accounted
> for.
> +
> +   The Yocto Project team is working on a solution for the next release
> (October
> +   2025). This solution should be based on SPDX version 3, which is
> already
> +   implemented in the Yocto Project with the
> :ref:`ref-classes-create-spdx`
> +   class.
> +
>

I propose to add something about what people _can_ do:

During that time, users may look up the CVE database for entries concerning
software
they use, or follow release notes of such projects closely.

Please note, that the 'cve-check' tool has always been a helper tool, and
you should
always review the final result. Results of an automatic scan may not take
into account
configuration options, compiler options and other factors.


> +   The `CVE Project <https://github.com/CVEProject>`__ has been working
> on
> +   catching up with the missing CPEs and is therefore a candidate for
> being a
> +   new input for enumerating and classifying CVEs.
> +
>

This is not correct. The CVE Programme is NOT catching up with CPEs. They
have
added a possibility for CNAs to add it.

Kind regards,
Marta
Antonin Godard March 11, 2025, 2:57 p.m. UTC | #2
Hi Marta,

On Tue Mar 11, 2025 at 3:07 PM CET, Marta Rybczynska wrote:
> On Tue, Mar 11, 2025 at 2:59 PM Antonin Godard via lists.yoctoproject.org
> <antonin.godard=bootlin.com@lists.yoctoproject.org> wrote:
>
>> From: Antonin Godard <antonin.godard@bootlin.com>
>>
>> Add an entry to the known issue as the NVD is not up-to-date, the
>> impact on current CVE reports and future plans for the Yocto Project.
>>
>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
>> ---
>> Changes in v2:
>> - Typos and suggestions from Quentin Schulz (thank you!)
>> - Link to v1:
>> https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com
>> ---
>>  .../migration-guides/release-notes-5.2.rst      | 17 +++++++++++++++++
>>  1 file changed, 17 insertions(+)
>>
>> diff --git a/documentation/migration-guides/release-notes-5.2.rst
>> b/documentation/migration-guides/release-notes-5.2.rst
>> index 417b202cd..ca681ce2f 100644
>> --- a/documentation/migration-guides/release-notes-5.2.rst
>> +++ b/documentation/migration-guides/release-notes-5.2.rst
>> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>>  Known Issues in |yocto-ver|
>>  ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>
>> +-  The :ref:`ref-classes-cve-check` class is based on the `National
>> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are
>> aware
>> +   of, the NVD database has now been stalling since beginning of 2024 and
>> CVE
>> +   entries are missing the necessary information (:wikipedia:`CPEs
>> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
>> +   properly account for them. As a result, the current CVE reports may
>> look good
>> +   but the reality is that some vulnerabilities are just not accounted
>> for.
>> +
>> +   The Yocto Project team is working on a solution for the next release
>> (October
>> +   2025). This solution should be based on SPDX version 3, which is
>> already
>> +   implemented in the Yocto Project with the
>> :ref:`ref-classes-create-spdx`
>> +   class.
>> +
>>
>
> I propose to add something about what people _can_ do:
>
> During that time, users may look up the CVE database for entries concerning
> software
> they use, or follow release notes of such projects closely.
>
> Please note, that the 'cve-check' tool has always been a helper tool, and
> you should
> always review the final result. Results of an automatic scan may not take
> into account
> configuration options, compiler options and other factors.

Thanks, I'll add that to the next version.

>> +   The `CVE Project <https://github.com/CVEProject>`__ has been working
>> on
>> +   catching up with the missing CPEs and is therefore a candidate for
>> being a
>> +   new input for enumerating and classifying CVEs.
>> +
>>
>
> This is not correct. The CVE Programme is NOT catching up with CPEs. They
> have
> added a possibility for CNAs to add it.

Ok, then I propose to just simplify the sentence to:

  The `CVE Project <https://github.com/CVEProject>`__ is a candidate for being a
  new input for enumerating and classifying CVEs.

Thank you!
Antonin
diff mbox series

Patch

diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
index 417b202cd..ca681ce2f 100644
--- a/documentation/migration-guides/release-notes-5.2.rst
+++ b/documentation/migration-guides/release-notes-5.2.rst
@@ -402,6 +402,23 @@  New Features / Enhancements in |yocto-ver|
 Known Issues in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
+-  The :ref:`ref-classes-cve-check` class is based on the `National
+   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
+   of, the NVD database has now been stalling since beginning of 2024 and CVE
+   entries are missing the necessary information (:wikipedia:`CPEs
+   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
+   properly account for them. As a result, the current CVE reports may look good
+   but the reality is that some vulnerabilities are just not accounted for.
+
+   The Yocto Project team is working on a solution for the next release (October
+   2025). This solution should be based on SPDX version 3, which is already
+   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
+   class.
+
+   The `CVE Project <https://github.com/CVEProject>`__ has been working on
+   catching up with the missing CPEs and is therefore a candidate for being a
+   new input for enumerating and classifying CVEs.
+
 Recipe License changes in |yocto-ver|
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~