| Message ID | 20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com |
|---|---|
| State | New |
| Series | [v2] migration-guides/release-notes-5.2: add known issue on stalled NVD |
On Tue, Mar 11, 2025 at 2:59 PM Antonin Godard via lists.yoctoproject.org <antonin.godard=bootlin.com@lists.yoctoproject.org> wrote: > From: Antonin Godard <antonin.godard@bootlin.com> > > Add an entry to the known issue as the NVD is not up-to-date, the > impact on current CVE reports and future plans for the Yocto Project. > > Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> > --- > Changes in v2: > - Typos and suggestions from Quentin Schulz (thank you!) > - Link to v1: > https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com > --- > .../migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++ > 1 file changed, 17 insertions(+) > > diff --git a/documentation/migration-guides/release-notes-5.2.rst > b/documentation/migration-guides/release-notes-5.2.rst > index 417b202cd..ca681ce2f 100644 > --- a/documentation/migration-guides/release-notes-5.2.rst > +++ b/documentation/migration-guides/release-notes-5.2.rst 
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver| > Known Issues in |yocto-ver| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > +- The :ref:`ref-classes-cve-check` class is based on the `National > + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are > aware > + of, the NVD database has now been stalling since beginning of 2024 and > CVE > + entries are missing the necessary information (:wikipedia:`CPEs > + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to > + properly account for them. As a result, the current CVE reports may > look good > + but the reality is that some vulnerabilities are just not accounted > for. > + > + The Yocto Project team is working on a solution for the next release > (October > + 2025). This solution should be based on SPDX version 3, which is > already > + implemented in the Yocto Project with the > :ref:`ref-classes-create-spdx` > + class. > + > I propose to add something about what people _can_ do: During that time, users may look up the CVE database for entries concerning software they use, or follow release notes of such projects closely. Please note, that the 'cve-check' tool has always been a helper tool, and you should always review the final result. Results of an automatic scan may not take into account configuration options, compiler options and other factors. > + The `CVE Project <https://github.com/CVEProject>`__ has been working > on > + catching up with the missing CPEs and is therefore a candidate for > being a > + new input for enumerating and classifying CVEs. > + > This is not correct. The CVE Programme is NOT catching up with CPEs. They have added a possibility for CNAs to add it. Kind regards, Marta
Hi Marta, On Tue Mar 11, 2025 at 3:07 PM CET, Marta Rybczynska wrote: > On Tue, Mar 11, 2025 at 2:59 PM Antonin Godard via lists.yoctoproject.org > <antonin.godard=bootlin.com@lists.yoctoproject.org> wrote: > >> From: Antonin Godard <antonin.godard@bootlin.com> >> >> Add an entry to the known issue as the NVD is not up-to-date, the >> impact on current CVE reports and future plans for the Yocto Project. >> >> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> >> --- >> Changes in v2: >> - Typos and suggestions from Quentin Schulz (thank you!) >> - Link to v1: >> https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com >> --- >> .../migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++ >> 1 file changed, 17 insertions(+) >> >> diff --git a/documentation/migration-guides/release-notes-5.2.rst >> b/documentation/migration-guides/release-notes-5.2.rst >> index 417b202cd..ca681ce2f 100644 >> --- a/documentation/migration-guides/release-notes-5.2.rst >> +++ b/documentation/migration-guides/release-notes-5.2.rst 
>> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver| >> Known Issues in |yocto-ver| >> ~~~~~~~~~~~~~~~~~~~~~~~~~~~ >> >> +- The :ref:`ref-classes-cve-check` class is based on the `National >> + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are >> aware >> + of, the NVD database has now been stalling since beginning of 2024 and >> CVE >> + entries are missing the necessary information (:wikipedia:`CPEs >> + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to >> + properly account for them. As a result, the current CVE reports may >> look good >> + but the reality is that some vulnerabilities are just not accounted >> for. >> + >> + The Yocto Project team is working on a solution for the next release >> (October >> + 2025). This solution should be based on SPDX version 3, which is >> already >> + implemented in the Yocto Project with the >> :ref:`ref-classes-create-spdx` >> + class. >> + >> > > I propose to add something about what people _can_ do: > > During that time, users may look up the CVE database for entries concerning > software > they use, or follow release notes of such projects closely. > > Please note, that the 'cve-check' tool has always been a helper tool, and > you should > always review the final result. Results of an automatic scan may not take > into account > configuration options, compiler options and other factors. Thanks, I'll add that to the next version. >> + The `CVE Project <https://github.com/CVEProject>`__ has been working >> on >> + catching up with the missing CPEs and is therefore a candidate for >> being a >> + new input for enumerating and classifying CVEs. >> + >> > > This is not correct. The CVE Programme is NOT catching up with CPEs. They > have > added a possibility for CNAs to add it. Ok, then I propose to just simplify the sentence to: The `CVE Project <https://github.com/CVEProject>`__ is a candidate for being a new input for enumerating and classifying CVEs. Thank you! 
Antonin
diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst index 417b202cd..ca681ce2f 100644 --- a/documentation/migration-guides/release-notes-5.2.rst +++ b/documentation/migration-guides/release-notes-5.2.rst @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +- The :ref:`ref-classes-cve-check` class is based on the `National + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware + of, the NVD database has now been stalling since beginning of 2024 and CVE + entries are missing the necessary information (:wikipedia:`CPEs + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to + properly account for them. As a result, the current CVE reports may look good + but the reality is that some vulnerabilities are just not accounted for. + + The Yocto Project team is working on a solution for the next release (October + 2025). This solution should be based on SPDX version 3, which is already + implemented in the Yocto Project with the :ref:`ref-classes-create-spdx` + class. + + The `CVE Project <https://github.com/CVEProject>`__ has been working on + catching up with the missing CPEs and is therefore a candidate for being a + new input for enumerating and classifying CVEs. + Recipe License changes in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
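Review bot: the third added paragraph ("The `CVE Project <https://github.com/CVEProject>`__ has been working on catching up with the missing CPEs ...") states something the thread disputes: Marta Rybczynska points out that the CVE Programme is not catching up with CPEs but has only added the possibility for CNAs to supply them, so this sentence should be reduced to the form Antonin proposes in his reply, "The `CVE Project <https://github.com/CVEProject>`__ is a candidate for being a new input for enumerating and classifying CVEs." The known-issue entry would also be more useful to readers if it said what they can do in the meantime, as suggested in the thread: look up the CVE database for entries concerning the software they use or follow those projects' release notes closely, and a reminder that cve-check has always been a helper tool whose results may not take configuration options, compiler options and other factors into account, so the final report must still be reviewed. Minor wording in the first paragraph: "As some are aware of, the NVD database has now been stalling since beginning of 2024" reads awkwardly; "As some are aware, the NVD database has been stalling since the beginning of 2024" is clearer.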