migration-guides/release-notes-5.2: add known issue on stalled NVD

Add an entry to the known issue as the NVD is not up-to-date, the
impact on current CVE reports and future plans for the Yocto Project.

Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
---
 documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)


---
base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
change-id: 20250311-nvd-stalled-ed957989e05a

Best regards,

Works for me, thanks Antonin!

Ross

> On 11 Mar 2025, at 10:56, Antonin Godard <antonin.godard@bootlin.com> wrote:
>
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
>
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
> documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
> Known Issues in |yocto-ver|
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> +-  The current :ref:`ref-classes-cve-check` class is based on the `National
> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
> +   of, the NVD database has now been stalling for the past year and CVE entries
> +   are missing the necessary information (:wikipedia:`CPEs
> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> +   properly account for them. As a result, the current CVE reports may look good
> +   but the reality is that some vulnerabilities are just not accounted for.
> +
> +   The Yocto Project team is working on a solution for the next release (October
> +   2025). This solution should be based on SPDX version 3, which is already
> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
> +   class.
> +
> +   The `CVE Project <https://github.com/CVEProject>`__ has been working on
> +   catching up with the missing CPEs an so is a candidate for being a new input
> +   for enumerating and classifying CVEs.
> +
> Recipe License changes in |yocto-ver|
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>
> ---
> base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0
> change-id: 20250311-nvd-stalled-ed957989e05a
>
> Best regards,
> --
> Antonin Godard <antonin.godard@bootlin.com>
>

IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.

Hi Antonin,

On 3/11/25 11:56 AM, Antonin Godard via lists.yoctoproject.org wrote:
> Add an entry to the known issue as the NVD is not up-to-date, the
> impact on current CVE reports and future plans for the Yocto Project.
> 
> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
> ---
>   documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
>   1 file changed, 17 insertions(+)
> 
> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
> --- a/documentation/migration-guides/release-notes-5.2.rst
> +++ b/documentation/migration-guides/release-notes-5.2.rst
> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>   Known Issues in |yocto-ver|
>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>   
> +-  The current :ref:`ref-classes-cve-check` class is based on the `National

-current

It's implied since this is a release note for 5.2.

> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
> +   of, the NVD database has now been stalling for the past year and CVE entries

"for the past year" doesn't mean much when read from the documentation, 
which can happen years from now. Maybe add some info on that so the 
timeline is clear and people can cast doubt on the sentence a few years 
from now?

> +   are missing the necessary information (:wikipedia:`CPEs
> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
> +   properly account for them. As a result, the current CVE reports may look good
> +   but the reality is that some vulnerabilities are just not accounted for.
> +
> +   The Yocto Project team is working on a solution for the next release (October
> +   2025). This solution should be based on SPDX version 3, which is already

Maybe use the release name in addition to the release date?

> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
> +   class.
> +
> +   The `CVE Project <https://github.com/CVEProject>`__ has been working on
> +   catching up with the missing CPEs an so is a candidate for being a new input

s/an/and/ ?

maybe "and is therefore a candidate" instead?

Cheers,
Quentin

Hi Quentin,

On Tue Mar 11, 2025 at 1:50 PM CET, Quentin Schulz wrote:
> Hi Antonin,
>
> On 3/11/25 11:56 AM, Antonin Godard via lists.yoctoproject.org wrote:
>> Add an entry to the known issue as the NVD is not up-to-date, the
>> impact on current CVE reports and future plans for the Yocto Project.
>> 
>> Signed-off-by: Antonin Godard <antonin.godard@bootlin.com>
>> ---
>>   documentation/migration-guides/release-notes-5.2.rst | 17 +++++++++++++++++
>>   1 file changed, 17 insertions(+)
>> 
>> diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst
>> index 417b202cdbb16d1ae6b95d8737b36f76a58cf6ef..eb8011a2797b1d3cc58514ffce01f0c8e7ab6f63 100644
>> --- a/documentation/migration-guides/release-notes-5.2.rst
>> +++ b/documentation/migration-guides/release-notes-5.2.rst
>> @@ -402,6 +402,23 @@ New Features / Enhancements in |yocto-ver|
>>   Known Issues in |yocto-ver|
>>   ~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>   
>> +-  The current :ref:`ref-classes-cve-check` class is based on the `National
>
> -current
>
> It's implied since this is a release note for 5.2.
>
>> +   Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware
>> +   of, the NVD database has now been stalling for the past year and CVE entries
>
> "for the past year" doesn't mean much when read from the documentation, 
> which can happen years from now. Maybe add some info on that so the 
> timeline is clear and people can cast doubt on the sentence a few years 
> from now?

Right, that's a good point. I think troubles on the NVD started beginning of
2024, I'll put that instead.

>> +   are missing the necessary information (:wikipedia:`CPEs
>> +   <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to
>> +   properly account for them. As a result, the current CVE reports may look good
>> +   but the reality is that some vulnerabilities are just not accounted for.
>> +
>> +   The Yocto Project team is working on a solution for the next release (October
>> +   2025). This solution should be based on SPDX version 3, which is already
>
> Maybe use the release name in addition to the release date?

I think we don't know what the name of the next release is yet?

>> +   implemented in the Yocto Project with the :ref:`ref-classes-create-spdx`
>> +   class.
>> +
>> +   The `CVE Project <https://github.com/CVEProject>`__ has been working on
>> +   catching up with the missing CPEs an so is a candidate for being a new input
>
> s/an/and/ ?
>
> maybe "and is therefore a candidate" instead?

+1

Thank you!
Antonin