| Message ID | 20250313-nvd-stalled-v3-1-1ee9b67a975c@bootlin.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v3] migration-guides/release-notes-5.2: add known issue on stalled NVD | expand |
Hi Antonin, On 3/13/25 10:41 AM, Antonin Godard via lists.yoctoproject.org wrote: > From: Antonin Godard <antonin.godard@bootlin.com> > > Add an entry to the known issue as the NVD is not up-to-date, the > impact on current CVE reports and future plans for the Yocto Project. > > Follows the discussion on: > https://lists.openembedded.org/g/openembedded-core/message/212446 > > Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> > --- > Changes in v3: > - Suggested by Marta (thank you!): > - Add what users can do at the moment. > - Simplify the sentence regarding the CVE Project. > - Link to v2: https://lore.kernel.org/r/20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com > > Changes in v2: > - Typos and suggestions from Quentin Schulz (thank you!) > - Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com > --- > .../migration-guides/release-notes-5.2.rst | 24 +++++++++++++++++++ > 1 file changed, 24 insertions(+) > > diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst > index 417b202cd..60564bbda 100644 > --- a/documentation/migration-guides/release-notes-5.2.rst > +++ b/documentation/migration-guides/release-notes-5.2.rst > @@ -402,6 +402,30 @@ New Features / Enhancements in |yocto-ver| > Known Issues in |yocto-ver| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > +- The :ref:`ref-classes-cve-check` class is based on the `National > + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware > + of, the NVD database has now been stalling since beginning of 2024 and CVE > + entries are missing the necessary information (:wikipedia:`CPEs > + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to > + properly account for them. As a result, the current CVE reports may look good > + but the reality is that some vulnerabilities are just not accounted for. > + > + During that time, users may look up the CVE database for entries concerning > + software they use, or follow release notes of such projects closely. > + > + Please note, that the :ref:`ref-classes-cve-check` tool has always been a > + helper tool, and users are advised to always review the final result. Results > + of an automatic scan may not take into account configuration options, > + compiler options and other factors. > + > + The Yocto Project team is working on a solution for the next release (October > + 2025). This solution should be based on SPDX version 3, which is already > + implemented in the Yocto Project with the :ref:`ref-classes-create-spdx` > + class. > + With the added note, this is now in an odd location. "Working on a solution" to what? The fact we shouldn't trust the output of the automated tool? > + The `CVE Project <https://github.com/CVEProject>`__ is currently seen as > + candidate for being a new source for enumerating and classifying CVEs. > + I'll let Marta chime in there but I am not sure this is relevant information in the docs? Cheers, Quentin
diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst index 417b202cd..60564bbda 100644 --- a/documentation/migration-guides/release-notes-5.2.rst +++ b/documentation/migration-guides/release-notes-5.2.rst @@ -402,6 +402,30 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +- The :ref:`ref-classes-cve-check` class is based on the `National + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware + of, the NVD database has now been stalling since beginning of 2024 and CVE + entries are missing the necessary information (:wikipedia:`CPEs + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to + properly account for them. As a result, the current CVE reports may look good + but the reality is that some vulnerabilities are just not accounted for. + + During that time, users may look up the CVE database for entries concerning + software they use, or follow release notes of such projects closely. + + Please note, that the :ref:`ref-classes-cve-check` tool has always been a + helper tool, and users are advised to always review the final result. Results + of an automatic scan may not take into account configuration options, + compiler options and other factors. + + The Yocto Project team is working on a solution for the next release (October + 2025). This solution should be based on SPDX version 3, which is already + implemented in the Yocto Project with the :ref:`ref-classes-create-spdx` + class. + + The `CVE Project <https://github.com/CVEProject>`__ is currently seen as + candidate for being a new source for enumerating and classifying CVEs. + Recipe License changes in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~