| Message ID | 20250317-nvd-stalled-v4-1-2eab55aa0fc0@bootlin.com |
|---|---|
| State | New |
| Headers | show |
| Series | [v4] migration-guides/release-notes-5.2: add known issue on stalled NVD | expand |
Hi Antonin, On 3/17/25 10:10 AM, Antonin Godard via lists.yoctoproject.org wrote: > Add an entry to the known issue as the NVD is not up-to-date, the > impact on current CVE reports and future plans for the Yocto Project. > > Follows the discussion on: > https://lists.openembedded.org/g/openembedded-core/message/212446 > > Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> > --- > Changes in v4: > - Review by Quentin Schulz (thank you!): > - Be more precise about what solution the YP team will try to solve. > - Remove CVE Project potential candidate. > - Link to v3: https://lore.kernel.org/r/20250313-nvd-stalled-v3-1-1ee9b67a975c@bootlin.com > > Changes in v3: > - Suggested by Marta (thank you!): > - Add what users can do at the moment. > - Simplify the sentence regarding the CVE Project. > - Link to v2: https://lore.kernel.org/r/20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com > > Changes in v2: > - Typos and suggestions from Quentin Schulz (thank you!) > - Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com > --- > .../migration-guides/release-notes-5.2.rst | 21 +++++++++++++++++++ > 1 file changed, 21 insertions(+) > > diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst > index 417b202cd..5b7da9f03 100644 > --- a/documentation/migration-guides/release-notes-5.2.rst > +++ b/documentation/migration-guides/release-notes-5.2.rst > @@ -402,6 +402,27 @@ New Features / Enhancements in |yocto-ver| > Known Issues in |yocto-ver| > ~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > +- The :ref:`ref-classes-cve-check` class is based on the `National > + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware > + of, the NVD database has now been stalling since beginning of 2024 and CVE > + entries are missing the necessary information (:wikipedia:`CPEs > + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to > + properly account for them. As a result, the current CVE reports may look good > + but the reality is that some vulnerabilities are just not accounted for. > + > + During that time, users may look up the CVE database for entries concerning > + software they use, or follow release notes of such projects closely. > + > + Please note, that the :ref:`ref-classes-cve-check` tool has always been a > + helper tool, and users are advised to always review the final result. Results > + of an automatic scan may not take into account configuration options, > + compiler options and other factors. > + > + The Yocto Project team is working on a new solution for the next release > + (October 2025) for enumerating CVEs. This solution should be based on SPDX > + version 3, which is already implemented in the Yocto Project with the > + :ref:`ref-classes-create-spdx` class. > + Wording looks good to me, that is, someone not involved in CVE checking in Yocto :) +Cc Marta who's very involved in all of this, maybe she has something to say about this? Thanks! Quentin
diff --git a/documentation/migration-guides/release-notes-5.2.rst b/documentation/migration-guides/release-notes-5.2.rst index 417b202cd..5b7da9f03 100644 --- a/documentation/migration-guides/release-notes-5.2.rst +++ b/documentation/migration-guides/release-notes-5.2.rst @@ -402,6 +402,27 @@ New Features / Enhancements in |yocto-ver| Known Issues in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~ +- The :ref:`ref-classes-cve-check` class is based on the `National + Vulnerability Database <https://nvd.nist.gov/>`__ (NVD). As some are aware + of, the NVD database has now been stalling since beginning of 2024 and CVE + entries are missing the necessary information (:wikipedia:`CPEs + <Common_Platform_Enumeration>`) for the :ref:`ref-classes-cve-check` to + properly account for them. As a result, the current CVE reports may look good + but the reality is that some vulnerabilities are just not accounted for. + + During that time, users may look up the CVE database for entries concerning + software they use, or follow release notes of such projects closely. + + Please note, that the :ref:`ref-classes-cve-check` tool has always been a + helper tool, and users are advised to always review the final result. Results + of an automatic scan may not take into account configuration options, + compiler options and other factors. + + The Yocto Project team is working on a new solution for the next release + (October 2025) for enumerating CVEs. This solution should be based on SPDX + version 3, which is already implemented in the Yocto Project with the + :ref:`ref-classes-create-spdx` class. + Recipe License changes in |yocto-ver| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add an entry to the known issue as the NVD is not up-to-date, the impact on current CVE reports and future plans for the Yocto Project. Follows the discussion on: https://lists.openembedded.org/g/openembedded-core/message/212446 Signed-off-by: Antonin Godard <antonin.godard@bootlin.com> --- Changes in v4: - Review by Quentin Schulz (thank you!): - Be more precise about what solution the YP team will try to solve. - Remove CVE Project potential candidate. - Link to v3: https://lore.kernel.org/r/20250313-nvd-stalled-v3-1-1ee9b67a975c@bootlin.com Changes in v3: - Suggested by Marta (thank you!): - Add what users can do at the moment. - Simplify the sentence regarding the CVE Project. - Link to v2: https://lore.kernel.org/r/20250311-nvd-stalled-v2-1-fd3825beaf01@bootlin.com Changes in v2: - Typos and suggestions from Quentin Schulz (thank you!) - Link to v1: https://lore.kernel.org/r/20250311-nvd-stalled-v1-1-f383ddcf3316@bootlin.com --- .../migration-guides/release-notes-5.2.rst | 21 +++++++++++++++++++ 1 file changed, 21 insertions(+) --- base-commit: e608902ffae3af5ab0c5308b0550e49a790482f0 change-id: 20250311-nvd-stalled-ed957989e05a Best regards,