On Sat, Mar 19, 2022 at 8:26 PM Richard Purdie
<richard.pur...@linuxfoundation.org> wrote:
>
> Posted as an RFC to see what people think of this. I make no claims
> on how useful it is/isn't but wanted to show integration isn't difficult
> and provide some inspiration for ideas.
>
> Details on the tool in question: https://github.com/madisongh/kernel-cve-tool
>
> I've ignored the NO-FIXES-AVILABLE and PATCHED-CVES files.

I was not aware of this particular tool, but it uses data from
https://github.com/nluedtke/linux_kernel_cves (which is also used for
www.linuxkernelcves.com).

I have been using this data source for several years. I find it
particularly useful for analysing the LTS kernel branches, because the
NVD database really does not capture [1] the efforts that go into
back-porting the fixes. It takes quite a bit of effort to figure out
which CVEs are addressed in which commit, and then to determine if the
commit is applicable to LTS branches, and whether it has been applied.
The www.linuxkernelcves.com largely automates this problem, and I've
spot-checked quite a few of its results, and found them to be correct.
The project typically updates every week or so.

So, I for one would welcome a way to include this in the yocto build,
as I am currently doing this manually with post-processing.
As the other replies have indicated, the phrasing of "consider
cherry-pick" is probably not ideal.
Ideally, the output would be formatted the same as the existing
cve-check tool, although a simple list of applicable/unpatched CVEs
would also suffice.
I just got it working against my dunfell branch, so I will do a bit of
experimentation...

Regards,
Ralph

[1] This might change in the upcoming NVD JSON 5.0 format, which now
allows using git hashes to describe the status of multiple branches.
Though it remains to be seen if these new features will actually get
used.
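The classification step described above (which CVEs have a fix on a given LTS stream, and whether the running kernel version already includes it) can be illustrated with a small script. The following is an added example and not code from the thread, from kernel-cve-tool, or from the linux_kernel_cves project; it assumes the per-stream fix data has the shape `{"CVE-id": {"<major.minor stream>": {"cmt_id": ..., "fixed_version": ...}}}`, which is an assumption about that project's `stream_fixes.json`, and the sample data, commit ids and `linux-yocto` package name below are constructed. The report layout only approximates the field names of the cve-check text output.

```python
import json
import re

# Constructed sample in the assumed shape of linux_kernel_cves' stream_fixes.json.
# CVE ids, commit ids and fixed versions are made up for this example.
SAMPLE_STREAM_FIXES = json.dumps({
    "CVE-2022-0001": {
        "5.10": {"cmt_id": "<constructed-hash-1>", "fixed_version": "5.10.100"},
        "5.15": {"cmt_id": "<constructed-hash-2>", "fixed_version": "5.15.23"},
    },
    "CVE-2022-0002": {
        "5.15": {"cmt_id": "<constructed-hash-3>", "fixed_version": "5.15.30"},
    },
    "CVE-2022-0003": {
        "5.10": {"cmt_id": "<constructed-hash-4>", "fixed_version": "5.10.110"},
    },
})


def parse_version(version):
    """Turn '5.10.105' (or '5.17-rc8') into a comparable tuple of ints."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def stream_of(version):
    """The LTS stream a kernel version belongs to, e.g. '5.10' for 5.10.105."""
    major, minor = parse_version(version)[:2]
    return "%d.%d" % (major, minor)


def classify(stream_fixes, kernel_version):
    """Sort CVEs into Patched / Unpatched / Unknown for one kernel version.

    Unknown means the data has no fix recorded for this stream at all: the
    CVE may not affect the stream, or no backport exists yet, so it should
    be reviewed by hand rather than silently treated as patched.
    """
    stream = stream_of(kernel_version)
    kv = parse_version(kernel_version)
    result = {"Patched": [], "Unpatched": [], "Unknown": []}
    for cve, streams in sorted(stream_fixes.items()):
        entry = streams.get(stream)
        if entry is None:
            result["Unknown"].append(cve)
        elif parse_version(entry["fixed_version"]) <= kv:
            result["Patched"].append(cve)
        else:
            result["Unpatched"].append(cve)
    return result


def format_report(package, kernel_version, stream_fixes):
    """Render the classification as cve-check-style text records (approximate layout)."""
    lines = []
    for status, cves in classify(stream_fixes, kernel_version).items():
        for cve in cves:
            lines += [
                "PACKAGE NAME: %s" % package,
                "PACKAGE VERSION: %s" % kernel_version,
                "CVE: %s" % cve,
                "CVE STATUS: %s" % status,
                "MORE INFORMATION: https://nvd.nist.gov/vuln/detail/%s" % cve,
                "",
            ]
    return "\n".join(lines)


if __name__ == "__main__":
    data = json.loads(SAMPLE_STREAM_FIXES)
    print(format_report("linux-yocto", "5.10.105", data))
```

Run against a real `stream_fixes.json`, the same `classify()` gives the "simple list of applicable/unpatched CVEs" mentioned above; the Unknown bucket is the part that still needs a human look, since absence of a recorded fix is not evidence that the stream is unaffected.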