On Sat, Mar 19, 2022 at 8:26 PM Richard Purdie <richard.pur...@linuxfoundation.org> wrote:
>
> Posted as an RFC to see what people think of this. I make no claims
> on how useful it is/isn't but wanted to show integration isn't difficult
> and provide some inspiration for ideas.
>
> Details on the tool in question: https://github.com/madisongh/kernel-cve-tool
>
> I've ignored the NO-FIXES-AVILABLE and PATCHED-CVES files.
I was not aware of this particular tool, but it uses data from https://github.com/nluedtke/linux_kernel_cves (which is also used for www.linuxkernelcves.com). I have been using this data source for several years. I find it particularly useful for analysing the LTS kernel branches, because the NVD database really does not capture [1] the efforts that go into back-porting the fixes. It takes quite a bit of effort to figure out which CVEs are addressed in which commit, and then to determine if the commit is applicable to LTS branches, and whether it has been applied. The www.linuxkernelcves.com site largely automates this problem, and I've spot-checked quite a few of its results and found them to be correct. The project typically updates every week or so.

So, I for one would welcome a way to include this in the Yocto build, as I am currently doing this manually with post-processing.

As the other replies have indicated, the phrasing of "consider cherry-pick" is probably not ideal. Ideally, the output would be formatted the same as the existing cve-check tool, although a simple list of applicable/unpatched CVEs would also suffice.

I just got it working against my dunfell branch, so I will do a bit of experimentation...

Regards,
Ralph

[1] This might change in the upcoming NVD JSON 5.0 format, which now allows using git hashes to describe the status of multiple branches. Though it remains to be seen if these new features will actually get used.
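The classification the reply describes (which commit fixes a CVE, whether that commit, or a stable backport of it, is present on the branch, and whether the vulnerable code ever landed there) can be shown in a few dozen lines. The following is an added example, not code from the thread, from kernel-cve-tool, from linux_kernel_cves or from the Yocto cve-check class. It assumes each CVE record carries a "breaks" (introducing) and "fixes" commit hash, which is how linux_kernel_cves lays out kernel_cves.json; the CVE ids, commit hashes and git log below are constructed placeholders, and the report layout only loosely imitates cve-check's text output.

```python
"""Classify kernel CVEs against a branch's git history.

Added example (not from the thread, kernel-cve-tool, linux_kernel_cves or
Yocto's cve-check). Assumption: CVE records look like linux_kernel_cves'
kernel_cves.json entries, with "breaks" and "fixes" commit hashes.
All ids and hashes below are constructed placeholders.
"""
import re
from typing import Dict, Set

# Constructed sample records: placeholder CVE ids and hashes, not real ones.
SAMPLE_CVES: Dict[str, Dict[str, str]] = {
    "CVE-EXAMPLE-0001": {"breaks": "aaaa000000000001", "fixes": "bbbb000000000001",
                         "cmt_msg": "fix present as a stable backport"},
    "CVE-EXAMPLE-0002": {"breaks": "aaaa000000000002", "fixes": "bbbb000000000002",
                         "cmt_msg": "bug introduced here, fix not backported"},
    "CVE-EXAMPLE-0003": {"breaks": "aaaa000000000003", "fixes": "bbbb000000000003",
                         "cmt_msg": "introducing commit never reached this branch"},
    "CVE-EXAMPLE-0004": {"breaks": "", "fixes": "",
                         "cmt_msg": "no upstream fix known yet"},
    "CVE-EXAMPLE-0005": {"breaks": "", "fixes": "bbbb000000000005",
                         "cmt_msg": "fix merged under its upstream hash"},
}

# Constructed `git log` output for a hypothetical LTS branch. Stable backports
# get a new hash; the upstream hash survives only in the message body.
SAMPLE_GIT_LOG = """\
commit 1111000000000000000000000000000000000001
Author: Someone <someone@example.invalid>

    subsys: fix the first issue

    commit bbbb000000000001 upstream.

commit aaaa000000000002ffffffffffffffffffffffff

    subsys: introduce feature two

commit aaaa000000000001ffffffffffffffffffffffff

    subsys: introduce feature one

commit bbbb000000000005ffffffffffffffffffffffff

    subsys: fix the fifth issue
"""

_COMMIT_HEADER = re.compile(r"^commit ([0-9a-f]{7,40})\b")
# The two conventions stable maintainers use to cite the upstream commit.
_UPSTREAM_REF = re.compile(
    r"(?:^\s*commit ([0-9a-f]{7,40}) upstream\b|\[ Upstream commit ([0-9a-f]{7,40}) \])",
    re.MULTILINE,
)


def collect_commit_ids(git_log: str) -> Set[str]:
    """Return every commit id on the branch plus every upstream id that a
    backport names in its body, so fixes are found under either hash."""
    ids: Set[str] = set()
    for line in git_log.splitlines():
        m = _COMMIT_HEADER.match(line)  # header lines only; bodies are indented
        if m:
            ids.add(m.group(1))
    for m in _UPSTREAM_REF.finditer(git_log):
        ids.add(m.group(1) or m.group(2))
    return ids


def _present(commit: str, known: Set[str]) -> bool:
    """Membership test tolerant of abbreviated hashes on either side."""
    return bool(commit) and any(k.startswith(commit) or commit.startswith(k) for k in known)


def classify(record: Dict[str, str], known: Set[str]) -> str:
    """Decide a single CVE's status for a branch whose commit ids are `known`."""
    breaks, fixes = record.get("breaks", ""), record.get("fixes", "")
    if breaks and not _present(breaks, known):
        return "Not applicable"  # the vulnerable code never landed on this branch
    if not fixes:
        return "Unpatched (no fix available)"
    return "Patched" if _present(fixes, known) else "Unpatched"


def classify_all(cves: Dict[str, Dict[str, str]], git_log: str) -> Dict[str, str]:
    known = collect_commit_ids(git_log)
    return {cve_id: classify(rec, known) for cve_id, rec in cves.items()}


def format_report(statuses: Dict[str, str], package: str, version: str) -> str:
    """Text report loosely modelled on cve-check's layout (layout is an assumption)."""
    lines = []
    for cve_id, status in sorted(statuses.items()):
        lines += [f"PACKAGE NAME: {package}", f"PACKAGE VERSION: {version}",
                  f"CVE: {cve_id}", f"CVE STATUS: {status}", ""]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(classify_all(SAMPLE_CVES, SAMPLE_GIT_LOG), "linux-example", "0.0"))
```

In a build the git log text would come from `git log` on the kernel source tree and the records from a checkout of the linux_kernel_cves data; only the "Unpatched" entries are the backport candidates, while "Not applicable" ones can be dropped from the report without consulting NVD.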