On 9/05/23 9:32 pm, Mikko Rapeli wrote:
On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:
On 8 May 2023, at 09:57, Adrian Freihofer via 
lists.openembedded.org<adrian.freihofer=gmail....@lists.openembedded.org>  
wrote:
Is there any defined language that we can simply adopt?
Since a lot of people talk about SPDX solving these issues would be nice
to know how that is going to work. I can't parse
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
and figure out how to mark a CVE issue which has been ignored after
analysis.


Perhaps this?

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k16-linking-to-a-vulnerability-disclosure-document

   To communicate that a package is not vulnerable to a specific
   vulnerability it is recommended to reference a web page indicating
   why given vulnerabilities are not applicable.

   "externalRefs" : [ {
       "referenceCategory" : "SECURITY",
       "referenceLocator" : "https://example.com/product-x/security-info.html",
       "referenceType" : "advisory"
   } ]
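As an added example (not code from this thread, from OpenEmbedded or from the SPDX project), the following Python attaches that SECURITY/advisory externalRef to a package in an SPDX 2.3 JSON document and then checks SECURITY references the way a downstream consumer would: the referenceType must be one of the types Annex F of SPDX 2.3 defines for the SECURITY category, and an advisory/fix/url locator must be an http(s) URL that a reader can actually follow. The SPDX document, package name and advisory URL are constructed for illustration.

```python
"""Added example: mark a package as analysed/not vulnerable via an SPDX 2.3
SECURITY externalRef, and validate such refs. Not from the thread or SPDX."""
import copy
import json
from urllib.parse import urlparse

# Reference types SPDX 2.3 Annex F defines for the SECURITY category.
SECURITY_REF_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}
# Types whose locator is expected to be a fetchable URL.
URL_REF_TYPES = {"advisory", "fix", "url"}

# Constructed minimal SPDX 2.3 document; package, version and CPE are hypothetical.
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "product-x-sbom",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-product-x",
            "name": "product-x",
            "versionInfo": "1.2.3",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:example:product-x:1.2.3:*:*:*:*:*:*:*"}
            ],
        }
    ],
}


def not_vulnerable_ref(url, comment=None):
    """externalRef meaning 'this page explains why listed CVEs do not apply'."""
    ref = {"referenceCategory": "SECURITY", "referenceType": "advisory",
           "referenceLocator": url}
    if comment:
        ref["comment"] = comment  # optional free text, e.g. which CVEs were analysed
    return ref


def add_external_ref(doc, spdxid, ref):
    """Return a copy of doc with ref appended to the package carrying spdxid."""
    new = copy.deepcopy(doc)
    for pkg in new.get("packages", []):
        if pkg.get("SPDXID") == spdxid:
            pkg.setdefault("externalRefs", []).append(ref)
            return new
    raise KeyError(f"no package with SPDXID {spdxid}")


def check_security_refs(doc):
    """List problems in SECURITY externalRefs: unknown type, or a non-URL locator."""
    problems = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceCategory") != "SECURITY":
                continue
            rtype = ref.get("referenceType")
            locator = ref.get("referenceLocator", "")
            if rtype not in SECURITY_REF_TYPES:
                problems.append(f"{pkg['name']}: unknown SECURITY referenceType {rtype!r}")
            elif rtype in URL_REF_TYPES:
                parsed = urlparse(locator)
                if parsed.scheme not in ("http", "https") or not parsed.netloc:
                    problems.append(
                        f"{pkg['name']}: {rtype} locator is not an http(s) URL: {locator!r}")
    return problems


def security_advisories(doc):
    """Map package name -> advisory URLs an auditor should read before acting on a CVE."""
    out = {}
    for pkg in doc.get("packages", []):
        urls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                if r.get("referenceCategory") == "SECURITY"
                and r.get("referenceType") == "advisory"]
        if urls:
            out[pkg["name"]] = urls
    return out


if __name__ == "__main__":
    doc = add_external_ref(
        SAMPLE_DOC, "SPDXRef-Package-product-x",
        not_vulnerable_ref("https://example.com/product-x/security-info.html",
                           "CVE analysis: listed CVEs are not applicable to this build"))
    print(json.dumps(doc, indent=2))
    print("problems:", check_security_refs(doc))
    print("advisories:", security_advisories(doc))
```

Note that the spec only says where to point; what the referenced page contains (which CVEs were looked at, and why each does not apply) is still up to the producer, so the optional `comment` field is the only place inside the SBOM itself to leave a short trace of that analysis.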