On Thu, Jul 25, 2024 at 7:50 AM Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnago...@cisco.com> wrote:
>
> > -----Original Message-----
> > From: Richard Purdie <richard.pur...@linuxfoundation.org>
> > Sent: Thursday, July 25, 2024 3:44 AM
> > To: Marta Rybczynska <rybczyn...@gmail.com>
> > Cc: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnago...@cisco.com>; Marko, Peter <peter.ma...@siemens.com>; openembedded-core@lists.openembedded.org; xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
> > Subject: Re: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> >
> > On Wed, 2024-07-24 at 18:10 +0200, Marta Rybczynska wrote:
> > > On Wed, Jul 24, 2024 at 10:46 AM Richard Purdie via lists.openembedded.org <richard.purdie=linuxfoundation....@lists.openembedded.org> wrote:
> > > >
> > > > This is far from straightforward unfortunately.
> > > >
> > >
> > > I agree and also agree with Dhairya. We are facing the same issue within the VEX work.
> > > And this is going to come back in the context of the CRA.
> > >
> > > > Some people are using these lists as "are there any issues we need to worry about?".
> > > >
> > > > In that context, if an upstream has assessed a CVE and decided nothing need be done about it, our decision to "ignore" it is correct as there is nothing to be done.
> > > >
> > >
> > > The project might have decided not to fix for multiple reasons. Some of them may be good, some not.
> > >
> > > I do not completely agree that there is nothing to be done. We might decide to use a configuration option that disables the vulnerable feature. In this case there is an appropriate status to put. We can do an in-depth analysis and figure out if the vulnerable code can be reached in our configuration. If not, there is an appropriate status to put.
> >
> > I'm working on the assumption that if either of those two things were the case, we'd have done them in preference to the wontfix status. The wontfix status is the last resort where upstream disagrees there is an issue or that the issue is an actual problem.
>
> As per my understanding, we have 'disputed' status for the above mentioned scenarios.
> (Where upstream disagrees, or they don't consider the issue a problem)
>
> Below is the snippet from the current cve-check-map.conf
>
> # use when upstream does not accept the report as a vulnerability (e.g. works as designed)
> CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> # use when upstream *acknowledged* the vulnerability but does not plan to fix it
> CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
>

upstream-wontfix and disputed are far from the same thing at the CVE Programme level. "disputed" is a flag of the CVE entry (at least for the most recent ones) and it will be possible to attach it automatically. However, it still means a vendor analysis is needed to decide which side of the dispute you agree with...

Kind regards,
Marta
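The effect of the mapping change discussed in this thread, as an added example that is neither OE-core's cve-check code nor anything posted by the participants: it parses per-recipe `CVE_STATUS[<id>] = "status: justification"` values (the format cve-check.bbclass uses, assumed here) and pushes them through a `CVE_CHECK_STATUSMAP` dictionary, once with the current map and once with `upstream-wontfix` moved to "Unpatched". The map entries other than the two quoted above, the CVE ids and the justifications are constructed for the example.

```python
import re

# Subset of cve-check-map.conf as quoted in the thread; the entries other
# than 'disputed' and 'upstream-wontfix' are assumed here for illustration.
DEFAULT_STATUSMAP = {
    "disputed": "Ignored",
    "upstream-wontfix": "Ignored",
    "not-applicable-config": "Ignored",
    "fixed-version": "Patched",
    "unpatched": "Unpatched",
}

# CVE_STATUS values look like "status" or "status: free-text justification".
CVE_STATUS_RE = re.compile(r"^\s*([a-z-]+)\s*(?::\s*(.*))?$")

def parse_cve_status(value):
    """Split a CVE_STATUS value into (status, justification)."""
    m = CVE_STATUS_RE.match(value)
    if not m:
        raise ValueError(f"malformed CVE_STATUS value: {value!r}")
    return m.group(1), (m.group(2) or "").strip()

def classify(cve_status, statusmap):
    """Return {report bucket: [CVE ids]} for a dict of CVE id -> CVE_STATUS.
    A status absent from the map lands in 'Unpatched' (this example's choice),
    so a mistyped status can never silently hide a CVE from the report."""
    buckets = {"Patched": [], "Unpatched": [], "Ignored": []}
    for cve, value in sorted(cve_status.items()):
        status, _justification = parse_cve_status(value)
        buckets[statusmap.get(status, "Unpatched")].append(cve)
    return buckets

def proposed_statusmap():
    """The map with the change proposed in the patch under discussion."""
    m = dict(DEFAULT_STATUSMAP)
    m["upstream-wontfix"] = "Unpatched"
    return m

# Constructed sample recipe statuses; the CVE ids are placeholders.
SAMPLE_CVE_STATUS = {
    "CVE-0000-0001": "fixed-version: fixed in the version we build",
    "CVE-0000-0002": "disputed: upstream does not accept this as a vulnerability",
    "CVE-0000-0003": "upstream-wontfix: upstream acknowledged it but will not fix",
    "CVE-0000-0004": "not-applicable-config: vulnerable feature disabled via PACKAGECONFIG",
}

if __name__ == "__main__":
    for name, sm in (("current", DEFAULT_STATUSMAP), ("proposed", proposed_statusmap())):
        print(name, classify(SAMPLE_CVE_STATUS, sm))
```

With the current map all three of the disputed, wontfix and config-disabled CVEs disappear into "Ignored"; with the proposed map only the wontfix one resurfaces as "Unpatched", which is exactly the distinction the thread argues over.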
View/Reply Online (#202539): https://lists.openembedded.org/g/openembedded-core/message/202539