On Tue, 24 Sept 2024 at 06:24, Robert Yang <liezhi.y...@windriver.com> wrote:
> Thanks for looking into this, the problem is that the metadata (CVE patch info)
> is not in the binary packages such as RPMs, so CVE scanners such as Trivy
> don't know that. For example, CentOS and Ubuntu also have similar issues;
> they use vendor revisions such as 29.el6.centos and 0.4ubuntu3.3 to help
> Trivy know that the CVE is fixed in a lower version package.

But how is trivy's database updated to include such custom vendor
revisions? Is it done centrally by the vendor (and how?), or is it
done by users in local installations? This does appear hack-ish to me,
the better thing to do would be to actually include the list of fixed
CVEs into package metadata.

I'm not sure this should be carried in core, if there's only a single
known tool that needs it, and core has no support or tests for it.
Maybe something like meta-trivy?

Alex
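The two mechanisms discussed above, as an added illustration that is not code from Trivy, OE-core or either poster: (1) the vendor-revision approach, where a scanner compares a package's full epoch:version-release against the "fixed in" EVR from a distro advisory table, so that a release suffix such as 29.el6.centos is what marks a backported fix; and (2) the alternative raised in the reply, where the package metadata itself carries the list of fixed CVEs. The version comparison is a simplified reimplementation of RPM's rpmvercmp segment rules; the advisory table, package records and CVE identifiers are constructed placeholders, not real advisories.

```python
"""Two ways a scanner can decide whether a distro package carries a CVE fix.

Added example, not Trivy's or OE-core's code. ADVISORIES, the package
records and the CVE ids below are constructed sample data (placeholder
ids, not real CVEs).
"""
import re
from typing import Tuple

# One segment is a run of digits, a run of letters, or a lone '~' (pre-release marker).
_SEG = re.compile(r"[0-9]+|[a-zA-Z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: compare segment by segment.

    Digits compare numerically, letters lexically, a digit segment beats a
    letter segment, and '~' sorts before anything. Returns -1, 0 or 1.
    """
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if x == "~":
            return -1
        if y == "~":
            return 1
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    if len(sa) == len(sb):
        return 0
    # All shared segments equal: the longer side wins unless its extra segment is '~'.
    longer = sa if len(sa) > len(sb) else sb
    tail = longer[len(min(sa, sb, key=len))]
    if tail == "~":
        return -1 if longer is sa else 1
    return 1 if longer is sa else -1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release' into its parts; epoch defaults to 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = int(e)
    version, _, release = evr.partition("-")
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Compare two EVR strings: epoch first, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    c = rpmvercmp(va, vb)
    return c if c else rpmvercmp(ra, rb)


# Constructed vendor advisory table: placeholder CVE id -> first fixed EVR.
# The vendor release suffix is what records that the fix was backported to
# an upstream version (1.2.3) that is itself still "vulnerable" upstream.
ADVISORIES = {
    "CVE-0000-0001": "1.2.3-29.el6.centos",
}


def fixed_by_version(pkg_evr: str, cve: str) -> bool:
    """Approach 1 (vendor revisions): fixed iff installed EVR >= vendor's fixed EVR."""
    return evrcmp(pkg_evr, ADVISORIES[cve]) >= 0


def fixed_by_metadata(pkg: dict, cve: str) -> bool:
    """Approach 2 (explicit metadata): fixed iff the package record lists the CVE.

    Needs no vendor-specific release convention in the scanner database.
    """
    return cve in pkg.get("fixed_cves", ())


if __name__ == "__main__":
    cve = "CVE-0000-0001"
    for evr in ("1.2.3-28.el6.centos", "1.2.3-29.el6.centos", "1.2.4-1.el6", "1.2.3-1"):
        print(f"{evr:24s} fixed by version rule: {fixed_by_version(evr, cve)}")
    # A package built without any vendor suffix but with the fix applied: the
    # version rule reports it vulnerable, the metadata rule does not (constructed).
    pkg = {"name": "foo", "evr": "1.2.3-1", "fixed_cves": [cve]}
    print(f"{pkg['evr']:24s} fixed by metadata rule: {fixed_by_metadata(pkg, cve)}")
```

The last record shows the gap the thread is about: a package at 1.2.3-1 with the patch applied is flagged by the EVR rule because 1.2.3-1 sorts below 1.2.3-29.el6.centos, while the metadata rule answers correctly without the scanner needing a per-vendor database entry.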
View/Reply Online (#204833): https://lists.openembedded.org/g/openembedded-core/message/204833