On 9/24/24 12:47, Alexander Kanavin wrote:
> On Tue, 24 Sept 2024 at 06:24, Robert Yang <liezhi.y...@windriver.com> wrote:
>> Thanks for looking into this, the problem is that the metadata (CVE patch info)
>> is not in the binary packages such as RPMs, so the CVE scanners such as Trivy
>> don't know that. For example, CentOS and Ubuntu also have similar issues:
>> they use vendor revisions such as 29.el6.centos and 0.4ubuntu3.3 to help
>> Trivy know that the CVE is fixed in a lower version package.
>
> But how is trivy's database updated to include such custom vendor
> revisions? Is it done centrally by the vendor (and how?), or is it

The vendor itself will update trivy's database. David Reyna (in the To list) is
working on a script which can update the database; we will provide more detailed
examples later.

> done by users in local installations? This does appear hack-ish to me,
> the better thing to do would be to actually include the list of fixed
> CVEs into package metadata.

The problem is that Trivy can't work in this way AFAIK.

> I'm not sure this should be carried in core, if there's only a single
> known tool that needs it, and core has no support or tests for it.
> Maybe something like meta-trivy?

Trivy is just an example, we're trying to make more tools such as blackduck
work.

// Robert

> Alex
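To make concrete why a vendor revision such as 29.el6.centos matters to a scanner, here is an added example (not code from Trivy or from this thread) of the comparison a scanner performs: an RPM-style epoch:version-release compare run against two constructed databases, one that only knows the upstream fixed version and one that carries the vendor backport. The package name, version strings and CVE id are placeholders, and the compare is a simplified rpmvercmp without tilde/caret handling.

```python
import re

def _segments(s):
    # Split into alternating numeric and alphabetic runs, as rpmvercmp does.
    return re.findall(r"\d+|[a-zA-Z]+", s)

def rpmvercmp(a, b):
    """Simplified rpm version/release compare. Returns -1, 0 or 1."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # numeric segment sorts newer than alpha
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def split_evr(evr):
    """'epoch:version-release' -> (int epoch, version, release); epoch and release optional."""
    epoch, _, rest = evr.partition(":") if ":" in evr else ("0", "", evr)
    version, _, release = rest.partition("-")
    return int(epoch), version, release

def compare_evr(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)

# Constructed sample data: the same placeholder CVE seen two ways.
# Upstream view: fixed only in the 1.2.0 release.
UPSTREAM_FIXED = {"CVE-0000-0001": ("examplelib", "1.2.0")}
# Vendor view: fix backported into the 1.1.0 package at release 29.el6.centos.
VENDOR_FIXED = {"CVE-0000-0001": ("examplelib", "1.1.0-29.el6.centos")}

def scan(installed, db):
    """Return CVE ids the database still considers open for (name, evr)."""
    name, evr = installed
    return sorted(cve for cve, (pkg, fixed) in db.items()
                  if pkg == name and compare_evr(evr, fixed) < 0)

if __name__ == "__main__":
    pkg = ("examplelib", "1.1.0-29.el6.centos")
    print("upstream-only db:", scan(pkg, UPSTREAM_FIXED))  # false positive
    print("vendor-aware db: ", scan(pkg, VENDOR_FIXED))    # correctly clean
```

Without the vendor entry the backported package is reported as vulnerable because only its upstream version 1.1.0 is visible; with it, the release segment carries the fix information the binary package itself lacks.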