On Tue, 24 Sept 2024 at 10:18, Robert Yang <liezhi.y...@windriver.com> wrote:
> > done by users in local installations? This does appear hack-ish to me,
> > the better thing to do would be to actually include the list of fixed
> > CVEs into package metadata.
>
> The problem is that Trivy can't work in this way AFAIK.
You do need to raise this with Trivy. It's open source, and can be improved.

This whole CVE ecosystem is already mad enough, and that's why I'm not getting involved; managing vendor revisions instead of directly looking at what has been fixed is just adding to that madness. Or let's just not use broken external tools, and do things right ourselves.

Alex
View/Reply Online (#204841): https://lists.openembedded.org/g/openembedded-core/message/204841