Hi,

On Thu, 2024-07-04 at 11:02 +0200, Jacoba Brandner via lists.openembedded.org 
wrote:
> This email contains a review of the remaining CVEs from the status
> list: https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/cve-status-master.txt
> This work is done as part of "Milestones 3, 4, 5 and 6. Triage CVEs"
> as stated in the Scope of Work with Sovereign Tech Fund (STF)
> (https://www.sovereigntechfund.de/).
> 
> The reports are saved as HTML files here:
> - Milestone 3: https://clients.neighbourhood.ie/yocto/81-120.html
> - Milestone 4: https://clients.neighbourhood.ie/yocto/121-160.html
> - Milestone 5: https://clients.neighbourhood.ie/yocto/161-200.html
> - Milestone 6: https://clients.neighbourhood.ie/yocto/201-221.html
> 
> The reports contain a review of the CVEs including the following:
> - Package versions affected
> - Current package version on 'meta-openembedded'
> - Notes on how the CVE can be addressed
> 
> Please note that for the CVEs marked as 'invalid', separate patch
> status updates have been sent to this mailing list:
> [email protected].
> 
> The collection of all emails we've sent to NIST are saved
> here https://clients.neighbourhood.ie/yocto/NIST.html
> 
> We can also provide this in any other format that might be convenient
> for you. Please let us know.

I had a look into this. Firstly, I wanted to say a huge thanks for
working through this, you're doing a great job! Getting the status of
CVEs sorted out, particularly the older ones makes a huge difference to
the clarity of the security situation of our codebase.

We can see the status of our codebase here:

https://autobuilder.yocto.io/pub/non-release/patchmetrics-meta-oe/

You can see we've gone from around 271 CVEs at the start to having 136
currently listed.

When I looked at the list of open CVEs, a few did catch my eye,
particularly the 24 still open against imagemagick.

I can see many were already excluded in the recipe, based upon the CPE
needing an update and I appreciate you've sent emails to get the NVD
entry tweaked:

https://git.openembedded.org/meta-openembedded/tree/meta-oe/recipes-support/imagemagick/imagemagick_7.1.1.bb

In your report for milestone 4, I see CVE-2014-9822 has a CPE sent for
it:

https://clients.neighbourhood.ie/yocto/121-160.html

but it is listed as being an open issue in the metadata. Was there a
reason we don't have the CVE_STATUS[CVE-2014-9822] set in the recipe?

There are a few others that are probably in a similar state to this.

I suspect there are a few details we need to tweak just to fully ensure
the reports reflect all the good work you've done?

Thanks again for the work though, there is some really great data here,
I just want to ensure our metrics fully reflect it.

Cheers,

Richard
