On 20 Sep 2024, at 09:53, Robert Yang via lists.openembedded.org
wrote:
> The VENDOR_REVISION is for CVE scanners to know the CVEs have been fixed in a
> lower version; CVE scanners such as Trivy can know the CVEs have been fixed in
> a higher version, but it can't know the CVE is fixed in a lowe
Hi,
On Tue, Sep 24, 2024 at 04:21:49PM +0800, Robert Yang wrote:
> On 9/24/24 15:52, Mikko Rapeli wrote:
> > Hi,
> >
> > On Fri, Sep 20, 2024 at 01:53:13AM -0700, Robert Yang via
> > lists.openembedded.org wrote:
> > > From: Robert Yang
> > >
> > > The VENDOR_REVISION is for cve scanners to kn
On Tue, 24 Sept 2024 at 10:18, Robert Yang wrote:
> > done by users in local installations? This does appear hack-ish to me,
> > the better thing to do would be to actually include the list of fixed
> > CVEs into package metadata.
>
> The problem is that Trivy can't work in this way AFAIK.
You do
On 9/24/24 15:52, Mikko Rapeli wrote:
Hi,
On Fri, Sep 20, 2024 at 01:53:13AM -0700, Robert Yang via
lists.openembedded.org wrote:
From: Robert Yang
The VENDOR_REVISION is for CVE scanners to know the CVEs have been fixed in a
lower version; CVE scanners such as Trivy can know the CVEs have b
On 9/24/24 12:47, Alexander Kanavin wrote:
On Tue, 24 Sept 2024 at 06:24, Robert Yang wrote:
Thanks for looking into this, the problem is that the metadata (CVE patch info)
is not in the binary packages such as RPMs, so the CVE scanners such as Trivy
don't know that. For example, CentOS and
Hi,
On Fri, Sep 20, 2024 at 01:53:13AM -0700, Robert Yang via
lists.openembedded.org wrote:
> From: Robert Yang
>
> The VENDOR_REVISION is for CVE scanners to know the CVEs have been fixed in a
> lower version; CVE scanners such as Trivy can know the CVEs have been fixed in
> a higher version,
On Tue, 24 Sept 2024 at 06:24, Robert Yang wrote:
> Thanks for looking into this, the problem is that the metadata (CVE patch
> info)
> is not in the binary packages such as RPMs, so the CVE scanners such as Trivy
> don't know that. For example, CentOS and Ubuntu also have similar issues,
>
Hi Alexander,
On 9/24/24 01:19, Alexander Kanavin wrote:
I don't understand. If we fix a CVE with a backport, then there's
metadata in the backported patch to indicate that even though the
overall version doesn't change to the one that isn't vulnerable, the
patch addresses the vulnerability. Why
I don't understand. If we fix a CVE with a backport, then there's
metadata in the backported patch to indicate that even though the
overall version doesn't change to the one that isn't vulnerable, the
patch addresses the vulnerability. Why is a whole separate mechanism
still needed?
Alex
On Fri,
From: Robert Yang
The VENDOR_REVISION is for CVE scanners to know the CVEs have been fixed in a
lower version; CVE scanners such as Trivy can know the CVEs have been fixed in
a higher version, but it can't know the CVE is fixed in a lower version without
a helper, we have the following ways to se