On Sat, 2023-12-23 at 02:47 -0800, fabian.hanke via lists.yoctoproject.org wrote:
> We must provide an SBOM for our Yocto-based product, which will then be
> used for (internal) CVE scanning by the security department.
> Generating the base document in CycloneDX format is fairly easy
> (thanks to the nature of Yocto).
> But we do not know how to include information about CVE patches for
> each package in the document. Not providing these will cause a lot
> of "false" feedback on CVEs for specific versions which are already
> patched (but the version number did not change).
https://docs.yoctoproject.org/dev/dev-manual/vulnerabilities.html#vulnerability-check-at-build-time

The cve-check tooling can check which issues are present and which are fixed in some way, so that information is there.

> This problem was also mentioned a few days ago in the presentation
> from David Reyna: https://youtu.be/PegU1G1bA80?t=1127 . I like the
> proposed solution of adding a vendor-specific string to the package
> version. But I'm still wondering: how would the CVE scanner vendor
> know which CVEs are included in a Yocto-specific version and which
> are not?

The data could also be written into our SPDX SBoM information; offhand I'm not sure if it is already or not.

> I hope this is the correct place to start a discussion (if not, please
> point me to the correct place):
> Does anyone else also have the same problem with false feedback from
> CVE scanners? How do you deal with it?

The project has been focused around the cve-check tooling and SPDX SBoM generation. If you want to use that data, we'd suggest you extract it from those sources, as the project itself doesn't want to try and generate multiple different output formats.

Cheers,

Richard
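One way to do what Richard suggests (take the patch status cve-check already computed and carry it into the CycloneDX document, rather than asking the project for another output format) is a small post-build script. The following is an added example, not Yocto project code and not something from this thread. It assumes the shape of cve-check's JSON summary (a `package` list whose entries carry an `issue` list with `id`, `status` and `link`, statuses `Patched`, `Unpatched`, `Ignored`); field names may differ between releases, so check them against the file your build produces. The CVE identifiers, package names and statuses in the sample data are constructed for the demo. On the CycloneDX side it uses the top-level `vulnerabilities` array with a per-vulnerability `analysis.state` (spec 1.4 and later), which is the VEX-style field a scanner can honour so that a backported fix on an unchanged upstream version stops showing up as an open finding.

```python
"""Annotate a CycloneDX SBOM with the CVE patch status that Yocto's
cve-check already knows.  Added example, not Yocto project code.

Assumption: the cve-check JSON summary looks like
  {"package": [{"name", "version", "issue": [{"id", "status", "link"}]}]}
with status in {"Patched", "Unpatched", "Ignored"}.  Verify against
your build's cve-summary.json before relying on the field names.
"""
import json

# Constructed sample data (made-up CVE ids, packages and statuses).
CVE_SUMMARY = {
    "version": "1",
    "package": [
        {"name": "busybox", "version": "1.36.1", "issue": [
            {"id": "CVE-2020-0001", "status": "Patched",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2020-0001"},
            {"id": "CVE-2021-0002", "status": "Ignored",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2021-0002"},
            {"id": "CVE-2022-0003", "status": "Unpatched",
             "link": "https://nvd.nist.gov/vuln/detail/CVE-2022-0003"},
        ]},
        {"name": "zlib", "version": "1.3", "issue": [
            {"id": "CVE-2022-0003", "status": "Patched", "link": ""},
        ]},
        # Not present in the image SBOM below, so it must be skipped.
        {"name": "ncurses", "version": "6.4", "issue": [
            {"id": "CVE-2023-0004", "status": "Unpatched", "link": ""},
        ]},
    ],
}

# Constructed minimal CycloneDX 1.4 document for the same image.
SBOM = {
    "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
    "components": [
        {"type": "library", "bom-ref": "pkg:generic/busybox@1.36.1",
         "name": "busybox", "version": "1.36.1"},
        {"type": "library", "bom-ref": "pkg:generic/zlib@1.3",
         "name": "zlib", "version": "1.3"},
    ],
}

# cve-check status -> CycloneDX analysis.state.
STATUS_TO_STATE = {
    "Patched": "resolved",      # fix backported by a CVE-tagged patch; PV unchanged
    "Ignored": "not_affected",  # maintainer set CVE_CHECK_IGNORE; reason lives in the recipe
    "Unpatched": "in_triage",   # still open as far as cve-check knows
}

# When one CVE hits several components, the least-resolved state wins so an
# unpatched copy is never masked by a patched one (analysis is per CVE, not per ref).
_PRECEDENCE = {"not_affected": 0, "resolved": 1, "in_triage": 2}


def merge_cve_status(sbom, cve_summary):
    """Return a deep copy of `sbom` with a `vulnerabilities` array derived from
    the cve-check summary.  Packages absent from the SBOM are ignored; an
    unknown status is an error rather than silently treated as fixed."""
    out = json.loads(json.dumps(sbom))  # do not mutate the caller's document
    refs = {}
    for comp in out.get("components", []):
        refs.setdefault((comp["name"], comp.get("version")), comp["bom-ref"])

    vulns = {}
    for pkg in cve_summary.get("package", []):
        ref = refs.get((pkg["name"], pkg.get("version")))
        if ref is None:
            continue  # e.g. build-only / native package not shipped in the image
        for issue in pkg.get("issue", []):
            state = STATUS_TO_STATE.get(issue.get("status"))
            if state is None:
                raise ValueError(
                    f"unknown cve-check status {issue.get('status')!r} for {issue['id']}")
            source = {"name": "NVD"}
            if issue.get("link"):
                source["url"] = issue["link"]
            entry = vulns.setdefault(issue["id"], {
                "id": issue["id"], "source": source,
                "affects": [], "analysis": {"state": state},
            })
            entry["affects"].append({"ref": ref})
            if _PRECEDENCE[state] > _PRECEDENCE[entry["analysis"]["state"]]:
                entry["analysis"]["state"] = state

    out["vulnerabilities"] = sorted(vulns.values(), key=lambda v: v["id"])
    return out


def open_vulnerabilities(sbom):
    """CVE ids still in triage: what a CI gate should fail on, and the only
    ones a scanner should still report as findings."""
    return sorted(v["id"] for v in sbom.get("vulnerabilities", [])
                  if v["analysis"]["state"] == "in_triage")


if __name__ == "__main__":
    annotated = merge_cve_status(SBOM, CVE_SUMMARY)
    print(json.dumps(annotated, indent=2))
    print("still open:", open_vulnerabilities(annotated))
```

The matching key is (name, version) on purpose: cve-check reports per recipe PV and the SBOM component carries the same PV, so a stale summary from a previous build will simply not match rather than mislabel a newer package. The `Ignored` mapping deliberately carries no `justification`, because that reasoning only exists in the recipe's `CVE_CHECK_IGNORE` comment and should be copied from there, not guessed.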
View/Reply Online (#62032): https://lists.yoctoproject.org/g/yocto/message/62032