[OE-core] CVE list vs bugzilla
Sona Sarmadi
sona.sarmadi at enea.com
Tue May 5 15:11:37 UTC 2015
Trying with correct email address :)
Hi all,
To monitor/scan vulnerabilities (CVE), check affected packages, versions, branches, fixed versions/branches etc ... we need either to file a bug in bugzilla for each publically disclosed CVE or have a simple data base. Today, we sometimes file a bug but most of the time vulnerabilities just get fixed by someone volunteer and some vulnerabilities don't get fixed.
We have created a CVE list just for test to see if this is easier to maintain and provides better overview, please have a look at this and let us to know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0
The alternative for maintaining such a list is filing a bug in Bugzilla. The question is which approach is the best, here are some pros and cons:
Bugzilla:
=======
- it takes more time to create/update a bug in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed
Question: can we generate a report from Bugzilla, search for CVEs and find out what CVEs have been fixed and in what branches etc?
CVE spread sheet:
==============
+ Easy to update, anyone just can add info preferably automatically; we
+ could use a tool to check with NVD (https://nvd.nist.gov/ ) daily and
+ update the list (some human interactions needs to be done though) easy
+ to have an overview
- ?
Any comments?
Thanks
Sona
More information about the Openembedded-core
mailing list