[yocto-security] Import cve-check to srtool
Daniel Wang
xiaolong.wang at anki.com
Tue Mar 12 14:33:49 PDT 2019
Hi Ross,
Thank you for the quick response. I was hoping we can import the cve-check report (e.g. in a JSON format) directly into srtool’s vulnerability tab. It is more user-friendly to review and remove false positives in the web GUI. The reason I ask is I hope we can automate this process. For example, if a couple of days later we rebuild the system, we can just import the cve-check report and only review the newly emerged CVEs. If that makes sense.
Thanks
-Dan
> On Mar 12, 2019, at 2:25 PM, Burton, Ross <ross.burton at intel.com> wrote:
>
> On Tue, 12 Mar 2019 at 21:12, Daniel Wang <xiaolong.wang at anki.com> wrote:
>> I just heard about Yocto srtool. It looks fantastic! I’m wondering, is there a way to automatically import cve-check from the Yocto build process to srtool somehow? I have not been able to find a way to do so.
>
> What do you expect the import to be? Remember that the cve-check-tool
> output *needs* to be reviewed by a human, so srtool is effectively
> that review using its own copy of the CVE database.
>
> Ross