[yocto-security] Import cve-check to srtool

Reyna, David david.reyna at windriver.com
Tue Mar 12 14:46:58 PDT 2019


Hi Dan,

> "I was hoping we can import the cve-check report (e.g. in a json format) directly into srtool’s vulnerability tab"

I have made it very easy to extend the SRTool with custom pages and tools (and even custom data).

If you can provide me with the JSON schema and some outline and detail on the actions you would like to perform, I can give you a prototype extension and let you go to town.

> "It is more user friendly to review and remove false positives in the web GUI."

Yes!

- David

-----Original Message-----
From: yocto-security-bounces at yoctoproject.org [mailto:yocto-security-bounces at yoctoproject.org] On Behalf Of Daniel Wang
Sent: Tuesday, March 12, 2019 2:34 PM
To: Burton, Ross
Cc: yocto-security at yoctoproject.org
Subject: Re: [yocto-security] Import cve-check to srtool

Hi Ross,

Thank you for the quick response. I was hoping we can import the cve-check report (e.g. in a json format) directly into srtool’s vulnerability tab. It is more user friendly to review and remove false positives in the web GUI. The reason I ask is I hope we can automate this process. For example, if a couple of days later we rebuild the system, we can just import the cve-check report and only review the newly emerged CVEs. If that makes sense.

Thanks
-Dan 

> On Mar 12, 2019, at 2:25 PM, Burton, Ross <ross.burton at intel.com> wrote:
> 
> On Tue, 12 Mar 2019 at 21:12, Daniel Wang <xiaolong.wang at anki.com> wrote:
>> I just heard about Yocto srtool. It looks fantastic! I’m wondering if there is a way to automatically import cve-check from the Yocto build process to srtool somehow? I have not been able to find a way to do so.
> 
> What do you expect the import to be?  Remember that the cve-check-tool
> output *needs* to be reviewed by a human, so srtool is effectively
> that review using its own copy of the CVE database.
> 
> Ross

_______________________________________________
yocto-security mailing list
yocto-security at yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto-security
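The rebuild-and-review workflow Dan asks for (import a report, review only the CVEs that are new since the last build, keep the false-positive decisions made in the GUI) as an added example; this is not code from the thread, from SRTool or from cve-check. The JSON layout, the package names, the CVE ids and the reviewed-decision set are all constructed for the example, since the thread itself leaves the schema to be agreed.

```python
import json
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (package name, CVE id)

# Constructed sample reports in an assumed, simplified schema: one entry per
# package, each listing the CVE ids cve-check matched against it and whether
# the recipe already patches them. The real schema is not on the page, and
# the CVE ids are placeholders, not real identifiers.
REPORT_BUILD_1 = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "version": "1.1.1a", "issue": [
            {"id": "CVE-0000-0001", "status": "Unpatched"},
            {"id": "CVE-0000-0002", "status": "Patched"}]},
        {"name": "busybox", "version": "1.30.0", "issue": [
            {"id": "CVE-0000-0003", "status": "Unpatched"}]},
    ],
})

# A few days later: openssl was upgraded (0001 now patched, 0004 appeared),
# busybox gained a new match (0005) and still matches 0003.
REPORT_BUILD_2 = json.dumps({
    "version": "1",
    "package": [
        {"name": "openssl", "version": "1.1.1b", "issue": [
            {"id": "CVE-0000-0001", "status": "Patched"},
            {"id": "CVE-0000-0002", "status": "Patched"},
            {"id": "CVE-0000-0004", "status": "Unpatched"}]},
        {"name": "busybox", "version": "1.30.0", "issue": [
            {"id": "CVE-0000-0003", "status": "Unpatched"},
            {"id": "CVE-0000-0005", "status": "Unpatched"}]},
    ],
})

# Stand-in for "no previous import" on the very first run.
EMPTY_REPORT = json.dumps({"version": "1", "package": []})

# Decisions a reviewer recorded in the GUI after the first import: the
# busybox match was judged a false positive (hypothetical decision store).
REVIEWED_FALSE_POSITIVES: Set[Finding] = {("busybox", "CVE-0000-0003")}


def parse_report(text: str) -> Dict[Finding, str]:
    """Map each (package, CVE) pair in a report to its status string."""
    doc = json.loads(text)
    if doc.get("version") != "1":
        raise ValueError("unsupported report version: %r" % doc.get("version"))
    findings: Dict[Finding, str] = {}
    for pkg in doc["package"]:
        for issue in pkg["issue"]:
            findings[(pkg["name"], issue["id"])] = issue["status"]
    return findings


def open_findings(report: Dict[Finding, str]) -> Set[Finding]:
    """Only matches the recipe does not already patch need a human look."""
    return {f for f, status in report.items() if status == "Unpatched"}


def review_queue(previous: str, current: str,
                 reviewed: Set[Finding]) -> List[Finding]:
    """Findings open in the current build that were not open in the previous
    build and carry no recorded false-positive decision."""
    old_open = open_findings(parse_report(previous))
    new_open = open_findings(parse_report(current))
    return sorted(new_open - old_open - reviewed)


def resolved(previous: str, current: str) -> List[Finding]:
    """Findings open before that are no longer open (patched or gone)."""
    old_open = open_findings(parse_report(previous))
    new_open = open_findings(parse_report(current))
    return sorted(old_open - new_open)


def stale_decisions(current: str, reviewed: Set[Finding]) -> List[Finding]:
    """Recorded false positives the current build no longer reports at all,
    so the review record can be archived rather than carried forever."""
    return sorted(reviewed - set(parse_report(current)))


if __name__ == "__main__":
    for pkg, cve in review_queue(REPORT_BUILD_1, REPORT_BUILD_2,
                                 REVIEWED_FALSE_POSITIVES):
        print("NEW      %-10s %s" % (pkg, cve))
    for pkg, cve in resolved(REPORT_BUILD_1, REPORT_BUILD_2):
        print("RESOLVED %-10s %s" % (pkg, cve))
```

The review queue is keyed on (package, CVE) rather than on the CVE id alone, because the same CVE legitimately shows up against several recipes and a false-positive decision for one package says nothing about another. Patched entries never enter the queue, so a recipe upgrade that carries the fix clears the finding without any reviewer action, which is what makes the repeated import cheap.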