[yocto-security] Import cve-check to srtool

Daniel Wang xiaolong.wang at anki.com
Tue Mar 12 16:02:28 PDT 2019


Hi David,

Thank you for the quick response. Sounds great! I would definitely love to contribute in whatever way I can. You guys probably have a better model in mind. 

Just an initial thought. Based on my limited experience, the cve-check report might contain some false positive information depending on how packages are patched. For example, bash-3.2's patches are named `bash23-<index>` (https://ftp.gnu.org/gnu/bash/bash-3.2-patches/). CVE-check-tool, which is based on name matching, might not be able to detect the patch and will report vulnerabilities. So I was hoping to be able to import the cve-check report into srtool and manage it from there. It would be even better if we could import incrementally, and those marked as false positives could just be ignored.

Thanks
-Dan
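As an added illustration of the incremental-import idea discussed above (this is not code from srtool or cve-check): parse a text report in the cve-check layout and keep only the Unpatched findings that a reviewer has not already triaged as false positives. The sample report, its field subset and the CVE ids are constructed for this example.

```python
# Constructed sample in the layout of a cve-check text report, trimmed to the
# fields used here; the CVE ids are placeholders, not real findings.
SAMPLE_REPORT = """\
PACKAGE NAME: bash
PACKAGE VERSION: 3.2.57
CVE: CVE-0000-0001
CVE STATUS: Unpatched
CVE SUMMARY: constructed summary one

PACKAGE NAME: bash
PACKAGE VERSION: 3.2.57
CVE: CVE-0000-0002
CVE STATUS: Unpatched
CVE SUMMARY: constructed summary two

PACKAGE NAME: openssl
PACKAGE VERSION: 1.1.1
CVE: CVE-0000-0003
CVE STATUS: Patched
CVE SUMMARY: constructed summary three
"""


def parse_cve_check_report(text):
    """One dict per entry; entries are separated by a blank line."""
    records = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            entry[key.strip()] = value.strip()
        if "CVE" in entry:
            records.append(entry)
    return records


def select_for_import(records, reviewed_false_positives):
    """(package, version, cve) tuples still flagged Unpatched and not yet
    triaged; reviewed_false_positives holds (package, cve) pairs a human
    rejected during an earlier import, so they are not imported again."""
    pending = []
    for r in records:
        if r["CVE STATUS"] != "Unpatched":
            continue  # cve-check already matched a patch by name
        if (r["PACKAGE NAME"], r["CVE"]) in reviewed_false_positives:
            continue  # rejected earlier, e.g. covered by a renamed patch
        pending.append((r["PACKAGE NAME"], r["PACKAGE VERSION"], r["CVE"]))
    return pending
```

Feeding `parse_cve_check_report(SAMPLE_REPORT)` to `select_for_import` with `{("bash", "CVE-0000-0001")}` as the reviewed set leaves only the bash CVE-0000-0002 entry for import.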

> On Mar 12, 2019, at 2:33 PM, Reyna, David <david.reyna at windriver.com> wrote:
> 
> Hi Dan,
> 
>> "I just heard about Yocto srtool. It looks fantastic!"
> 
> Thank you! 
> 
> It is under rapid development right now, with a huge commit pending based on my deployment within Wind River. Once I get that shared (plus new support for multiple SQL databases), we will declare version 2.0 and more formally announce it to the world.
> 
>> "I'm wondering whether there is a way to automatically import cve-check from the Yocto build process into srtool somehow? I have not been able to find a way to do so."
> 
> That is part of the plan, to connect and/or correlate the SRTool data to actual builds, their package manifests, and scanner output like "cve-check".
> 
> I myself do not have any experience with "cve-check" yet. As per Ross's comments, do you have an idea on how you would like to fit the data together?
> 
> I am happy to host a meeting to discuss it if you want to explore the idea together.
> 
> David Reyna
> Lead Developer, SRTool
> 
> -----Original Message-----
> From: yocto-security-bounces at yoctoproject.org [mailto:yocto-security-bounces at yoctoproject.org] On Behalf Of Burton, Ross
> Sent: Tuesday, March 12, 2019 2:25 PM
> To: Daniel Wang
> Cc: yocto-security at yoctoproject.org
> Subject: Re: [yocto-security] Import cve-check to srtool
> 
> On Tue, 12 Mar 2019 at 21:12, Daniel Wang <xiaolong.wang at anki.com> wrote:
>> I just heard about Yocto srtool. It looks fantastic! I'm wondering whether there is a way to automatically import cve-check from the Yocto build process into srtool somehow? I have not been able to find a way to do so.
> 
> What do you expect the import to be?  Remember that the cve-check-tool
> output *needs* to be reviewed by a human, so srtool is effectively
> that review using its own copy of the CVE database.
> 
> Ross
> _______________________________________________
> yocto-security mailing list
> yocto-security at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto-security