[yocto] Minutes: Yocto Project Technical Team Meeting - Tuesday, Feb 7, 2017 8:00 AM US Pacific Time

Sona Sarmadi sona.sarmadi at enea.com
Tue Feb 7 10:26:06 PST 2017


Hi Jolley,

The cve-check tool fails on master and latest morty; I have created the following bug (Jussi is working on this):
Bug 11026 - cve-check: Error in executing cve-check-update

Some background info about this tool:
=====================================
The cve-check tool has been supported since the Morty release. This tool is not perfect (we get many false positives and false negatives), but it is better than nothing. This tool uses the NVD database, which reads CVE data from Mitre. Sometimes Mitre doesn't have the correct/updated info about CVEs.

EX: CVE-2016-2147 is listed as:

 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147

** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.

So this CVE will not be in the NVD database and will not be detected by the cve-check tool.

There are other similar problems with the NVD database, but some of these can be fixed/improved eventually.
 

My suggestion is to run this tool on master e.g. weekly when a release is approaching. It is easier to upgrade a package version to address CVEs on master rather than on maintenance/release branches.

People caring about security could voluntarily check the result (cve.log), or we can have a responsible maintainer, rotating on a weekly/bi-weekly basis.

Related issues, hopefully someone will have time to work on these :)
Bug 10771 - cve-check tool does not detect and report all relevant CVEs 
Bug 10772 - Automatic generation of CVE-reports

Let me know if you have further questions.

Thanks for paying attention to this issue.
//Sona

From: yocto-bounces at yoctoproject.org [mailto:yocto-bounces at yoctoproject.org] On Behalf Of Jolley, Stephen K
Sent: 7 February 2017 17:27
To: yocto at yoctoproject.org
Subject: [yocto] Minutes: Yocto Project Technical Team Meeting - Tuesday, Feb 7, 2017 8:00 AM US Pacific Time

Attendees: Stephen, Armin, Stephano, Sona, Ross, Joshua, Jussi, Saul, Sveinse, Richard

Agenda:
 
* Opens collection - 5 min (Stephen)
* Yocto Project status - 5 min (Stephen/team)
YP 2.3 M2 rc3 is in QA.  
YP 2.3 M3 target cut off is Feb. 27th.
YP 2.2.1 should go into QA after YP 2.3 M2 is out.
https://wiki.yoctoproject.org/wiki/Yocto_Project_v2.3_Status
https://wiki.yoctoproject.org/wiki/Yocto_2.3_Schedule
https://wiki.yoctoproject.org/wiki/Yocto_2.3_Features 
* Opens - 10 min 
* Team Sharing - 10 min
Sona - CVE Check tool doesn't currently build on master. Jussi discussed that patches to fix it should be sent this week. We had some issues with the tool and discussed if we can get this into QA. We need an automated test script to add testing the tool to QA.
Richard - How are recipe specific sysroots doing?  No issues not filed in bugzilla yet. 

Thanks,

Stephen K. Jolley
Yocto Project Program Manager
INTEL, MS JF1-255, 2111 N.E. 25th Avenue, Hillsboro, OR 97124 
Work Telephone: (503) 712-0534
Cell: (208) 244-4460
Email: stephen.k.jolley at intel.com
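The weekly review proposed in the thread comes down to reading cve.log, so here is an added example of how that review can be scripted. It is not code from this thread, from cve-check-tool or from the Yocto Project. It assumes the record layout cve-check.bbclass wrote in the Morty era (one "KEY: value" line per field, a blank line between records, CVE STATUS either Patched or Unpatched; confirm the field names against the class in your own tree) and runs on a constructed sample report whose CVE ids, versions and scores are made up. It groups unpatched CVEs per package, sorts them by CVSS v2 score, drops ids already triaged as not applicable, and diffs against the previous run so only new findings need attention. It cannot close the reserved-CVE gap described above: a CVE that is absent from the NVD feed never reaches cve.log, so the diff only reports what the database already knows.

```python
"""Triage a Yocto cve-check report (cve.log) for a weekly review.

Added example; not code from the thread, cve-check-tool or the Yocto
Project. Assumes the Morty-era cve-check.bbclass record layout: one
"KEY: value" line per field, blank line between records.
"""
from collections import defaultdict

# Constructed sample report: ids, versions and scores are made up and do
# not refer to real CVE assignments. Fields such as CVE SUMMARY, VECTOR
# and MORE INFORMATION are parsed the same way and are omitted for brevity.
SAMPLE_CVE_LOG = """\
PACKAGE NAME: busybox
PACKAGE VERSION: 1.24.1
CVE: CVE-2016-90001
CVE STATUS: Unpatched
CVSS v2 BASE SCORE: 7.5

PACKAGE NAME: busybox
PACKAGE VERSION: 1.24.1
CVE: CVE-2016-90002
CVE STATUS: Patched
CVSS v2 BASE SCORE: 5.0

PACKAGE NAME: openssl
PACKAGE VERSION: 1.0.2j
CVE: CVE-2016-90003
CVE STATUS: Unpatched
CVSS v2 BASE SCORE: 4.3

PACKAGE NAME: openssl
PACKAGE VERSION: 1.0.2j
CVE: CVE-2016-90004
CVE STATUS: Unpatched
CVSS v2 BASE SCORE: 10.0

PACKAGE NAME: zlib
PACKAGE VERSION: 1.2.8
CVE: CVE-2016-90005
CVE STATUS: Unpatched
CVSS v2 BASE SCORE:
"""


def parse_cve_log(text):
    """Split cve.log into one dict per CVE record ("KEY: value" lines)."""
    records, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep:                           # a key with no value is left unset
            current[key] = value
    if current:
        records.append(current)
    return records


def _score(record):
    """CVSS v2 score as float; unrated entries sort after every rated one."""
    try:
        return float(record.get("CVSS v2 BASE SCORE", ""))
    except ValueError:
        return -1.0


def unpatched_by_package(records, ignore=frozenset()):
    """Group Unpatched CVEs by (package, version), highest CVSS first.

    `ignore` holds CVE ids already triaged as not applicable to this build
    (the job a whitelist variable in the class would otherwise do).
    """
    grouped = defaultdict(list)
    for r in records:
        if r.get("CVE STATUS") != "Unpatched" or r.get("CVE") in ignore:
            continue
        key = (r.get("PACKAGE NAME", "?"), r.get("PACKAGE VERSION", "?"))
        grouped[key].append((_score(r), r["CVE"]))
    for entries in grouped.values():
        entries.sort(key=lambda e: (-e[0], e[1]))
    return dict(grouped)


def new_since(previous, current, ignore=frozenset()):
    """(package, CVE) pairs Unpatched now that were not Unpatched last run."""
    def unpatched(records):
        return {(r.get("PACKAGE NAME", "?"), r["CVE"]) for r in records
                if r.get("CVE STATUS") == "Unpatched" and r["CVE"] not in ignore}
    return unpatched(current) - unpatched(previous)


def format_report(grouped):
    """Plain-text summary suitable for pasting into a weekly status mail."""
    lines = []
    for (name, version), entries in sorted(grouped.items()):
        lines.append("%s %s: %d unpatched" % (name, version, len(entries)))
        for score, cve in entries:
            rated = "unrated" if score < 0 else "%.1f" % score
            lines.append("  %s (CVSS v2 %s)" % (cve, rated))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(unpatched_by_package(parse_cve_log(SAMPLE_CVE_LOG))))
```

Run it on the real file with `parse_cve_log(open("tmp/deploy/cve/cve.log").read())` (or wherever your build writes it) and keep the previous week's parse on disk so `new_since` has something to diff against; an empty or unparsable CVSS field is reported as "unrated" rather than silently dropped.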
