[OE-core] CVE list vs bugzilla

Sona Sarmadi sona.sarmadi at enea.com
Tue May 5 15:11:37 UTC 2015


Trying with correct email address :) 

Hi all,

To monitor/scan vulnerabilities (CVE), check affected packages, versions, branches, fixed versions/branches etc ... we need either to file a bug in bugzilla for each publically disclosed CVE or have a simple data base. Today, we sometimes file a bug but most of the time vulnerabilities just get fixed by someone volunteer and some vulnerabilities don't get fixed.

We have created a CVE list just for test to see if this is easier to maintain and provides better overview, please have a look at this and let us to know what you think:
https://docs.google.com/spreadsheets/d/13o4IPsCQ42aR2CCGzYOHdmpIEHkHUwDWlF4QqgI6emQ/edit#gid=0 

The alternative for maintaining such a list is filing a bug in Bugzilla. The question is which approach is the best, here are some pros and cons:

Bugzilla: 
=======
- it takes more time to create/update a bug  in Bugzilla (not a big problem)
- history, traceable who updated
- when we have releases, we go through open bugs and try to get them fixed

Question: can we generate a report from Bugzilla, search for CVEs and find out what CVEs have been fixed and in what branches etc?


CVE spread sheet:
==============
+ Easy to update, anyone just can add info preferably automatically; we 
+ could use a tool to check with NVD (https://nvd.nist.gov/ ) daily and 
+ update the list (some human interactions needs to be done though) easy 
+ to have an overview
- ?

Any comments?

Thanks
Sona



More information about the Openembedded-core mailing list