[Buildroot] [PATCH] support/scripts/cve.py: switch to NVD JSON version 2.0

Thomas Petazzoni thomas.petazzoni at bootlin.com
Thu Aug 10 13:42:41 UTC 2023


On Thu, 10 Aug 2023 15:18:42 +0200
Arnout Vandecappelle <arnout at mind.be> wrote:

> > It could still be useful to have something to contribute new entries,
> > for those packages that have no entry at all (regardless of their
> > version number) in the CPE database.  
> 
>   This makes no sense at all. The only reason to have a CPE database entry is in 
> order to link it to a CVE. If there is already a CVE, then it should already 
> have a CPE entry. If there's no CVE yet, then will the first person to ever 
> submit a CVE for it use the same ID?

Well, that would be my expectation indeed. A package in Buildroot has
no CPE in the database and no CVE. We submit a CPE to the NVD database. My
hope (but perhaps I'm dreaming too much) is that, the day there is a CVE
on this software component, the CPE identifier that was submitted will
be used, and therefore our CVE tracking will work.

Maybe I'm dreaming here, but if it doesn't work like this, it basically
means that for any package in Buildroot that never had any CVE, we have
absolutely no guarantee that we will properly notice when the first CVE
gets reported. Maybe that's life and we have to live with it, but it
kinda sucks.

Thomas
-- 
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com