Re: cve-checker name collisions

Mikko Rapeli

On Mon, Jan 27, 2020 at 10:16:16AM +0200, Anders Montonen wrote:
> On 24 Jan 2020, at 12:54, Ross Burton <ross.burton@intel.com> wrote:
>
>> On 24/01/2020 09:02, Anders Montonen wrote:
>>> Hi,
>>> What's the best way for handling name collisions when using the cve-checker tool? For example, there's a ton of Adobe Flex vulnerabilities that are reported against the Flex lexical analyzer generator tool. Whitelisting the individual CVEs would be one option, but the list is pretty long.
>> Set CVE_PRODUCT, if you use a colon then you can set the vendor too.
>>
>> This specific instance is already fixed in oe-core master:
>>
>> # Not Apache Flex, or Adobe Flex, or IBM Flex.
>> CVE_PRODUCT = "flex_project:flex"
>
> Thanks (and to Mikko too), that worked, though I'm a bit curious how one would find the proper vendor name, especially for a project like this where there's no clear company name.
I always search for existing CVEs for the SW component and check what
project and product names were used.

For flex, Internet search shows for example
https://www.suse.com/security/cve/CVE-2019-6293/

which has "flex_project:flex" in NVD:

https://nvd.nist.gov/vuln/detail/CVE-2019-6293

In my projects I also have exported CVE_PRODUCT to buildhistory and
have a check for CVE product name. Any SW components with non-CLOSED
LICENSE must either have a matching CPE in NVD database or be checked
manually and whitelisted.

Cheers,

-Mikko
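As an added illustration of the buildhistory check Mikko describes (example code, not his or the Yocto project's own): a small Python script that reads constructed buildhistory-style CVE_PRODUCT values, skips recipes with a CLOSED LICENSE or on a manual whitelist, and flags entries that have no CPE match or that match several vendors, which is the name-collision case from the thread. The "RECIPE LICENSE CVE_PRODUCT" line format and the small CPE set are assumptions standing in for real buildhistory output and the NVD CPE dictionary.

```python
# Constructed sample of per-recipe values exported to buildhistory.
# The line format "RECIPE LICENSE CVE_PRODUCT" is assumed, not real buildhistory layout.
BUILDHISTORY = """\
flex GPL-2.0 flex_project:flex
busybox GPL-2.0 busybox
foo-firmware CLOSED foo:foo
mylib MIT mylib
oldflex BSD flex
newtool MIT newtool_project:newtool
"""

# Constructed stand-in for the NVD CPE dictionary as (vendor, product) pairs.
KNOWN_CPES = {
    ("flex_project", "flex"), ("adobe", "flex"), ("apache", "flex"),
    ("busybox", "busybox"),
}

# Components reviewed by hand that have no CPE in NVD.
WHITELIST = {"mylib"}


def parse_cve_product(value):
    """Split 'vendor:product' or bare 'product' into (vendor, product).
    A bare product name matches any vendor, which is where collisions come from."""
    vendor, sep, product = value.partition(":")
    return (vendor, product) if sep else (None, vendor)


def matching_vendors(vendor, product, cpes=KNOWN_CPES):
    """Vendors in the CPE set that match the product (all vendors if vendor is None)."""
    return sorted(v for v, p in cpes if p == product and vendor in (None, v))


def check_buildhistory(text, cpes=KNOWN_CPES, whitelist=WHITELIST):
    """Return {recipe: problem} for non-CLOSED, non-whitelisted recipes whose
    CVE_PRODUCT has no CPE match or matches more than one vendor."""
    problems = {}
    for line in text.splitlines():
        recipe, license_, cve_product = line.split()
        if license_ == "CLOSED" or recipe in whitelist:
            continue
        vendors = matching_vendors(*parse_cve_product(cve_product), cpes=cpes)
        if not vendors:
            problems[recipe] = "no CPE in NVD for %s" % cve_product
        elif len(vendors) > 1:
            problems[recipe] = "name collision for %s: %s" % (cve_product, ", ".join(vendors))
    return problems


if __name__ == "__main__":
    for recipe, problem in check_buildhistory(BUILDHISTORY).items():
        print("%s: %s" % (recipe, problem))
```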
