Re: CVE metrics tracking from the autobuilder


Anuj Mittal
 

Hi Richard,

On Wed, 2022-05-25 at 14:30 +0100, Richard Purdie wrote:
I'm happy to say that automatic CVE metric tracking is now on the
autobuilder and automatically feeding to:

https://autobuilder.yocto.io/pub/non-release/patchmetrics/

and the git repository that backs it:

https://git.yoctoproject.org/yocto-metrics/log/

This is very nice.


This is working for dunfell/kirkstone/master. It is enabled for
honister but doesn't work since the json CVE output for honister
isn't there.

Not sure if we want to add the json CVE output to honister to enable
that for the short time that release has left?

Yeah, there is only a week left and I wasn't planning to take those
patches in my final pull request.

Thanks,

Anuj



I plan to run the autobuilder job powering this nightly.

Currently it adds a json file for each run into the yocto-metrics
repository. These are 6MB each though so we're going to get into
silly amounts of data rather quickly so I may have to adjust it to
just write the latest. It would also help the size to use tabs
instead of spaces for indentation.

The autobuilder job currently throws warnings but I think Ross said
he'd send a patch to allow that to be configurable.

Also, this doesn't send the CVE emails Steve currently sends. It
would be possible to add, I'm hoping someone might like to send some
patches!

Cheers,

Richard



