On Sun, 2023-06-04 at 09:59 +0000, Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi Richard,
>
> Thank you for acknowledgement on my proposal.
> Please consider my additional input for VEX standard.
>
> There is total four main VEX standard status:
> - Fixed
> - Affected
> - Not Affected
> - Under Investigation
>
> Out of the 4 standard we can adopt Fixed and Not affected status for CVE fixing.
> As these two statuses will never get changed for specific package and CVE.
>
> Regarding the CVE status of community and VEX standard, we can map like
> following:
>
> Existing Status | VEX adoption
> -------------------------------------------
> Patched         | Fixed
> Ignore          | Not Affected
> Not required    | Not Affected
>
> Remaining two statuses Affected and Under investigation would be changed with
> time as following:
> * Under Investigation:
>   - When any new CVE is reported against any package then by default it would
>     go with "under investigation" status
>   - Until we make the final status like fixed/not affected/affected status
>     after our final investigation on specific CVE.
> * Affected:
>   - Regarding affected status it would be temporary status until we find the
>     actual fix for the CVE.
>   - Once we have a fix for the CVE then status would be as fixed/not affected which
>     we can input to our recipe.

Whilst I understand the desire to use VEX, I don't think we should directly. It serves a very specific purpose and "loses" some information by only having two states. Tying ourselves too closely to a limiting standard like that can be problematic.

The v6 from Adrian can be mapped into this if that is what you need. I think that is a good compromise as it doesn't lose the information others may need.

Cheers,

Richard
