Yocto Project Summit 2023.11

CVE Triage, CVE Checker analysis, and “vendor_pr” for CVE Scanners
11-30, 18:00–18:30 (UTC), Nanbield

This presentation will feature introductory slides, a live demonstration, and a live discussion of work around CVE triage and analysis in Yocto Project.

Ideally, CVEs are triaged as soon as they are published so that organizations can fix them before they ever get to their customers. For this purpose the Security Response Tool (SRTool) was created and contributed to YP, and has been extensively used by Wind River. However, not all companies (Yocto Project specially) have the staffing to do this process. In this presentation we will discuss new proposals and initiatives to mitigate and/or jump start this gap.

Additionally, the SRTool has been recently enhanced to import and help analyze the results from Yocto Project’s CVE Checker tool, with integrate with some of the above CVE triage support initiatives.

Finally, we will discuss the community wide problem that generally available CVE scanners (e.g. Black Duck) used by our current and potential customers do not know about packages have been patched for CVEs when the package version is kept the same, leading customers to concluding Yocto Project is less secure than it really is. We will discuss proposals to address this issue and introduce a potential solution around implementing a “vendor_pr” system.

See also:
This speaker also appears in: