[Buildroot] Improved CVE reporting
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Tue Mar 16 19:46:17 UTC 2021
Hello,
Last week-end, I worked on improving a bit the CVE information
reporting. Until now, the reporting was done only based on the master
branch. However, we definitely want to also watch out for CVEs that
affect our current LTS branch.
So:
* The pkg-stats script is now executed on a daily basis on all active
branches, with active branches being defined by
http://autobuild.buildroot.net/branches, which is also used by the
autobuilders to know which branches to test. The results of these
pkg-stats runs are available at
http://autobuild.buildroot.net/stats/.
You'll note that even though 2020.02.x is an active branch, there
are no results for it. Indeed, the pkg-stats machinery in this
branch is broken, and 2020.02.x is anyway soon going to go out of
maintenance.
* The weekly e-mail sent to the mailing list and to individual
developers with CVE information about packages now contains details
about all branches. See
http://lists.busybox.net/pipermail/buildroot/2021-March/305859.html
for an example.
Hopefully this will be useful to the overall Buildroot community to
ensure that we have all the security fixes needed in our packages. As
you can see from the above report, there is quite a bit of work to be
done. Of course, some of the issues may also be incorrect
classification by the NVD database, in which case our goal is to
contribute to this database to get the data fixed.
Let me know if this is useful, and/or if you see additional possible
improvements.
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
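As an added illustration of the per-branch reporting described in the message above (example code, not Buildroot's own pkg-stats script or its mailing machinery), the following Python merges the pkg-stats results of several branches into one cross-branch view, the way the weekly e-mail now covers all active branches. It assumes a branches list with one branch name per line and a pkg-stats JSON output whose "packages" map carries a "cves" list per package; both the sample data and the CVE identifiers below are constructed placeholders, and the JSON layout is an assumption, not a documented format.

```python
"""Cross-branch CVE summary from per-branch pkg-stats JSON output.

Added example; not Buildroot's pkg-stats or its weekly e-mail code.
Assumed (not taken from the e-mail): pkg-stats JSON has a top-level
"packages" map whose entries carry a "cves" list of open CVE ids, and
the branches list is one branch name per line ('#' starts a comment).
"""
import json
from typing import Dict, List

# Constructed branches list; 2020.02.x is active but has no pkg-stats run,
# mirroring the situation described in the e-mail.
SAMPLE_BRANCHES = "master\n2021.02.x\n2020.11.x\n2020.02.x\n"

# Constructed pkg-stats output. Package names are real Buildroot packages;
# the CVE identifiers are placeholders, not real CVEs.
SAMPLE_RUNS = {
    "master": json.dumps({"packages": {
        "busybox": {"cves": []},
        "openssl": {"cves": ["CVE-0000-0001"]},
        "zlib": {"cves": []},
    }}),
    "2021.02.x": json.dumps({"packages": {
        "busybox": {"cves": ["CVE-0000-0002"]},
        "openssl": {"cves": ["CVE-0000-0001", "CVE-0000-0003"]},
        "zlib": {"cves": []},
    }}),
    "2020.11.x": json.dumps({"packages": {
        "busybox": {"cves": ["CVE-0000-0002"]},
        "openssl": {"cves": ["CVE-0000-0001", "CVE-0000-0003"]},
    }}),
}


def parse_branches(text: str) -> List[str]:
    """Return branch names from the branches file, ignoring comments/blanks."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.append(line)
    return names


def load_runs(runs: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """branch -> package -> sorted list of open CVE ids (duplicates removed)."""
    loaded = {}
    for branch, raw in runs.items():
        pkgs = json.loads(raw)["packages"]
        loaded[branch] = {name: sorted(set(info.get("cves", [])))
                          for name, info in pkgs.items()}
    return loaded


def missing_runs(loaded, branches: List[str]) -> List[str]:
    """Active branches with no pkg-stats result (e.g. broken machinery)."""
    return [b for b in branches if b not in loaded]


def cross_branch_report(loaded, branches: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """package -> CVE id -> branches (in list order) where it is still open."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for branch in branches:
        if branch not in loaded:
            continue  # no result for this branch; reported by missing_runs()
        for pkg, cves in loaded[branch].items():
            for cve in cves:
                report.setdefault(pkg, {}).setdefault(cve, []).append(branch)
    return report


def branch_only_cves(loaded, branches: List[str], reference: str = "master"):
    """CVEs open on a maintenance branch but closed on `reference` for a
    package that still exists there: candidates for a backport, or for a
    closer look at the NVD version ranges."""
    ref = loaded.get(reference, {})
    out: Dict[str, Dict[str, List[str]]] = {}
    for branch in branches:
        if branch == reference or branch not in loaded:
            continue
        for pkg, cves in loaded[branch].items():
            if pkg not in ref:
                continue  # package absent on reference; nothing to compare
            extra = sorted(set(cves) - set(ref[pkg]))
            if extra:
                out.setdefault(pkg, {})[branch] = extra
    return out


def format_report(report, skipped: List[str]) -> List[str]:
    """Plain-text lines in the spirit of the weekly e-mail."""
    lines = []
    for pkg in sorted(report):
        lines.append(f"{pkg}:")
        for cve in sorted(report[pkg]):
            lines.append(f"  {cve}: {', '.join(report[pkg][cve])}")
    for branch in skipped:
        lines.append(f"(no pkg-stats results for {branch})")
    return lines


if __name__ == "__main__":
    branches = parse_branches(SAMPLE_BRANCHES)
    loaded = load_runs(SAMPLE_RUNS)
    print("\n".join(format_report(cross_branch_report(loaded, branches),
                                  missing_runs(loaded, branches))))
    print("needs attention on maintenance branches:",
          branch_only_cves(loaded, branches))
```

On a real tree you would replace SAMPLE_RUNS with the JSON files produced by one pkg-stats run per checked-out branch; the cross-branch comparison is what makes an LTS maintainer's missing backports visible at a glance.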