[Buildroot] [PATCH 0/7] Add PURL support
Thomas Petazzoni
thomas.petazzoni at bootlin.com
Fri Apr 18 10:39:59 UTC 2025
Hello,
On Wed, 16 Apr 2025 22:49:15 +0200
Thomas Perale <thomas.perale at mind.be> wrote:
> Just to say that with the PURL added to the Django package I got
> notified for the CVE.
But with what tool? Right now our "reference" tool to track CVEs in
Buildroot is support/scripts/pkg-stats, which renders:
http://autobuild.buildroot.net/stats/master.html
And which uses the CVE database from
https://github.com/fkie-cad/nvd-json-data-feeds/.
So I'm still not sure I understand your "DependencyTrack uses NVD
annotation unfortunately". Could you clarify?
Right now, packages have a CPE ID, which we use to match
against https://github.com/fkie-cad/nvd-json-data-feeds/ as part
of the pkg-stats tool. If we want to add more identifiers in packages,
it has to be clear with which CVE database this works, and how this is
going to interact with pkg-stats (and if it doesn't interact, why).
Best regards,
Thomas
--
Thomas Petazzoni, co-owner and CEO, Bootlin
Embedded Linux and Kernel engineering and training
https://bootlin.com
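As an added illustration of the CPE-ID-against-NVD-feed matching the message describes pkg-stats doing (example code written here, not Buildroot's own pkg-stats), assuming the NVD API 2.0 JSON layout that the fkie-cad feeds mirror, a purely numeric dotted version scheme, and constructed placeholder records:

```python
# Added example, not Buildroot's pkg-stats: matches a package's CPE ID against
# CVE records. Assumes the NVD API 2.0 JSON layout (which the fkie-cad feeds
# mirror) and a purely numeric dotted version scheme; all data below is constructed.

def parse_version(v):
    """Turn '4.2.5' into a comparable tuple of ints (assumed numeric scheme)."""
    return tuple(int(p) for p in v.split("."))

def cpe_match_applies(match, vendor, product, version):
    """Check one NVD 'cpeMatch' entry against a package's vendor/product/version."""
    if not match.get("vulnerable", False):
        return False
    parts = match["criteria"].split(":")  # cpe:2.3:<part>:<vendor>:<product>:<version>:...
    if parts[3] != vendor or parts[4] != product:
        return False
    ver = parse_version(version)
    if parts[5] not in ("*", "-") and parse_version(parts[5]) != ver:
        return False
    # Range bounds are optional; a missing bound is unbounded on that side.
    bounds = [("versionStartIncluding", lambda b: ver < b),
              ("versionStartExcluding", lambda b: ver <= b),
              ("versionEndIncluding", lambda b: ver > b),
              ("versionEndExcluding", lambda b: ver >= b)]
    return not any(key in match and outside(parse_version(match[key])) for key, outside in bounds)

def affected_cves(records, vendor, product, version):
    """Return IDs of records with a matching cpeMatch (simplification: every
    node is treated as OR; real feeds also carry AND nodes and 'negate')."""
    return [rec["cve"]["id"] for rec in records
            if any(cpe_match_applies(m, vendor, product, version)
                   for conf in rec["cve"].get("configurations", [])
                   for node in conf.get("nodes", [])
                   for m in node.get("cpeMatch", []))]

# Constructed sample feed with placeholder CVE IDs (not real advisories).
SAMPLE_FEED = [
    {"cve": {"id": "CVE-0000-0001", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "4.2", "versionEndExcluding": "4.2.5"}]}]}]}},
    {"cve": {"id": "CVE-0000-0002", "configurations": [{"nodes": [{"operator": "OR", "cpeMatch": [
        {"vulnerable": True, "criteria": "cpe:2.3:a:djangoproject:django:5.0:*:*:*:*:*:*:*"}]}]}]}},
]

if __name__ == "__main__":
    print(affected_cves(SAMPLE_FEED, "djangoproject", "django", "4.2.3"))  # ['CVE-0000-0001']
```

Whatever additional identifier (PURL or otherwise) a package carries, the tool consuming it needs an equivalent matching step against whichever database that identifier is keyed to.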