IP compliance and security

Here is a list of ideas for work that could be done jointly between the IP policy and security domains.

  • Use the complete package list from the IP policy run

    • Compare it with the list Yocto CVE check uses to download the lists of CVEs; this could be used to find bad package versions
    • Cross-check the Yocto CVE checker list for missing packages (e.g. a missing CPE mapping)
    • Generate a list of packages to be upgraded urgently
  • Add the CVE count to the dashboard

    • Requires the CVE tool to output JSON or another format that is easy to import
  • When a security issue notification is received, check for the presence of the vulnerability using the Alien4friends packages for all possibly affected releases. This can avoid incorrectly skipping patches that have already been applied.
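
The cross-checks from the first idea (packages missing from the CVE check, version mismatches, candidates for urgent upgrade) and the per-package count for the dashboard, as an added example that is not part of these notes or of the Yocto/Alien4friends tooling. The cve-check JSON layout and its field names are assumptions, since the notes above list a machine-readable output format as something still to be added.

```python
"""Cross-check an IP-policy package inventory against a Yocto cve-check summary.

Added example, not code from the original notes or from Yocto/Alien4friends.
The JSON layout is a constructed stand-in for what the cve-check tool would need
to emit (the 'JSON output' idea above); all field names are assumptions."""
import json

# Constructed sample: packages the IP policy run found in the image.
IP_POLICY_PACKAGES = [
    {"name": "openssl", "version": "3.0.8"},
    {"name": "busybox", "version": "1.36.0"},   # cve-check scanned a different version
    {"name": "libfoo", "version": "2.1"},       # not known to cve-check at all
    {"name": "zlib", "version": "1.2.13"},
]

# Constructed sample cve-check summary; CVE ids are placeholders, not real advisories.
CVE_CHECK_SUMMARY = json.loads("""
{"package": [
  {"name": "openssl", "version": "3.0.8", "products": [{"product": "openssl", "cvesInRecord": "Yes"}],
   "issue": [{"id": "CVE-0000-0001", "status": "Unpatched"}, {"id": "CVE-0000-0002", "status": "Patched"}]},
  {"name": "busybox", "version": "1.35.0", "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
   "issue": [{"id": "CVE-0000-0003", "status": "Unpatched"}]},
  {"name": "zlib", "version": "1.2.13", "products": [{"product": "zlib", "cvesInRecord": "No"}],
   "issue": []}
]}
""")


def cross_check(ip_packages, cve_summary):
    """Return the reports the notes ask for, keyed as follows.

    missing:      in the IP inventory but absent from cve-check (not scanned / no mapping)
    version_skew: both tools saw the package but disagree on the version
    unpatched:    per-package count of Unpatched CVEs, ready for a dashboard
    no_cpe_data:  cve-check scanned the package but no CPE product had CVE records
    """
    by_name = {p["name"]: p for p in cve_summary["package"]}
    report = {"missing": [], "version_skew": {}, "unpatched": {}, "no_cpe_data": []}
    for pkg in ip_packages:
        entry = by_name.get(pkg["name"])
        if entry is None:
            report["missing"].append(pkg["name"])
            continue
        if entry["version"] != pkg["version"]:
            report["version_skew"][pkg["name"]] = (pkg["version"], entry["version"])
        report["unpatched"][pkg["name"]] = sum(
            1 for issue in entry.get("issue", []) if issue["status"] == "Unpatched")
        if all(p["cvesInRecord"] == "No" for p in entry.get("products", [])):
            report["no_cpe_data"].append(pkg["name"])
    return report
```

Packages in `missing` or `no_cpe_data` are the ones where the CVE check is silent for the wrong reason, so they need a CPE mapping before their `unpatched` count can be trusted on the dashboard.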