Here is a list of ideas for work that can be done jointly between the IP policy and security domains.

- Use the complete package list from the IP policy run
  - Compare it with the list the Yocto CVE check uses to download the CVE lists; this could be used to find bad package versions
  - Cross-check the Yocto CVE checker list for missing packages (e.g. a missing CPE mapping)
  - Generate a list of packages to be upgraded urgently
- Add the CVE count to the dashboard
  - Requires the cve tool to output JSON or another format that is easy to import
- When a security issue notification is received, check for the presence of the vulnerability using the Alien4friends packages for all possibly concerned releases. This can avoid incorrectly skipping already-applied patches.
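An added example (not part of the original list) of how the first two ideas could be scripted: a package list from an IP policy run is compared against cve-check output to find packages the CVE checker never saw, version mismatches, per-status CVE counts for the dashboard, and packages with an unpatched high-score CVE. Both inputs are constructed samples, and the JSON layout (a "package" list with "name", "version" and "issue" entries) is an assumption modelled on cve-check's JSON format, not a guarantee about the tool.

```python
import json
from collections import Counter

# Constructed sample: package list from an IP policy run (name -> version).
IP_POLICY_PACKAGES = {"busybox": "1.36.1", "openssl": "3.0.12", "zlib": "1.3", "libfoo": "0.4"}

# Constructed sample in the assumed shape of cve-check JSON output.
# CVE ids are placeholders, not real identifiers.
CVE_CHECK_JSON = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "version": "1.36.1", "issue": [
            {"id": "CVE-0000-0001", "scorev3": "9.8", "status": "Unpatched"},
            {"id": "CVE-0000-0002", "scorev3": "5.3", "status": "Patched"}]},
        {"name": "openssl", "version": "3.0.12", "issue": [
            {"id": "CVE-0000-0003", "scorev3": "7.5", "status": "Ignored"}]},
        {"name": "zlib", "version": "1.3", "issue": []},
    ],
})


def cross_check(ip_packages, cve_json, urgent_score=7.0):
    """Compare the IP policy package list with cve-check output.

    Returns (missing, version_mismatch, counts, urgent):
      missing          - packages cve-check never reported (candidate missing CPE mapping)
      version_mismatch - packages whose version differs between the two sources
      counts           - CVE totals per status, for the dashboard
      urgent           - packages with an unpatched CVE scoring at or above urgent_score
    """
    report = json.loads(cve_json)
    seen = {p["name"]: p for p in report["package"]}
    missing = sorted(set(ip_packages) - set(seen))
    version_mismatch = {n: (v, seen[n]["version"]) for n, v in ip_packages.items()
                        if n in seen and seen[n]["version"] != v}
    counts = Counter(i["status"] for p in seen.values() for i in p["issue"])
    urgent = sorted(p["name"] for p in seen.values()
                    if any(i["status"] == "Unpatched"
                           and float(i.get("scorev3", 0)) >= urgent_score
                           for i in p["issue"]))
    return missing, version_mismatch, dict(counts), urgent


if __name__ == "__main__":
    print(cross_check(IP_POLICY_PACKAGES, CVE_CHECK_JSON))
```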