Closed KanjiMonster closed 8 months ago
Add a new flag for calculating fixed CVEs between two versions, and use this for the changelog for new releases.
This works by getting open CVEs for each package included in the image, then comparing the lists.
Creates output like this:

```
Fixed CVEs:
  c-ares: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
  dbus: CVE-2023-34969
  docker-ce: CVE-2023-28840 CVE-2023-28841 CVE-2023-28842
```
Be aware that the check is rather slow due to rate limiting by the CVE database.
The CVE lists are generated based on the known CVEs at changelog generation, not time of the release, so they are not "reproducible".
As an addition, slightly extend the example config with a section explaining how to enable CVE checking for the build.
Added a snippet to the example config, and added an example entry for the generated JSON file by Yocto.
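The comparison described above (open CVEs per package in the old release minus open CVEs in the new one), as an added example that is not the pull request's code. It assumes two cve-check style JSON reports of the shape `{"package": [{"name", "version", "issue": [{"id", "status"}]}]}` with `"Unpatched"` marking an open CVE; the reports and all CVE ids below are constructed sample data, and a package dropped from the new image is reported separately rather than counted as fixed.

```python
import json

# Constructed sample reports for two releases. The layout (package -> issue -> id/status)
# is an assumption modelled on Yocto's cve-check JSON output, not the project's real data.
OLD_REPORT = json.dumps({"version": "1", "package": [
    {"name": "c-ares", "version": "1.18.1", "issue": [
        {"id": "CVE-2023-31124", "status": "Unpatched"},
        {"id": "CVE-2023-31130", "status": "Unpatched"},
        {"id": "CVE-2021-00001", "status": "Patched"}]},      # placeholder id
    {"name": "dbus", "version": "1.14.6", "issue": [
        {"id": "CVE-2023-34969", "status": "Unpatched"}]},
    {"name": "legacy-tool", "version": "0.1", "issue": [       # dropped in new image
        {"id": "CVE-2022-00002", "status": "Unpatched"}]},     # placeholder id
]})
NEW_REPORT = json.dumps({"version": "1", "package": [
    {"name": "c-ares", "version": "1.19.1", "issue": [
        {"id": "CVE-2021-00001", "status": "Patched"},
        {"id": "CVE-2023-31124", "status": "Patched"}]},
    {"name": "dbus", "version": "1.14.8", "issue": [
        {"id": "CVE-2023-34969", "status": "Patched"},
        {"id": "CVE-2023-99999", "status": "Unpatched"}]},     # placeholder, newly open
]})

def open_cves(report_json):
    """Map package name -> set of CVE ids still open (status Unpatched) in one report."""
    result = {}
    for pkg in json.loads(report_json)["package"]:
        ids = {i["id"] for i in pkg.get("issue", []) if i.get("status") == "Unpatched"}
        result.setdefault(pkg["name"], set()).update(ids)
    return result

def fixed_cves(old_json, new_json):
    """Return (fixed, removed): fixed maps package -> sorted CVEs that were open in the old
    image and are no longer open in the new one; removed lists packages absent from the
    new image, whose CVEs disappear without being fixed and so are not counted."""
    old, new = open_cves(old_json), open_cves(new_json)
    fixed = {}
    for name in sorted(set(old) & set(new)):
        gone = sorted(old[name] - new[name])
        if gone:
            fixed[name] = gone
    return fixed, sorted(set(old) - set(new))

def format_changelog(fixed):
    """Render the per-package list in the changelog layout shown above."""
    return "\n".join(["Fixed CVEs:"] + [f"  {n}: {' '.join(ids)}" for n, ids in fixed.items()])

if __name__ == "__main__":
    fixed, removed = fixed_cves(OLD_REPORT, NEW_REPORT)
    print(format_changelog(fixed))
    print("Packages removed (CVEs not counted as fixed):", " ".join(removed))
```

Because the status of each CVE comes from the database at generation time, running this on the same two releases later can give a different list, which is the non-reproducibility the description points out.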