cve-check: add coverage statistics on recipes without CVEs

Until now the CVE checker was giving information about CVEs found for a product (or more products) contained in a recipe. However, there was no easy way to find out which products or recipes have no CVEs. Having no reported CVEs might mean there are simply none, but can also mean a product name (CPE) mismatch.

This patch adds CVE_CHECK_COVERAGE option enabling a new type of statistics. A new file (*.cves_coverage) shows if a recipe has any CVEs found in the NVD database, and if so, for which products. This option is expected to help with an identification of recipes with mismatched CPEs, issues in the database and more.

An example entry:

    LAYER: meta
    PACKAGE NAME: libsdl2-native
    PACKAGE VERSION: 2.0.14
    CVES FOUND IN RECIPE: Yes
    PRODUCT: simple_directmedia_layer (Yes)
    PRODUCT: sdl (No)

Upstream-Status: Submitted [openembedded-core] [1]

[1] https://lists.openembedded.org/g/openembedded-core/message/154677

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
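
Added example (not part of the commit or of cve-check itself): a small Python parser for *.cves_coverage entries that lists recipes with no CVEs found and product names that matched nothing, the cases the commit message says may point to a CPE mismatch. It assumes one field per line as in the example entry and that every entry starts with a LAYER line; the second sample recipe (meta-example / example-tool) is constructed.

```python
import re

# Constructed sample in the layout of the commit's example entry (one field
# per line is an assumption; the second recipe is invented for illustration).
SAMPLE = """\
LAYER: meta
PACKAGE NAME: libsdl2-native
PACKAGE VERSION: 2.0.14
CVES FOUND IN RECIPE: Yes
PRODUCT: simple_directmedia_layer (Yes)
PRODUCT: sdl (No)

LAYER: meta-example
PACKAGE NAME: example-tool
PACKAGE VERSION: 1.0
CVES FOUND IN RECIPE: No
PRODUCT: example-tool (No)
"""

PRODUCT_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<hit>Yes|No)\)$")


def parse_coverage(text):
    """Return one dict per recipe entry found in a coverage file's text."""
    entries = []
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if not sep:
            continue  # blank line or a line without a "KEY: value" shape
        if key == "LAYER":
            entries.append({"layer": value, "products": {}})
        elif not entries:
            continue  # field seen before the first LAYER line
        elif key in ("PACKAGE NAME", "PACKAGE VERSION"):
            entries[-1][key.split()[1].lower()] = value  # "name" / "version"
        elif key == "CVES FOUND IN RECIPE":
            entries[-1]["cves_found"] = value == "Yes"
        elif key == "PRODUCT" and (m := PRODUCT_RE.match(value)):
            entries[-1]["products"][m["name"]] = m["hit"] == "Yes"
    return entries


def review_candidates(entries):
    """Recipes with no CVEs at all, and product names that matched nothing."""
    no_cves = [e.get("name") for e in entries if not e.get("cves_found")]
    unmatched = [(e.get("name"), p) for e in entries
                 for p, hit in e["products"].items() if not hit]
    return no_cves, unmatched
```

A recipe in the first list, or a product in the second, is a prompt to check the recipe's product name against the NVD, not proof that it is unaffected.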