
security: Reference CPE used for RIOT #18574

Merged: 1 commit, Sep 11, 2022

Conversation

chrysn
Member

@chrysn chrysn commented Sep 10, 2022

Contribution description

CVEs reported about RIOT have been assigned to the CPE cpe:2.3:o:riot-os:riot:2021.01 and similar. Adding this to the SECURITY file makes it more accessible both to users (who can add it to their filter for advisories of which they will be notified) and to reporters.

Context

I was approached about whether RIOT has a CPE number and a CSAF file by a visitor from DGUV during FrOSCon. Given that I've gone through the process of reporting a RIOT security vulnerability, I should really have known that we already have a CPE identifier that is used -- I didn't because the security documentation did not tell me.
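The identifier quoted above, cpe:2.3:o:riot-os:riot:2021.01, is a CPE 2.3 formatted string: the fixed prefix `cpe:2.3` followed by eleven colon-separated attributes (part, vendor, product, version, update, edition, language, sw_edition, target_sw, target_hw, other), where `*` means ANY and `-` means NA, and a literal colon inside a value is escaped as `\:`. The following is an added example, not code from this PR or from the RIOT project, showing how a user or reporter would parse such strings and filter an advisory feed against them. The advisory records are constructed sample data with made-up IDs, and the matching logic implements only the ANY/NA rules of the spec (wildcards embedded inside a value are not handled), which is an assumption of this example.

```python
"""CPE 2.3 formatted-string parsing and advisory filtering (example code,
not RIOT's own).

Assumptions: SAMPLE_ADVISORIES are constructed records with made-up IDs;
attribute matching implements the ANY ("*") and NA ("-") rules of CPE 2.3
but not wildcards embedded inside a value (a simplification).
"""
import re
from dataclasses import dataclass, fields
from typing import Dict, List

ANY = "*"  # logical ANY: matches every value, including NA
NA = "-"   # logical NA ("not applicable"): matches only NA


@dataclass(frozen=True)
class Cpe:
    """The eleven attributes that follow the "cpe:2.3" prefix, in spec order."""
    part: str
    vendor: str
    product: str
    version: str
    update: str
    edition: str
    language: str
    sw_edition: str
    target_sw: str
    target_hw: str
    other: str

    @classmethod
    def parse(cls, text: str) -> "Cpe":
        # Split on ':' unless it is escaped as '\:' (a literal colon in a value).
        parts = re.split(r"(?<!\\):", text.strip())
        if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
            raise ValueError(f"not a CPE 2.3 formatted string: {text!r}")
        return cls(*parts[2:])

    def attributes(self) -> Dict[str, str]:
        return {f.name: getattr(self, f.name) for f in fields(self)}


def attribute_matches(wanted: str, candidate: str) -> bool:
    """Match one attribute: ANY on either side matches anything, NA matches
    only NA, otherwise the values must be equal ignoring case."""
    if wanted == ANY or candidate == ANY:
        return True
    if wanted == NA or candidate == NA:
        return wanted == candidate
    return wanted.lower() == candidate.lower()


def cpe_matches(wanted: Cpe, candidate: Cpe) -> bool:
    """True if every attribute of `wanted` matches the same attribute of `candidate`."""
    return all(attribute_matches(w, c)
               for w, c in zip(wanted.attributes().values(),
                               candidate.attributes().values()))


# Constructed sample advisories (not real CVEs): each cites one or more CPEs.
SAMPLE_ADVISORIES = [
    {"id": "SAMPLE-1", "cpes": ["cpe:2.3:o:riot-os:riot:2021.01:*:*:*:*:*:*:*"]},
    {"id": "SAMPLE-2", "cpes": ["cpe:2.3:o:riot-os:riot:2022.07:*:*:*:*:*:*:*"]},
    # Same product name under another vendor, with an escaped colon in the product.
    {"id": "SAMPLE-3", "cpes": ["cpe:2.3:a:example:riot\\:tool:1.0:*:*:*:*:*:*:*"]},
    # Version recorded as NA ("-"): a version-ANY filter still matches it.
    {"id": "SAMPLE-4", "cpes": ["cpe:2.3:o:riot-os:riot:-:*:*:*:*:*:*:*"]},
]


def matching_advisories(filter_cpe: str, advisories=SAMPLE_ADVISORIES) -> List[str]:
    """IDs of advisories that cite at least one CPE matched by `filter_cpe`."""
    wanted = Cpe.parse(filter_cpe)
    return [adv["id"] for adv in advisories
            if any(cpe_matches(wanted, Cpe.parse(c)) for c in adv["cpes"])]


if __name__ == "__main__":
    # A user who wants every RIOT advisory regardless of release puts ANY in
    # the version field; a reporter citing one release pins it exactly.
    print(matching_advisories("cpe:2.3:o:riot-os:riot:*:*:*:*:*:*:*:*"))
    print(matching_advisories("cpe:2.3:o:riot-os:riot:2021.01:*:*:*:*:*:*:*"))
```

The version-ANY filter is the one a user would register to be notified about every RIOT release, while a string with a pinned version such as 2021.01 is what a reporter would cite for an affected release; the example also shows why an escaped colon and an NA version must be handled rather than split or rejected.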

@chrysn chrysn added the labels Type: enhancement, Area: doc, Area: security on Sep 10, 2022
@chrysn chrysn requested a review from jia200x as a code owner September 10, 2022 15:03
@chrysn chrysn added the labels CI: ready for build, CI: skip compile test on Sep 11, 2022
@chrysn chrysn merged commit dfcd2e5 into RIOT-OS:master Sep 11, 2022
@chrysn chrysn deleted the cpe-reference branch September 11, 2022 19:07
@maribu maribu added this to the Release 2022.10 milestone Oct 14, 2022