Notes from 3.3.1 roadmap/planning meeting #4078

Open
terriko opened this issue Apr 24, 2024 · 1 comment

terriko commented Apr 24, 2024

3.3.1 plans:

  • evaluate some of the NVD overlay / extra metadata / alternative data sources and see which ones should be integrated
    • NVD is currently very backlogged and it's getting worse due to funding cuts, etc. They've announced plans for an NVD Consortium to get a wider industry group to help resolve this but it's very likely we'll be using some additional data sources for some time before they're back up to speed.
    • Edited to add issue link: feat: Adding alternative vulnerability data sources #4100
  • CWE support
    • these are already available in NVD, but we'd need to actually have options to display them, possibly filter/group on them.
  • Other metadata?
  • OSV & de-dupe of data -- some of our data sources may not be playing well together
  • SPDX 3 is out, library may be able to support it soon but it's very different -- not sure how many people will want to support it at this stage, will likely keep current default for some time
  • CycloneDX 1.6 is a less radical change
  • more binary reverse engineering tools? improve accuracy
  • provide a no-scan mode for SBOM generation without any scanning (no download of data, etc.) -- this is being used by embedded folk and we could make the process nicer for them.
  • take a look at flags/options in cve-bin-tool, do we need to streamline/reduce/add?
  • improve any workflows? usability? Edit: Started discussion in Discussion: Command line usability resources #4087

Feel free to use this issue to continue to discuss things that might fit in 3.3.1.

@terriko terriko added this to the 3.3.1 milestone Apr 24, 2024

terriko commented Apr 24, 2024

I'm also starting to flag a lot of issues as 3.3.1; here's the link for that:

https://github.com/intel/cve-bin-tool/milestone/11

I'm particularly interested in making sure I track smaller post-3.3 bugs to make sure they're resolved in 3.3.1, but there are also some features and bigger stuff in there at this time. If you see something that you think should be tagged as 3.3.1, you can mention it here or directly on the relevant issue to let me know!

@terriko terriko added the discussion Discussion thread or meeting minutes that may not have any trivially fixable code issues associated label Apr 25, 2024