The report explicitly lists would-be-vulnerable-but-patched issues and marks them as such, so why can't you just ignore them in the report?
Ross On Thu, 14 Feb 2019 at 19:18, Dan Dedrick <[email protected]> wrote: > > It can be useful to filter out patched issues since they are no longer > vulnerable. This makes it easier to sift through what CVEs still might > need to be fixed. > > Signed-off-by: Dan Dedrick <[email protected]> > --- > meta/classes/cve-check.bbclass | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 743bc08a4f..a486d686ae 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" > CVE_CHECK_MANIFEST ?= > "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve" > CVE_CHECK_COPY_FILES ??= "1" > CVE_CHECK_CREATE_MANIFEST ??= "1" > +CVE_CHECK_EXCLUDE_PATCHED ??= "0" > > # Whitelist for packages (PN) > CVE_CHECK_PN_WHITELIST = "\ > @@ -54,6 +55,8 @@ python do_cve_check () { > if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): > patched_cves = get_patches_cves(d) > patched, unpatched = check_cves(d, patched_cves) > + if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1": > + patched = [] > if patched or unpatched: > cve_data = get_cve_info(d, patched + unpatched) > cve_write_data(d, patched, unpatched, cve_data) > -- > 2.20.1 > > -- > _______________________________________________ > Openembedded-core mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-core
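Review bot: the new default `CVE_CHECK_EXCLUDE_PATCHED ??= "0"` in the first hunk is added without any comment saying what the variable does or which values it accepts, and the commit message only says patched issues can be filtered; a one-line comment above the assignment (for example `# Set to "1" to omit patched CVEs from the cve-check report`) would make the option discoverable to anyone reading the class.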
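Review bot: in the second hunk, `patched = []` throws the patched list away before `cve_write_data(d, patched, unpatched, cve_data)` runs, so the per-recipe report and the image manifest lose the record that those CVEs were evaluated and found to be patched rather than merely hiding them; the variable name suggests a display filter, but the effect is that the evidence disappears from the output. Consider keeping the list and passing the exclusion flag into `cve_write_data` so the summary can still count patched entries, or state in the commit message that the exclusion is total. The exact-string check `== "1"` also means values such as "true" or "yes" silently leave the option off; `bb.utils.to_boolean()` would match how other boolean settings are parsed.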
