Also, be aware that cve-check-tool is notorious for unreliable reports and shouldn't be relied upon: the false negative rate is huge (and not something that can be fixed in cve-check-tool either).
Ross On Thu, 14 Feb 2019 at 21:03, Burton, Ross <[email protected]> wrote: > > The report explicitly lists would-be-vulnerable-but-patches issues and > marks them as such, so why can't you just ignore them in the report? > > Ross > > On Thu, 14 Feb 2019 at 19:18, Dan Dedrick <[email protected]> wrote: > > > > It can be useful to filter out patched issues since they are no longer > > vulnerable. This makes it easier to sift through what CVEs still might > > need to be fixed. > > > > Signed-off-by: Dan Dedrick <[email protected]> > > --- > > meta/classes/cve-check.bbclass | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > > index 743bc08a4f..a486d686ae 100644 > > --- a/meta/classes/cve-check.bbclass > > +++ b/meta/classes/cve-check.bbclass > > @@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" > > CVE_CHECK_MANIFEST ?= > > "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve" > > CVE_CHECK_COPY_FILES ??= "1" > > CVE_CHECK_CREATE_MANIFEST ??= "1" > > +CVE_CHECK_EXCLUDE_PATCHED ??= "0" > > > > # Whitelist for packages (PN) > > CVE_CHECK_PN_WHITELIST = "\ > > @@ -54,6 +55,8 @@ python do_cve_check () { > > if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): > > patched_cves = get_patches_cves(d) > > patched, unpatched = check_cves(d, patched_cves) > > + if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1": > > + patched = [] > > if patched or unpatched: > > cve_data = get_cve_info(d, patched + unpatched) > > cve_write_data(d, patched, unpatched, cve_data) > > -- > > 2.20.1 > > > > -- > > _______________________________________________ > > Openembedded-core mailing list > > [email protected] > > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
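Review bot: The new variable in the first hunk, CVE_CHECK_EXCLUDE_PATCHED ??= "0", is added without any comment, while the whitelist directly below it carries one ("# Whitelist for packages (PN)"). Add a one-line comment above the new assignment saying that "1" drops patched CVEs from what do_cve_check writes, so users do not have to read the task body to learn what the switch does.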
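Review bot: In the do_cve_check hunk, patched = [] is assigned before the "if patched or unpatched:" test, so for a recipe whose CVEs are all patched the condition becomes false and neither get_cve_info nor cve_write_data is called for it. If dropping the whole per-recipe output in that case is intended, state it in the commit message; otherwise keep the list intact at this point and apply the exclusion where the data is written, so that hiding patched entries does not also decide whether anything is written.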
