On 07.05.21 08:02, Mikko Rapeli wrote:
Hi,

On Thu, May 06, 2021 at 07:12:32AM -1000, Steve Sakoman wrote:
The preferred methods for CVE resolution are:

1. Version upgrades where possible
2. Patches where not possible
3. Database updates where version info is incorrect
4. Exclusion from checking where it is determined that the CVE
    does not apply to our environment

In some cases none of these methods are possible. For example the
CVE may be decades old with no apparent resolution, and with broken
links that make further research impractical.

This patch creates a mechanism for users to remove this type of
CVE from the cve-check results via an optional include file.

Signed-off-by: Steve Sakoman <st...@sakoman.com>
---
  .../distro/include/cve-extra-exclusions.inc    | 18 ++++++++++++++++++
  1 file changed, 18 insertions(+)
  create mode 100644 meta/conf/distro/include/cve-extra-exclusions.inc

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
new file mode 100644
index 0000000000..956b3a9a3c
--- /dev/null
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -0,0 +1,18 @@
+# This file contains a list of CVE's where resolution has proven to be 
impractical.
+# It contains all the information we are aware of about an issue and analysis 
about
+# why we believe it can't be fixed/handled. Additional information is welcome 
through
+# patches to the file.
+#
+# Include this file in your local.conf or distro.conf to exclude these CVE's
+# from the cve-check results
+
+# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# CVE is more than 20 years old with no resolution evident
+# broken links in CVE database references make resolution impractical
+CVE_CHECK_WHITELIST += "CVE-2000-0006"
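Review bot: `CVE_CHECK_WHITELIST += "CVE-2000-0006"` at the end of the hunk is a plain global assignment, so the id is hidden for every recipe cve-check scans, not only for strace, which the comment directly above names as the package that was analysed. If the analysis covers strace alone, scope the entry with the recipe override (`CVE_CHECK_WHITELIST_pn-strace += "CVE-2000-0006"`), or say in the header comment that entries in this file are deliberately global and why. The header also promises "all the information we are aware of about an issue", yet the strace entry carries only the NVD link and the remark that the references are broken; listing which references were checked would let a later reader re-verify without repeating the search. Minor: `CVE's` in the two header comments should read `CVEs`.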

Could this be specific to a recipe?

It may be that CVE data changes and adds new CPEs and the same CVE could still
be valid for another recipe. I think the analysis also applies to a single
recipe.

My understanding of this file is that it targets CVEs that will never be fixed - so it just reduces the noise from a scan - the same settings can still be applied to any kind of recipe.

But what I'd like to see is proper documentation of this inc file so it gets some visibility - or alternatively it's included by default.

Or it might even be okay to include these settings into the cvecheck.bbclass as an opt-out feature - simply any place but an undocumented inc file.


Cheers,

-Mikko
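The scoping question raised above (a global exclusion versus one tied to a single recipe) can be made concrete with a small simulation. The following is an added example, not code from OE-core or from the patch: it parses the tiny subset of BitBake syntax the .inc file uses, assumes BitBake's `_pn-<recipe>` override as the recipe-scoping mechanism, and runs both forms over a constructed list of cve-check findings (the second recipe name and the second CVE id are made-up placeholders).

```python
"""Compare a global CVE_CHECK_WHITELIST entry with a recipe-scoped one.

Added illustration for the thread above; not part of cve-check.bbclass.
Assumes the BitBake override form CVE_CHECK_WHITELIST_pn-<recipe> scopes
an exclusion to one recipe, and supports only '+=' / '=' with a
double-quoted, whitespace-separated list of CVE ids.
"""
import re
from dataclasses import dataclass, field

# One assignment per line; comments and blank lines are skipped.
_ASSIGN = re.compile(
    r'^CVE_CHECK_WHITELIST(?:_pn-(?P<recipe>[\w.+-]+))?'
    r'\s*(?P<op>\+?=)\s*"(?P<ids>[^"]*)"$'
)


@dataclass
class Exclusions:
    global_ids: set = field(default_factory=set)
    per_recipe: dict = field(default_factory=dict)  # recipe -> set of ids

    def is_excluded(self, recipe, cve_id):
        """True if the finding is hidden either globally or for this recipe."""
        if cve_id in self.global_ids:
            return True
        return cve_id in self.per_recipe.get(recipe, set())


def parse_exclusions(conf_text):
    """Parse the supported subset of a cve exclusion .inc file."""
    ex = Exclusions()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError("unsupported line: %r" % raw)
        ids = set(m.group("ids").split())
        recipe = m.group("recipe")
        if recipe is None:
            target = ex.global_ids
        else:
            target = ex.per_recipe.setdefault(recipe, set())
        if m.group("op") == "=":
            target.clear()
        target.update(ids)
    return ex


def report(findings, exclusions):
    """Return the (recipe, cve_id) findings that survive the exclusions,
    in their original order."""
    return [(r, c) for r, c in findings if not exclusions.is_excluded(r, c)]


# The entry as written in the patch: global, applies to every recipe.
GLOBAL_CONF = """
# strace: CVE is more than 20 years old with no resolution evident
CVE_CHECK_WHITELIST += "CVE-2000-0006"
"""

# The same exclusion scoped to strace via the pn- override (assumed form).
SCOPED_CONF = """
CVE_CHECK_WHITELIST_pn-strace += "CVE-2000-0006"
"""

# Constructed cve-check findings. 'other-recipe' and 'CVE-1999-0000' are
# placeholders, not real packages or advisories; the point is that a second
# recipe matching the same CVE id is silently hidden by the global form.
FINDINGS = [
    ("strace", "CVE-2000-0006"),
    ("other-recipe", "CVE-2000-0006"),
    ("strace", "CVE-1999-0000"),
]


def compare():
    """Run both configurations over the constructed findings."""
    return {
        "global": report(FINDINGS, parse_exclusions(GLOBAL_CONF)),
        "scoped": report(FINDINGS, parse_exclusions(SCOPED_CONF)),
    }


if __name__ == "__main__":
    for name, remaining in compare().items():
        print(name, "->", remaining)
```

With the global form, `other-recipe`'s finding for the same id disappears along with strace's, even though nobody analysed it; with the scoped form it stays in the report, which is the behaviour the question above is asking for. Whether `_pn-` overrides in a distro-level .inc are the right place for that is a separate question from whether the mechanism scopes correctly.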

View/Reply Online (#151412): https://lists.openembedded.org/g/openembedded-core/message/151412