Recently a number of CVEs have been logged against a nodejs project called "node-tar". These appear as false positives against the GNU tar being built by Yocto. Some of these have been manually excluded using CVE_CHECK_WHITELIST.
To avoid this problem, use the vendor name (in addition to package name) for filtering CVEs. The syntax for this is: CVE_PRODUCT = "vendor:package" When not specified, the vendor defaults to "%" which matches anything. Signed-off-by: Ralph Siemsen <[email protected]> --- meta/recipes-extended/tar/tar_1.34.bb | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/meta/recipes-extended/tar/tar_1.34.bb b/meta/recipes-extended/tar/tar_1.34.bb index 98755a11cc..3728b5090d 100644 --- a/meta/recipes-extended/tar/tar_1.34.bb +++ b/meta/recipes-extended/tar/tar_1.34.bb @@ -62,5 +62,6 @@ NATIVE_PACKAGE_PATH_SUFFIX = "/${PN}" BBCLASSEXTEND = "native nativesdk" -# These are both specific to the NPM package node-tar -CVE_CHECK_WHITELIST += "CVE-2021-32803 CVE-2021-32804" +# Avoid false positives from CVEs in node-tar package +# For example CVE-2021-{32803,32804,37701,37712,37713} +CVE_PRODUCT = "gnu:tar" -- 2.25.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#156022): https://lists.openembedded.org/g/openembedded-core/message/156022 Mute This Topic: https://lists.openembedded.org/mt/85610692/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
