Hi Andrej
On 19.05.23 at 08:24, Andrej Valek via lists.openembedded.org wrote:
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.
- The optional CVE_STATUS_REASONING flag variable may contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
the value "Ignored" as a fallback.
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Not applicable"
CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[reason] = "Fixed externally"
Signed-off-by: Andrej Valek <[email protected]>
Signed-off-by: Peter Marko <[email protected]>
---
documentation/dev-manual/new-recipe.rst | 4 +-
documentation/dev-manual/vulnerabilities.rst | 11 ++---
documentation/ref-manual/classes.rst | 9 ++--
documentation/ref-manual/variables.rst | 33 ++++++++++++---
meta/classes/cve-check.bbclass | 44 +++++++++++++++++---
meta/lib/oe/cve_check.py | 6 +++
6 files changed, 87 insertions(+), 20 deletions(-)
Many thanks for the patch and for the documentation changes too!
However, could you send the documentation changes separately, using the
yocto-docs repository as a reference, and sending them to the
[email protected] mailing list?
You seem to have produced your patches against "poky", but that's a
repository aggregating stuff from other repositories. Your code changes
should be for the "openembedded-core" repository.
Another advantage is that we can merge the documentation changes only
when the code changes are accepted.
Thanks in advance
Cheers
Michael.
--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
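For readers working out how the variables in the patch description fit together, the following is an added illustration (not code from the patch or from cve-check.bbclass). It models the semantics the commit message spells out with a small Datastore class standing in for BitBake's datastore: per-CVE CVE_STATUS flags, an optional CVE_STATUS_REASONING flag, CVE_STATUS_GROUPS carrying a shared [status]/[reason], and the CVE_CHECK_IGNORE fallback. The precedence order (explicit CVE_STATUS flag over group over fallback), the rejection of statuses outside the three accepted values, the empty reason for fallback entries and the extra CVE-1234-0005 in the sample data are all assumptions made for the example; the sample assignments themselves are copied from the description above.

```python
# Added illustration of how CVE_STATUS / CVE_STATUS_REASONING / CVE_STATUS_GROUPS
# resolve into one (status, reason) pair per CVE.  NOT the code in
# cve-check.bbclass: Datastore is a stand-in for BitBake's datastore and the
# precedence order (explicit CVE_STATUS flag > group > CVE_CHECK_IGNORE
# fallback) is an assumption, not something the patch description states.
from dataclasses import dataclass, field

# The three statuses the patch description accepts for a CVE.
ACCEPTED_STATUSES = ("Ignored", "Not applicable", "Patched")


@dataclass
class Datastore:
    """Minimal stand-in for BitBake's d: plain values plus per-variable flags."""
    values: dict = field(default_factory=dict)   # {var: value}
    flags: dict = field(default_factory=dict)    # {(var, flag): value}

    def getVar(self, name):
        return self.values.get(name)

    def getVarFlag(self, name, flag):
        return self.flags.get((name, flag))

    def getVarFlags(self, name):
        return {f: v for (n, f), v in self.flags.items() if n == name}


def check_status(cve, status):
    """Reject anything outside the accepted vocabulary, so a typo such as
    "Fixed" or "ignored" fails the build instead of silently hiding a CVE."""
    if status not in ACCEPTED_STATUSES:
        raise ValueError(f"{cve}: unknown CVE status {status!r}; "
                         f"expected one of {ACCEPTED_STATUSES}")


def resolve_cve_status(d):
    """Return {cve_id: (status, reason)} for every CVE the recipe classifies."""
    result = {}

    # 1. Fallback: every CVE still listed in the legacy CVE_CHECK_IGNORE
    #    variable becomes "Ignored"; no reason is recorded (assumption).
    for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
        result[cve] = ("Ignored", None)

    # 2. Groups: one [status]/[reason] pair applied to a whole list of CVEs.
    for group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
        status = d.getVarFlag(group, "status")
        reason = d.getVarFlag(group, "reason")
        if status is None:
            raise ValueError(f"{group}: in CVE_STATUS_GROUPS but has no [status] flag")
        for cve in (d.getVar(group) or "").split():
            check_status(cve, status)
            result[cve] = (status, reason)

    # 3. Explicit per-CVE flags; assumed to win over groups and the fallback.
    for cve, status in d.getVarFlags("CVE_STATUS").items():
        check_status(cve, status)
        result[cve] = (status, d.getVarFlag("CVE_STATUS_REASONING", cve))

    return result


def report_rows(d):
    """Rows in the shape a csv/json report would carry, with the new "reason" entry."""
    return [{"id": cve, "status": status, "reason": reason}
            for cve, (status, reason) in sorted(resolve_cve_status(d).items())]


def example_datastore():
    """Constructed sample: the assignments from the patch description plus one
    legacy CVE_CHECK_IGNORE entry (CVE-1234-0005) to exercise the fallback."""
    d = Datastore()
    d.values["CVE_CHECK_IGNORE"] = "CVE-1234-0005"
    d.flags[("CVE_STATUS", "CVE-1234-0001")] = "Ignored"
    d.flags[("CVE_STATUS", "CVE-1234-0002")] = "Not applicable"
    d.flags[("CVE_STATUS_REASONING", "CVE-1234-0002")] = "Issue only applies on Windows"
    d.values["CVE_STATUS_GROUPS"] = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
    d.values["CVE_STATUS_WIN"] = "CVE-1234-0001 CVE-1234-0002"
    d.flags[("CVE_STATUS_WIN", "status")] = "Not applicable"
    d.flags[("CVE_STATUS_WIN", "reason")] = "Issue only applies on Windows"
    d.values["CVE_STATUS_PATCHED"] = "CVE-1234-0003 CVE-1234-0004"
    d.flags[("CVE_STATUS_PATCHED", "status")] = "Patched"
    d.flags[("CVE_STATUS_PATCHED", "reason")] = "Fixed externally"
    return d


if __name__ == "__main__":
    for row in report_rows(example_datastore()):
        print(row)
```

Note what the sample shows: CVE-1234-0001 is both in CVE_STATUS_WIN ("Not applicable") and given an explicit CVE_STATUS flag ("Ignored"); under the assumed precedence the explicit flag wins and, lacking a CVE_STATUS_REASONING entry, its reason stays empty. Whatever order the real class settles on, the point for reviewers is that a CVE listed in two places should resolve deterministically and that an unknown status value should be an error rather than an unnoticed suppression.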