Hello Luca,

How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
didn't print any warning. Should I build an image?

Regards,
Andrej

On Thu, 2023-06-22 at 14:42 +0200, Luca Ceresoli wrote:
> Hello Andrej,
> 
> On Thu, 22 Jun 2023 08:59:02 +0200
> "Andrej Valek via lists.openembedded.org"
> <andrej.valek=siemens....@lists.openembedded.org> wrote:
> 
> > After discussion in all parallel threads we proposed following variant which
> > covers both expressed requirements to have very small number of different
> > cve statuses and also very large number of them at the same time.
> > This is a compromise version which maybe is not ideal but deals with
> > conflicting responses we got.
> > 
> > Changes compared to version 6:
> >  - added conversion from CVE_CHECK_IGNORE to CVE_STATUS
> >  - added comments for all statuses
> >  - dropped "not-affected" status
> >   - conversion showed that it is not very useful
> >  - added "disputed" status
> > 
> > Documentation will be updated in a separate repository.
> 
> This patchset generates a lot of warnings when run on the autobuilders.
> Here are a few:
> 
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender <
> 0.6.0 and not qemu itself", fallback to Unpatched
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-config
> for CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can
> expose host files uder some circumstances. We don't enable it by default.",
> fallback to Unpatched
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail disputed for
> CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were
> determined to not constitute a vulnerability.", fallback to Unpatched
> NOTE: recipe python3-calver-2022.6.26-r0: task do_create_runtime_spdx:
> Succeeded
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-platform
> for CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies
> on Windows", fallback to Unpatched
> 
> WARNING: cpio-2.14-r0 do_create_spdx: Invalid detail not-applicable-platform
> for CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use
> of cpio in SUSE/OBS", fallback to Unpatched
> 
> WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes
> rather than bluez fixes", fallback to Unpatched
> WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes
> rather than bluez fixes", fallback to Unpatched
> 
> For a more complete list you can look at the build page:
> https://swatbot.yoctoproject.org/collection/17294/
> 
> All/most of the warnings are about CVEs.
> 
> I haven't looked in detail at what is the intended behavior of your
> patch set, however I'm removing it from my testing branch for the time
> being.
> 
> Best regards,
> Luca
> 
