>-----Original Message-----
>From: Marko, Peter <[email protected]>
>Sent: Wednesday, July 24, 2024 12:04 PM
>To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
><[email protected]>; [email protected]
>Cc: xe-linux-external(mailer list) <[email protected]>
>Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to
>"Unpatched" status
>
>-----Original Message-----
>From: [email protected] <openembedded-
>[email protected]> On Behalf Of Dhairya Nagodra via
>lists.openembedded.org
>Sent: Wednesday, July 24, 2024 6:45
>To: [email protected]
>Cc: [email protected]; Dhairya Nagodra <[email protected]>
>Subject: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to
>"Unpatched" status
>
>> - The 'upstream-wontfix' is to be used when the CVE is accepted by the
>>   upstream, but they are not planning to fix it.
>> - If the version used in Yocto is vulnerable, it should not have
>>   "Ignored" status. The package is still exploitable by the CVE.
>> - Also, when the status is exported out of the SDK, it would be
>>   incorrect to put it under the Ignored category.
>
>The purpose of this entry is to remove meaningless CVEs from reports so that
>users don't spend countless hours over and over again on analyzing "open"
>CVEs if they were already closed upstream.
>If you look at the comments of entries using this category (7 in oe-core scarthgap),
>these CVEs are more or less irrelevant.
>
>So this patch is, from my point of view, a step in the wrong direction.
>If you really need to show these due to your CVE handling process, you can
>easily override this variable assignment in your own layer.
>


I tried this in my layer: I created a .conf and included it in my distro.conf file.
The issue is, it gets overwritten by cve-check-map.conf (as it is included later).

Would it be okay to make the assignments soft in the cve-check-map.conf file?
This would be similar to CVE_PRODUCT and CVE_VERSION.
If everyone agrees, I can share the patch for it.
Is there a better way to do this?

Best Regards,
Dhairya


>>
>> Signed-off-by: Dhairya Nagodra <[email protected]>
>> ---
>>  meta/conf/cve-check-map.conf | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/meta/conf/cve-check-map.conf
>> b/meta/conf/cve-check-map.conf index b9df41a6f3..7ff53f5601 100644
>> --- a/meta/conf/cve-check-map.conf
>> +++ b/meta/conf/cve-check-map.conf
>> @@ -15,6 +15,8 @@ CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
>>  CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
>>  # use when CVE fix is not compatible to the current version and cannot be
>backported.
>>  CVE_CHECK_STATUSMAP[cannot-backport] = "Unpatched"
>> +# use when upstream acknowledged the vulnerability but does not plan
>> +to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"
>>
>>  # used for migration from old concept, do not use for new
>> vulnerabilities  CVE_CHECK_STATUSMAP[ignored] = "Ignored"
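Review bot: the added mapping for upstream-wontfix is a hard assignment (`=`), so a distro or layer that sets `CVE_CHECK_STATUSMAP[upstream-wontfix]` earlier (for example in its distro.conf) is overwritten when cve-check-map.conf is included afterwards, which is exactly the problem reported further up in this thread. If downstream layers are meant to keep their own policy for this status, consider a default assignment (`?=`) here, as the thread proposes for consistency with CVE_PRODUCT and CVE_VERSION, and extend the comment to say that the shipped version is still affected even though upstream will not fix it. Note also that in this rendering the comment continuation and the `CVE_CHECK_STATUSMAP[...]` assignment appear on one `+` line, which looks like mailer wrapping; the applied patch should keep them as two separate lines.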
>> @@ -26,5 +28,3 @@ CVE_CHECK_STATUSMAP[disputed] = "Ignored"
>>  CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
>>  # use when vulnerability affects other platform (e.g. Windows or
>> Debian)  CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
>> -# use when upstream acknowledged the vulnerability but does not plan
>> to fix it -CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
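Review bot: removing the `Ignored` mapping changes the reported status of every existing `CVE_STATUS` entry that already uses upstream-wontfix (the reply above counts 7 in oe-core scarthgap): those CVEs move from the Ignored section to Unpatched in cve-check output without any change to the recipes. The commit message should state this impact explicitly, and it is worth checking in the same series whether any of those existing entries are better described by one of the remaining statuses visible in this file (cannot-backport, not-applicable-config, not-applicable-platform) so the reports do not regress for users who rely on them. As in the first hunk, the two `-` lines are wrapped by the mailer here (comment text and `-CVE_CHECK_STATUSMAP` on one line), so the hunk is hard to verify by eye against the `-26,5 +28,3` header; the original patch file should be checked rather than this quoted copy.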
View/Reply Online (#203063): https://lists.openembedded.org/g/openembedded-core/message/203063