> -----Original Message-----
> From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <[email protected]>
> Sent: Wednesday, August 7, 2024 12:17
> To: Marko, Peter (ADV D EU SK BFS1) <[email protected]>; Richard Purdie <[email protected]>; Marta Rybczynska <[email protected]>; [email protected]
> Cc: xe-linux-external(mailer list) <[email protected]>
> Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>
> > -----Original Message-----
> > From: Marko, Peter <[email protected]>
> > Sent: Wednesday, July 24, 2024 12:04 PM
> > To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <[email protected]>; [email protected]
> > Cc: xe-linux-external(mailer list) <[email protected]>
> > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> >
> > -----Original Message-----
> > From: [email protected] <openembedded-[email protected]> On Behalf Of Dhairya Nagodra via lists.openembedded.org
> > Sent: Wednesday, July 24, 2024 6:45
> > To: [email protected]
> > Cc: [email protected]; Dhairya Nagodra <[email protected]>
> > Subject: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> >
> > > - The 'upstream-wontfix' is to be used when the CVE is accepted by the upstream, but they are not planning to fix it.
> > > - If the version used in Yocto is vulnerable, it should not have "Ignored" status. The package is still exploitable by the CVE.
> > > - Also, when the status is exported out of the SDK, it would be incorrect to put it under the Ignored category.
> >
> > The purpose of this entry is to remove meaningless CVEs from reports so that users don't spend countless hours over and over again on analyzing "open" CVEs if they were already closed upstream.
> > If you look at comments of entries using this category (7 in oe-core scarthgap) these CVEs are more or less irrelevant.
> >
> > So this patch is from my point of view a step in the wrong direction.
> > If you really need to show these due to your CVE handling process, you can easily override this variable assignment in your own layer.
>
> I tried this in my layer, created a .conf and included it in my distro.conf file.
> The issue is, it gets overwritten by cve-check-map.conf (as it is included later).

If you create meta-<your-layer>/conf/cve-check-map.conf it will be included instead of the one from oe-core/poky.

> Would it be okay to make assignments soft in the cve-check-map.conf file?
> This would be similar to CVE_PRODUCT and CVE_VERSION.
> If everyone agrees, I can share the patch for it.
> Is there a better way to do this?

This is also an option; I'm not opinionated on this one...

> Best Regards,
> Dhairya
>
> > > Signed-off-by: Dhairya Nagodra <[email protected]>
> > > ---
> > > meta/conf/cve-check-map.conf | 4 ++--
> > > 1 file changed, 2 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
> > > index b9df41a6f3..7ff53f5601 100644
> > > --- a/meta/conf/cve-check-map.conf
> > > +++ b/meta/conf/cve-check-map.conf
> > > @@ -15,6 +15,8 @@ CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> > >  CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> > >  # use when CVE fix is not compatible to the current version and cannot be backported.
> > >  CVE_CHECK_STATUSMAP[cannot-backport] = "Unpatched"
> > > +# use when upstream acknowledged the vulnerability but does not plan to fix it
> > > +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"
> > >
> > >  # used for migration from old concept, do not use for new vulnerabilities
> > >  CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> > > @@ -26,5 +28,3 @@ CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> > >  CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> > >  # use when vulnerability affects other platform (e.g. Windows or Debian)
> > >  CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
> > > -# use when upstream acknowledged the vulnerability but does not plan to fix it
> > > -CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
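Review bot: the first hunk changes what an existing, already-used status keyword means without recording why, since the comment added above `CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"` is the same text removed in the second hunk. Every layer that already tags CVEs as `upstream-wontfix` (the thread counts 7 entries in oe-core scarthgap alone) will see those entries move from "Ignored" to "Unpatched" in its reports after this lands, so the commit message should state that effect and the comment should carry the rationale given in the description (the version in use is still vulnerable), e.g. `# use when upstream acknowledged the vulnerability but does not plan to fix it; the version in use remains vulnerable, so it is reported`. It is also worth stating, in the commit message or the comment, that a layer wanting the previous behaviour can re-map the keyword in its own conf/cve-check-map.conf, as the discussion above points out.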
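The point in dispute above is what happens when a report that files `upstream-wontfix` under "Ignored" leaves the build and reaches someone who only sees the mapped status: a still-vulnerable version disappears from their list. The following is an added Python example, not part of this thread or of oe-core, showing a consumer-side check that re-files such entries as "Unpatched" and summarises the result. It assumes a JSON report shaped like the one cve-check writes (a "package" list whose entries carry an "issue" list with "id", "status" and "detail" fields); that shape, the package names and the CVE ids in the sample are constructed placeholders.

```python
import json
from collections import Counter

# Constructed sample report. The shape (a top-level "package" list whose entries
# carry an "issue" list with "id", "status" and "detail" fields) is an assumption
# modelled on the JSON that cve-check writes; the package names and CVE ids are
# placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {
            "name": "examplelib",
            "layer": "meta-example",
            "version": "1.2.3",
            "issue": [
                {"id": "CVE-0000-0001", "status": "Patched",
                 "detail": "backported-patch"},
                {"id": "CVE-0000-0002", "status": "Ignored",
                 "detail": "upstream-wontfix"},
                {"id": "CVE-0000-0003", "status": "Unpatched",
                 "detail": "vulnerable-investigating"},
            ],
        },
        {
            "name": "othertool",
            "layer": "meta-example",
            "version": "4.5",
            "issue": [
                {"id": "CVE-0000-0004", "status": "Ignored",
                 "detail": "upstream-wontfix"},
                {"id": "CVE-0000-0005", "status": "Ignored",
                 "detail": "disputed"},
            ],
        },
    ],
})

# CVE_STATUS detail keywords that describe a build that is still vulnerable.
# The default map files "upstream-wontfix" under "Ignored"; a downstream
# consumer of the report wants it under "Unpatched", which is the disagreement
# in the thread.
STILL_VULNERABLE_DETAILS = frozenset({"upstream-wontfix"})


def reclassify(report_json, still_vulnerable=STILL_VULNERABLE_DETAILS):
    """Re-file issues whose detail is in still_vulnerable under "Unpatched".

    Returns (report, moved): the parsed and modified report dict, plus a list
    of (package name, CVE id) pairs whose status changed. Only "Ignored"
    entries are touched; an explicit "Patched" entry is left as it is.
    """
    report = json.loads(report_json)
    moved = []
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            if (issue.get("status") == "Ignored"
                    and issue.get("detail") in still_vulnerable):
                issue["status"] = "Unpatched"
                moved.append((pkg["name"], issue["id"]))
    return report, moved


def summarize(report):
    """Count issues per (status, detail) pair so the effect of the map is visible."""
    counts = Counter()
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            counts[(issue.get("status"), issue.get("detail"))] += 1
    return dict(counts)


def unpatched_ids(report):
    """Sorted CVE ids that a consumer of the report must still treat as open."""
    return sorted(
        issue["id"]
        for pkg in report.get("package", [])
        for issue in pkg.get("issue", [])
        if issue.get("status") == "Unpatched"
    )


if __name__ == "__main__":
    fixed, moved = reclassify(SAMPLE_REPORT)
    for name, cve in moved:
        print(f"{name}: {cve} re-filed from Ignored to Unpatched")
    for (status, detail), n in sorted(summarize(fixed).items()):
        print(f"{status:9} {detail:25} {n}")
    print("open:", ", ".join(unpatched_ids(fixed)))
```

Running the script on the constructed report moves the two `upstream-wontfix` entries to "Unpatched" while the `disputed` entry stays "Ignored"; the `STILL_VULNERABLE_DETAILS` set is the place to encode whatever a layer's own CVE handling process treats as still open, without having to change the map that the build itself uses.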
View/Reply Online (#203064): https://lists.openembedded.org/g/openembedded-core/message/203064
