>-----Original Message-----
>From: Marko, Peter <[email protected]>
>Sent: Wednesday, August 7, 2024 4:04 PM
>To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <[email protected]>; Richard Purdie <[email protected]>; Marta Rybczynska <[email protected]>; [email protected]
>Cc: xe-linux-external(mailer list) <[email protected]>
>Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>
>
>
>> -----Original Message-----
>> From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <[email protected]>
>> Sent: Wednesday, August 7, 2024 12:17
>> To: Marko, Peter (ADV D EU SK BFS1) <[email protected]>; Richard Purdie <[email protected]>; Marta Rybczynska <[email protected]>; [email protected]
>> Cc: xe-linux-external(mailer list) <[email protected]>
>> Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>>
>>
>>
>> >-----Original Message-----
>> >From: Marko, Peter <[email protected]>
>> >Sent: Wednesday, July 24, 2024 12:04 PM
>> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <[email protected]>; [email protected]
>> >Cc: xe-linux-external(mailer list) <[email protected]>
>> >Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>> >
>> >-----Original Message-----
>> >From: [email protected] <[email protected]> On Behalf Of Dhairya Nagodra via lists.openembedded.org
>> >Sent: Wednesday, July 24, 2024 6:45
>> >To: [email protected]
>> >Cc: [email protected]; Dhairya Nagodra <[email protected]>
>> >Subject: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>> >
>> >> - The 'upstream-wontfix' is to be used when the CVE is accepted by the upstream, but they are not planning to fix it.
>> >> - If the version used in Yocto is vulnerable, it should not have "Ignored" status. The package is still exploitable by the CVE.
>> >> - Also, when the status is exported out of the SDK, it would be incorrect to put it under the Ignored category.
>> >
>> >The purpose of this entry is to remove meaningless CVEs from reports so that users don't spend countless hours over and over again on analyzing "open" CVEs if they were already closed upstream.
>> >If you look at comments of entries using this category (7 in oe-core scarthgap) these CVEs are more or less irrelevant.
>> >
>> >So this patch is from my point of view a step in the wrong direction.
>> >If you really need to show these due to your CVE handling process, you can easily override this variable assignment in your own layer.
>> >
>>
>>
>> I tried this in my layer: created a .conf and included it in my distro.conf file.
>> The issue is, it gets overwritten by cve-check-map.conf (as it is included later).
>
>If you create meta-<your-layer>/conf/cve-check-map.conf it will be included instead of the one from oe-core/poky.
>
I tried this approach; it included both of the files, and my config was overwritten.

# <path>/distro/openembedded-core/../my-layer/conf/distro/my-cve-check-map.conf
# <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
# <path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
# <path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
# <path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
# <path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf

>>
>> Would it be okay to make assignments soft in the cve-check-map.conf file?
>> This would be similar to CVE_PRODUCT and CVE_VERSION.

This seems to be the only way; I'll share the patch soon.

>> If everyone agrees, I can share the patch for it.
>> Is there a better way to do this?
>
>This is also an option; I'm not opinionated on this one...
>
>>
>> Best Regards,
>> Dhairya
>>
>>
>> >>
>> >> Signed-off-by: Dhairya Nagodra <[email protected]>
>> >> ---
>> >>  meta/conf/cve-check-map.conf | 4 ++--
>> >>  1 file changed, 2 insertions(+), 2 deletions(-)
>> >> >> >> diff --git a/meta/conf/cve-check-map.conf >> >> b/meta/conf/cve-check-map.conf index b9df41a6f3..7ff53f5601 100644 >> >> --- a/meta/conf/cve-check-map.conf >> >> +++ b/meta/conf/cve-check-map.conf >> >> @@ -15,6 +15,8 @@ CVE_CHECK_STATUSMAP[unpatched] = >"Unpatched" >> >> CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" >> >> # use when CVE fix is not compatible to the current version and >> >> cannot be >> >backported. >> >> CVE_CHECK_STATUSMAP[cannot-backport] = "Unpatched" >> >> +# use when upstream acknowledged the vulnerability but does not >> >> +plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched" >> >> >> >> # used for migration from old concept, do not use for new >> >> vulnerabilities CVE_CHECK_STATUSMAP[ignored] = "Ignored" >> >> @@ -26,5 +28,3 @@ CVE_CHECK_STATUSMAP[disputed] = "Ignored" >> >> CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" >> >> # use when vulnerability affects other platform (e.g. Windows or >> >> Debian) CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" >> >> -# use when upstream acknowledged the vulnerability but does not >> >> plan to fix it -CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
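Review bot: the moved entry keeps a hard `=` in both hunks, so whichever default this file ends up with cannot be overridden from a distro configuration, because conf/cve-check-map.conf is parsed after the distro conf (the include order quoted earlier in this thread shows exactly that, and it is why the reporter's own override was lost). If the intent is to let a distro keep the previous "Ignored" classification, write the entry as `CVE_CHECK_STATUSMAP[upstream-wontfix] ?= "Unpatched"` rather than `=`, and say in the commit message that layers already using this status will see those CVEs move from the Ignored to the Unpatched section of their reports. Minor: the comment carried over with the entry, `# use when upstream acknowledged the vulnerability but does not plan to fix it`, does not record why it now counts as Unpatched; adding "the shipped version remains affected" keeps the rationale from the commit message next to the mapping it justifies.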
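The three override mechanics discussed in this thread (a distro-included conf that loses to oe-core's later hard assignment, a layer copy of conf/cve-check-map.conf that shadows the oe-core file through BBPATH, and the proposed soft assignment in oe-core), written out as one added configuration example. This is not code from the thread or from oe-core: the layer name meta-mylayer, the file name my-cve-check-map.conf and the use of ${COREBASE} to reach the oe-core copy are assumptions; CVE_CHECK_STATUSMAP, its flag names and conf/cve-check-map.conf are the real oe-core names from the patch.

```bitbake
# Added example, not oe-core or thread code. meta-mylayer,
# my-cve-check-map.conf and ${COREBASE} are assumptions; CVE_CHECK_STATUSMAP
# and conf/cve-check-map.conf are the real oe-core names.

# --- A. What the thread reports as failing -------------------------------
# File: meta-mylayer/conf/distro/my-cve-check-map.conf, pulled in from the
# distro config with:   require conf/distro/my-cve-check-map.conf
#
# bitbake.conf parses conf/distro/${DISTRO}.conf (and therefore this file)
# before it requires conf/cve-check-map.conf. oe-core's copy uses a hard
# "=", so the later assignment there replaces this value at parse time and
# the override is lost:
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"

# --- B. Shadow oe-core's file through BBPATH ------------------------------
# File: meta-mylayer/conf/cve-check-map.conf, i.e. the same relative path as
# meta/conf/cve-check-map.conf in oe-core. bitbake.conf requires that file
# by relative path; BitBake resolves it against BBPATH and takes the first
# hit, so when this layer precedes oe-core on BBPATH this copy is parsed
# instead of oe-core's, and the oe-core copy is not read at all.
# Pull the oe-core map back in by absolute path (assumed: COREBASE points at
# the openembedded-core or poky checkout), then change only the entry needed.
# BitBake treats "#" as a comment only at the start of a line, so no
# trailing comments on assignment lines.
require ${COREBASE}/meta/conf/cve-check-map.conf
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"

# --- C. The soft-assignment form proposed in the thread -------------------
# If oe-core's meta/conf/cve-check-map.conf used "?=" instead of "=", the
# assignment in A would survive, because "?=" only sets the flag when it is
# still unset at the point the line is parsed (this is the proposal, not what
# the quoted patch does):
CVE_CHECK_STATUSMAP[upstream-wontfix] ?= "Ignored"
```

Variant B only works if the layer's copy is found first: BBPATH starts with the build directory and is then extended by each layer's layer.conf, typically in BBLAYERS order, so a layer listed after oe-core in bblayers.conf will not shadow the file. Inspect the search order with `bitbake-getvar --value BBPATH`, and confirm which assignment won with `bitbake-getvar -f upstream-wontfix CVE_CHECK_STATUSMAP`, which prints the effective value of that flag.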
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.

View/Reply Online (#203215): https://lists.openembedded.org/g/openembedded-core/message/203215
Mute This Topic: https://lists.openembedded.org/mt/107518628/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
