On Mon, 2024-08-12 at 10:08 +0000, Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) wrote:
> > -----Original Message-----
> > From: Marko, Peter <[email protected]>
> > Sent: Wednesday, August 7, 2024 4:04 PM
> > To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <[email protected]>; Richard Purdie <[email protected]>; Marta Rybczynska <[email protected]>; [email protected]
> > Cc: xe-linux-external(mailer list) <[email protected]>
> > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> >
> > > -----Original Message-----
> > > From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <[email protected]>
> > > Sent: Wednesday, August 7, 2024 12:17
> > > To: Marko, Peter (ADV D EU SK BFS1) <[email protected]>; Richard Purdie <[email protected]>; Marta Rybczynska <[email protected]>; [email protected]
> > > Cc: xe-linux-external(mailer list) <[email protected]>
> > > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> > >
> > > > -----Original Message-----
> > > > From: Marko, Peter <[email protected]>
> > > > Sent: Wednesday, July 24, 2024 12:04 PM
> > > > To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <[email protected]>; [email protected]
> > > > Cc: xe-linux-external(mailer list) <[email protected]>
> > > > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> > > >
> > > > -----Original Message-----
> > > > From: [email protected] <[email protected]> On Behalf Of Dhairya Nagodra via lists.openembedded.org
> > > > Sent: Wednesday, July 24, 2024 6:45
> > > > To: [email protected]
> > > > Cc: [email protected]; Dhairya Nagodra <[email protected]>
> > > > Subject: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
> > > >
> > > > > - The 'upstream-wontfix' is to be used when the CVE is accepted by the upstream, but they are not planning to fix it.
> > > > > - If the version used in Yocto is vulnerable, it should not have "Ignored" status. The package is still exploitable by the CVE.
> > > > > - Also, when the status is exported out of the SDK, it would be incorrect to put it under the Ignored category.
> > > >
> > > > The purpose of this entry is to remove meaningless CVEs from reports so that users don't spend countless hours over and over again on analyzing "open" CVEs if they were already closed upstream.
> > > > If you look at comments of entries using this category (7 in oe-core scarthgap) these CVEs are more or less irrelevant.
> > > >
> > > > So this patch is from my point of view a step in the wrong direction.
> > > > If you really need to show these due to your CVE handling process, you can easily override this variable assignment in your own layer.
> > >
> > > I tried this in my layer, created a .conf and included it in my distro.conf file.
> > > The issue is, it gets overwritten by cve-check-map.conf (as it is included later).
> >
> > If you create meta-<your-layer>/conf/cve-check-map.conf it will be included instead of the one from oe-core/poky.
>
> I tried this approach, it included both of the files, and my config was overwritten.
>
> # <path>/distro/openembedded-core/../my-layer/conf/distro/my-cve-check-map.conf
> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf
For that to work you need to use the same path. Above you have:

conf/distro/my-cve-check-map.conf

but it would have to match:

conf/cve-check-map.conf

Cheers,

Richard
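The path-matching point Richard makes can be checked outside a full build. The script below is an added illustration, not code from the thread or from oe-core: it builds a throwaway directory tree (a stand-in for oe-core's `meta/conf/cve-check-map.conf`, one layer that put its override at `conf/distro/my-cve-check-map.conf`, and one that put it at `conf/cve-check-map.conf`) and resolves a relative `include conf/cve-check-map.conf` the way BitBake does for relative paths, by walking the colon-separated BBPATH in order and taking the first existing file. The `CVE_CHECK_STATUSMAP[upstream-wontfix]` values are the ones discussed in the thread; the directory names, the `resolve_include`/`make_demo_tree` helpers and the BBPATH ordering (the layer listed before oe-core's `meta`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: shows why an override file only replaces oe-core's
# conf/cve-check-map.conf when it lives at the same relative path.
set -eu

# Resolve a relative include path against BBPATH: first existing hit wins.
# Runs in a subshell so the IFS change does not leak to the caller.
resolve_include() (
    IFS=:
    for dir in $1; do
        if [ -f "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            exit 0
        fi
    done
    exit 1
)

# Construct a throwaway tree (hypothetical layer names) and print its root.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/openembedded-core/meta/conf" \
             "$root/meta-wrong/conf/distro" \
             "$root/meta-right/conf"
    # oe-core's copy: the assignment the layer wants to replace
    printf 'CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"\n' \
        > "$root/openembedded-core/meta/conf/cve-check-map.conf"
    # wrong placement: a different relative path, never matched by the include
    printf 'CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"\n' \
        > "$root/meta-wrong/conf/distro/my-cve-check-map.conf"
    # right placement: same relative path as oe-core's file
    printf 'CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"\n' \
        > "$root/meta-right/conf/cve-check-map.conf"
    printf '%s\n' "$root"
}

# Stand-alone run: report which file each BBPATH resolves the include to.
root=$(make_demo_tree)
for layer in meta-wrong meta-right; do
    bbpath="$root/$layer:$root/openembedded-core/meta"
    hit=$(resolve_include "$bbpath" conf/cve-check-map.conf)
    printf '%-10s -> %s\n' "$layer" "${hit#"$root/"}"
done
rm -rf "$root"
```

With the layer placed first in BBPATH, `meta-wrong` still resolves to oe-core's file (so the "Ignored" mapping stays in effect), while `meta-right` resolves to the layer's own copy. In a real build the BBPATH order comes from how each layer's `layer.conf` extends it, so verifying which file actually won is worth doing with `bitbake -e` rather than assuming.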
