On Wed, Feb 26, 2025 at 8:07 AM Colin McAllister via lists.openembedded.org <colinmca242=gmail....@lists.openembedded.org> wrote:
>
> Adds tag for downstream users of Poky to accept risk for CVEs.
>
> Signed-off-by: Colin Pinnell McAllister <colinmca...@gmail.com>
> ---
> Upcoming cybersecurity regulations allow for CVEs to be accepted on a
> risk basis. This tag will allow consumers of Poky to mark CVEs as

s/Poky/end users/

> ignored with this tag, which will help when feeding cve-check output
> into compliance documentation.
>
> This is not intended to be used upstream and the comment tries to
> indicate that. If I need to be more explicit in my comment, I'm happy to
> send up a v2 patch.
>
> meta/conf/cve-check-map.conf | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
> index ac956379d1..ef3aabe641 100644
> --- a/meta/conf/cve-check-map.conf
> +++ b/meta/conf/cve-check-map.conf
> @@ -32,6 +32,8 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
> # use when upstream acknowledged the vulnerability but does not plan to fix
> it
> CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
> +# for poky consumers to use when adding justification for why they don't
> plan to fix it

Maybe better as something like:

"for end users to use when adding justification for why they do not plan to fix a vulnerability (e.g. in local.conf or similar)"

> +CVE_CHECK_STATUSMAP[accept-risk] = "Ignored"
>
> # use when it is impossible to conclude if the vulnerability is present or
> not
> CVE_CHECK_STATUSMAP[unknown] = "Unknown"
> --
> 2.34.1
>
>
>
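Review bot: the comment added on the `+# for poky consumers ...` line does not carry the "not intended to be used upstream" restriction that the cover text relies on, so someone reading cve-check-map.conf on its own cannot tell that `accept-risk` is reserved for end-user configuration rather than for recipes in the layer. Suggest putting that restriction in the comment itself, for example "# for end users (e.g. in local.conf) to use when adding a justification for why they do not plan to fix a vulnerability; not for use in upstream recipes". Because the new status maps to "Ignored", the justification attached to the status is the only trace of the risk decision left in the cve-check output that the cover text says will feed compliance documentation, so the comment could also state that a justification is expected with this status.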
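How an end user would consume the proposed status from their own configuration, as an added illustration that is not part of the patch or of the project's own files: the CVE identifier, the justification text and the local.conf placement are placeholders chosen for the example, and the `CVE_STATUS` syntax is the existing cve-check "status: justification" form rather than anything the patch introduces.

```bitbake
# conf/local.conf (end-user build configuration, not an upstream recipe)
#
# Placeholder CVE id and justification: replace with the real identifier
# and the real risk-acceptance rationale recorded for your product.
# The status before the colon must be one of the keys in
# meta/conf/cve-check-map.conf; "accept-risk" is the key the patch adds
# and maps to "Ignored", so cve-check drops the CVE from the unpatched
# list and only the justification text after the colon documents why.
CVE_STATUS[CVE-YYYY-NNNNN] = "accept-risk: risk accepted per product security review PLACEHOLDER-ID; affected code path is not reachable in this configuration"

# A status that is not listed in cve-check-map.conf is not silently
# ignored, which is why the patch has to add "accept-risk" to the map
# rather than leaving each user to invent their own status name.
```

Keeping the rationale in the justification string, rather than in a separate document, means the compliance record travels with the cve-check output the cover text mentions; the trade-off is that everything after the colon is free text, so the reviewer of that output still has to judge whether the stated reason is adequate.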