The minio umbrella covers multiple projects. The recipe itself builds "minio client", which is a set of basic tools to query data from "minio server" - like ls, mv, find...
The CVEs were filed against minio server. Looking at the go mod list, this recipe doesn't use minio server even as a build dependency - so ignore the CVEs. Signed-off-by: Gyorgy Sarvari <[email protected]> --- meta-oe/recipes-extended/minio/minio_git.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-oe/recipes-extended/minio/minio_git.bb b/meta-oe/recipes-extended/minio/minio_git.bb index f278a728fd..511dd4d869 100644 --- a/meta-oe/recipes-extended/minio/minio_git.bb +++ b/meta-oe/recipes-extended/minio/minio_git.bb @@ -164,3 +164,9 @@ do_install() { install -d ${D}/${sbindir} install ${S}/src/${GO_IMPORT}/mc ${D}/${sbindir}/mc } + +CVE_STATUS_GROUPS += "CVE_STATUS_WRONG_CPE" +CVE_STATUS_WRONG_CPE[status] = "cpe-incorrect: The vulnerability is in minio server, not in minio client-tools" +CVE_STATUS_WRONG_CPE = "CVE-2018-1000538 CVE-2020-11012 CVE-2021-21287 CVE-2021-21362 \ + CVE-2021-21390 CVE-2021-43858 CVE-2022-35919 CVE-2023-28433 \ + CVE-2023-28434 CVE-2024-36107"
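Review bot: The CVE_STATUS_WRONG_CPE assignment at the end of the hunk is a fixed list of ten IDs, so any CVE filed against minio server after this change will be reported against the recipe again until someone extends the list by hand. If the client tools have a CPE product name of their own, setting CVE_PRODUCT in the recipe would stop the mismatch at the source instead of per CVE; if they do not, a short comment above CVE_STATUS_GROUPS recording how the exclusion was verified (the go mod list check mentioned in the commit message) would let the next maintainer repeat it before adding new IDs. The check is also only valid for the currently pinned source revision, so it is worth noting in that comment that it should be redone on recipe upgrades in case minio server ever becomes a dependency of mc.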
