author | Andrej Valek <andrej.valek@siemens.com> | 2023-07-26 11:50:09 +0200 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2023-07-27 08:54:40 -0700 |
commit | 8af2f17a6fa8bf282c4c27054adbea1bf0873069 (patch) | |
tree | 22b6484379a0f3d3e2b89f958dda0fd45f2a1880 /meta-oe | |
parent | 4c201ede939610946847ccd4221320ed776224aa (diff) | |
download | meta-openembedded-contrib-8af2f17a6fa8bf282c4c27054adbea1bf0873069.tar.gz |
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are no longer relevant for the current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-oe')
21 files changed, 29 insertions, 66 deletions
diff --git a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb index 550fbc30d3..0ce58b13c4 100644 --- a/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb +++ b/meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb @@ -50,11 +50,8 @@ SRC_URI:append:toolchain-clang = "\ S = "${WORKDIR}/git" -CVE_CHECK_IGNORE += "\ - CVE-2014-8180 \ - CVE-2017-18381 \ - CVE-2017-2665 \ -" +CVE_STATUS[CVE-2014-8180] = "not-applicable-config: Not affecting our configuration so it can be safely ignored." +CVE_STATUS[CVE-2017-2665] = "not-applicable-config: Not affecting our configuration so it can be safely ignored." COMPATIBLE_HOST ?= '(x86_64|i.86|powerpc64|arm|aarch64).*-linux' diff --git a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb index 50096cfdbc..fec05571d1 100644 --- a/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb +++ b/meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb @@ -9,9 +9,7 @@ DEPENDS = "zlib libsigc++-2.0 openssl cppunit" SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https" SRCREV = "e60f222241319aaae482789517ad00ae9344bd13" -CVE_CHECK_IGNORE += "\ - CVE-2009-1760 \ -" +CVE_STATUS[CVE-2009-1760] = "backported-patch: patched in our product" PV = "0.13.8+git${SRCPV}" diff --git a/meta-oe/recipes-core/emlog/emlog_git.bb b/meta-oe/recipes-core/emlog/emlog_git.bb index 05fa0c334c..03c895f667 100644 --- a/meta-oe/recipes-core/emlog/emlog_git.bb +++ b/meta-oe/recipes-core/emlog/emlog_git.bb 
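Review bot: In the libtorrent hunk the new status `backported-patch: patched in our product` claims a backported patch, but the SRC_URI shown in the hunk context fetches the bare git checkout and no patch file is visible; if CVE-2009-1760 is fixed in the pinned SRCREV rather than by a recipe patch, `fixed-version` (or `cpe-stable-backport`, if the NVD range is the problem) describes it more accurately. Whichever tag is chosen, the free text should name the upstream fix so the next reviewer can verify it, e.g. `CVE_STATUS[CVE-2009-1760] = "fixed-version: fixed upstream in <commit or release — TODO fill in>"`. This is inferred from the hunk only; the rest of the recipe is not visible here.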
@@ -25,11 +25,9 @@ do_install() { RRECOMMENDS:${PN} += "kernel-module-emlog" -# The NVD database doesn't have a CPE for this product, -# the name of this product is exactly the same as github.com/emlog/emlog -# but it's not related in any way. The following CVEs are from that project -# so they can be safely ignored -CVE_CHECK_IGNORE += "\ +CVE_STATUS_GROUPS += "CVE_STATUS_EMLOG" +CVE_STATUS_EMLOG[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored." +CVE_STATUS_EMLOG = " \ CVE-2019-16868 \ CVE-2019-17073 \ CVE-2021-44584 \ diff --git a/meta-oe/recipes-dbs/postgresql/postgresql_15.3.bb b/meta-oe/recipes-dbs/postgresql/postgresql_15.3.bb index c4d4124f9a..e1d49895f0 100644 --- a/meta-oe/recipes-dbs/postgresql/postgresql_15.3.bb +++ b/meta-oe/recipes-dbs/postgresql/postgresql_15.3.bb @@ -13,6 +13,4 @@ SRC_URI += "\ SRC_URI[sha256sum] = "ffc7d4891f00ffbf5c3f4eab7fbbced8460b8c0ee63c5a5167133b9e6599d932" -CVE_CHECK_IGNORE += "\ - CVE-2017-8806 \ -" +CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Ddoesn't apply to out configuration of postgresql so we can safely ignore it." diff --git a/meta-oe/recipes-devtools/flatbuffers/flatbuffers.bb b/meta-oe/recipes-devtools/flatbuffers/flatbuffers.bb index 6573916362..183554e2c8 100644 --- a/meta-oe/recipes-devtools/flatbuffers/flatbuffers.bb +++ b/meta-oe/recipes-devtools/flatbuffers/flatbuffers.bb @@ -15,8 +15,6 @@ RDEPENDS:${PN}-dev += "${PN}-compiler" S = "${WORKDIR}/git" -CVE_CHECK_IGNORE += "CVE-2020-35864" - EXTRA_OECMAKE += " \ -DFLATBUFFERS_BUILD_TESTS=OFF \ -DFLATBUFFERS_BUILD_SHAREDLIB=ON \ diff --git a/meta-oe/recipes-devtools/php/php_8.2.8.bb b/meta-oe/recipes-devtools/php/php_8.2.8.bb index 08d041d77a..407b1a7bcb 100644 --- a/meta-oe/recipes-devtools/php/php_8.2.8.bb +++ b/meta-oe/recipes-devtools/php/php_8.2.8.bb 
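Review bot: `CVE_STATUS_EMLOG[status]` is tagged `fixed-version` although its own justification says the CVEs belong to an unrelated project that merely shares the name; `fixed-version` is classed as "Patched" by cve-check, so these CVEs would be reported as patched rather than ignored, which misrepresents the situation. The `cpe-incorrect` status exists for a CPE that points at the wrong product, so `CVE_STATUS_EMLOG[status] = "cpe-incorrect: The name of this product is exactly the same as github.com/emlog/emlog but the projects are unrelated; the listed CVEs belong to that project."` reads correctly and keeps the CVEs in the ignored class. The removed comment also recorded that NVD has no CPE for this product at all; that fact is dropped by the rewrite and is worth keeping in the status text. The group's CVE list continues past the end of the hunk.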
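Review bot: The postgresql status text has two typos that will end up in generated CVE reports: "Ddoesn't apply to out configuration" should read `CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Doesn't apply to our configuration of postgresql so it can be safely ignored."`. Since `not-applicable-config` is meant to record a configuration-dependent exclusion, the text would be more useful if it named the option or feature that makes CVE-2017-8806 inapplicable instead of the generic "our configuration"; the removed ignore carried no comment, so that reason is not visible on this page.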
@@ -36,7 +36,9 @@ SRC_URI:append:class-target = " \ S = "${WORKDIR}/php-${PV}" SRC_URI[sha256sum] = "995ed4009c7917c962d31837a1a3658f36d4af4f357b673c97ffdbe6403f8517" -CVE_CHECK_IGNORE += "\ +CVE_STATUS_GROUPS += "CVE_STATUS_PHP" +CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored." +CVE_STATUS_PHP = " \ CVE-2007-2728 \ CVE-2007-3205 \ CVE-2007-4596 \ diff --git a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb index ea76d4870b..dcb59f4ea0 100644 --- a/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb +++ b/meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb @@ -22,9 +22,7 @@ SRC_URI[sha256sum] = "53e15a2b5c1bc80161d42e9f69792a3fa18332b7b771910131004eb520 S = "${WORKDIR}/imap-${PV}" -CVE_CHECK_IGNORE += "\ - CVE-2005-0198 \ -" +CVE_STATUS[CVE-2005-0198] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG[pam] = ",,libpam" diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_2.3.0.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_2.3.0.bb index 1a74dc88f1..f636990f89 100644 --- a/meta-oe/recipes-extended/libimobiledevice/libplist_2.3.0.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libplist_2.3.0.bb @@ -14,7 +14,9 @@ SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=mast S = "${WORKDIR}/git" PR = "r1" -CVE_CHECK_IGNORE += "\ +CVE_STATUS_GROUPS += "CVE_STATUS_LIBLIST" +CVE_STATUS_LIBLIST[status] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS_LIBLIST = " \ CVE-2017-5834 \ CVE-2017-5835 \ CVE-2017-5836 \ diff --git a/meta-oe/recipes-extended/libimobiledevice/libplist_git.bb b/meta-oe/recipes-extended/libimobiledevice/libplist_git.bb index db092600bc..3a10b40f1f 100644 
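Review bot: The php group justification is copied from the emlog recipe: `CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."` refers to a project that has nothing to do with php, so every CVE in `CVE_STATUS_PHP` is now annotated with a false reason. The removed `CVE_CHECK_IGNORE` block had no comment, so the real reason is not visible in the hunk; the status text needs to be rewritten with the actual rationale for these 2007-era CVEs (for example a `fixed-version:` note stating that they are fixed long before 8.2.8, if that is the case) rather than merged as-is. The CVE list of the group continues past the end of the hunk.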
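Review bot: In the uw-imap hunk the tag and the text of `CVE_STATUS[CVE-2005-0198] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."` disagree: `fixed-version` asserts that the recipe's version already contains the fix (and is counted as "Patched"), while the sentence says the NVD CPE range is wrong, which is what the `cpe-incorrect` status (counted as "Ignored") is for. The same combined string is used verbatim for libplist_2.3.0, libplist_git, sanlock, sblim-sfcb, jasper, atop, emacs and pidgin, so please decide per CVE which of the two is true and phrase it accordingly — e.g. `fixed-version: fixed in <release — TODO fill in>, which is older than ${PV}` when the version is genuinely past the fix, or `cpe-incorrect: the NVD CPE range includes versions that are not affected` when the NVD data is the problem. Using one tag with the other tag's explanation makes the resulting reports untrustworthy for either purpose.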
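Review bot: The group variable introduced for libplist_2.3.0 is named `CVE_STATUS_LIBLIST`, which misspells the recipe name (libplist); the same name is used in libplist_git on the next line. It works, but a reader searching for the recipe's CVE statuses will not find it; suggest `CVE_STATUS_GROUPS += "CVE_STATUS_LIBPLIST"`, `CVE_STATUS_LIBPLIST[status] = "..."` and `CVE_STATUS_LIBPLIST = " \` in both recipes. The group's CVE list continues past the end of the hunk.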
--- a/meta-oe/recipes-extended/libimobiledevice/libplist_git.bb +++ b/meta-oe/recipes-extended/libimobiledevice/libplist_git.bb @@ -15,7 +15,9 @@ SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=mast S = "${WORKDIR}/git" -CVE_CHECK_IGNORE += "\ +CVE_STATUS_GROUPS += "CVE_STATUS_LIBLIST" +CVE_STATUS_LIBLIST[status] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_STATUS_LIBLIST = " \ CVE-2017-5834 \ CVE-2017-5835 \ CVE-2017-5836 \ diff --git a/meta-oe/recipes-extended/libzip/libzip_1.10.0.bb b/meta-oe/recipes-extended/libzip/libzip_1.10.0.bb index e8aa7fdc07..b500f26e25 100644 --- a/meta-oe/recipes-extended/libzip/libzip_1.10.0.bb +++ b/meta-oe/recipes-extended/libzip/libzip_1.10.0.bb @@ -23,7 +23,4 @@ SRC_URI = "https://libzip.org/download/libzip-${PV}.tar.xz" SRC_URI[sha256sum] = "cd2a7ac9f1fb5bfa6218272d9929955dc7237515bba6e14b5ad0e1d1e2212b43" -# Patch for CVE-2017-12858 is applied in version 1.2.0. -CVE_CHECK_IGNORE += "CVE-2017-12858" - BBCLASSEXTEND += "native" diff --git a/meta-oe/recipes-extended/sanlock/sanlock_3.8.5.bb b/meta-oe/recipes-extended/sanlock/sanlock_3.8.5.bb index c2a17d06b9..962d19574c 100644 --- a/meta-oe/recipes-extended/sanlock/sanlock_3.8.5.bb +++ b/meta-oe/recipes-extended/sanlock/sanlock_3.8.5.bb @@ -21,9 +21,7 @@ SRCREV = "b820c63093c4ae85d7da4f719cf3026d7fca5d09" S = "${WORKDIR}/git" -CVE_CHECK_IGNORE += "\ - CVE-2012-5638 \ -" +CVE_STATUS[CVE-2012-5638] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." DEPENDS = "libaio util-linux" diff --git a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb index a52f3641dd..2a7cf2285e 100644 --- a/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb +++ b/meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb 
@@ -34,9 +34,7 @@ SRC_URI = "http://downloads.sourceforge.net/sblim/${BP}.tar.bz2 \ SRC_URI[md5sum] = "28021cdabc73690a94f4f9d57254ce30" SRC_URI[sha256sum] = "634a67b2f7ac3b386a79160eb44413d618e33e4e7fc74ae68b0240484af149dd" -CVE_CHECK_IGNORE += "\ - CVE-2012-3381 \ -" +CVE_STATUS[CVE-2012-3381] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." inherit autotools inherit systemd diff --git a/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb b/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb index 7ab15c9718..ccc114007c 100644 --- a/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb +++ b/meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb @@ -29,10 +29,6 @@ SRC_URI:append:class-nativesdk = "\ " SRC_URI[sha256sum] = "d593695fdaa8a19297523b679ad13d3ef2027b0b7f14cc2bc23e77969ed81565" -CVE_CHECK_IGNORE += "\ - CVE-2014-9157 \ -" - PACKAGECONFIG ??= "librsvg" PACKAGECONFIG[librsvg] = "--with-librsvg,--without-librsvg,librsvg" diff --git a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb index 27dff82df5..85da5bfb4d 100644 --- a/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb +++ b/meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb @@ -6,9 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb" SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master" SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973" -CVE_CHECK_IGNORE += "\ - CVE-2015-8751 \ -" +CVE_STATUS[CVE-2015-8751] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." S = "${WORKDIR}/git" diff --git a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb index 50c501574b..814e6cd0dd 100644 --- a/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb +++ b/meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb 
@@ -81,5 +81,4 @@ do_configure:prepend() { BBCLASSEXTEND = "native nativesdk" -#CVE-2019-14906 is a RHEL specific vulnerability. -CVE_CHECK_IGNORE += "CVE-2019-14906" +CVE_STATUS[CVE-2019-14906] = "not-applicable-platform: Applies on RHEL only" diff --git a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb index 3277fb1099..11b53e7b61 100644 --- a/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb +++ b/meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb @@ -95,6 +95,3 @@ FILES:${PN}-dbg += "${libdir}/sasl2/.debug" FILES:${PN}-staticdev += "${libdir}/sasl2/*.a" INSANE_SKIP:${PN} += "dev-so" - -# CVE-2020-8032 affects only openSUSE -CVE_CHECK_IGNORE += "CVE-2020-8032" diff --git a/meta-oe/recipes-support/atop/atop_2.4.0.bb b/meta-oe/recipes-support/atop/atop_2.4.0.bb index b1d2abde73..bb1f53624a 100644 --- a/meta-oe/recipes-support/atop/atop_2.4.0.bb +++ b/meta-oe/recipes-support/atop/atop_2.4.0.bb @@ -24,9 +24,7 @@ SRC_URI = "http://www.atoptool.nl/download/${BP}.tar.gz \ SRC_URI[md5sum] = "1077da884ed94f2bc3c81ac3ab970436" SRC_URI[sha256sum] = "be1c010a77086b7d98376fce96514afcd73c3f20a8d1fe01520899ff69a73d69" -CVE_CHECK_IGNORE += "\ - CVE-2011-3618 \ -" +CVE_STATUS[CVE-2011-3618] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." do_compile() { oe_runmake all diff --git a/meta-oe/recipes-support/emacs/emacs_28.2.bb b/meta-oe/recipes-support/emacs/emacs_28.2.bb index df210ef5e9..137c29beea 100644 --- a/meta-oe/recipes-support/emacs/emacs_28.2.bb +++ b/meta-oe/recipes-support/emacs/emacs_28.2.bb 
@@ -11,9 +11,7 @@ SRC_URI:append:class-target = " file://usemake-docfile-native.patch" SRC_URI[sha256sum] = "ee21182233ef3232dc97b486af2d86e14042dbb65bbc535df562c3a858232488" -CVE_CHECK_IGNORE = "\ - CVE-2007-6109 \ -" +CVE_CHECK_STATUS[CVE-2007-6109] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." PACKAGECONFIG[gnutls] = "--with-gnutls=yes,--with-gnutls=no,gnutls" PACKAGECONFIG[kerberos] = "--with-kerberos=yes,--with-kerberos=no,krb5" diff --git a/meta-oe/recipes-support/nss/nss_3.74.bb b/meta-oe/recipes-support/nss/nss_3.74.bb index 38407a7c42..ea5abe07fb 100644 --- a/meta-oe/recipes-support/nss/nss_3.74.bb +++ b/meta-oe/recipes-support/nss/nss_3.74.bb @@ -283,12 +283,8 @@ BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT += "network_security_services" -# CVE-2006-5201 affects only Sun Solaris -CVE_CHECK_IGNORE += "CVE-2006-5201" +CVE_STATUS_GROUPS += "CVE_STATUS_NSS" +CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db" +CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" -# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect -# the legacy db (libnssdbm), only compiled with --enable-legacy-db. -CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698" - -# vulnerability was introduced in 3.77 and fixed in 3.87 -CVE_CHECK_IGNORE += "CVE-2022-3479" +CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87" diff --git a/meta-oe/recipes-support/openldap/openldap_2.5.13.bb b/meta-oe/recipes-support/openldap/openldap_2.5.13.bb index b117677f9b..7dc926c61c 100644 --- a/meta-oe/recipes-support/openldap/openldap_2.5.13.bb +++ b/meta-oe/recipes-support/openldap/openldap_2.5.13.bb 
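Review bot: The emacs hunk writes `CVE_CHECK_STATUS[CVE-2007-6109]`, but the variable read by cve-check is `CVE_STATUS`; a flag on `CVE_CHECK_STATUS` is never consulted, so with the old `CVE_CHECK_IGNORE` removed in the same hunk CVE-2007-6109 will silently reappear in the reports. The fix is `CVE_STATUS[CVE-2007-6109] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."`. The pidgin hunk on the following line has the same typo for CVE-2010-1624 and CVE-2011-3594 and needs the same rename.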
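Review bot: In the nss hunk `CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"` uses a configuration-related tag for a reason that is purely about the version range: the recipe is nss_3.74 per the file header, i.e. below the version the text says introduced the bug, so no build option is involved. If the NVD range wrongly includes 3.74 the fitting status is `cpe-incorrect`; the text as written already gives the range, so `CVE_STATUS[CVE-2022-3479] = "cpe-incorrect: vulnerability was introduced in 3.77 and fixed in 3.87; 3.74 is not affected"` keeps the explanation and makes the tag match it. Minor: `CVE_STATUS_NSS[status]` should read "This only affects the legacy db" since the text goes into generated reports.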
@@ -233,6 +233,3 @@ python populate_packages:prepend () { } BBCLASSEXTEND = "native" - -# CVE-2015-3276 has no target code. -CVE_CHECK_IGNORE += "CVE-2015-3276" diff --git a/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb b/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb index 3d8a45786d..3a0cc02299 100644 --- a/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb +++ b/meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb @@ -15,10 +15,8 @@ SRC_URI = "\ SRC_URI[sha256sum] = "19654ad276b149646371fbdac21bc7620742f2975f7399fed0ffc1a18fbaf603" -CVE_CHECK_IGNORE += "\ - CVE-2010-1624 \ - CVE-2011-3594 \ -" +CVE_CHECK_STATUS[CVE-2010-1624] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_CHECK_STATUS[CVE-2011-3594] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." PACKAGECONFIG ??= "gnutls consoleui avahi dbus idn nss \ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtk startup-notification', '', d)} \ |