author | Andrej Valek <andrej.valek@siemens.com> | 2023-07-20 09:19:50 +0200 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-21 11:47:45 +0100 |
commit | 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7 (patch) | |
tree | bc385bd5f0997ff793f29f280af7e16be79a3f78 /meta/recipes-extended | |
parent | 176c814f8a103a338da3955e69745f81bc9b70a1 (diff) | |
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Convert the existing CVE_CHECK_IGNORE entries to CVE_STATUS and apply
  statuses for the old CVEs
- Drop some obsolete ignores, as they are no longer relevant for the current
  version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Diffstat (limited to 'meta/recipes-extended')
-rw-r--r-- | meta/recipes-extended/cpio/cpio_2.14.bb | 3 | ||||
-rw-r--r-- | meta/recipes-extended/cups/cups.inc | 17 | ||||
-rw-r--r-- | meta/recipes-extended/iputils/iputils_20221126.bb | 5 | ||||
-rw-r--r-- | meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb | 3 | ||||
-rw-r--r-- | meta/recipes-extended/procps/procps_4.0.3.bb | 4 | ||||
-rw-r--r-- | meta/recipes-extended/shadow/shadow_4.13.bb | 7 | ||||
-rw-r--r-- | meta/recipes-extended/unzip/unzip_6.0.bb | 3 | ||||
-rw-r--r-- | meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb | 2 | ||||
-rw-r--r-- | meta/recipes-extended/zip/zip_3.0.bb | 7 |
9 files changed, 15 insertions, 36 deletions
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index 45eb9de8e0..560038d2a6 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b1085..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
 LEAD_SONAME = "libcupsdriver.so"
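Review bot: The new `CVE_STATUS[CVE-2021-25317]` line in the cups hunk justifies the status with "our /var/log/cups is root:root", but the ownership it relies on is set elsewhere in cups.inc (presumably in the install step), not in this hunk, so nothing ties the two together if that ownership is ever changed to match upstream's lp user. Consider making the dependency explicit in the description so the next person touching the directory ownership sees it, e.g. `CVE_STATUS[CVE-2021-25317] = "not-applicable-config: Concerns /var/log/cups having lp ownership; our /var/log/cups is installed root:root (keep in sync with the ownership set in this recipe)."`. The remaining descriptions in this hunk are also inconsistent about trailing periods (`This is an Ubuntu only issue` vs `so this doesn't apply.`); one style would be easier to grep in cve-check output.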
@@ -114,7 +111,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
 inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
 d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
 PROCPS_PACKAGES = "${PN}-lib \
 ${PN}-ps \
 ${PN}-sysctl"
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
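Review bot: The procps hunk deletes the CVE-2018-1121 entry outright instead of converting it, so the recorded rationale (`'ps' isn't suitable for use as a security tool` and the Red Hat bugzilla reference) leaves the recipe while nothing in the hunk shows a fix landing in 4.0.3. If the upstream position is still won't-fix, `CVE_STATUS[CVE-2018-1121] = "upstream-wontfix: 'ps' isn't suitable for use as a security tool, see https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3"` keeps that rationale in the cve-check output should the NVD version range ever be widened to cover this release. If the entry was dropped because the advisory's affected range no longer matches 4.0.3, stating that in the commit message would make the deletion reviewable rather than relying on "obsolete".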
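Review bot: In the shadow hunk the `# https://bugzilla.redhat.com/show_bug.cgi?id=884658` line appears to be kept as context while the `# Severity is low ...` line above it is removed, which leaves a bare URL comment that no longer says which CVE it documents. Fold the reference into the status text, which is the part that travels with the CVE in tooling output, e.g. `CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix, see https://bugzilla.redhat.com/show_bug.cgi?id=884658"`, and remove the orphaned comment line.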
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
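Review bot: The new status text for CVE-2013-4342 in the xinetd hunk says only `Fixed directly in git tree revision`, while the pull-request reference that actually substantiates it stays behind in a plain comment the tooling never sees. Since the CVE_STATUS description is presumably what cve-check carries into its report, put the evidence there: `CVE_STATUS[CVE-2013-4342] = "fixed-version: https://github.com/xinetd-org/xinetd/pull/10 is merged into SRCREV"` and drop the now-duplicate comment. The other recipes in this series (unzip, libtirpc) already inline their references in the description, so this would also make the hunk consistent with them.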
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT. It will also force -O3 optimization, overriding