git: Ignore CVE-2022-24975

Everyone I've talked to doesn't see this as a major issue. The CVE asks for a documentation improvement on the --mirror option to git clone as deleted content could be leaked into a mirror. For OE's general users/use cases, we wouldn't build or ship docs so this wouldn't affect us. Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-04-12 11:21:13 +0100
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-04-12 16:39:27 +0100
commit: 5dfe2dd5482c9a446f8e722fe51903d205e6770d (patch)
tree: d530c7ba181fe254dbc892529453b6f659450a4d /meta/recipes-devtools
parent: 256d212fd1eb9b6d4b87c2c84b1ea2a3afdeb843 (diff)
download: openembedded-core-contrib-5dfe2dd5482c9a446f8e722fe51903d205e6770d.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/meta/recipes-devtools/git/git_2.35.1.bb b/meta/recipes-devtools/git/git_2.35.1.bb
index 47c2211864..e39142128b 100644
--- a/meta/recipes-devtools/git/git_2.35.1.bb
+++ b/meta/recipes-devtools/git/git_2.35.1.bb
@@ -18,6 +18,11 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=7c0d7ef03a7eb04ce795b0f60e68e7e1"
 
 CVE_PRODUCT = "git-scm:git"
 
+# This is about a manpage not mentioning --mirror may "leak" information
+# in mirrored git repos. Most OE users wouldn't build the docs and
+# we don't see this as a major issue for our general users/usecases.
+CVE_CHECK_IGNORE += "CVE-2022-24975"
+
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
author	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-04-12 11:21:13 +0100
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-04-12 16:39:27 +0100
commit	5dfe2dd5482c9a446f8e722fe51903d205e6770d (patch)
tree	d530c7ba181fe254dbc892529453b6f659450a4d /meta/recipes-devtools
parent	256d212fd1eb9b6d4b87c2c84b1ea2a3afdeb843 (diff)
download	openembedded-core-contrib-5dfe2dd5482c9a446f8e722fe51903d205e6770d.tar.gz