2b4c64dbef
When CPE is not provided and character ":" is in cve status description, current code takes only last part of split function. This works only if there is no ":" in description, otherwise it drops the other split parts. Do a new split of the original string to take the whole description unchanged. This fixes following entries from world build of poky+meta-oe+meta-python: tiff-4.6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2015-7313 CVE_STATUS: fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue description: //security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue corrected: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue gnupg-2.5.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2022-3219 CVE_STATUS: upstream-wontfix: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993 description: //dev.gnupg.org/T5993 corrected: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993 libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35325 CVE_STATUS: upstream-wontfix: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303 description: //github.com/yaml/libyaml/issues/303 corrected: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303 libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35326 CVE_STATUS: upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302 description: //github.com/yaml/libyaml/issues/302 corrected: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302 libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35328 CVE_STATUS: upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302 description: //github.com/yaml/libyaml/issues/302 corrected: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302 cpio-2.15-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-7216 CVE_STATUS: disputed: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html description: //lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html corrected: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html openssh-9.9p1-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-51767 CVE_STATUS: upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1. description: //bugzilla.mindrot.org/show_bug.cgi?id=3656#c1. corrected: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1. cups-2.4.10-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2021-25317 CVE_STATUS: not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply. description: root, so this doesn't apply. corrected: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply. unzip-1_6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2008-0888 CVE_STATUS: fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source description: //bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source corrected: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source syslog-ng-4.7.0-r0 do_cve_check: CVE_STATUS with 6 parts for CVE-2022-38725 CVE_STATUS: cpe-incorrect: cve-check wrongly matches cpe:2.3🅰️oneidentity:syslog-ng:*:*:*:*:premium:*:*:* < 7.0.32 description: syslog-ng:*:*:*:*:premium:*:*:* < 7.0.32 corrected: cve-check wrongly matches cpe:2.3🅰️oneidentity:syslog-ng:*:*:*:*:premium:*:*:* < 7.0.32 (From OE-Core rev: 5cd34a34879ad424f3b1637b48892d6fa037861d) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit cc33dd9176726cb4b2d2f142ed1bc655da8e0a9f) Signed-off-by: Steve Sakoman <steve@sakoman.com>
Poky
Poky is an integration of various components to form a pre-packaged build system and development environment which is used as a development and validation tool by the Yocto Project. It features support for building customised embedded style device images and custom containers. There are reference demo images ranging from X11/GTK+ to Weston, commandline and more. The system supports cross-architecture application development using QEMU emulation and a standalone toolchain and SDK suitable for IDE integration.
Additional information on the specifics of hardware that Poky supports is available in README.hardware. Further hardware support can easily be added in the form of BSP layers which extend the systems capabilities in a modular way. Many layers are available and can be found through the layer index.
As an integration layer Poky consists of several upstream projects such as BitBake, OpenEmbedded-Core, Yocto documentation, the 'meta-yocto' layer which has configuration and hardware support components. These components are all part of the Yocto Project and OpenEmbedded ecosystems.
The Yocto Project has extensive documentation about the system including a reference manual which can be found at https://docs.yoctoproject.org/
OpenEmbedded is the build architecture used by Poky and the Yocto project. For information about OpenEmbedded, see the OpenEmbedded website.
Contribution Guidelines
Please refer to our contributor guide here: https://docs.yoctoproject.org/dev/contributor-guide/ for full details on how to submit changes.
Where to Send Patches
As Poky is an integration repository (built using a tool called combo-layer), patches against the various components should be sent to their respective upstreams:
OpenEmbedded-Core (files in meta/, meta-selftest/, meta-skeleton/, scripts/):
- Git repository: https://git.openembedded.org/openembedded-core/
- Mailing list: openembedded-core@lists.openembedded.org
BitBake (files in bitbake/):
- Git repository: https://git.openembedded.org/bitbake/
- Mailing list: bitbake-devel@lists.openembedded.org
Documentation (files in documentation/):
- Git repository: https://git.yoctoproject.org/cgit/cgit.cgi/yocto-docs/
- Mailing list: docs@lists.yoctoproject.org
meta-yocto (files in meta-poky/, meta-yocto-bsp/):
- Git repository: https://git.yoctoproject.org/cgit/cgit.cgi/meta-yocto
- Mailing list: poky@lists.yoctoproject.org
If in doubt, check the openembedded-core git repository for the content you intend to modify as most files are from there unless clearly one of the above categories. Before sending, be sure the patches apply cleanly to the current git repository branch in question.