mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-02-14 20:53:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
2fdabc368a52a9bf60f76f33e92b94de843688a8
poky/meta/conf/cve-check-map.conf
Andrej Valek be9883a92b cve-check: add option to add additional patched CVEs 
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

(From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5)

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-07-19 23:25:01 +01:00

29 lines
1.7 KiB
Plaintext
Raw Blame History

# Possible options for CVE statuses
# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
CVE_CHECK_STATUSMAP[patched] = "Patched"
# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
# use when NVD DB does not mention correct version or does not mention any verion at all
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
# use when CVE is confirmed by upstream but fix is still not available
CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
# used for migration from old concept, do not use for new vulnerabilities
CVE_CHECK_STATUSMAP[ignored] = "Ignored"
# use when NVD DB wrongly indicates vulnerability which is actually for a different component
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
CVE_CHECK_STATUSMAP[disputed] = "Ignored"
# use when vulnerability depends on build or runtime configuration which is not used
CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
# use when vulnerability affects other platform (e.g. Windows or Debian)
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
# use when upstream acknowledged the vulnerability but does not plan to fix it
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
Reference in New Issue View Git Blame Copy Permalink