poky/meta/conf/cve-check-map.conf
Joshua Watt 860aedadc9 spdx30: Allow VEX Justification to be configurable
Instead of hard coding the VEX justifications for "Ignored" CVE status,
add a map that configures what justification should be used for each
status.

This allows other justifications to be easily added, and also ensures
that status fields added externally (by downstream) can set an
appropriate justification if necessary.

(From OE-Core rev: c0fa3d92cefa74fa57c6c48c94acc64aa454e781)

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-07-03 10:40:17 +01:00


# Possible options for CVE statuses
# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
CVE_CHECK_STATUSMAP[patched] = "Patched"
# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
# use when NVD DB does not mention correct version or does not mention any version at all
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
# use when a fix file has been included (set automatically)
CVE_CHECK_STATUSMAP[fix-file-included] = "Patched"
# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically)
CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched"
# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
# use when CVE is confirmed by upstream but fix is still not available
CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically)
CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched"
# used for migration from old concept, do not use for new vulnerabilities
CVE_CHECK_STATUSMAP[ignored] = "Ignored"
# use when NVD DB wrongly indicates vulnerability which is actually for a different component
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
CVE_CHECK_STATUSMAP[disputed] = "Ignored"
# use when vulnerability depends on build or runtime configuration which is not used
CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
# use when vulnerability affects other platform (e.g. Windows or Debian)
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
# use when upstream acknowledged the vulnerability but does not plan to fix it
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
# use when it is impossible to conclude if the vulnerability is present or not
CVE_CHECK_STATUSMAP[unknown] = "Unknown"
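The two maps above are consumed together: a recipe's `CVE_STATUS[CVE-...] = "status: detail"` entry is looked up in `CVE_CHECK_STATUSMAP` to get its Patched/Unpatched/Ignored/Unknown group, and (after this commit) in `CVE_CHECK_VEX_JUSTIFICATION` to get the justification emitted in the SPDX 3.0 VEX data. Note that only two of the "Ignored" statuses carry a justification in the file as shown; the rest are ignored without one, which is exactly what the map now lets a downstream layer change. The following is an added example, not code from OE-Core's `cve-check.bbclass` or the `spdx30` class: it parses the `VAR[flag] = "value"` lines of the map, resolves a few constructed `CVE_STATUS` entries against it, and reports which ignored CVEs would ship without a VEX justification. The `mitigated-by-sandbox` status and its `inlineMitigationsAlreadyExist` justification are a hypothetical downstream addition used to show the extension point; the `status: detail` split follows the `CVE_STATUS` convention.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt in the style of cve-check-map.conf (not the full file).
# The last two assignments are a hypothetical downstream-layer addition.
MAP_CONF = '''
CVE_CHECK_STATUSMAP[patched] = "Patched"
CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
CVE_CHECK_STATUSMAP[disputed] = "Ignored"
CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
CVE_CHECK_STATUSMAP[unknown] = "Unknown"
# hypothetical downstream addition
CVE_CHECK_STATUSMAP[mitigated-by-sandbox] = "Ignored"
CVE_CHECK_VEX_JUSTIFICATION[mitigated-by-sandbox] = "inlineMitigationsAlreadyExist"
'''

# Constructed CVE_STATUS entries as a recipe would set them ("status: detail").
SAMPLE_CVE_STATUS = {
    "CVE-2024-0001": "not-applicable-config: TLS 1.0 support is compiled out",
    "CVE-2024-0002": "disputed: upstream considers this working as designed",
    "CVE-2024-0003": "mitigated-by-sandbox: service runs under seccomp",
    "CVE-2024-0004": "unknown",
}

# Matches one BitBake varflag assignment: VAR[flag] = "value"
FLAG_RE = re.compile(r'^([A-Za-z0-9_]+)\[([^\]]+)\]\s*=\s*"([^"]*)"$')


def parse_flag_assignments(text: str) -> Dict[str, Dict[str, str]]:
    """Return {VAR: {flag: value}}; blank lines and '#' comments are skipped."""
    out: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FLAG_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        var, flag, value = m.groups()
        out.setdefault(var, {})[flag] = value
    return out


@dataclass
class Resolved:
    cve: str
    status: str
    group: str                  # Patched / Unpatched / Ignored / Unknown
    justification: Optional[str]  # SPDX VEX justification, if mapped
    detail: str


def resolve_cve_status(cve: str, value: str, statusmap: Dict[str, str],
                       justmap: Dict[str, str]) -> Resolved:
    """Split 'status: detail', map the status, attach a justification if any."""
    status, _, detail = value.partition(":")
    status, detail = status.strip(), detail.strip()
    if status not in statusmap:
        # A typo in a recipe must fail loudly rather than silently drop the CVE
        raise KeyError(f"{cve}: status {status!r} is not in CVE_CHECK_STATUSMAP")
    return Resolved(cve, status, statusmap[status], justmap.get(status), detail)


def resolve_all(conf_text: str, cve_status: Dict[str, str]) -> List[Resolved]:
    maps = parse_flag_assignments(conf_text)
    statusmap = maps.get("CVE_CHECK_STATUSMAP", {})
    justmap = maps.get("CVE_CHECK_VEX_JUSTIFICATION", {})
    return [resolve_cve_status(c, v, statusmap, justmap) for c, v in cve_status.items()]


def ignored_without_justification(resolved: List[Resolved]) -> List[str]:
    """CVEs that will be marked Ignored but carry no VEX justification."""
    return [r.cve for r in resolved if r.group == "Ignored" and r.justification is None]


if __name__ == "__main__":
    results = resolve_all(MAP_CONF, SAMPLE_CVE_STATUS)
    for r in results:
        print(f"{r.cve}: {r.group:9} justification={r.justification} ({r.detail})")
    print("ignored without justification:", ignored_without_justification(results))
```

Running it shows CVE-2024-0002 as the one entry that is Ignored with no justification: `disputed` has no `CVE_CHECK_VEX_JUSTIFICATION` mapping in the file, so a downstream layer that wants VEX consumers to see a reason for it would add that mapping in its own configuration rather than patching the class.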