mirror of
https://git.yoctoproject.org/poky
synced 2026-02-15 05:03:03 +01:00
cc8ba2f80b
Currently flag cvesInRecord is set to false if all CVEs are ignored or patched. This is inconsistent as it shows false if a CVE was fixed via patch and true if this CVE was fixed by upgrade. In both cases the CVE is valid and was fixed. As I understand this flag, it should say if any CVE exists for particular component's product (regardless of how this CVE is handled) and can be used to validate if a product is correctly set. Note that skipping ignored CVEs may make sense in some cases, as ignored may mean that NVD DB is wrong, but in many cases it is ignored for other reasons. Further patch can be done to evaluate ignore subtype but that would be against my understanding of this flag as described above. (From OE-Core rev: c5d499693672ec9619392011b765941cf94aa319) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>