cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

- Try to add convert and apply statuses for old CVEs - Drop some obsolete ignores, while they are not relevant for current version (From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Reviewed-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2023-07-20 09:19:50 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-07-21 11:52:26 +0100
commit: c15e506a4674e558922c5a75512ca2b5c296cd44 (patch)
tree: a0cc1ebf9daca61304185ed901596e31f4029658
parent: 7e18a90d35a62cd6894385a9dab549a594d5f11e (diff)
download: poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz
41 files changed, 310 insertions, 421 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ae63e2c63..61fb08dbeb 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,44 +15,43 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \
+with no resolution evident. Broken links in CVE database references make resolution impractical."
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
-# CVE is more than 20 years old with no resolution evident
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
-# broken links in CVE database references make resolution impractical
+The issue here is spoofing of domain names using characters from other character sets. \
-CVE_CHECK_IGNORE += "CVE-2000-0006"
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
-# The issue here is spoofing of domain names using characters from other character sets.
+problem. There isn't any mitigation or fix or way to progress this further."
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
-# we can seem to take.
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
-CVE_CHECK_IGNORE += "CVE-2005-0238"
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
-CVE_CHECK_IGNORE += "CVE-2010-4756"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
+exposing this interface in an exploitable way"
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
 # db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 #
 # Kernel CVEs, e.g. linux-yocto*
@@ -65,50 +64,64 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020 \
+                      CVE_STATUS_KERNEL_2021 CVE_STATUS_KERNEL_2022"
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+                           CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
-# Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
-# qemu maintainers say the patch is incorrect and should not be applied
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
+qemu maintainers say the patch is incorrect and should not be applied \
-CVE_CHECK_IGNORE += "CVE-2021-20255"
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
-# still be reproduced or where exactly any bug is.
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
+still be reproduced or where exactly any bug is. \
-CVE_CHECK_IGNORE += "CVE-2019-12067"
+We'll pick up any fix when upstream accepts one."
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
+It is a fuzzing related buffer overflow. It is of low impact since most devices
-# done about the bug, ignore from an OE perspective.
+wouldn't expose an assembler. The upstream is inactive and there is little to be
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+done about the bug, ignore from an OE perspective."
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-# Applies only to RHEL
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
-CVE_CHECK_IGNORE += "CVE-2019-14865"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
 DEPENDS = "flex-native bison-native gettext-native"
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-# Issue only affects Debian/SUSE, not us
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
-CVE_CHECK_IGNORE += "CVE-2021-26720"
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
diff --git a/meta/recipes-connectivity/bind/bind_9.18.16.bb b/meta/recipes-connectivity/bind/bind_9.18.16.bb
index 1b1649566a..d9b62bb8b0 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.16.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.16.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
index 921f739fb8..f8405ed091 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
@@ -2,8 +2,8 @@ require bluez5.inc
 SRC_URI[sha256sum] = "fc505e6445cb579a55cacee6821fe70d633921522043d322b696de0a175ff933"
-# These issues have kernel fixes rather than bluez fixes so exclude here
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
           "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
-CVE_CHECK_IGNORE += "CVE-2007-2768"
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
-# CVE only applies to some distributed RHEL binaries
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
-CVE_CHECK_IGNORE += "CVE-2008-3844"
 PAM_SRC_URI = "file://sshd"
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index 432ab4032b..c2a7173c84 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -255,6 +255,5 @@ CVE_PRODUCT = "openssl:openssl"
 CVE_VERSION_SUFFIX = "alphabetical"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
 SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
+# 
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
-# "this is being treated as a non-security bug and no real threat."
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
-# This is integrated into the 2.37 branch as of 07b9521fc6
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
-CVE_CHECK_IGNORE += "CVE-2023-25139"
 DEPENDS += "gperf-native bison-native"
diff --git a/meta/recipes-core/libxml/libxml2_2.11.4.bb b/meta/recipes-core/libxml/libxml2_2.11.4.bb
index 713d0baf6c..cbf20504f8 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.4.bb
@@ -23,10 +23,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 BINCONFIG = "${bindir}/xml2-config"
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
 PACKAGECONFIG ??= "python \
    ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
 pkg_prerm:udev-hwdb () {
        rm -f $D${sysconfdir}/udev/hwdb.bin
 }
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
-# This is specific to the npm package that installs cmake, so isn't
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
 GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
 inherit autotools gettext texinfo ptest github-releases
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
    --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
-# Is a binutils 2.26 issue, not gcc
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
-CVE_CHECK_IGNORE += "CVE-2021-37322"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
 CVE_PRODUCT = "git-scm:git"
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
-# and there is little we can directly do
+are in the apps exposing them and there is little we can directly do."
-CVE_CHECK_IGNORE += "CVE-2007-2379"
 inherit allarch
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
 BBCLASSEXTEND = "native nativesdk"
-# This is a different Ninja
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
-CVE_CHECK_IGNORE += "CVE-2021-4336"
diff --git a/meta/recipes-devtools/python/python3_3.11.4.bb b/meta/recipes-devtools/python/python3_3.11.4.bb
index 7a277facf7..b3534ad678 100644
--- a/meta/recipes-devtools/python/python3_3.11.4.bb
+++ b/meta/recipes-devtools/python/python3_3.11.4.bb
@@ -47,17 +47,13 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 CVE_PRODUCT = "python"
-# Upstream consider this expected behaviour
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
-CVE_CHECK_IGNORE += "CVE-2007-4559"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
-CVE_CHECK_IGNORE += "CVE-2019-18348"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
-# Not an issue, in fact expected behaviour
+# CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour"
-CVE_CHECK_IGNORE += "CVE-2023-36632"
 PYTHON_MAJMIN = "3.11"
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 16581db69d..64bade86aa 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,21 +38,16 @@ SRC_URI[sha256sum] = "ecf4d32cbef9d397bfc8cc50e4d1e92a1b30253bf32e8ee73c7a8dcf9a
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
-# Applies against virglrender < 0.6.0 and not qemu itself
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
-CVE_CHECK_IGNORE += "CVE-2017-5957"
-# The VNC server can expose host files uder some circumstances. We don't
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
-CVE_CHECK_IGNORE += "CVE-2023-0664"
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
           "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
 inherit autotools-brokensep
 PACKAGECONFIG ??= "acl attr \
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 SRC_URI:class-native = "${BASE_SRC_URI}"
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index 45eb9de8e0..560038d2a6 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
-CVE_CHECK_IGNORE += "CVE-2010-4226"
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b1085..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
-CVE_CHECK_IGNORE += "CVE-2008-1033"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
-# Issue affects pdfdistiller plugin used with but not part of cups
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
-CVE_CHECK_IGNORE += "CVE-2009-0032"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
-# This is an Ubuntu only issue.
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
 LEAD_SONAME = "libcupsdriver.so"
@@ -114,7 +111,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
        sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
-# breaks the version order.
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
-CVE_CHECK_IGNORE += "CVE-2021-46828"
 inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
        d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
 PROCPS_PACKAGES = "${PN}-lib \
                   ${PN}-ps \
                   ${PN}-sysctl"
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
-CVE_CHECK_IGNORE += "CVE-2008-0888"
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
-CVE_CHECK_IGNORE += "CVE-2018-13410"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 # -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
index 5649ed7d17..edd7ad38fd 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
@@ -50,8 +50,7 @@ do_compile:prepend() {
    sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
-# Issue only on windows
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
        chown  builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
-# -4178 is an unrelated 'builder'
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
-CVE_CHECK_IGNORE = "CVE-2008-4178"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
-# timing on the behalf of the attacker. Many graphical applications exit if their
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
-# connection to the X server is lost, so a typical desktop session is either
+timing on the behalf of the attacker. Many graphical applications exit if their \
-# impossible or difficult to exploit. There is currently no upstream patch
+connection to the X server is lost, so a typical desktop session is either \
-# available for this flaw.
+impossible or difficult to exploit. There is currently no upstream patch \
-CVE_CHECK_IGNORE += "CVE-2020-25697"
+available for this flaw."
-# This is specific to XQuartz, which is the macOS X server port
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
-CVE_CHECK_IGNORE += "CVE-2022-3553"
 S = "${WORKDIR}/${XORG_PN}-${PV}"
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 6a0bd19447..2eb4836c35 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,26 +1,24 @@
-# This is specific to Ubuntu
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: Issue only affects Ubuntu"
-CVE_CHECK_IGNORE += "CVE-2018-6559"
 # https://www.linuxkernelcves.com/cves/CVE-2019-3016
 # Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
 # https://www.linuxkernelcves.com/cves/CVE-2019-3819
 # Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
 # https://www.linuxkernelcves.com/cves/CVE-2019-3887
 # Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
-# This is specific to aufs, which is not in linux-yocto
+CVE_STATUS[CVE-2020-11935] = "not-applicable-config: Issue only affects aufs, which is not in linux-yocto"
-CVE_CHECK_IGNORE += "CVE-2020-11935"
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
 # Patched in kernel since v5.10        e8d5f92b8d30bb4ade76494490c3c065e12411b1
 # Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "cpe-stable-backport: Backported in version v5.4.73"
 # 2021
@@ -28,19 +26,19 @@ CVE_CHECK_IGNORE += "CVE-2020-27784"
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "cpe-stable-backport: Backported in versions v5.4.224 and v6.1.11"
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
 # 2022
@@ -48,7 +46,7 @@ CVE_CHECK_IGNORE += "CVE-2021-4218"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -56,7 +54,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "cpe-stable-backport: Backported in versions v5.4.198, v5.10.121 and v5.15.46"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -64,7 +62,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "cpe-stable-backport: Backported in versions v5.4.208, v5.10.134 and v5.15.58"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -74,19 +72,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.1233, v5.10.170, v5.15.46 and v6.1.14"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "cpe-stable-backport: Backported in versions v5.15.72 and v5.19.14"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
@@ -95,19 +93,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "cpe-stable-backport: Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "cpe-stable-backport: Backported in version v5.19.4"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "cpe-stable-backport: Backported in version v5.15.65"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -116,7 +114,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v 6.1.2"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -127,18 +125,18 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "cpe-stable-backport: Backported in versions v5.4.226, v5.10.158 and v5.15.82"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Fixed in version v6.1"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "cpe-stable-backport: Backported in version v5.15.35"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -146,30 +144,30 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "cpe-stable-backport: Backported in versions v5.10.154 and v5.15.78"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Fixed in version v6.1"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Fixed in version v6.1"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "cpe-stable-backport: Backported in version v5.15.78"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
@@ -178,7 +176,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "cpe-stable-backport: Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -187,12 +185,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "cpe-stable-backport: Backported in versions v5.4.228, v5.10.159, v5.15.78 and v 5.19.17"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -201,7 +199,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -210,13 +208,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "cpe-stable-backport: Backported in version v5.19.4"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -225,7 +223,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -234,12 +232,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "cpe-stable-backport: Backported in version v5.19"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -250,7 +248,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "cpe-stable-backport: Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -259,7 +257,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "cpe-stable-backport: Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -268,7 +266,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "cpe-stable-backport: Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -277,7 +275,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -285,7 +283,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -293,7 +291,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -301,7 +299,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -309,15 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "cpe-stable-backport: Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -325,7 +323,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "cpe-stable-backport: Backported in versions v5.4.226, v5.10.154 and v5.15.78"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-38457
 # https://nvd.nist.gov/vuln/detail/CVE-2022-40133
@@ -337,10 +335,11 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
 # Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2022-48425"
+CVE_STATUS[CVE-2022-48425] = "cpe-stable-backport: Backported in version v6.1.33"
 # 2023
@@ -349,14 +348,14 @@ CVE_CHECK_IGNORE += "CVE-2022-48425"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -365,14 +364,14 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
 # Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -381,7 +380,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0386"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
@@ -389,20 +388,20 @@ CVE_CHECK_IGNORE += "CVE-2023-0461"
 # Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
 # Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
 # Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
 # Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
 # Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 andv6.1.9"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
@@ -411,19 +410,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1075"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
 # Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
 # Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
 # Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
 # Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -432,7 +431,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -442,7 +441,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -450,7 +449,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -458,7 +457,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -466,7 +465,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -477,178 +476,130 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
+# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
+# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
+# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
+# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
+# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.05, v6.1.20 and v6.2.7"
-# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
 # https://www.linuxkernelcves.com/cves/CVE-2023-0615
 # Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "fixed-version: Fixed in version v6.1 onwards"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1380
+# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed in 6.1.27
+# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-28328] = "fixed-version: Fixed in version v6.1.2"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1855
+# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.21
+# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-2162] = "fixed-version: Fixed in version v6.1.11"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1859
+# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.25
+# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-0459] = "fixed-version: Fixed in version v6.1.14"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1989
+# https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.22
+# https://www.linuxkernelcves.com/cves/CVE-2023-2985
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+# Fixed in 6.1.16
+CVE_STATUS[CVE-2023-1998] = "fixed-version: Fixed in version v6.1.16"
+CVE_STATUS[CVE-2023-2985] = "fixed-version: Fixed in version v6.1.16"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1855
 # https://www.linuxkernelcves.com/cves/CVE-2023-1990
+# https://www.linuxkernelcves.com/cves/CVE-2023-2235
+# https://www.linuxkernelcves.com/cves/CVE-2023-30456
 # Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6121"
+CVE_STATUS_KERNEL_6121 = "CVE-2023-1855 CVE-2023-1990 CVE-2023-2235 CVE-2023-30456"
+CVE_STATUS_KERNEL_6121[status] =  "fixed-version: Fixed in version v6.1.21"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1999
+# https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.16
+# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+# https://www.linuxkernelcves.com/cves/CVE-2023-28866
+# https://www.linuxkernelcves.com/cves/CVE-2023-30772
+# https://www.linuxkernelcves.com/cves/CVE-2023-33203
+# https://www.linuxkernelcves.com/cves/CVE-2023-33288
+# Fixed with 6.1.22
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6122"
+CVE_STATUS_KERNEL_6122 = "CVE-2023-2194 CVE-2023-1989 CVE-2023-28866 CVE-2023-30772 CVE-2023-33203 CVE-2023-33288"
+CVE_STATUS_KERNEL_6122[status] =  "fixed-version: Fixed in version v6.1.22"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2002
+# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.27
+# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-1611] = "fixed-version: Fixed in version v6.1.23"
-# Backported to 6.1.33
+# https://www.linuxkernelcves.com/cves/CVE-2023-1859
-CVE_CHECK_IGNORE += "CVE-2023-2124"
+# Fixed in 6.1.25
+CVE_STATUS[CVE-2023-1859] = "fixed-version: Fixed in version v6.1.25"
 # https://www.linuxkernelcves.com/cves/CVE-2023-2156
+# https://www.linuxkernelcves.com/cves/CVE-2023-31436
 # Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "fixed-version: Fixed in version v6.1.26"
+CVE_STATUS[CVE-2023-31436] = "fixed-version: Fixed in version v6.1.26"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2235
+# https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed with 6.1.21
+# https://www.linuxkernelcves.com/cves/CVE-2023-2002
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+# Fixed in 6.1.27
+CVE_STATUS[CVE-2023-1380] = "fixed-version: Fixed in version v6.1.27"
+CVE_STATUS[CVE-2023-2002] = "fixed-version: Fixed in version v6.1.27"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2985
+# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed in 6.1.16
+# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-32233] = "fixed-version: Fixed in version v6.1.28"
-# Backported to 6.1.30
+# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-CVE_CHECK_IGNORE += "CVE-2023-3090"
+# Fixed in 6.1.29
+CVE_STATUS[CVE-2023-34256] = "fixed-version: Fixed in version v6.1.29"
-# Backported to 6.1.35
-CVE_CHECK_IGNORE += "CVE-2023-3117"
-# Backported to 6.1.30 as 9a342d4
+# Backported to 6.1.9
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3358] = "cpe-stable-backport: Backported in version v6.1.9"
 # Backported to 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-3161"
+CVE_STATUS[CVE-2023-3359] = "cpe-stable-backport: Backported in version v6.1.11"
+CVE_STATUS[CVE-2023-3161] = "cpe-stable-backport: Backported in version v6.1.11"
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-3212"
-# Only in 6.2.0 to 6.2.14, and 6.3.0 to 6.3.1
-CVE_CHECK_IGNORE += "CVE-2023-3312"
 # Backported to 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-3220"
+CVE_STATUS[CVE-2023-3220] = "cpe-stable-backport: Backported in version v6.1.16"
 # Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-3268"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6128"
+CVE_STATUS_KERNEL_6128 = "CVE-2023-3268 CVE-2023-35823 CVE-2023-35824 CVE-2023-35826 CVE-2023-35828 CVE-2023-35829"
+CVE_STATUS_KERNEL_6122[status] = "cpe-stable-backport: Backported in version v6.1.28"
-# Backported to 6.1.9
+# Backported to 6.1.30
-CVE_CHECK_IGNORE += "CVE-2023-3358"
+# Backported to 6.1.30 as 9a342d4
+CVE_STATUS[CVE-2023-3090] = "cpe-stable-backport: Backported in version v6.1.30"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in version v6.1.30 as 9a342d4"
-# Backported to 6.1.11
+# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-3359"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6133"
+CVE_STATUS_KERNEL_6133 = "CVE-2023-2124 CVE-2023-3212 CVE-2023-35788"
+CVE_STATUS_KERNEL_6133[status] = "cpe-stable-backport: Backported in version v6.1.33"
+# Backported to 6.1.35
+CVE_STATUS[CVE-2023-3117] = "cpe-stable-backport: Backported in version v6.1.35"
+CVE_STATUS[CVE-2023-3390] = "cpe-stable-backport: Backported in version v6.1.35"
 # Backported to 6.1.36
-CVE_CHECK_IGNORE += "CVE-2023-3389"
+CVE_STATUS[CVE-2023-3389] = "cpe-stable-backport: Backported in version v6.1.36"
+# Only in 6.2.0 to 6.2.14, and 6.3.0 to 6.3.1
+CVE_STATUS[CVE-2023-3312] = "not-applicable-config: Only in versions v6.2.0 to v6.2.4 and v6.3.0 to v6.3.1"
-# Backported to 6.1.35
-CVE_CHECK_IGNORE += "CVE-2023-3390"
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
 # Patched in kernel since v6.2 4a625ceee8a0ab0273534cb6b432ce6b331db5ee
 # But, the CVE is disputed:
-# > NOTE: this is disputed by third parties because there are no realistic cases
+CVE_STATUS[CVE-2023-23005] = "disputed: There are no realistic cases \
-# > in which a user can cause the alloc_memory_type error case to be reached.
+in which a user can cause the alloc_memory_type error case to be reached. \
-# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
+See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2"
-# We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
-# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
-# Only in 6.3-rc
-CVE_CHECK_IGNORE += "CVE-2023-28464"
-# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
-# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
-# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
-# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
-# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
-# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
-# https://www.linuxkernelcves.com/cves/CVE-2023-28866
+CVE_STATUS[CVE-2023-28464] = "not-applicable-config: Only in 6.3-rc"
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
-# https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
-# https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
-# https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
-# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
-# https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
-# https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
-# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35823"
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35824"
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35826"
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35828"
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35829"
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-35788"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.40.bb b/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
index 0ef4b82d1c..293bf2858d 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 BBCLASSEXTEND = "native nativesdk"
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
-CVE_CHECK_IGNORE += "CVE-2019-17371"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 5af3f84265..6171a538e5 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -15,9 +15,7 @@ SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167d
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
 inherit autotools multilib_header
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
           "
 SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
 BINCONFIG = "${bindir}/libgcrypt-config"
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
-# We have libxml2 2.9.14 and we don't link statically with it anyway
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
 S = "${WORKDIR}/libxslt-${PV}"
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
 inherit ptest
-# Fixed in r118, which is larger than the current version.
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
-CVE_CHECK_IGNORE += "CVE-2014-4715"
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
index f60aca63d2..8783f620f4 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
@@ -6,9 +6,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
author	Andrej Valek <andrej.valek@siemens.com>	2023-07-20 09:19:50 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-07-21 11:52:26 +0100
commit	c15e506a4674e558922c5a75512ca2b5c296cd44 (patch)
tree	a0cc1ebf9daca61304185ed901596e31f4029658
parent	7e18a90d35a62cd6894385a9dab549a594d5f11e (diff)
download	poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz