cve-check: add option to add additional patched CVEs

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible. The CVE_STATUS should contain an information about status wich is decoded in 3 items: - generic status: "Ignored", "Patched" or "Unpatched" - more detailed status enum - description: free text describing reason for status Examples of usage: CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows" CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" CVE_CHECK_STATUSMAP[fixed-version] = "Patched" (From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2023-06-23 13:14:56 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-07-19 23:25:01 +0100
commit: be9883a92bad0fe4c1e9c7302c93dea4ac680f8c (patch)
tree: 6d9d35acbb91f98016956168b4ea90f9b9ce0764 /meta/conf/cve-check-map.conf
parent: ebb8b39463cef3c3d0f90f054c433b2f5256cb1a (diff)
download: poky-be9883a92bad0fe4c1e9c7302c93dea4ac680f8c.tar.gz
1 files changed, 28 insertions, 0 deletions
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
new file mode 100644
index 0000000000..17b0f15571
--- /dev/null
+++ b/meta/conf/cve-check-map.conf
@@ -0,0 +1,28 @@
+# Possible options for CVE statuses
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
author	Andrej Valek <andrej.valek@siemens.com>	2023-06-23 13:14:56 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-07-19 23:25:01 +0100
commit	be9883a92bad0fe4c1e9c7302c93dea4ac680f8c (patch)
tree	6d9d35acbb91f98016956168b4ea90f9b9ce0764 /meta/conf/cve-check-map.conf
parent	ebb8b39463cef3c3d0f90f054c433b2f5256cb1a (diff)
download	poky-be9883a92bad0fe4c1e9c7302c93dea4ac680f8c.tar.gz

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf new file mode 100644 index 0000000000..17b0f15571 --- /dev/null +++ b/meta/conf/cve-check-map.conf
@@ -0,0 +1,28 @@
	1	# Possible options for CVE statuses
	2
	3	# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
	4	CVE_CHECK_STATUSMAP[patched] = "Patched"
	5	# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
	6	CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
	7	# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
	8	CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
	9	# use when NVD DB does not mention correct version or does not mention any verion at all
	10	CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
	11
	12	# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
	13	CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
	14	# use when CVE is confirmed by upstream but fix is still not available
	15	CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
	16
	17	# used for migration from old concept, do not use for new vulnerabilities
	18	CVE_CHECK_STATUSMAP[ignored] = "Ignored"
	19	# use when NVD DB wrongly indicates vulnerability which is actually for a different component
	20	CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
	21	# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
	22	CVE_CHECK_STATUSMAP[disputed] = "Ignored"
	23	# use when vulnerability depends on build or runtime configuration which is not used
	24	CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
	25	# use when vulnerability affects other platform (e.g. Windows or Debian)
	26	CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
	27	# use when upstream acknowledged the vulnerability but does not plan to fix it
	28	CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"