diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2023-06-23 13:14:56 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-19 23:25:01 +0100 |
commit | be9883a92bad0fe4c1e9c7302c93dea4ac680f8c (patch) | |
tree | 6d9d35acbb91f98016956168b4ea90f9b9ce0764 /meta/conf/cve-check-map.conf | |
parent | ebb8b39463cef3c3d0f90f054c433b2f5256cb1a (diff) | |
download | poky-be9883a92bad0fe4c1e9c7302c93dea4ac680f8c.tar.gz |
cve-check: add option to add additional patched CVEs
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
(From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/conf/cve-check-map.conf')
-rw-r--r-- | meta/conf/cve-check-map.conf | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf new file mode 100644 index 0000000000..17b0f15571 --- /dev/null +++ b/meta/conf/cve-check-map.conf | |||
@@ -0,0 +1,28 @@ | |||
1 | # Possible options for CVE statuses | ||
2 | |||
3 | # used by this class internally when fix is detected (NVD DB version check or CVE patch file) | ||
4 | CVE_CHECK_STATUSMAP[patched] = "Patched" | ||
5 | # use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch) | ||
6 | CVE_CHECK_STATUSMAP[backported-patch] = "Patched" | ||
7 | # use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports | ||
8 | CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" | ||
9 | # use when NVD DB does not mention correct version or does not mention any verion at all | ||
10 | CVE_CHECK_STATUSMAP[fixed-version] = "Patched" | ||
11 | |||
12 | # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored | ||
13 | CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" | ||
14 | # use when CVE is confirmed by upstream but fix is still not available | ||
15 | CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" | ||
16 | |||
17 | # used for migration from old concept, do not use for new vulnerabilities | ||
18 | CVE_CHECK_STATUSMAP[ignored] = "Ignored" | ||
19 | # use when NVD DB wrongly indicates vulnerability which is actually for a different component | ||
20 | CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" | ||
21 | # use when upstream does not accept the report as a vulnerability (e.g. works as designed) | ||
22 | CVE_CHECK_STATUSMAP[disputed] = "Ignored" | ||
23 | # use when vulnerability depends on build or runtime configuration which is not used | ||
24 | CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" | ||
25 | # use when vulnerability affects other platform (e.g. Windows or Debian) | ||
26 | CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" | ||
27 | # use when upstream acknowledged the vulnerability but does not plan to fix it | ||
28 | CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" | ||