cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

- Try to add convert and apply statuses for old CVEs - Drop some obsolete ignores, while they are not relevant for current version (From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7) Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Reviewed-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Andrej Valek <andrej.valek@siemens.com> 2023-07-20 09:19:50 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-07-21 11:52:26 +0100
commit: c15e506a4674e558922c5a75512ca2b5c296cd44 (patch)
tree: a0cc1ebf9daca61304185ed901596e31f4029658 /meta/conf/distro
parent: 7e18a90d35a62cd6894385a9dab549a594d5f11e (diff)
download: poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz
1 files changed, 81 insertions, 68 deletions
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ae63e2c63..61fb08dbeb 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,44 +15,43 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \
+with no resolution evident. Broken links in CVE database references make resolution impractical."
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
-# CVE is more than 20 years old with no resolution evident
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
-# broken links in CVE database references make resolution impractical
+The issue here is spoofing of domain names using characters from other character sets. \
-CVE_CHECK_IGNORE += "CVE-2000-0006"
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
-# The issue here is spoofing of domain names using characters from other character sets.
+problem. There isn't any mitigation or fix or way to progress this further."
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
-# we can seem to take.
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
-CVE_CHECK_IGNORE += "CVE-2005-0238"
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
-CVE_CHECK_IGNORE += "CVE-2010-4756"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
+exposing this interface in an exploitable way"
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
 # db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 #
 # Kernel CVEs, e.g. linux-yocto*
@@ -65,50 +64,64 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020 \
+                      CVE_STATUS_KERNEL_2021 CVE_STATUS_KERNEL_2022"
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+                           CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
-# Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
-# qemu maintainers say the patch is incorrect and should not be applied
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
+qemu maintainers say the patch is incorrect and should not be applied \
-CVE_CHECK_IGNORE += "CVE-2021-20255"
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
-# still be reproduced or where exactly any bug is.
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
+still be reproduced or where exactly any bug is. \
-CVE_CHECK_IGNORE += "CVE-2019-12067"
+We'll pick up any fix when upstream accepts one."
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
+It is a fuzzing related buffer overflow. It is of low impact since most devices
-# done about the bug, ignore from an OE perspective.
+wouldn't expose an assembler. The upstream is inactive and there is little to be
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+done about the bug, ignore from an OE perspective."
author	Andrej Valek <andrej.valek@siemens.com>	2023-07-20 09:19:50 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-07-21 11:52:26 +0100
commit	c15e506a4674e558922c5a75512ca2b5c296cd44 (patch)
tree	a0cc1ebf9daca61304185ed901596e31f4029658 /meta/conf/distro
parent	7e18a90d35a62cd6894385a9dab549a594d5f11e (diff)
download	poky-c15e506a4674e558922c5a75512ca2b5c296cd44.tar.gz

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index 0ae63e2c63..61fb08dbeb 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,44 +15,43 @@
15	# the aim of sharing that work and ensuring we don't duplicate it.	15	# the aim of sharing that work and ensuring we don't duplicate it.
16	#	16	#
17		17
		18	# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
		19	CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \
		20	with no resolution evident. Broken links in CVE database references make resolution impractical."
18		21
19	# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006	22	# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
20	# CVE is more than 20 years old with no resolution evident	23	CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
21	# broken links in CVE database references make resolution impractical	24	The issue here is spoofing of domain names using characters from other character sets. \
22	CVE_CHECK_IGNORE += "CVE-2000-0006"	25	There has been much discussion amongst the epiphany and webkit developers and \
23		26	whilst there are improvements about how domains are handled and displayed to the user \
24	# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238	27	there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
25	# The issue here is spoofing of domain names using characters from other character sets.	28	problem. There isn't any mitigation or fix or way to progress this further."
26	# There has been much discussion amongst the epiphany and webkit developers and	29
27	# whilst there are improvements about how domains are handled and displayed to the user	30	# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
28	# there is unlikely ever to be a single fix to webkit or epiphany which addresses this	31	CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
29	# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further	32	Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
30	# we can seem to take.	33	Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
31	CVE_CHECK_IGNORE += "CVE-2005-0238"	34	Upstream don't see it as a security issue, ftp servers shouldn't be passing \
32		35	this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
33	# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756	36
34	# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server	37	# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
35	# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681	38	# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
36	# Upstream don't see it as a security issue, ftp servers shouldn't be passing	39	CVE_STATUS_GROUPS += "CVE_STATUS_GO"
37	# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar	40	CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
38	CVE_CHECK_IGNORE += "CVE-2010-4756"	41	CVE_STATUS_GO[status] = "not-applicable-config: \
39		42	The encoding/xml package in go can potentially be used for security exploits if not used correctly \
40	# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509	43	CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
41	# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511	44	exposing this interface in an exploitable way"
42	# The encoding/xml package in go can potentially be used for security exploits if not used correctly
43	# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
44	# exposing this interface in an exploitable way
45	CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
46		45
47	# db	46	# db
48	# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with	47	CVE_STATUS_GROUPS += "CVE_STATUS_DB"
49	# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.	48	CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
50	CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
51	CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \	49	CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
52	CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \	50	CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
53	CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \	51	CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
54	CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"	52	CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
55		53	CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
		54	replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
56		55
57	#	56	#
58	# Kernel CVEs, e.g. linux-yocto*	57	# Kernel CVEs, e.g. linux-yocto*
@@ -65,50 +64,64 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
65	# issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd	64	# issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
66	# welcome than and then entries can likely be removed from here.	65	# welcome than and then entries can likely be removed from here.
67	#	66	#
		67
		68	CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020 \
		69	CVE_STATUS_KERNEL_2021 CVE_STATUS_KERNEL_2022"
		70
68	# 1999-2010	71	# 1999-2010
69	CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \	72	CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
70	CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"	73	CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
		74	CVE_STATUS_KERNEL_2010[status] = "ignored"
		75
71	# 2011-2017	76	# 2011-2017
72	CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \	77	CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
73	CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"	78	CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
		79	CVE_STATUS_KERNEL_2017[status] = "ignored"
		80
74	# 2018	81	# 2018
75	CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \	82	CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
76	CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"	83	CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
		84	CVE_STATUS_KERNEL_2018[status] = "ignored"
		85
77	# 2020	86	# 2020
78	CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"	87	CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
		88	CVE_STATUS_KERNEL_2020[status] = "ignored"
		89
79	# 2021	90	# 2021
80	CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \	91	CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
81	CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"	92	CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
		93	CVE_STATUS_KERNEL_2021[status] = "ignored"
		94
82	# 2022	95	# 2022
83	CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \	96	CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
84	CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \	97	CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
85	CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \	98	CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
86	CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \	99	CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
87	CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \	100	CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
88	CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \	101	CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
89	CVE-2022-29582 CVE-2022-29968"	102	CVE-2022-29582 CVE-2022-29968"
		103	CVE_STATUS_KERNEL_2022[status] = "ignored"
90		104
91		105
92	# Wrong CPE in NVD database
93	# https://nvd.nist.gov/vuln/detail/CVE-2022-3563	106	# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
94	# https://nvd.nist.gov/vuln/detail/CVE-2022-3637	107	# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
95	# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git	108	CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
96	CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"	109	CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
97		110
98	# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255	111	# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
99	# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html	112	CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
100	# qemu maintainers say the patch is incorrect and should not be applied	113	There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
101	# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable	114	qemu maintainers say the patch is incorrect and should not be applied \
102	CVE_CHECK_IGNORE += "CVE-2021-20255"	115	The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
103		116
104	# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067	117	# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
105	# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can	118	CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
106	# still be reproduced or where exactly any bug is.	119	There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
107	# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.	120	still be reproduced or where exactly any bug is. \
108	CVE_CHECK_IGNORE += "CVE-2019-12067"	121	We'll pick up any fix when upstream accepts one."
109		122
110	# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974	123	# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
111	# It is a fuzzing related buffer overflow. It is of low impact since most devices	124	CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
112	# wouldn't expose an assembler. The upstream is inactive and there is little to be	125	It is a fuzzing related buffer overflow. It is of low impact since most devices
113	# done about the bug, ignore from an OE perspective.	126	wouldn't expose an assembler. The upstream is inactive and there is little to be
114	CVE_CHECK_IGNORE += "CVE-2020-18974"	127	done about the bug, ignore from an OE perspective."