-rw-r--r--meta/classes/archiver.bbclass2
-rw-r--r--meta/classes/buildhistory.bbclass4
-rw-r--r--meta/classes/cve-check.bbclass10
-rw-r--r--meta/classes/insane.bbclass4
-rw-r--r--meta/classes/populate_sdk_ext.bbclass12
-rw-r--r--meta/classes/sstate.bbclass26
-rw-r--r--meta/classes/staging.bbclass4
-rw-r--r--meta/conf/distro/include/cve-extra-exclusions.inc12
-rw-r--r--meta/lib/oeqa/selftest/cases/eSDK.py4
-rw-r--r--meta/recipes-bsp/grub/grub2.inc2
-rw-r--r--meta/recipes-connectivity/avahi/avahi_0.8.bb2
-rw-r--r--meta/recipes-connectivity/bind/bind_9.16.25.bb2
-rw-r--r--meta/recipes-connectivity/bluez5/bluez5_5.63.bb2
-rw-r--r--meta/recipes-connectivity/openssh/openssh_8.8p1.bb6
-rw-r--r--meta/recipes-connectivity/openssl/openssl_3.0.1.bb2
-rw-r--r--meta/recipes-core/coreutils/coreutils_9.0.bb2
-rw-r--r--meta/recipes-core/glibc/glibc_2.35.bb6
-rw-r--r--meta/recipes-core/meta/target-sdk-provides-dummy.bb2
-rw-r--r--meta/recipes-devtools/cmake/cmake.inc2
-rw-r--r--meta/recipes-devtools/flex/flex_2.6.4.bb2
-rw-r--r--meta/recipes-devtools/gcc/gcc-11.2.inc2
-rw-r--r--meta/recipes-devtools/gcc/gcc-target.inc2
-rw-r--r--meta/recipes-devtools/gdb/gdb-cross-canadian.inc2
-rw-r--r--meta/recipes-devtools/go/go-1.17.7.inc2
-rw-r--r--meta/recipes-devtools/jquery/jquery_3.6.0.bb2
-rw-r--r--meta/recipes-devtools/libtool/libtool_2.4.6.bb2
-rw-r--r--meta/recipes-devtools/python/python3_3.10.2.bb6
-rw-r--r--meta/recipes-devtools/qemu/qemu.inc6
-rw-r--r--meta/recipes-devtools/rsync/rsync_3.2.3.bb2
-rw-r--r--meta/recipes-devtools/tcltk/tcl_8.6.11.bb2
-rw-r--r--meta/recipes-extended/cpio/cpio_2.13.bb2
-rw-r--r--meta/recipes-extended/cups/cups.inc8
-rw-r--r--meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb2
-rw-r--r--meta/recipes-extended/iputils/iputils_20211215.bb2
-rw-r--r--meta/recipes-extended/logrotate/logrotate_3.19.0.bb2
-rw-r--r--meta/recipes-extended/procps/procps_3.3.17.bb2
-rw-r--r--meta/recipes-extended/shadow/shadow_4.11.1.bb2
-rw-r--r--meta/recipes-extended/unzip/unzip_6.0.bb2
-rw-r--r--meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb2
-rw-r--r--meta/recipes-extended/zip/zip_3.0.bb4
-rw-r--r--meta/recipes-gnome/libnotify/libnotify_0.7.9.bb2
-rw-r--r--meta/recipes-gnome/librsvg/librsvg_2.52.5.bb2
-rw-r--r--meta/recipes-graphics/builder/builder_0.1.bb2
-rw-r--r--meta/recipes-graphics/xorg-font/font-util_1.3.2.bb2
-rw-r--r--meta/recipes-graphics/xorg-lib/xorg-lib-common.inc2
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg.inc4
-rw-r--r--meta/recipes-multimedia/libpng/libpng_1.6.37.bb2
-rw-r--r--meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb2
-rw-r--r--meta/recipes-multimedia/libtiff/tiff_4.3.0.bb2
-rw-r--r--meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb2
-rw-r--r--meta/recipes-support/lz4/lz4_1.9.3.bb2
-rw-r--r--meta/recipes-support/sqlite/sqlite3_3.37.2.bb6
52 files changed, 97 insertions, 97 deletions
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass
index e830900574..c19c770d11 100644
--- a/meta/classes/archiver.bbclass
+++ b/meta/classes/archiver.bbclass
@@ -63,7 +63,7 @@ ARCHIVER_WORKDIR = "${WORKDIR}/archiver-work/"
63# When producing a combined mirror directory, allow duplicates for the case 63# When producing a combined mirror directory, allow duplicates for the case
64# where multiple recipes use the same SRC_URI. 64# where multiple recipes use the same SRC_URI.
65ARCHIVER_COMBINED_MIRRORDIR = "${ARCHIVER_TOPDIR}/mirror" 65ARCHIVER_COMBINED_MIRRORDIR = "${ARCHIVER_TOPDIR}/mirror"
66SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}/mirror" 66SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}/mirror"
67 67
68do_dumpdata[dirs] = "${ARCHIVER_OUTDIR}" 68do_dumpdata[dirs] = "${ARCHIVER_OUTDIR}"
69do_ar_recipe[dirs] = "${ARCHIVER_OUTDIR}" 69do_ar_recipe[dirs] = "${ARCHIVER_OUTDIR}"
diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass
index 05f66d10b9..49797a6701 100644
--- a/meta/classes/buildhistory.bbclass
+++ b/meta/classes/buildhistory.bbclass
@@ -792,8 +792,8 @@ def buildhistory_get_sdkvars(d):
792 sdkvars = "DISTRO DISTRO_VERSION SDK_NAME SDK_VERSION SDKMACHINE SDKIMAGE_FEATURES TOOLCHAIN_HOST_TASK TOOLCHAIN_TARGET_TASK BAD_RECOMMENDATIONS NO_RECOMMENDATIONS PACKAGE_EXCLUDE" 792 sdkvars = "DISTRO DISTRO_VERSION SDK_NAME SDK_VERSION SDKMACHINE SDKIMAGE_FEATURES TOOLCHAIN_HOST_TASK TOOLCHAIN_TARGET_TASK BAD_RECOMMENDATIONS NO_RECOMMENDATIONS PACKAGE_EXCLUDE"
793 if d.getVar('BB_CURRENTTASK') == 'populate_sdk_ext': 793 if d.getVar('BB_CURRENTTASK') == 'populate_sdk_ext':
794 # Extensible SDK uses some additional variables 794 # Extensible SDK uses some additional variables
795 sdkvars += " SDK_LOCAL_CONF_WHITELIST SDK_LOCAL_CONF_BLACKLIST SDK_INHERIT_BLACKLIST SDK_UPDATE_URL SDK_EXT_TYPE SDK_RECRDEP_TASKS SDK_INCLUDE_PKGDATA SDK_INCLUDE_TOOLCHAIN" 795 sdkvars += " ESDK_LOCALCONF_ALLOW ESDK_LOCALCONF_REMOVE ESDK_CLASS_INHERIT_DISABLE SDK_UPDATE_URL SDK_EXT_TYPE SDK_RECRDEP_TASKS SDK_INCLUDE_PKGDATA SDK_INCLUDE_TOOLCHAIN"
796 listvars = "SDKIMAGE_FEATURES BAD_RECOMMENDATIONS PACKAGE_EXCLUDE SDK_LOCAL_CONF_WHITELIST SDK_LOCAL_CONF_BLACKLIST SDK_INHERIT_BLACKLIST" 796 listvars = "SDKIMAGE_FEATURES BAD_RECOMMENDATIONS PACKAGE_EXCLUDE ESDK_LOCALCONF_ALLOW ESDK_LOCALCONF_REMOVE ESDK_CLASS_INHERIT_DISABLE"
797 return outputvars(sdkvars, listvars, d) 797 return outputvars(sdkvars, listvars, d)
798 798
799 799
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 21d3da7974..2d69aeba4b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -44,14 +44,14 @@ CVE_CHECK_CREATE_MANIFEST ??= "1"
44CVE_CHECK_REPORT_PATCHED ??= "1" 44CVE_CHECK_REPORT_PATCHED ??= "1"
45 45
46# Whitelist for packages (PN) 46# Whitelist for packages (PN)
47CVE_CHECK_PN_WHITELIST ?= "" 47CVE_CHECK_SKIP_RECIPE ?= ""
48 48
49# Whitelist for CVE. If a CVE is found, then it is considered patched. 49# Whitelist for CVE. If a CVE is found, then it is considered patched.
50# The value is a string containing space separated CVE values: 50# The value is a string containing space separated CVE values:
51# 51#
52# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' 52# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
53# 53#
54CVE_CHECK_WHITELIST ?= "" 54CVE_CHECK_IGNORE ?= ""
55 55
56# Layers to be excluded 56# Layers to be excluded
57CVE_CHECK_LAYER_EXCLUDELIST ??= "" 57CVE_CHECK_LAYER_EXCLUDELIST ??= ""
@@ -178,11 +178,11 @@ def check_cves(d, patched_cves):
178 pv = d.getVar("CVE_VERSION").split("+git")[0] 178 pv = d.getVar("CVE_VERSION").split("+git")[0]
179 179
180 # If the recipe has been whitelisted we return empty lists 180 # If the recipe has been whitelisted we return empty lists
181 if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): 181 if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
182 bb.note("Recipe has been whitelisted, skipping check") 182 bb.note("Recipe has been whitelisted, skipping check")
183 return ([], [], []) 183 return ([], [], [])
184 184
185 cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() 185 cve_whitelist = d.getVar("CVE_CHECK_IGNORE").split()
186 186
187 import sqlite3 187 import sqlite3
188 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") 188 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
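Review bot: The comments and the log message around the renamed variables still use the old term, so the text no longer matches the names: `# Whitelist for packages (PN)` and `# Whitelist for CVE.` in the first hunk, and `bb.note("Recipe has been whitelisted, skipping check")` plus the local `cve_whitelist` in check_cves. I would reword them with the rename, for example `# Recipes (PN) for which the CVE check is skipped`, `# CVEs to ignore. An ignored CVE is considered patched.` and `bb.note("Recipe is listed in CVE_CHECK_SKIP_RECIPE, skipping check")`. The second comment matters to anyone reading scan results, because it is the only place here that says an ignored CVE is counted as patched; the "Whitelisted as there isn't any mitigation" wording in cve-extra-exclusions.inc has the same mismatch. check_cves starts and ends outside the hunk.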
diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass
index a28fcd4798..4fc3c06c64 100644
--- a/meta/classes/insane.bbclass
+++ b/meta/classes/insane.bbclass
@@ -48,7 +48,7 @@ enabled tests are listed here, the do_package_qa task will run under fakeroot."
48 48
49ALL_QA = "${WARN_QA} ${ERROR_QA}" 49ALL_QA = "${WARN_QA} ${ERROR_QA}"
50 50
51UNKNOWN_CONFIGURE_WHITELIST ?= "--enable-nls --disable-nls --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot --disable-static" 51UNKNOWN_CONFIGURE_OPT_IGNORE ?= "--enable-nls --disable-nls --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot --disable-static"
52 52
53# This is a list of directories that are expected to be empty. 53# This is a list of directories that are expected to be empty.
54QA_EMPTY_DIRS ?= " \ 54QA_EMPTY_DIRS ?= " \
@@ -1270,7 +1270,7 @@ Rerun configure task after fixing this."""
1270 options = set() 1270 options = set()
1271 for line in output.splitlines(): 1271 for line in output.splitlines():
1272 options |= set(line.partition(flag)[2].split()) 1272 options |= set(line.partition(flag)[2].split())
1273 whitelist = set(d.getVar("UNKNOWN_CONFIGURE_WHITELIST").split()) 1273 whitelist = set(d.getVar("UNKNOWN_CONFIGURE_OPT_IGNORE").split())
1274 options -= whitelist 1274 options -= whitelist
1275 if options: 1275 if options:
1276 pn = d.getVar('PN') 1276 pn = d.getVar('PN')
diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass
index a6f1506a39..9c9561c5c6 100644
--- a/meta/classes/populate_sdk_ext.bbclass
+++ b/meta/classes/populate_sdk_ext.bbclass
@@ -22,8 +22,8 @@ SDK_INCLUDE_BUILDTOOLS ?= '1'
22SDK_RECRDEP_TASKS ?= "" 22SDK_RECRDEP_TASKS ?= ""
23SDK_CUSTOM_TEMPLATECONF ?= "0" 23SDK_CUSTOM_TEMPLATECONF ?= "0"
24 24
25SDK_LOCAL_CONF_WHITELIST ?= "" 25ESDK_LOCALCONF_ALLOW ?= ""
26SDK_LOCAL_CONF_BLACKLIST ?= "CONF_VERSION \ 26ESDK_LOCALCONF_REMOVE ?= "CONF_VERSION \
27 BB_NUMBER_THREADS \ 27 BB_NUMBER_THREADS \
28 BB_NUMBER_PARSE_THREADS \ 28 BB_NUMBER_PARSE_THREADS \
29 PARALLEL_MAKE \ 29 PARALLEL_MAKE \
@@ -34,7 +34,7 @@ SDK_LOCAL_CONF_BLACKLIST ?= "CONF_VERSION \
34 TMPDIR \ 34 TMPDIR \
35 BB_SERVER_TIMEOUT \ 35 BB_SERVER_TIMEOUT \
36 " 36 "
37SDK_INHERIT_BLACKLIST ?= "buildhistory icecc" 37ESDK_CLASS_INHERIT_DISABLE ?= "buildhistory icecc"
38SDK_UPDATE_URL ?= "" 38SDK_UPDATE_URL ?= ""
39 39
40SDK_TARGETS ?= "${PN}" 40SDK_TARGETS ?= "${PN}"
@@ -294,8 +294,8 @@ python copy_buildsystem () {
294 if derivative: 294 if derivative:
295 shutil.copyfile(builddir + '/conf/local.conf', baseoutpath + '/conf/local.conf') 295 shutil.copyfile(builddir + '/conf/local.conf', baseoutpath + '/conf/local.conf')
296 else: 296 else:
297 local_conf_whitelist = (d.getVar('SDK_LOCAL_CONF_WHITELIST') or '').split() 297 local_conf_whitelist = (d.getVar('ESDK_LOCALCONF_ALLOW') or '').split()
298 local_conf_blacklist = (d.getVar('SDK_LOCAL_CONF_BLACKLIST') or '').split() 298 local_conf_blacklist = (d.getVar('ESDK_LOCALCONF_REMOVE') or '').split()
299 def handle_var(varname, origvalue, op, newlines): 299 def handle_var(varname, origvalue, op, newlines):
300 if varname in local_conf_blacklist or (origvalue.strip().startswith('/') and not varname in local_conf_whitelist): 300 if varname in local_conf_blacklist or (origvalue.strip().startswith('/') and not varname in local_conf_whitelist):
301 newlines.append('# Removed original setting of %s\n' % varname) 301 newlines.append('# Removed original setting of %s\n' % varname)
@@ -338,7 +338,7 @@ python copy_buildsystem () {
338 f.write('CONF_VERSION = "%s"\n\n' % d.getVar('CONF_VERSION', False)) 338 f.write('CONF_VERSION = "%s"\n\n' % d.getVar('CONF_VERSION', False))
339 339
340 # Some classes are not suitable for SDK, remove them from INHERIT 340 # Some classes are not suitable for SDK, remove them from INHERIT
341 f.write('INHERIT:remove = "%s"\n' % d.getVar('SDK_INHERIT_BLACKLIST', False)) 341 f.write('INHERIT:remove = "%s"\n' % d.getVar('ESDK_CLASS_INHERIT_DISABLE', False))
342 342
343 # Bypass the default connectivity check if any 343 # Bypass the default connectivity check if any
344 f.write('CONNECTIVITY_CHECK_URIS = ""\n\n') 344 f.write('CONNECTIVITY_CHECK_URIS = ""\n\n')
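Review bot: Nothing in this section handles a configuration that still sets the old names, and for `SDK_LOCAL_CONF_BLACKLIST` that fails open. `handle_var` in copy_buildsystem now reads only `ESDK_LOCALCONF_REMOVE`, so a layer or local.conf that extends the old variable to keep a setting out of the shipped eSDK's local.conf would have that setting copied through without any warning (unless its value starts with '/'). The same applies to `SDK_INHERIT_BLACKLIST` at the `INHERIT:remove` write and, in staging.bbclass, to `SYSROOT_DIRS_BLACKLIST`. Unless a renamed-variable check exists elsewhere in the tree (none is visible on this page), I would add a guard before the lists are read, such as `if d.getVar('SDK_LOCAL_CONF_BLACKLIST'): bb.fatal('SDK_LOCAL_CONF_BLACKLIST has been renamed to ESDK_LOCALCONF_REMOVE')`. copy_buildsystem starts and ends outside the hunks.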
diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass
index 86bf0395d2..787172b408 100644
--- a/meta/classes/sstate.bbclass
+++ b/meta/classes/sstate.bbclass
@@ -50,21 +50,21 @@ SSTATE_EXTRAPATH[vardepvalue] = ""
50SSTATE_EXTRAPATHWILDCARD[vardepvalue] = "" 50SSTATE_EXTRAPATHWILDCARD[vardepvalue] = ""
51 51
52# For multilib rpm the allarch packagegroup files can overwrite (in theory they're identical) 52# For multilib rpm the allarch packagegroup files can overwrite (in theory they're identical)
53SSTATE_DUPWHITELIST = "${DEPLOY_DIR}/licenses/" 53SSTATE_ALLOW_OVERLAP_FILES = "${DEPLOY_DIR}/licenses/"
54# Avoid docbook/sgml catalog warnings for now 54# Avoid docbook/sgml catalog warnings for now
55SSTATE_DUPWHITELIST += "${STAGING_ETCDIR_NATIVE}/sgml ${STAGING_DATADIR_NATIVE}/sgml" 55SSTATE_ALLOW_OVERLAP_FILES += "${STAGING_ETCDIR_NATIVE}/sgml ${STAGING_DATADIR_NATIVE}/sgml"
56# sdk-provides-dummy-nativesdk and nativesdk-buildtools-perl-dummy overlap for different SDKMACHINE 56# sdk-provides-dummy-nativesdk and nativesdk-buildtools-perl-dummy overlap for different SDKMACHINE
57SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-nativesdk/" 57SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-nativesdk/"
58SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/" 58SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/"
59# target-sdk-provides-dummy overlaps that allarch is disabled when multilib is used 59# target-sdk-provides-dummy overlaps that allarch is disabled when multilib is used
60SSTATE_DUPWHITELIST += "${COMPONENTS_DIR}/sdk-provides-dummy-target/ ${DEPLOY_DIR_RPM}/sdk_provides_dummy_target/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-target/" 60SSTATE_ALLOW_OVERLAP_FILES += "${COMPONENTS_DIR}/sdk-provides-dummy-target/ ${DEPLOY_DIR_RPM}/sdk_provides_dummy_target/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-target/"
61# Archive the sources for many architectures in one deploy folder 61# Archive the sources for many architectures in one deploy folder
62SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}" 62SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}"
63# ovmf/grub-efi/systemd-boot/intel-microcode multilib recipes can generate identical overlapping files 63# ovmf/grub-efi/systemd-boot/intel-microcode multilib recipes can generate identical overlapping files
64SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/ovmf" 64SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/ovmf"
65SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/grub-efi" 65SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/grub-efi"
66SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/systemd-boot" 66SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/systemd-boot"
67SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/microcode" 67SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/microcode"
68 68
69SSTATE_SCAN_FILES ?= "*.la *-config *_config postinst-*" 69SSTATE_SCAN_FILES ?= "*.la *-config *_config postinst-*"
70SSTATE_SCAN_CMD ??= 'find ${SSTATE_BUILDDIR} \( -name "${@"\" -o -name \"".join(d.getVar("SSTATE_SCAN_FILES").split())}" \) -type f' 70SSTATE_SCAN_CMD ??= 'find ${SSTATE_BUILDDIR} \( -name "${@"\" -o -name \"".join(d.getVar("SSTATE_SCAN_FILES").split())}" \) -type f'
@@ -260,7 +260,7 @@ def sstate_install(ss, d):
260 shareddirs.append(dstdir) 260 shareddirs.append(dstdir)
261 261
262 # Check the file list for conflicts against files which already exist 262 # Check the file list for conflicts against files which already exist
263 whitelist = (d.getVar("SSTATE_DUPWHITELIST") or "").split() 263 whitelist = (d.getVar("SSTATE_ALLOW_OVERLAP_FILES") or "").split()
264 match = [] 264 match = []
265 for f in sharedfiles: 265 for f in sharedfiles:
266 if os.path.exists(f) and not os.path.islink(f): 266 if os.path.exists(f) and not os.path.islink(f):
@@ -296,7 +296,7 @@ def sstate_install(ss, d):
296 "DISTRO_FEATURES on an existing build directory is not supported - you " \ 296 "DISTRO_FEATURES on an existing build directory is not supported - you " \
297 "should really clean out tmp and rebuild (reusing sstate should be safe). " \ 297 "should really clean out tmp and rebuild (reusing sstate should be safe). " \
298 "It could be the overlapping files detected are harmless in which case " \ 298 "It could be the overlapping files detected are harmless in which case " \
299 "adding them to SSTATE_DUPWHITELIST may be the correct solution. It could " \ 299 "adding them to SSTATE_ALLOW_OVERLAP_FILES may be the correct solution. It could " \
300 "also be your build is including two different conflicting versions of " \ 300 "also be your build is including two different conflicting versions of " \
301 "things (e.g. bluez 4 and bluez 5 and the correct solution for that would " \ 301 "things (e.g. bluez 4 and bluez 5 and the correct solution for that would " \
302 "be to resolve the conflict. If in doubt, please ask on the mailing list, " \ 302 "be to resolve the conflict. If in doubt, please ask on the mailing list, " \
@@ -350,7 +350,7 @@ def sstate_install(ss, d):
350 for lock in locks: 350 for lock in locks:
351 bb.utils.unlockfile(lock) 351 bb.utils.unlockfile(lock)
352 352
353sstate_install[vardepsexclude] += "SSTATE_DUPWHITELIST STATE_MANMACH SSTATE_MANFILEPREFIX" 353sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES STATE_MANMACH SSTATE_MANFILEPREFIX"
354sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}" 354sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}"
355 355
356def sstate_installpkg(ss, d): 356def sstate_installpkg(ss, d):
diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass
index 574700260f..65499283da 100644
--- a/meta/classes/staging.bbclass
+++ b/meta/classes/staging.bbclass
@@ -24,7 +24,7 @@ SYSROOT_DIRS:append:class-cross = " ${SYSROOT_DIRS_NATIVE}"
24SYSROOT_DIRS:append:class-crosssdk = " ${SYSROOT_DIRS_NATIVE}" 24SYSROOT_DIRS:append:class-crosssdk = " ${SYSROOT_DIRS_NATIVE}"
25 25
26# These directories will not be staged in the sysroot 26# These directories will not be staged in the sysroot
27SYSROOT_DIRS_BLACKLIST = " \ 27SYSROOT_DIRS_IGNORE = " \
28 ${mandir} \ 28 ${mandir} \
29 ${docdir} \ 29 ${docdir} \
30 ${infodir} \ 30 ${infodir} \
@@ -65,7 +65,7 @@ sysroot_stage_dirs() {
65 done 65 done
66 66
67 # Remove directories we do not care about 67 # Remove directories we do not care about
68 for dir in ${SYSROOT_DIRS_BLACKLIST}; do 68 for dir in ${SYSROOT_DIRS_IGNORE}; do
69 rm -rf "$to$dir" 69 rm -rf "$to$dir"
70 done 70 done
71} 71}
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index e02a4d1fde..85b40207bf 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -19,7 +19,7 @@
19# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 19# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
20# CVE is more than 20 years old with no resolution evident 20# CVE is more than 20 years old with no resolution evident
21# broken links in CVE database references make resolution impractical 21# broken links in CVE database references make resolution impractical
22CVE_CHECK_WHITELIST += "CVE-2000-0006" 22CVE_CHECK_IGNORE += "CVE-2000-0006"
23 23
24# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 24# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
25# The issue here is spoofing of domain names using characters from other character sets. 25# The issue here is spoofing of domain names using characters from other character sets.
@@ -28,26 +28,26 @@ CVE_CHECK_WHITELIST += "CVE-2000-0006"
28# there is unlikely ever to be a single fix to webkit or epiphany which addresses this 28# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
29# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further 29# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
30# we can seem to take. 30# we can seem to take.
31CVE_CHECK_WHITELIST += "CVE-2005-0238" 31CVE_CHECK_IGNORE += "CVE-2005-0238"
32 32
33# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 33# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
34# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server 34# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
35# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 35# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
36# Upstream don't see it as a security issue, ftp servers shouldn't be passing 36# Upstream don't see it as a security issue, ftp servers shouldn't be passing
37# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar 37# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
38CVE_CHECK_WHITELIST += "CVE-2010-4756" 38CVE_CHECK_IGNORE += "CVE-2010-4756"
39 39
40# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 40# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
41# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 41# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
42# The encoding/xml package in go can potentially be used for security exploits if not used correctly 42# The encoding/xml package in go can potentially be used for security exploits if not used correctly
43# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything 43# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
44# exposing this interface in an exploitable way 44# exposing this interface in an exploitable way
45CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511" 45CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
46 46
47# db 47# db
48# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with 48# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
49# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed. 49# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
50CVE_CHECK_WHITELIST += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ 50CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
51CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \ 51CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
52CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \ 52CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
53CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ 53CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
@@ -58,7 +58,7 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
58# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 58# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
59# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7 59# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
60# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10. 60# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10.
61#CVE_CHECK_WHITELIST += "CVE-2000-0803" 61#CVE_CHECK_IGNORE += "CVE-2000-0803"
62 62
63 63
64 64
diff --git a/meta/lib/oeqa/selftest/cases/eSDK.py b/meta/lib/oeqa/selftest/cases/eSDK.py
index d0c402ba8a..f7279b3230 100644
--- a/meta/lib/oeqa/selftest/cases/eSDK.py
+++ b/meta/lib/oeqa/selftest/cases/eSDK.py
@@ -63,7 +63,7 @@ class oeSDKExtSelfTest(OESelftestTestCase):
63 cls.env_eSDK = oeSDKExtSelfTest.get_esdk_environment('', cls.tmpdir_eSDKQA) 63 cls.env_eSDK = oeSDKExtSelfTest.get_esdk_environment('', cls.tmpdir_eSDKQA)
64 64
65 sstate_config=""" 65 sstate_config="""
66SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS" 66ESDK_LOCALCONF_ALLOW = "SSTATE_MIRRORS"
67SSTATE_MIRRORS = "file://.* file://%s/PATH" 67SSTATE_MIRRORS = "file://.* file://%s/PATH"
68CORE_IMAGE_EXTRA_INSTALL = "perl" 68CORE_IMAGE_EXTRA_INSTALL = "perl"
69 """ % sstate_dir 69 """ % sstate_dir
@@ -91,7 +91,7 @@ CORE_IMAGE_EXTRA_INSTALL = "perl"
91 91
92 # Configure eSDK to use sstate mirror from poky 92 # Configure eSDK to use sstate mirror from poky
93 sstate_config=""" 93 sstate_config="""
94SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS" 94ESDK_LOCALCONF_ALLOW = "SSTATE_MIRRORS"
95SSTATE_MIRRORS = "file://.* file://%s/PATH" 95SSTATE_MIRRORS = "file://.* file://%s/PATH"
96 """ % bb_vars["SSTATE_DIR"] 96 """ % bb_vars["SSTATE_DIR"]
97 with open(os.path.join(cls.tmpdir_eSDKQA, 'conf', 'local.conf'), 'a+') as f: 97 with open(os.path.join(cls.tmpdir_eSDKQA, 'conf', 'local.conf'), 'a+') as f:
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 193a92cb94..ba0596c938 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -27,7 +27,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
27SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" 27SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
28 28
29# Applies only to RHEL 29# Applies only to RHEL
30CVE_CHECK_WHITELIST += "CVE-2019-14865" 30CVE_CHECK_IGNORE += "CVE-2019-14865"
31 31
32DEPENDS = "flex-native bison-native gettext-native" 32DEPENDS = "flex-native bison-native gettext-native"
33 33
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index cc143ac490..3e020e6780 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -33,7 +33,7 @@ SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
33SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" 33SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
34 34
35# Issue only affects Debian/SUSE, not us 35# Issue only affects Debian/SUSE, not us
36CVE_CHECK_WHITELIST += "CVE-2021-26720" 36CVE_CHECK_IGNORE += "CVE-2021-26720"
37 37
38DEPENDS = "expat libcap libdaemon glib-2.0" 38DEPENDS = "expat libcap libdaemon glib-2.0"
39 39
diff --git a/meta/recipes-connectivity/bind/bind_9.16.25.bb b/meta/recipes-connectivity/bind/bind_9.16.25.bb
index 27a1683a5c..7c16376b58 100644
--- a/meta/recipes-connectivity/bind/bind_9.16.25.bb
+++ b/meta/recipes-connectivity/bind/bind_9.16.25.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/"
28 28
29# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore 29# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
30# so the issue doesn't affect us. 30# so the issue doesn't affect us.
31CVE_CHECK_WHITELIST += "CVE-2019-6470" 31CVE_CHECK_IGNORE += "CVE-2019-6470"
32 32
33inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives 33inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
34 34
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.63.bb b/meta/recipes-connectivity/bluez5/bluez5_5.63.bb
index 34c4767d2b..a9ee29135d 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.63.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.63.bb
@@ -3,7 +3,7 @@ require bluez5.inc
3SRC_URI[sha256sum] = "9349e11e8160bb3d720835d271250d8a7424d3690f5289e6db6fe07cc66c6d76" 3SRC_URI[sha256sum] = "9349e11e8160bb3d720835d271250d8a7424d3690f5289e6db6fe07cc66c6d76"
4 4
5# These issues have kernel fixes rather than bluez fixes so exclude here 5# These issues have kernel fixes rather than bluez fixes so exclude here
6CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490" 6CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
7 7
8# noinst programs in Makefile.tools that are conditional on READLINE 8# noinst programs in Makefile.tools that are conditional on READLINE
9# support 9# support
diff --git a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb b/meta/recipes-connectivity/openssh/openssh_8.8p1.bb
index ee86bb92ab..953c29dbf2 100644
--- a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_8.8p1.bb
@@ -28,14 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
28SRC_URI[sha256sum] = "4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9" 28SRC_URI[sha256sum] = "4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9"
29 29
30# This CVE is specific to OpenSSH with the pam opie which we don't build/use here 30# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
31CVE_CHECK_WHITELIST += "CVE-2007-2768" 31CVE_CHECK_IGNORE += "CVE-2007-2768"
32 32
33# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 33# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
34# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded 34# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
35CVE_CHECK_WHITELIST += "CVE-2014-9278" 35CVE_CHECK_IGNORE += "CVE-2014-9278"
36 36
37# CVE only applies to some distributed RHEL binaries 37# CVE only applies to some distributed RHEL binaries
38CVE_CHECK_WHITELIST += "CVE-2008-3844" 38CVE_CHECK_IGNORE += "CVE-2008-3844"
39 39
40PAM_SRC_URI = "file://sshd" 40PAM_SRC_URI = "file://sshd"
41 41
diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.1.bb b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb
index d08d9b02dc..1128f6a737 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.0.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb
@@ -255,4 +255,4 @@ CVE_VERSION_SUFFIX = "alphabetical"
255 255
256# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 256# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
257# Apache in meta-webserver is already recent enough 257# Apache in meta-webserver is already recent enough
258CVE_CHECK_WHITELIST += "CVE-2019-0190" 258CVE_CHECK_IGNORE += "CVE-2019-0190"
diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb
index 8b904fd56e..6a97c4d5cc 100644
--- a/meta/recipes-core/coreutils/coreutils_9.0.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.0.bb
@@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "ce30acdf4a41bc5bb30dd955e9eaa75fa216b4e3deb08889ed32433c7b
26 26
27# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 27# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
28# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. 28# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
29CVE_CHECK_WHITELIST += "CVE-2016-2781" 29CVE_CHECK_IGNORE += "CVE-2016-2781"
30 30
31EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" 31EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
32EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname" 32EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
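--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -1,20 +1,20 @@
 require glibc.inc
 require glibc-version.inc
 
-CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2021-27645"
+CVE_CHECK_IGNORE += "CVE-2020-10029 CVE-2021-27645"
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
 # Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
 # "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
 # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
 # easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+CVE_CHECK_IGNORE += "CVE-2019-1010025"
 
 DEPENDS += "gperf-native bison-native make-native"
 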
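Review bot: The first entry in this hunk, `CVE_CHECK_IGNORE += "CVE-2020-10029 CVE-2021-27645"`, has no rationale, while the two later entries in the same hunk each carry a comment explaining why the CVE is set aside. An ignored CVE drops out of the checker's findings, so without a reason nobody reading the recipe can tell whether these two are fixed in 2.35, disputed, or not applicable. I would add a comment above the assignment giving the reason and a reference for each ID, in the same form as the CVE-2019-1010025 comment further down.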
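--- a/meta/recipes-core/meta/target-sdk-provides-dummy.bb
+++ b/meta/recipes-core/meta/target-sdk-provides-dummy.bb
@@ -58,4 +58,4 @@ DUMMYPROVIDES = "\
 
 require dummy-sdk-package.inc
 
-SSTATE_DUPWHITELIST += "${PKGDATA_DIR}/${PN} ${PKGDATA_DIR}/runtime/${PN}"
+SSTATE_ALLOW_OVERLAP_FILES += "${PKGDATA_DIR}/${PN} ${PKGDATA_DIR}/runtime/${PN}"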
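--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -27,4 +27,4 @@ UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
 # This is specific to the npm package that installs cmake, so isn't
 # relevant to OpenEmbedded
-CVE_CHECK_WHITELIST += "CVE-2016-10642"
+CVE_CHECK_IGNORE += "CVE-2016-10642"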
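--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -31,7 +31,7 @@ UPSTREAM_CHECK_REGEX = "flex-(?P<pver>\d+(\.\d+)+)\.tar"
 # Disputed - yes there is stack exhaustion but no bug and it is building the
 # parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_WHITELIST += "CVE-2019-6293"
+CVE_CHECK_IGNORE += "CVE-2019-6293"
 
 inherit autotools gettext texinfo ptest
 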
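--- a/meta/recipes-devtools/gcc/gcc-11.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-11.2.inc
@@ -119,4 +119,4 @@ EXTRA_OECONF_PATHS = "\
 "
 
 # Is a binutils 2.26 issue, not gcc
-CVE_CHECK_WHITELIST += "CVE-2021-37322"
+CVE_CHECK_IGNORE += "CVE-2021-37322"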
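--- a/meta/recipes-devtools/gcc/gcc-target.inc
+++ b/meta/recipes-devtools/gcc/gcc-target.inc
@@ -256,4 +256,4 @@ do_install:append () {
 # and builds track file dependencies (e.g. perl and its makedepends code).
 # For determinism we don't install this ever and rely on the copy from gcc-cross.
 # [YOCTO #7287]
-SYSROOT_DIRS_BLACKLIST += "${libdir}/gcc"
+SYSROOT_DIRS_IGNORE += "${libdir}/gcc"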
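--- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
+++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc
@@ -20,7 +20,7 @@ PACKAGECONFIG[python] = "--with-python=${WORKDIR}/python,--without-python,native
 PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline"
 PACKAGECONFIG[debuginfod] = "--with-debuginfod, --without-debuginfod, nativesdk-elfutils"
 
-SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb"
+SSTATE_ALLOW_OVERLAP_FILES += "${STAGING_DATADIR}/gdb"
 
 do_configure:prepend() {
 cat > ${WORKDIR}/python << EOF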
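--- a/meta/recipes-devtools/go/go-1.17.7.inc
+++ b/meta/recipes-devtools/go/go-1.17.7.inc
@@ -22,4 +22,4 @@ SRC_URI[main.sha256sum] = "c108cd33b73b1911a02b697741df3dea43e01a5c4e08e409e8b3a
 # Upstream don't believe it is a signifiant real world issue and will only
 # fix in 1.17 onwards where we can drop this.
 # https://github.com/golang/go/issues/30999#issuecomment-910470358
-CVE_CHECK_WHITELIST += "CVE-2021-29923"
+CVE_CHECK_IGNORE += "CVE-2021-29923"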
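Review bot: The ignore for CVE-2021-29923 looks stale rather than in need of renaming: the comment above it says upstream will "only fix in 1.17 onwards where we can drop this", and this file is go-1.17.7.inc. If the fix is in the 1.17 series as the comment implies, the entry should be removed so the checker reports the real status; if it is still needed, the comment should say why it applies to 1.17.7. The comment starts above the hunk, so its first lines are not visible here.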
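--- a/meta/recipes-devtools/jquery/jquery_3.6.0.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.0.bb
@@ -22,7 +22,7 @@ UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 # https://github.com/jquery/jquery/issues/3927
 # There are ways jquery can expose security issues but any issues are in the apps exposing them
 # and there is little we can directly do
-CVE_CHECK_WHITELIST += "CVE-2007-2379"
+CVE_CHECK_IGNORE += "CVE-2007-2379"
 
 inherit allarch
 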
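--- a/meta/recipes-devtools/libtool/libtool_2.4.6.bb
+++ b/meta/recipes-devtools/libtool/libtool_2.4.6.bb
@@ -7,7 +7,7 @@ RDEPENDS:${PN} += "bash"
 #
 # We want the results of libtool-cross preserved - don't stage anything ourselves.
 #
-SYSROOT_DIRS_BLACKLIST += " \
+SYSROOT_DIRS_IGNORE += " \
  ${bindir} \
  ${datadir}/aclocal \
  ${datadir}/libtool/build-aux \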
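--- a/meta/recipes-devtools/python/python3_3.10.2.bb
+++ b/meta/recipes-devtools/python/python3_3.10.2.bb
@@ -49,12 +49,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 CVE_PRODUCT = "python"
 
 # Upstream consider this expected behaviour
-CVE_CHECK_WHITELIST += "CVE-2007-4559"
+CVE_CHECK_IGNORE += "CVE-2007-4559"
 # This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_WHITELIST += "CVE-2019-18348"
+CVE_CHECK_IGNORE += "CVE-2019-18348"
 
 # This is windows only issue.
-CVE_CHECK_WHITELIST += "CVE-2020-15523"
+CVE_CHECK_IGNORE += "CVE-2020-15523"
 
 PYTHON_MAJMIN = "3.10"
 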
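--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -36,15 +36,15 @@ SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
 # Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_WHITELIST += "CVE-2017-5957"
+CVE_CHECK_IGNORE += "CVE-2017-5957"
 
 # The VNC server can expose host files uder some circumstances. We don't
 # enable it by default.
-CVE_CHECK_WHITELIST += "CVE-2007-0998"
+CVE_CHECK_IGNORE += "CVE-2007-0998"
 
 # 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_WHITELIST += "CVE-2018-18438"
+CVE_CHECK_IGNORE += "CVE-2018-18438"
 
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"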
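Review bot: The ignore for CVE-2007-0998 is unconditional, but the reason given in its comment ("We don't enable it by default") holds only for the default configuration. A build that turns the VNC server on would still have this CVE dropped from the report; whether the recipe offers such an option is not visible in this hunk. I would state the condition in the comment, for example `# Ignored on the basis that VNC stays disabled; re-evaluate if it is enabled.`, and fix the typo "uder" while touching these lines.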
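--- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb
@@ -20,7 +20,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
 SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
 
 # -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_WHITELIST += " CVE-2017-16548 "
+CVE_CHECK_IGNORE += " CVE-2017-16548 "
 
 inherit autotools-brokensep
 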
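--- a/meta/recipes-devtools/tcltk/tcl_8.6.11.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.11.bb
@@ -31,7 +31,7 @@ SRC_URI:class-native = "${BASE_SRC_URI}"
 
 # Upstream don't believe this is an exploitable issue
 # https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_WHITELIST += "CVE-2021-35331"
+CVE_CHECK_IGNORE += "CVE-2021-35331"
 
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
 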
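--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 inherit autotools gettext texinfo
 
 # Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_WHITELIST += "CVE-2010-4226"
+CVE_CHECK_IGNORE += "CVE-2010-4226"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 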
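--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -21,11 +21,11 @@ UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases"
 UPSTREAM_CHECK_REGEX = "cups-(?P<pver>(?!.+\d(b|rc)\d.+).+)-source.tar"
 
 # Issue only applies to MacOS
-CVE_CHECK_WHITELIST += "CVE-2008-1033"
+CVE_CHECK_IGNORE += "CVE-2008-1033"
 # Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_WHITELIST += "CVE-2009-0032"
+CVE_CHECK_IGNORE += "CVE-2009-0032"
 # This is an Ubuntu only issue.
-CVE_CHECK_WHITELIST += "CVE-2018-6553"
+CVE_CHECK_IGNORE += "CVE-2018-6553"
 
 LEAD_SONAME = "libcupsdriver.so"
 
@@ -117,4 +117,4 @@ cups_sysroot_preprocess () {
 
 # -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
 # root:root, so this doesn't apply.
-CVE_CHECK_WHITELIST += "CVE-2021-25317"
+CVE_CHECK_IGNORE += "CVE-2021-25317"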
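--- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb
@@ -21,7 +21,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
 # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
 # however we use an external jpeg which doesn't have the issue.
-CVE_CHECK_WHITELIST += "CVE-2013-6629"
+CVE_CHECK_IGNORE += "CVE-2013-6629"
 
 def gs_verdir(v):
  return "".join(v.split("."))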
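--- a/meta/recipes-extended/iputils/iputils_20211215.bb
+++ b/meta/recipes-extended/iputils/iputils_20211215.bb
@@ -21,7 +21,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
 # Fixed in 2000-10-10, but the versioning of iputils
 # breaks the version order.
-CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
+CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
 
 PACKAGECONFIG ??= "libcap rarpd \
  ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ninfod', '', d)} \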
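--- a/meta/recipes-extended/logrotate/logrotate_3.19.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.19.0.bb
@@ -18,7 +18,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz
 SRC_URI[sha256sum] = "ddd5274d684c5c99ca724e8069329f343ebe376e07493d537d9effdc501214ba"
 
 # These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 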
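--- a/meta/recipes-extended/procps/procps_3.3.17.bb
+++ b/meta/recipes-extended/procps/procps_3.3.17.bb
@@ -75,7 +75,7 @@ python __anonymous() {
 
 # 'ps' isn't suitable for use as a security tool so whitelist this CVE.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_WHITELIST += "CVE-2018-1121"
+CVE_CHECK_IGNORE += "CVE-2018-1121"
 
 PROCPS_PACKAGES = "${PN}-lib \
  ${PN}-ps \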
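Review bot: The comment above the renamed variable still reads `so whitelist this CVE`, which no longer matches `CVE_CHECK_IGNORE` and will trip up anyone searching for leftovers of the old name. I would reword it to `# 'ps' isn't suitable for use as a security tool so ignore this CVE.`. The same leftover is in libgcrypt_1.9.4.bb, where the comment says `Below whitelisted CVEs are disputed`; `Below ignored CVEs are disputed` would match the new variable.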
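--- a/meta/recipes-extended/shadow/shadow_4.11.1.bb
+++ b/meta/recipes-extended/shadow/shadow_4.11.1.bb
@@ -8,4 +8,4 @@ BBCLASSEXTEND = "native nativesdk"
 
 # Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_WHITELIST += "CVE-2013-4235"
+CVE_CHECK_IGNORE += "CVE-2013-4235"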
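Review bot: The rationale for CVE-2013-4235 ("Severity is low and marked as closed and won't fix") describes an accepted risk, not a false positive, yet the entry goes into the same `CVE_CHECK_IGNORE` list as CVEs that do not apply at all. Once ignored, the issue no longer shows as unpatched in the checker output, so a downstream product with a different risk tolerance gets no prompt to reassess it. I would make the comment explicit, e.g. `# Unfixed upstream (won't fix); ignored as an accepted low-severity risk, reassess per product.`. The CVE-2020-25697 entry in xserver-xorg.inc is the same case: its comment says no upstream patch is available.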
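--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -34,7 +34,7 @@ SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
 # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_WHITELIST += "CVE-2008-0888"
+CVE_CHECK_IGNORE += "CVE-2008-0888"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"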
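--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_WHITELIST += "CVE-2013-4342"
+CVE_CHECK_IGNORE += "CVE-2013-4342"
 
 inherit autotools update-rc.d systemd pkgconfig
 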
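--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -21,10 +21,10 @@ SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
 # Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_WHITELIST += "CVE-2018-13410"
+CVE_CHECK_IGNORE += "CVE-2018-13410"
 
 # Not for zip but for smart contract implementation for it
-CVE_CHECK_WHITELIST += "CVE-2018-13684"
+CVE_CHECK_IGNORE += "CVE-2018-13684"
 
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT. It will also force -O3 optimization, overriding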
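--- a/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb
@@ -35,4 +35,4 @@ RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
 # -7381 is specific to the NodeJS bindings
-CVE_CHECK_WHITELIST += "CVE-2013-7381"
+CVE_CHECK_IGNORE += "CVE-2013-7381"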
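--- a/meta/recipes-gnome/librsvg/librsvg_2.52.5.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.52.5.bb
@@ -51,7 +51,7 @@ do_compile:prepend() {
 }
 
 # Issue only on windows
-CVE_CHECK_WHITELIST += "CVE-2018-1000041"
+CVE_CHECK_IGNORE += "CVE-2018-1000041"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 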
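--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -30,4 +30,4 @@ do_install () {
 }
 
 # -4178 is an unrelated 'builder'
-CVE_CHECK_WHITELIST = "CVE-2008-4178"
+CVE_CHECK_IGNORE = "CVE-2008-4178"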
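Review bot: This is the only recipe in the visible part of the series that assigns the list with `=` instead of `+=`, in `CVE_CHECK_IGNORE = "CVE-2008-4178"`. A plain assignment replaces whatever the variable already holds when the recipe is parsed, which would presumably include entries added from configuration such as cve-extra-exclusions.inc, a file this commit also touches. That is probably harmless for this recipe, but it is inconsistent and easy to copy; I would change the line to `CVE_CHECK_IGNORE += "CVE-2008-4178"` unless the override is intended.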
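--- a/meta/recipes-graphics/xorg-font/font-util_1.3.2.bb
+++ b/meta/recipes-graphics/xorg-font/font-util_1.3.2.bb
@@ -19,4 +19,4 @@ BBCLASSEXTEND = "native"
 SRC_URI[md5sum] = "3d6adb76fdd072db8c8fae41b40855e8"
 SRC_URI[sha256sum] = "3ad880444123ac06a7238546fa38a2a6ad7f7e0cc3614de7e103863616522282"
 
-SYSROOT_DIRS_BLACKLIST:remove = "${datadir}/fonts"
+SYSROOT_DIRS_IGNORE:remove = "${datadir}/fonts"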
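--- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
+++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc
@@ -18,7 +18,7 @@ EXTRA_OECONF = "--disable-specs --without-groff --without-ps2pdf --without-fop"
 PACKAGECONFIG ??= ""
 PACKAGECONFIG[xmlto] = "--with-xmlto, --without-xmlto, xmlto-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
 
-UNKNOWN_CONFIGURE_WHITELIST += "--enable-malloc0returnsnull --disable-malloc0returnsnull \
+UNKNOWN_CONFIGURE_OPT_IGNORE += "--enable-malloc0returnsnull --disable-malloc0returnsnull \
  --disable-specs --without-groff --without-ps2pdf --without-fop \
  --without-xmlto --with-xmlto \
 "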
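--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -21,13 +21,13 @@ UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
 # This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_WHITELIST += "CVE-2011-4613"
+CVE_CHECK_IGNORE += "CVE-2011-4613"
 # As per upstream, exploiting this flaw is non-trivial and it requires exact
 # timing on the behalf of the attacker. Many graphical applications exit if their
 # connection to the X server is lost, so a typical desktop session is either
 # impossible or difficult to exploit. There is currently no upstream patch
 # available for this flaw.
-CVE_CHECK_WHITELIST += "CVE-2020-25697"
+CVE_CHECK_IGNORE += "CVE-2020-25697"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 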
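--- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb
@@ -32,4 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 BBCLASSEXTEND = "native nativesdk"
 
 # CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_WHITELIST += "CVE-2019-17371"
+CVE_CHECK_IGNORE += "CVE-2019-17371"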
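--- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
+++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb
@@ -43,4 +43,4 @@ do_install:append() {
 
 # This can't be replicated and is just a memory leak.
 # https://github.com/erikd/libsndfile/issues/398
-CVE_CHECK_WHITELIST += "CVE-2018-13419"
+CVE_CHECK_IGNORE += "CVE-2018-13419"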
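--- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb
@@ -20,7 +20,7 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
 # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
 # and 4.3.0 doesn't have the issue
-CVE_CHECK_WHITELIST += "CVE-2015-7313"
+CVE_CHECK_IGNORE += "CVE-2015-7313"
 
 inherit autotools multilib_header
 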
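--- a/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb
@@ -30,7 +30,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
 SRC_URI[sha256sum] = "ea849c83a72454e3ed4267697e8ca03390aee972ab421e7df69dfe42b65caaf7"
 
 # Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 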
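--- a/meta/recipes-support/lz4/lz4_1.9.3.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.3.bb
@@ -20,7 +20,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)"
 S = "${WORKDIR}/git"
 
 # Fixed in r118, which is larger than the current version.
-CVE_CHECK_WHITELIST += "CVE-2014-4715"
+CVE_CHECK_IGNORE += "CVE-2014-4715"
 
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 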
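--- a/meta/recipes-support/sqlite/sqlite3_3.37.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.37.2.bb
@@ -7,8 +7,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "4089a8d9b467537b3f246f217b84cd76e00b1d1a971fe5aca1e30e230e46b2d8"
 
 # -19242 is only an issue in specific development branch commits
-CVE_CHECK_WHITELIST += "CVE-2019-19242"
+CVE_CHECK_IGNORE += "CVE-2019-19242"
 # This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_WHITELIST += "CVE-2015-3717"
+CVE_CHECK_IGNORE += "CVE-2015-3717"
 # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_WHITELIST += "CVE-2021-36690"
+CVE_CHECK_IGNORE += "CVE-2021-36690"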