1 files changed, 28 insertions, 0 deletions
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
new file mode 100644
index 0000000000..17b0f15571
--- /dev/null
+++ b/meta/conf/cve-check-map.conf
@@ -0,0 +1,28 @@
+# Possible options for CVE statuses
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf new file mode 100644 index 0000000000..17b0f15571 --- /dev/null +++ b/meta/conf/cve-check-map.conf
@@ -0,0 +1,28 @@
	1	# Possible options for CVE statuses
	2
	3	# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
	4	CVE_CHECK_STATUSMAP[patched] = "Patched"
	5	# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
	6	CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
	7	# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
	8	CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
	9	# use when NVD DB does not mention correct version or does not mention any verion at all
	10	CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
	11
	12	# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
	13	CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
	14	# use when CVE is confirmed by upstream but fix is still not available
	15	CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
	16
	17	# used for migration from old concept, do not use for new vulnerabilities
	18	CVE_CHECK_STATUSMAP[ignored] = "Ignored"
	19	# use when NVD DB wrongly indicates vulnerability which is actually for a different component
	20	CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
	21	# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
	22	CVE_CHECK_STATUSMAP[disputed] = "Ignored"
	23	# use when vulnerability depends on build or runtime configuration which is not used
	24	CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
	25	# use when vulnerability affects other platform (e.g. Windows or Debian)
	26	CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
	27	# use when upstream acknowledged the vulnerability but does not plan to fix it
	28	CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"