9 files changed, 15 insertions, 36 deletions
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index 45eb9de8e0..560038d2a6 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
-CVE_CHECK_IGNORE += "CVE-2010-4226"
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b1085..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
-CVE_CHECK_IGNORE += "CVE-2008-1033"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
-# Issue affects pdfdistiller plugin used with but not part of cups
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
-CVE_CHECK_IGNORE += "CVE-2009-0032"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
-# This is an Ubuntu only issue.
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
 LEAD_SONAME = "libcupsdriver.so"
@@ -114,7 +111,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
        sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
-# breaks the version order.
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
-CVE_CHECK_IGNORE += "CVE-2021-46828"
 inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
        d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
 PROCPS_PACKAGES = "${PN}-lib \
                   ${PN}-ps \
                   ${PN}-sysctl"
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
-CVE_CHECK_IGNORE += "CVE-2008-0888"
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
-CVE_CHECK_IGNORE += "CVE-2018-13410"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding

diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb index 45eb9de8e0..560038d2a6 100644 --- a/meta/recipes-extended/cpio/cpio_2.14.bb +++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
16		16
17	inherit autotools gettext texinfo ptest	17	inherit autotools gettext texinfo ptest
18		18
19	# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us	19	CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
20	CVE_CHECK_IGNORE += "CVE-2010-4226"
21		20
22	EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"	21	EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
23		22


diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index da320b1085..36feaddcf8 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
19		19
20	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"	20	GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
21		21
22	# Issue only applies to MacOS	22	CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
23	CVE_CHECK_IGNORE += "CVE-2008-1033"	23	CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
24	# Issue affects pdfdistiller plugin used with but not part of cups	24	CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
25	CVE_CHECK_IGNORE += "CVE-2009-0032"	25	CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
26	# This is an Ubuntu only issue.	26	CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
27	CVE_CHECK_IGNORE += "CVE-2018-6553"
28	# This is fixed in 2.4.2 but the cve-check class still reports it
29	CVE_CHECK_IGNORE += "CVE-2022-26691"
30		27
31	LEAD_SONAME = "libcupsdriver.so"	28	LEAD_SONAME = "libcupsdriver.so"
32		29
@@ -114,7 +111,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
114	cups_sysroot_preprocess () {	111	cups_sysroot_preprocess () {
115	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.:cups_serverbin=${libexecdir}/cups:'	112	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.:cups_serverbin=${libexecdir}/cups:'
116	}	113	}
117
118	# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
119	# root:root, so this doesn't apply.
120	CVE_CHECK_IGNORE += "CVE-2021-25317"


diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb index cd5fe9bd3e..7d94271a64 100644 --- a/meta/recipes-extended/iputils/iputils_20221126.bb +++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
17		17
18	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"	18	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
19		19
20	# Fixed in 2000-10-10, but the versioning of iputils	20	CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
21	# breaks the version order.	21	CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
22	CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
23		22
24	PACKAGECONFIG ??= "libcap"	23	PACKAGECONFIG ??= "libcap"
25	PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"	24	PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"


diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb index f55e0b0ed1..d466905426 100644 --- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb +++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
14	UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"	14	UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
15	SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"	15	SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
16		16
17	# Was fixed in 1.3.3rc1 so not present in 1.3.3	17	CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
18	CVE_CHECK_IGNORE += "CVE-2021-46828"
19		18
20	inherit autotools pkgconfig	19	inherit autotools pkgconfig
21		20


diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb index cc3420df4e..dc0e957bda 100644 --- a/meta/recipes-extended/procps/procps_4.0.3.bb +++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
72	d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))	72	d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
73	}	73	}
74		74
75	# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
76	# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
77	CVE_CHECK_IGNORE += "CVE-2018-1121"
78
79	PROCPS_PACKAGES = "${PN}-lib \	75	PROCPS_PACKAGES = "${PN}-lib \
80	${PN}-ps \	76	${PN}-ps \
81	${PN}-sysctl"	77	${PN}-sysctl"


diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb index d1a3fd5593..4e55446312 100644 --- a/meta/recipes-extended/shadow/shadow_4.13.bb +++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
6		6
7	BBCLASSEXTEND = "native nativesdk"	7	BBCLASSEXTEND = "native nativesdk"
8		8
9	# Severity is low and marked as closed and won't fix.
10	# https://bugzilla.redhat.com/show_bug.cgi?id=884658	9	# https://bugzilla.redhat.com/show_bug.cgi?id=884658
11	CVE_CHECK_IGNORE += "CVE-2013-4235"	10	CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
12		11	CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
13	# This is an issue for a different shadow
14	CVE_CHECK_IGNORE += "CVE-2016-15024"


diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 3051e9b5bc..a53663d086 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
39	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"	39	SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
40	SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"	40	SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
41		41
42	# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source	42	CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
43	CVE_CHECK_IGNORE += "CVE-2008-0888"
44		43
45	# exclude version 5.5.2 which triggers a false positive	44	# exclude version 5.5.2 which triggers a false positive
46	UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"	45	UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"


diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb index c390fcf33c..72eb1ae067 100644 --- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb +++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
18	S = "${WORKDIR}/git"	18	S = "${WORKDIR}/git"
19		19
20	# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision	20	# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
21	CVE_CHECK_IGNORE += "CVE-2013-4342"	21	CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
22		22
23	inherit autotools update-rc.d systemd pkgconfig	23	inherit autotools update-rc.d systemd pkgconfig
24		24


diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index 82153131b4..3425e8eb7b 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
26	SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"	26	SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
27	SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"	27	SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
28		28
29	# Disputed and also Debian doesn't consider a vulnerability	29	CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
30	CVE_CHECK_IGNORE += "CVE-2018-13410"	30	CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
31
32	# Not for zip but for smart contract implementation for it
33	CVE_CHECK_IGNORE += "CVE-2018-13684"
34		31
35	# zip.inc sets CFLAGS, but what Makefile actually uses is	32	# zip.inc sets CFLAGS, but what Makefile actually uses is
36	# CFLAGS_NOOPT. It will also force -O3 optimization, overriding	33	# CFLAGS_NOOPT. It will also force -O3 optimization, overriding