From be9883a92bad0fe4c1e9c7302c93dea4ac680f8c Mon Sep 17 00:00:00 2001 From: Andrej Valek Date: Fri, 23 Jun 2023 13:14:56 +0200 Subject: cve-check: add option to add additional patched CVEs - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible. The CVE_STATUS should contain an information about status wich is decoded in 3 items: - generic status: "Ignored", "Patched" or "Unpatched" - more detailed status enum - description: free text describing reason for status Examples of usage: CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows" CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" CVE_CHECK_STATUSMAP[fixed-version] = "Patched" (From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5) Signed-off-by: Andrej Valek Signed-off-by: Peter Marko Signed-off-by: Richard Purdie --- meta/conf/cve-check-map.conf | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 meta/conf/cve-check-map.conf (limited to 'meta/conf/cve-check-map.conf') diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf new file mode 100644 index 0000000000..17b0f15571 --- /dev/null +++ b/meta/conf/cve-check-map.conf @@ -0,0 +1,28 @@ +# Possible options for CVE statuses + +# used by this class internally when fix is detected (NVD DB version check or CVE patch file) +CVE_CHECK_STATUSMAP[patched] = "Patched" +# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch) +CVE_CHECK_STATUSMAP[backported-patch] = "Patched" +# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" +# use when NVD DB does not mention correct version or does not mention any verion at all +CVE_CHECK_STATUSMAP[fixed-version] = "Patched" + +# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" +# use when CVE is confirmed by upstream but fix is still not available +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" + +# used for migration from old concept, do not use for new vulnerabilities +CVE_CHECK_STATUSMAP[ignored] = "Ignored" +# use when NVD DB wrongly indicates vulnerability which is actually for a different component +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" +# use when upstream does not accept the report as a vulnerability (e.g. works as designed) +CVE_CHECK_STATUSMAP[disputed] = "Ignored" +# use when vulnerability depends on build or runtime configuration which is not used +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" +# use when vulnerability affects other platform (e.g. Windows or Debian) +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" +# use when upstream acknowledged the vulnerability but does not plan to fix it +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" -- cgit v1.2.3-54-g00ecf