summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorOtavio Salvador <otavio@ossystems.com.br>2026-07-13 08:15:44 -0300
committerOtavio Salvador <otavio@ossystems.com.br>2026-07-13 08:15:44 -0300
commit38df8058895c7abb88889bb7133b30b872e6e805 (patch)
tree2088c0e4181792f4dfd75ce2fbcc710f2880fc1c
parent92cfcd9fefdb98db5a7eb00d9980018496023301 (diff)
downloadmeta-freescale-oelint-cleanup-4-config-suppress.tar.gz
oelint: Suppress advisory CVE_PRODUCT and BUGTRACKER layer-wideoelint-cleanup-4-config-suppress
oelint.var.suggestedvar.CVE_PRODUCT (179 findings) and oelint.var.suggestedvar.BUGTRACKER (191 findings) are advisory "suggested" variables. The overwhelming majority of recipes in this layer package NXP firmware and BSP components that have no upstream bug tracker and no meaningful NVD CPE product. Filling CVE_PRODUCT with a guessed product string is actively harmful: it makes cve-check match the wrong CPE, producing false positives and masking real advisories. Leaving it unset is the correct default. Suppress both layer-wide rather than annotating hundreds of recipes. The rare recipe that does have a real value can still set it inline. Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
-rw-r--r--.oelint.cfg18
1 files changed, 13 insertions, 5 deletions
diff --git a/.oelint.cfg b/.oelint.cfg
index 7729602f7..37c94ca3c 100644
--- a/.oelint.cfg
+++ b/.oelint.cfg
@@ -5,12 +5,20 @@
5# contrib/oelint/run-oelint.sh. Per-recipe exceptions should stay inline as 5# contrib/oelint/run-oelint.sh. Per-recipe exceptions should stay inline as
6# '# nooelint: <rule.id>' comments next to the finding, so new recipes are fully 6# '# nooelint: <rule.id>' comments next to the finding, so new recipes are fully
7# linted and each exception is documented in place. Only rules that provably 7# linted and each exception is documented in place. Only rules that provably
8# never apply to the whole layer are suppressed here. 8# never apply to the whole layer are suppressed here:
9#
10# * oelint.var.bbclassextend - meta-freescale is a BSP layer; the bulk of its
11# recipes package machine-specific firmware and prebuilt binaries that are
12# not cross-compilable libraries, so BBCLASSEXTEND (native/nativesdk) does
13# not apply.
14# * oelint.var.suggestedvar.CVE_PRODUCT / .BUGTRACKER - advisory 'suggested'
15# variables. Most recipes here package NXP firmware/BSP components with no
16# upstream bug tracker and no meaningful NVD CPE product; guessing a
17# CVE_PRODUCT would create false or missed CVE matches, which is worse than
18# leaving it unset. Set them inline on the rare recipe that has a real value.
9[oelint] 19[oelint]
10release = wrynose 20release = wrynose
11# meta-freescale is a BSP layer: the bulk of its recipes package machine-specific
12# firmware and prebuilt binaries that are not cross-compilable libraries, so
13# BBCLASSEXTEND (native/nativesdk) does not apply. Suppress it layer-wide rather
14# than annotating every such recipe.
15suppress = 21suppress =
16 oelint.var.bbclassextend 22 oelint.var.bbclassextend
23 oelint.var.suggestedvar.CVE_PRODUCT
24 oelint.var.suggestedvar.BUGTRACKER