diff options
| author | Otavio Salvador <otavio@ossystems.com.br> | 2026-07-13 08:15:44 -0300 |
|---|---|---|
| committer | Otavio Salvador <otavio@ossystems.com.br> | 2026-07-13 08:15:44 -0300 |
| commit | 38df8058895c7abb88889bb7133b30b872e6e805 (patch) | |
| tree | 2088c0e4181792f4dfd75ce2fbcc710f2880fc1c | |
| parent | 92cfcd9fefdb98db5a7eb00d9980018496023301 (diff) | |
| download | meta-freescale-oelint-cleanup-4-config-suppress.tar.gz | |
oelint: Suppress advisory CVE_PRODUCT and BUGTRACKER layer-wideoelint-cleanup-4-config-suppress
oelint.var.suggestedvar.CVE_PRODUCT (179 findings) and
oelint.var.suggestedvar.BUGTRACKER (191 findings) are advisory
"suggested" variables. The overwhelming majority of recipes in this
layer package NXP firmware and BSP components that have no upstream bug
tracker and no meaningful NVD CPE product.
Filling CVE_PRODUCT with a guessed product string is actively harmful:
it makes cve-check match the wrong CPE, producing false positives and
masking real advisories. Leaving it unset is the correct default.
Suppress both layer-wide rather than annotating hundreds of recipes.
The rare recipe that does have a real value can still set it inline.
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
| -rw-r--r-- | .oelint.cfg | 18 |
1 files changed, 13 insertions, 5 deletions
diff --git a/.oelint.cfg b/.oelint.cfg index 7729602f7..37c94ca3c 100644 --- a/.oelint.cfg +++ b/.oelint.cfg | |||
| @@ -5,12 +5,20 @@ | |||
| 5 | # contrib/oelint/run-oelint.sh. Per-recipe exceptions should stay inline as | 5 | # contrib/oelint/run-oelint.sh. Per-recipe exceptions should stay inline as |
| 6 | # '# nooelint: <rule.id>' comments next to the finding, so new recipes are fully | 6 | # '# nooelint: <rule.id>' comments next to the finding, so new recipes are fully |
| 7 | # linted and each exception is documented in place. Only rules that provably | 7 | # linted and each exception is documented in place. Only rules that provably |
| 8 | # never apply to the whole layer are suppressed here. | 8 | # never apply to the whole layer are suppressed here: |
| 9 | # | ||
| 10 | # * oelint.var.bbclassextend - meta-freescale is a BSP layer; the bulk of its | ||
| 11 | # recipes package machine-specific firmware and prebuilt binaries that are | ||
| 12 | # not cross-compilable libraries, so BBCLASSEXTEND (native/nativesdk) does | ||
| 13 | # not apply. | ||
| 14 | # * oelint.var.suggestedvar.CVE_PRODUCT / .BUGTRACKER - advisory 'suggested' | ||
| 15 | # variables. Most recipes here package NXP firmware/BSP components with no | ||
| 16 | # upstream bug tracker and no meaningful NVD CPE product; guessing a | ||
| 17 | # CVE_PRODUCT would create false or missed CVE matches, which is worse than | ||
| 18 | # leaving it unset. Set them inline on the rare recipe that has a real value. | ||
| 9 | [oelint] | 19 | [oelint] |
| 10 | release = wrynose | 20 | release = wrynose |
| 11 | # meta-freescale is a BSP layer: the bulk of its recipes package machine-specific | ||
| 12 | # firmware and prebuilt binaries that are not cross-compilable libraries, so | ||
| 13 | # BBCLASSEXTEND (native/nativesdk) does not apply. Suppress it layer-wide rather | ||
| 14 | # than annotating every such recipe. | ||
| 15 | suppress = | 21 | suppress = |
| 16 | oelint.var.bbclassextend | 22 | oelint.var.bbclassextend |
| 23 | oelint.var.suggestedvar.CVE_PRODUCT | ||
| 24 | oelint.var.suggestedvar.BUGTRACKER | ||
