cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

- Try to add convert and apply statuses for old CVEs - Drop some obsolete ignores, while they are not relevant for current version Signed-off-by: Andrej Valek <andrej.valek@siemens.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Andrej Valek <andrej.valek@siemens.com> 2023-07-26 11:50:09 +0200
committer: Khem Raj <raj.khem@gmail.com> 2023-07-27 08:54:40 -0700
commit: 8af2f17a6fa8bf282c4c27054adbea1bf0873069 (patch)
tree: 22b6484379a0f3d3e2b89f958dda0fd45f2a1880 /meta-networking
parent: 4c201ede939610946847ccd4221320ed776224aa (diff)
download: meta-openembedded-8af2f17a6fa8bf282c4c27054adbea1bf0873069.tar.gz
11 files changed, 30 insertions, 61 deletions
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
index 9a2bbab39f..35733c5307 100644
--- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
+++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
@@ -43,10 +43,8 @@ SRCREV = "d956f683d37ea40e7977cc5907361f3e6988a439"
 UPSTREAM_CHECK_GITTAGREGEX = "release_(?P<pver>\d+(\_\d+)+)"
-CVE_CHECK_IGNORE = "\
+CVE_CHECK_STATUS[CVE-2002-0318] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
-    CVE-2002-0318 \
+CVE_CHECK_STATUS[CVE-2011-4966] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
-    CVE-2011-4966 \
-"
 PARALLEL_MAKE = ""
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
index ce094d5afb..fff320afd8 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
@@ -57,10 +57,8 @@ BBCLASSEXTEND = "native nativesdk"
 CVE_PRODUCT = "mbed_tls"
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
+CVE_STATUS[CVE-2021-43666] = "backported-patch: Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310"
-CVE_CHECK_IGNORE += "CVE-2021-43666"
+CVE_STATUS[CVE-2021-43666] = "backported-patch: Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c"
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
-CVE_CHECK_IGNORE += "CVE-2021-45451"
 # Strip host paths from autogenerated test files
 do_compile:append() {
diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
index b8c9662de7..10fb7de8ca 100644
--- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
+++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
@@ -58,11 +58,6 @@ BBCLASSEXTEND = "native nativesdk"
 CVE_PRODUCT = "mbed_tls"
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
-CVE_CHECK_IGNORE += "CVE-2021-43666"
-# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
-CVE_CHECK_IGNORE += "CVE-2021-45451"
 # Strip host paths from autogenerated test files
 do_compile:append() {
        sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :
diff --git a/meta-networking/recipes-connectivity/openthread/wpantund_git.bb b/meta-networking/recipes-connectivity/openthread/wpantund_git.bb
index a7fcc202a4..ebb3fc3c1c 100644
--- a/meta-networking/recipes-connectivity/openthread/wpantund_git.bb
+++ b/meta-networking/recipes-connectivity/openthread/wpantund_git.bb
@@ -22,11 +22,8 @@ S = "${WORKDIR}/git"
 inherit pkgconfig perlnative autotools
-# CVE-2020-8916 has been fixed in commit
-# 3f108441e23e033b936e85be5b6877dd0a1fbf1c which is included in the SRCREV
-# CVE-2021-33889 has been fixed in commit
-# a8f3f761f6753b567d1e5ad22cbe6b0ceb6f2649 which is included in the SRCREV
 # There has not been a wpantund release as of yet that includes these fixes.
 # That means cve-check can not match them. Once a new release comes we can
-# remove the ignore statement.
+# remove the statement.
-CVE_CHECK_IGNORE = "CVE-2020-8916 CVE-2021-33889"
+CVE_STATUS[CVE-2020-8916] = "backported-patch: fixed via 3f108441e23e033b936e85be5b6877dd0a1fbf1c"
+CVE_STATUS[CVE-2021-33889] = "backported-patch: fixed via 3f108441e23e033b936e85be5b6877dd0a1fbf1c"
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb b/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
index 66089edad5..3386b93b5e 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
@@ -38,12 +38,7 @@ UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.18(\.\d+)+).tar.gz"
 inherit systemd waf-samba cpan-base perlnative update-rc.d perl-version pkgconfig
-# CVE-2011-2411 is valnerble only on HP NonStop Servers.
+CVE_STATUS[CVE-2011-2411] = "not-applicable-platform: vulnerable only on HP NonStop Servers"
-CVE_CHECK_IGNORE += "CVE-2011-2411" 
-# Patch for CVE-2018-1050 is applied in version 4.5.15, 4.6.13, 4.7.5.
-CVE_CHECK_IGNORE += "CVE-2018-1050"
-# Patch for CVE-2018-1057 is applied in version 4.3.13, 4.4.16.
-CVE_CHECK_IGNORE += "CVE-2018-1057"
 # remove default added RDEPENDS on perl
 RDEPENDS:${PN}:remove = "perl"
diff --git a/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb b/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb
index 46f1b70cb7..aff7954f50 100644
--- a/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb
+++ b/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb
@@ -46,18 +46,16 @@ PACKAGECONFIG[tls] = ",tls=no,mbedtls"
 CVE_PRODUCT = "apple:mdnsresponder"
-# CVE-2007-0613 is not applicable as it only affects Apple products
+CVE_STATUS[CVE-2007-0613] = "not-applicable-platform: Issue affects Apple products \
-# i.e. ichat,mdnsresponder, instant message framework and MacOS.
+i.e. ichat,mdnsresponder, instant message framework and MacOS. Also, \
-# Also, https://www.exploit-db.com/exploits/3230 shows the part of code
+https://www.exploit-db.com/exploits/3230 shows the part of code \
-# affected by CVE-2007-0613 which is not preset in upstream source code.
+affected by CVE-2007-0613 which is not preset in upstream source code. \
-# Hence, CVE-2007-0613 does not affect other Yocto implementations and
+Hence, CVE-2007-0613 does not affect other Yocto implementations and \
-# is not reported for other distros can be marked whitelisted.
+is not reported for other distros can be marked whitelisted. \
-# Links:
+Links: https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 \
-# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
+https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 \
-# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613
+https://security-tracker.debian.org/tracker/CVE-2007-0613 \
-# https://security-tracker.debian.org/tracker/CVE-2007-0613
+https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613"
-# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
-CVE_CHECK_IGNORE += "CVE-2007-0613"
 PARALLEL_MAKE = ""
diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc
index aaad0e00e1..7062d21462 100644
--- a/meta-networking/recipes-protocols/openflow/openflow.inc
+++ b/meta-networking/recipes-protocols/openflow/openflow.inc
@@ -13,10 +13,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2"
 SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master"
-CVE_CHECK_IGNORE = "\
+CVE_STATUS[CVE-2015-1611] = "not-applicable-config: Not referred to our implementation of openflow"
-    CVE-2015-1611 \
+CVE_STATUS[CVE-2015-1612] = "not-applicable-config: Not referred to our implementation of openflow"
-    CVE-2015-1612 \
+CVE_STATUS[CVE-2018-1078] = "cpe-incorrect: This CVE is not for this product but cve-check assumes it is \
-"
+because two CPE collides when checking the NVD database"
 DEPENDS = "virtual/libc"
@@ -58,7 +58,3 @@ do_install:append() {
 }
 FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
-# This CVE is not for this product but cve-check assumes it is
-# because two CPE collides when checking the NVD database
-CVE_CHECK_IGNORE = "CVE-2018-1078"
diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb b/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb
index 01e060e2f5..e41dd93f5d 100644
--- a/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb
+++ b/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb
@@ -71,5 +71,4 @@ FILES:${PN}-staticdev += "${libdir}/dovecot/*/*.a"
 FILES:${PN}-dev += "${libdir}/dovecot/libdovecot*.so"
 FILES:${PN}-dbg += "${libdir}/dovecot/*/.debug"
-# CVE-2016-4983 affects only postinstall script on specific distribution
+CVE_STATUS[CVE-2016-4983] = "not-applicable-platform: Affects only postinstall script on specific distribution."
-CVE_CHECK_IGNORE += "CVE-2016-4983"
diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb
index fba4611b99..e80ea4c149 100644
--- a/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb
+++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb
@@ -26,12 +26,11 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
 SRC_URI[sha256sum] = "103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866"
-# CVE-2016-9312 is only for windows.
+CVE_STATUS[CVE-2016-9312] = "not-applicable-platform: Issue only applies on Windows"
-# CVE-2019-11331 is inherent to RFC 5905 and cannot be fixed without breaking compatibility
+CVE_STATUS[CVE-2019-11331] = "upstream-wontfix: inherent to RFC 5905 and cannot be fixed without breaking compatibility"
-# The other CVEs are not correctly identified because cve-check
+CVE_STATUS_GROUPS += "CVE_STATUS_NTP"
-# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference)
+CVE_STATUS_NTP[status] = "fixed-version: Yocto CVE check can not handle 'p' in ntp version"
-CVE_CHECK_IGNORE += "\
+CVE_STATUS_NTP = " \
-    CVE-2016-9312 \
    CVE-2015-5146 \
    CVE-2015-5300 \
    CVE-2015-7975 \
@@ -51,7 +50,6 @@ CVE_CHECK_IGNORE += "\
    CVE-2016-7433 \
    CVE-2016-9310 \
    CVE-2016-9311 \
-    CVE-2019-11331 \
 "
diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb
index 76bce7db53..a5fc158749 100644
--- a/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb
+++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb
@@ -16,8 +16,7 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
 SRC_URI[sha256sum] = "13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6"
-# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn.
+CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"
-CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
 INITSCRIPT_PACKAGES = "${PN}"
 INITSCRIPT_NAME:${PN} = "openvpn"
diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb
index b3e687476b..5732f509b1 100644
--- a/meta-networking/recipes-support/spice/spice_git.bb
+++ b/meta-networking/recipes-support/spice/spice_git.bb
@@ -30,11 +30,7 @@ SRC_URI = " \
 S = "${WORKDIR}/git"
-CVE_CHECK_IGNORE += "\
+CVE_STATUS[CVE-2018-10893] = "fixed-version: patched already, caused by inaccurate CPE in the NVD database."
-    CVE-2016-0749 \
-    CVE-2016-2150 \
-    CVE-2018-10893 \
-"
 inherit autotools gettext python3native python3-dir pkgconfig
author	Andrej Valek <andrej.valek@siemens.com>	2023-07-26 11:50:09 +0200
committer	Khem Raj <raj.khem@gmail.com>	2023-07-27 08:54:40 -0700
commit	8af2f17a6fa8bf282c4c27054adbea1bf0873069 (patch)
tree	22b6484379a0f3d3e2b89f958dda0fd45f2a1880 /meta-networking
parent	4c201ede939610946847ccd4221320ed776224aa (diff)
download	meta-openembedded-8af2f17a6fa8bf282c4c27054adbea1bf0873069.tar.gz