grpc-go 1.59.0+git: Ignore CVE-2024-7246

Upstream Repository: https://github.com/grpc/grpc-go

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-7246
Type: Security Fix
CVE: CVE-2024-7246
Score: 6.3 (Medium)
Patch: https://github.com/grpc/grpc/issues/36245

Analysis:
-CVE-2024-7246 describes an HTTP/2 HPACK header table poisoning
 issue found in the gRPC C-core implementation (grpc/grpc).
-The vulnerability does not apply to the pure Go implementation
 (grpc-go) used in Yocto (meta-virtualization layer).
-Marking as not-applicable-config (implementation difference).
-The affected code path is not present in grpc-go.Hence ignoring the
  CVE for grpc-go.

Reference:
[1] https://nvd.nist.gov/vuln/detail/CVE-2024-7246
[2] https://github.com/grpc/grpc/issues/36245
[3] Upstream gRPC release notes confirming fixed versions for gRPC
    C-core (not grpc-go).

Signed-off-by: Anil Dongare <adongare@cisco.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>

1 files changed, 5 insertions, 0 deletions

diff --git a/recipes-devtools/go/grpc-go_git.bb b/recipes-devtools/go/grpc-go_git.bb
index 839a4f9c..c2990869 100644
--- a/recipes-devtools/go/grpc-go_git.bb
+++ b/recipes-devtools/go/grpc-go_git.bb
@@ -41,3 +41,8 @@ FILES:${PN} += " \
 # some CVEs are reported with "cpe:2.3:a:grpc:grpc:*:*:*:*:*:go:*:*"
 # it's better to have false positives than false negatives
 CVE_PRODUCT += "grpc"
+# CVE-2024-7246 is an HTTP/2 HPACK poisoning issue in gRPC C-core
+# (C/C++ implementation, meta-openembedded).
+# grpc-go (Go implementation in meta-virtualization) does not
+# contain the affected HPACK code path.
+CVE_STATUS[CVE-2024-7246] = "not-applicable-config: CVE is for grpc (C-core), not grpc-go."