diff options
| author | Marta Rybczynska <rybczynska@gmail.com> | 2024-08-14 07:30:40 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-08-20 14:12:40 +0100 |
| commit | 72dd8c0d56379fcb6566f5b2fc53e7d1456a27d8 (patch) | |
| tree | 74f17fcd3430b3456e41f2e1db6473e6270a9d4d | |
| parent | 3859ff591568ac8879be602379ded9762d5fec26 (diff) | |
| download | poky-72dd8c0d56379fcb6566f5b2fc53e7d1456a27d8.tar.gz | |
cve-check-map: add new statuses
Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated
by the cve-check.
'fix-file-included' means that a fix file for the CVE has been located.
'version-not-in-range' means that the product version has been found outside of
the vulnerable range.
'version-in-range' means that the product version has been found inside of the
vulnerable range.
(From OE-Core rev: d25f1817752bc8a84c40dcbef75f7559801ce15e)
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/conf/cve-check-map.conf | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index 17b0f15571..ac956379d1 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf | |||
| @@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched" | |||
| 8 | CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" | 8 | CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" |
| 9 | # use when NVD DB does not mention correct version or does not mention any verion at all | 9 | # use when NVD DB does not mention correct version or does not mention any verion at all |
| 10 | CVE_CHECK_STATUSMAP[fixed-version] = "Patched" | 10 | CVE_CHECK_STATUSMAP[fixed-version] = "Patched" |
| 11 | # use when a fix file has been included (set automatically) | ||
| 12 | CVE_CHECK_STATUSMAP[fix-file-included] = "Patched" | ||
| 13 | # do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically) | ||
| 14 | CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched" | ||
| 11 | 15 | ||
| 12 | # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored | 16 | # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored |
| 13 | CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" | 17 | CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" |
| 14 | # use when CVE is confirmed by upstream but fix is still not available | 18 | # use when CVE is confirmed by upstream but fix is still not available |
| 15 | CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" | 19 | CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" |
| 20 | # do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically) | ||
| 21 | CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched" | ||
| 16 | 22 | ||
| 17 | # used for migration from old concept, do not use for new vulnerabilities | 23 | # used for migration from old concept, do not use for new vulnerabilities |
| 18 | CVE_CHECK_STATUSMAP[ignored] = "Ignored" | 24 | CVE_CHECK_STATUSMAP[ignored] = "Ignored" |
| @@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" | |||
| 26 | CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" | 32 | CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" |
| 27 | # use when upstream acknowledged the vulnerability but does not plan to fix it | 33 | # use when upstream acknowledged the vulnerability but does not plan to fix it |
| 28 | CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" | 34 | CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" |
| 35 | |||
| 36 | # use when it is impossible to conclude if the vulnerability is present or not | ||
| 37 | CVE_CHECK_STATUSMAP[unknown] = "Unknown" | ||