summaryrefslogtreecommitdiffstats
path: root/meta/conf
diff options
context:
space:
mode:
authorJoshua Watt <JPEWhacker@gmail.com>2025-07-02 10:43:28 -0600
committerRichard Purdie <richard.purdie@linuxfoundation.org>2025-07-03 10:40:17 +0100
commit860aedadc9244e5979bb3750e321cab4c4cf3063 (patch)
treee15c781899b296593a5e0b56d445263176a2941f /meta/conf
parent2fef1b9af036e575b80b7b5135c0362a49647199 (diff)
downloadpoky-860aedadc9244e5979bb3750e321cab4c4cf3063.tar.gz
spdx30: Allow VEX Justification to be configurable
Instead of hard coding the VEX justifications for "Ignored" CVE status, add a map that configures what justification should be used for each status. This allows other justifications to be easily added, and also ensures that status fields added externally (by downstream) can set an appropriate justification if necessary. (From OE-Core rev: c0fa3d92cefa74fa57c6c48c94acc64aa454e781) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/conf')
-rw-r--r--meta/conf/cve-check-map.conf4
1 files changed, 4 insertions, 0 deletions
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..fc49fe0a50 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
28CVE_CHECK_STATUSMAP[disputed] = "Ignored" 28CVE_CHECK_STATUSMAP[disputed] = "Ignored"
29# use when vulnerability depends on build or runtime configuration which is not used 29# use when vulnerability depends on build or runtime configuration which is not used
30CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" 30CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
31CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
32
31# use when vulnerability affects other platform (e.g. Windows or Debian) 33# use when vulnerability affects other platform (e.g. Windows or Debian)
32CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" 34CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
35CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
36
33# use when upstream acknowledged the vulnerability but does not plan to fix it 37# use when upstream acknowledged the vulnerability but does not plan to fix it
34CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" 38CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
35 39