From c15e506a4674e558922c5a75512ca2b5c296cd44 Mon Sep 17 00:00:00 2001 From: Andrej Valek Date: Thu, 20 Jul 2023 09:19:50 +0200 Subject: cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS - Try to add convert and apply statuses for old CVEs - Drop some obsolete ignores, while they are not relevant for current version (From OE-Core rev: 1634ed4048cf56788cd5c2c1bdc979b70afcdcd7) Signed-off-by: Andrej Valek Reviewed-by: Peter Marko Signed-off-by: Alexandre Belloni Signed-off-by: Richard Purdie --- meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-- meta/recipes-connectivity/bind/bind_9.18.16.bb | 2 +- meta/recipes-connectivity/bluez5/bluez5_5.68.bb | 4 ++-- meta/recipes-connectivity/openssh/openssh_9.3p1.bb | 9 ++++----- meta/recipes-connectivity/openssl/openssl_3.1.1.bb | 3 +-- 5 files changed, 9 insertions(+), 12 deletions(-) (limited to 'meta/recipes-connectivity') diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index 1764997c41..d1c6f7f54a 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/" SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" -# Issue only affects Debian/SUSE, not us -CVE_CHECK_IGNORE += "CVE-2021-26720" +CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE" DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native" diff --git a/meta/recipes-connectivity/bind/bind_9.18.16.bb b/meta/recipes-connectivity/bind/bind_9.18.16.bb index 1b1649566a..d9b62bb8b0 100644 --- a/meta/recipes-connectivity/bind/bind_9.18.16.bb +++ b/meta/recipes-connectivity/bind/bind_9.18.16.bb @@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P9.(\d*[02468])+(\.\d+)+(-P\d+)*)/" # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore # so the issue doesn't affect us. -CVE_CHECK_IGNORE += "CVE-2019-6470" +CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore." inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb index 921f739fb8..f8405ed091 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb @@ -2,8 +2,8 @@ require bluez5.inc SRC_URI[sha256sum] = "fc505e6445cb579a55cacee6821fe70d633921522043d322b696de0a175ff933" -# These issues have kernel fixes rather than bluez fixes so exclude here -CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490" +CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes" +CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes" # noinst programs in Makefile.tools that are conditional on READLINE # support diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb index 42ce814523..3edc123b9a 100644 --- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb @@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar " SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8" -# This CVE is specific to OpenSSH with the pam opie which we don't build/use here -CVE_CHECK_IGNORE += "CVE-2007-2768" +CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here." # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_CHECK_IGNORE += "CVE-2014-9278" +CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \ +Red Hat Enterprise Linux 7 and when running in a Kerberos environment" -# CVE only applies to some distributed RHEL binaries -CVE_CHECK_IGNORE += "CVE-2008-3844" +CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries." PAM_SRC_URI = "file://sshd" diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb index 432ab4032b..c2a7173c84 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb @@ -255,6 +255,5 @@ CVE_PRODUCT = "openssl:openssl" CVE_VERSION_SUFFIX = "alphabetical" -# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough -CVE_CHECK_IGNORE += "CVE-2019-0190" +CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37" -- cgit v1.2.3-54-g00ecf