* Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-05-19 9:17 ` Mikko Rapeli
2023-05-19 13:09 ` Michael Opdenacker
` (20 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-19 9:17 UTC (permalink / raw)
To: andrej.valek; +Cc: openembedded-core, Peter Marko, docs, michael.opdenacker
Hi,
Looks good to me now. Thanks a lot!
Acked-by: Mikko Rapeli <mikko.rapeli@linaro.org>
Cheers,
-Mikko
* Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19 9:17 ` Mikko Rapeli
@ 2023-05-19 13:09 ` Michael Opdenacker
2023-05-19 13:19 ` Valek, Andrej
2023-06-12 11:57 ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
` (19 subsequent siblings)
21 siblings, 1 reply; 73+ messages in thread
From: Michael Opdenacker @ 2023-05-19 13:09 UTC (permalink / raw)
To: andrej.valek, openembedded-core; +Cc: Peter Marko
Hi Andrej,
On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows adding
> a status for each CVE.
> - The optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added to the csv/json report as
> a new "reason" entry.
I'm not a native English speaker, but what about just
"CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
"Reasoning" is a mental process if I understand correctly. See
https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
It seems to me that the term "reason" should be sufficient, as in the
"reason" flag that you're using.
I'd be interested in what others think about this...
Thanks in advance
Cheers
Michael.
--
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
2023-05-19 13:09 ` Michael Opdenacker
@ 2023-05-19 13:19 ` Valek, Andrej
2023-05-23 11:39 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-05-19 13:19 UTC (permalink / raw)
To: openembedded-core, michael.opdenacker; +Cc: Marko, Peter
Hello Michael,
I wanted to use "CVE_STATUS_REASON", but it was advised here
https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So
I was thinking that it has to be correct.
Regards,
Andrej
On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
>
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> > more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> > values "Ignored", "Not applicable" or "Patched". It allows adding
> > a status for each CVE.
> > - The optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added to the csv/json report as
> > a new "reason" entry.
>
>
> I'm not a native English speaker, but what about just
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
>
> "Reasoning" is a mental process if I understand correctly. See
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
> It seems to me that the term "reason" should be sufficient, as in the
> "reason" flag that you're using.
>
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
>
> Michael.
>
* RE: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
2023-05-19 13:19 ` Valek, Andrej
@ 2023-05-23 11:39 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
0 siblings, 0 replies; 73+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-05-23 11:39 UTC (permalink / raw)
To: andrej.valek, openembedded-core, michael.opdenacker, richard.purdie
Cc: Marko, Peter
Hello Richard and Andrej,
Recently, I have observed that the OpenEmbedded team is going beyond the "patched" status for CVEs. This change is required and helps to capture additional statuses.
We can identify and define the reason for a whitelisted CVE or a CVE that is not "patched".
Customers can get this reason and identify whether or not their product is vulnerable to a specific vulnerability.
VEX is the standard tool used by many customers to check the vulnerability of a product.
I suggest we adopt the VEX standard instead of "Ignored" or "Not applicable".
○ NOT AFFECTED – No remediation is required regarding this vulnerability.
○ AFFECTED – Actions are recommended to remediate or address this vulnerability.
○ FIXED – These product versions contain a fix for the vulnerability.
○ UNDER INVESTIGATION – It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.
The four main categories of the VEX standard cover all possible cases, which is what is required to consider all potential cases.
We can expand cve-check to validate against the main VEX statuses, and we can use the sub-status information as a possible reason for reference.
Please find below reference information on how VEX and SBOM can work together:
https://www.rezilion.com/guides/vulnerability-exploitability-exchange-vex-a-guide/
More information on VEX standards and use cases:
https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf
Thanks,
Sanjay
-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Friday, May 19, 2023 6:49 PM
To: openembedded-core@lists.openembedded.org; michael.opdenacker@bootlin.com
Cc: Marko, Peter <Peter.Marko@siemens.com>
Subject: Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
Hello Michael,
I wanted to use "CVE_STATUS_REASON", but it was advised here
https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So I was thinking that it has to be correct.
Regards,
Andrej
On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
>
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING]
> > to be more flexible. CVE_STATUS should contain a flag for each CVE
> > with accepted values "Ignored", "Not applicable" or "Patched". It
> > allows adding a status for each CVE.
> > - The optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added to the csv/json report
> > as a new "reason" entry.
>
>
> I'm not a native English speaker, but what about just
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
>
> "Reasoning" is a mental process if I understand correctly. See
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
> It seems to me that the term "reason" should be sufficient, as in the
> "reason" flag that you're using.
>
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
>
> Michael.
>
* [OE-core][PATCH v5 0/2] CVE-check handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19 9:17 ` Mikko Rapeli
2023-05-19 13:09 ` Michael Opdenacker
@ 2023-06-12 11:57 ` Andrej Valek
2023-06-12 11:57 ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
` (18 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:57 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
After discussion in all parallel threads, we proposed the following variant, which
covers both of the expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which may not be ideal but deals with the
conflicting responses we got.
Please guide us on which direction we need to go in to get further with the acceptance of this patch series.
The CVE_CHECK_IGNORE variable is now deprecated in favor of the CVE_STATUS variable.
The variable contains the same values as before ("Ignored", "Patched"
and "Unpatched"). The previous implementation has been extended by two
additional optional variables, CVE_STATUS_DETAIL and CVE_STATUS_DESCRIPTION.
meta/classes/cve-check.bbclass | 89 ++++++++++++++++---
meta/lib/oe/cve_check.py | 6 ++
meta/lib/oeqa/selftest/cases/cve_check.py | 26 ++++--
.../logrotate/logrotate_3.21.0.bb | 7 +-
4 files changed, 109 insertions(+), 19 deletions(-)
--
2.40.1
* [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (2 preceding siblings ...)
2023-06-12 11:57 ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
@ 2023-06-12 11:57 ` Andrej Valek
2023-06-15 12:47 ` Richard Purdie
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
` (17 subsequent siblings)
21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:57 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_DETAIL] +
[CVE_STATUS_DESCRIPTION] to be more flexible. CVE_STATUS should
contain a flag for each CVE with accepted values "Ignored", "Patched"
or "Unpatched". It allows adding a status for each CVE.
- The optional CVE_STATUS_DETAIL flag variable may contain a detailed
status. Possible options for each status:
- Patched
- fixed-version, backported-patch, cpe-stable-backport or other
- Unpatched
- vulnerable-investigating or other
- Ignored
- cpe-incorrect, not-applicable-platform, upstream-wontfix,
not-applicable-config, not-affected or other
- The optional CVE_STATUS_DESCRIPTION flag variable may contain a reason
why the CVE status was used. Both optionals will be added to the csv/json
report as new "detail" and "description" entries.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
the value "Ignored" as a fallback.
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
CVE_STATUS[CVE-1234-0002] = "Ignored"
CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Ignored"
CVE_STATUS_WIN[detail] = "not-applicable-platform"
CVE_STATUS_WIN[description] = "Issue only applies on Windows"
CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[detail] = "fixed-version"
CVE_STATUS_PATCHED[description] = "Fixed externally"
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 89 +++++++++++++++++++++++++++++-----
meta/lib/oe/cve_check.py | 6 +++
2 files changed, 83 insertions(+), 12 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..62676ba5bc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,16 @@ CVE_CHECK_COVERAGE ??= "1"
# Skip CVE Check for packages (PN)
CVE_CHECK_SKIP_RECIPE ?= ""
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
#
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
+# CVE_STATUS[CVE-1234-0002] = "Ignored"
+# CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
+# CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
CVE_CHECK_IGNORE ?= ""
# Layers to be excluded
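Review bot: the new comment block ("# Replace NVD DB check status for a given CVE ...") documents only the per-CVE form of CVE_STATUS, while the CVE_STATUS_GROUPS mechanism this same patch adds (a group variable carrying the CVE list with [status], [detail] and [description] flags) is not documented anywhere in the class, so a recipe author reading cve-check.bbclass gets no example of it and no list of the accepted detail values. Suggest adding the group form here, e.g. `CVE_STATUS_GROUPS = "CVE_STATUS_WIN"`, `CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"`, `CVE_STATUS_WIN[status] = "Ignored"`, plus the allowed values per status that get_cve_detail() enforces. Minor wording: "Each of CVE has to be mentioned separately" reads better as "Each CVE has to be listed separately".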
@@ -88,6 +92,47 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+python () {
+ # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+ cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+ if cve_check_ignore:
+ bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+ set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+ # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+ for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+ cve_group = d.getVar(cve_status_group)
+ if cve_group is not None:
+ set_cves_statuses(d, cve_group,
+ d.getVarFlag(cve_status_group, "status"),
+ d.getVarFlag(cve_status_group, "detail"),
+ d.getVarFlag(cve_status_group, "description"))
+ else:
+ bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
+def set_cves_statuses(d, cves, status, detail="", description=""):
+ for cve in cves.split():
+ d.setVarFlag("CVE_STATUS", cve, status)
+ d.setVarFlag("CVE_STATUS_DETAIL", cve, detail)
+ d.setVarFlag("CVE_STATUS_DESCRIPTION", cve, description)
+
+def get_cve_detail(d, cve, status):
+ detail = d.getVarFlag("CVE_STATUS_DETAIL", cve)
+ if detail is not None:
+ if status == "Patched":
+ if detail in ["fixed-version", "backported-patch", "cpe-stable-backport", "other"]:
+ return detail
+ elif status == "Unpatched":
+ if detail in ["vulnerable-investigating", "other"]:
+ return detail
+ else:
+ if detail in ["cpe-incorrect", "not-applicable-platform", "upstream-wontfix",
+ "not-applicable-config", "not-affected", "other"]:
+ return detail
+ bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s"' % (detail, cve, status))
+ return ""
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
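Review bot: set_cves_statuses() always writes the CVE_STATUS_DETAIL flag, so every CVE migrated from CVE_CHECK_IGNORE gets the default detail "" stored; get_cve_detail() then takes the `detail is not None` branch, finds "" in none of the allowed lists and emits `Invalid detail  for CVE_STATUS[...] = "Ignored"` once per migrated CVE, turning the deprecation path into a wall of spurious warnings. Either test `if detail:` in get_cve_detail(), or only call d.setVarFlag() for detail and description when a non-empty value was given. Separately, set_cves_statuses() overwrites a status the recipe already set per CVE, so the CVE_CHECK_IGNORE fallback (or a later group) silently downgrades an explicit CVE_STATUS[...] = "Patched" to "Ignored"; skipping CVEs that already carry a CVE_STATUS flag and warning about the conflict keeps the explicit setting authoritative.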
@@ -282,7 +327,13 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been skipped by cve-check")
return ([], [], [], [])
- cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+ # Convert CVE_STATUS into ignored CVEs and check validity
+ cve_ignore = []
+ for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+ if status == "Ignored":
+ cve_ignore.append(cve)
+ elif status not in ["Patched", "Unpatched"]:
+ bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
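Review bot: the CVE_STATUS validation runs here inside check_cves(), i.e. at do_cve_check time, and after bb.error() the CVE with the unrecognised status simply stays out of cve_ignore and is reported as Unpatched, so a typo such as "Pached" degrades silently into a false positive in the report. Validating the flags in the anonymous python function added earlier in this patch (which already walks CVE_CHECK_IGNORE and CVE_STATUS_GROUPS at parse time) surfaces the mistake as soon as the recipe is parsed, and bb.fatal() there avoids a half-valid report.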
@@ -441,20 +492,28 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
is_patched = cve in patched
is_ignored = cve in ignored
+ status = "Unpatched"
if (is_patched or is_ignored) and not report_all:
continue
+ if is_ignored:
+ status = "Ignored"
+ elif is_patched:
+ status = "Patched"
+ else:
+ # default value of status is Unpatched
+ unpatched_cves.append(cve)
write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- if is_ignored:
- write_string += "CVE STATUS: Ignored\n"
- elif is_patched:
- write_string += "CVE STATUS: Patched\n"
- else:
- unpatched_cves.append(cve)
- write_string += "CVE STATUS: Unpatched\n"
+ write_string += "CVE STATUS: %s\n" % status
+ detail = get_cve_detail(d, cve, status)
+ if detail:
+ write_string += "CVE DETAIL: %s\n" % detail
+ description = d.getVarFlag("CVE_STATUS_DESCRIPTION", cve)
+ if description:
+ write_string += "CVE DESCRIPTION: %s\n" % description
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -576,6 +635,12 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"status" : status,
"link": issue_link
}
+ detail = get_cve_detail(d, cve, status)
+ if detail:
+ cve_item["detail"] = detail
+ description = d.getVarFlag("CVE_STATUS_DESCRIPTION", cve)
+ if description:
+ cve_item["description"] = description
cve_list.append(cve_item)
package_data["issue"] = cve_list
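Review bot: get_cve_detail() is now called once from cve_write_data_text() and again here from cve_write_data_json() for the same CVE, so an invalid detail is warned about twice per CVE per recipe. Resolving and validating the detail once (for example when check_cves() builds the ignored list) and passing the result into both writers removes the duplicate warning and keeps the text and JSON reports from diverging.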
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..f47dd9920e 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+ # Search for additional patched CVEs
+ for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+ if status == "Patched":
+ bb.debug(2, "CVE %s is additionally patched" % cve)
+ patched_cves.add(cve)
+
return patched_cves
--
2.40.1
* Re: [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs
2023-06-12 11:57 ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-15 12:47 ` Richard Purdie
0 siblings, 0 replies; 73+ messages in thread
From: Richard Purdie @ 2023-06-15 12:47 UTC (permalink / raw)
To: andrej.valek, openembedded-core; +Cc: Peter Marko
On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek via
lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_DETAIL] +
> [CVE_STATUS_DESCRIPTION] to be more flexible. CVE_STATUS should
> contain a flag for each CVE with accepted values "Ignored", "Patched"
> or "Unpatched". It allows adding a status for each CVE.
> - The optional CVE_STATUS_DETAIL flag variable may contain a detailed
> status. Possible options for each status:
> - Patched
> - fixed-version, backported-patch, cpe-stable-backport or other
> - Unpatched
> - vulnerable-investigating or other
> - Ignored
> - cpe-incorrect, not-applicable-platform, upstream-wontfix,
> not-applicable-config, not-affected or other
> - The optional CVE_STATUS_DESCRIPTION flag variable may contain a reason
> why the CVE status was used. Both optionals will be added to the csv/json
> report as new "detail" and "description" entries.
> - Setting the same status and reason for multiple CVEs is possible
> via the CVE_STATUS_GROUPS variable.
> - All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> the value "Ignored" as a fallback.
>
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
> CVE_STATUS[CVE-1234-0002] = "Ignored"
> CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
> CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
>
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Ignored"
> CVE_STATUS_DETAIL[detail] = "not-applicable-platform"
> CVE_STATUS_WIN[description] = "Issue only applies on Windows"
>
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_DETAIL[detail] = "fixed-version"
> CVE_STATUS_PATCHED[description] = "Fixed externally"
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/classes/cve-check.bbclass | 89 +++++++++++++++++++++++++++++-----
> meta/lib/oe/cve_check.py | 6 +++
> 2 files changed, 83 insertions(+), 12 deletions(-)
I'm afraid I really don't like this :(. Why?:
* we now have three different pieces of information, "status", "detail"
and "description" when we should only need two
* this needs a group mapping mechanism which is confusing above
* the information is spread over multiple differently named variables
* two pieces of the status information are connected in a hardcoded way
As a counter proposal, consider:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0003] = "fixed-version: Fixed externally"
CVE_STATUS[CVE-1234-0004] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
which conveys the same information with a slight bit of copy/paste but
not at a level I'd lose sleep over. To me it is a lot more readable.
Thoughts?
Cheers,
Richard
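Richard's counter-proposal above (which the v6 patch later in this thread adopts) encodes each CVE_STATUS value as "<detail>: <description>" and resolves the generic status through CVE_CHECK_STATUSMAP, and Sanjay's earlier message asks for the result to line up with the four VEX states. The decoder below is an added example, not code from OE-core or from any poster: the STATUSMAP keys are the ones quoted in the thread, while the VEX mapping, the sample flags and the rule that "vulnerable-investigating" maps to "under_investigation" are assumptions constructed here.

```python
"""Decode cve-check CVE_STATUS values of the form "<detail>: <description>"."""
import re
from dataclasses import dataclass

# Detailed status -> generic cve-check status. The keys and values are the
# CVE_CHECK_STATUSMAP entries quoted in the thread; a distro or recipe would
# extend this map the same way.
STATUSMAP = {
    "patched": "Patched",
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored",
    "cpe-incorrect": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
    "not-applicable-config": "Ignored",
    "not-affected": "Ignored",
}

# Generic status -> VEX state. Constructed for this example (cve-check itself
# does not emit VEX); "under_investigation" is derived from the detail below.
VEX_STATUS = {"Patched": "fixed", "Ignored": "not_affected", "Unpatched": "affected"}

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")


class CveStatusError(ValueError):
    """Raised for a malformed CVE id, an empty detail or an unmapped detail."""


@dataclass(frozen=True)
class CveStatus:
    cve: str
    status: str        # generic cve-check status: Ignored / Patched / Unpatched
    detail: str        # detailed status key (mandatory, before the first colon)
    description: str   # free text after the colon, may be empty
    vex: str           # VEX state derived from status and detail


def decode_cve_status(cve, value, statusmap=STATUSMAP):
    """Split one CVE_STATUS flag into its parts and resolve the generic status."""
    if not CVE_ID.match(cve):
        raise CveStatusError(f"invalid CVE id {cve!r}")
    # Only the first colon separates detail from description, so the free
    # text may itself contain colons.
    detail, _sep, description = value.partition(":")
    detail, description = detail.strip(), description.strip()
    if not detail:
        raise CveStatusError(f"{cve}: empty detail in {value!r}")
    try:
        status = statusmap[detail]
    except KeyError:
        raise CveStatusError(
            f"{cve}: unknown detail {detail!r}; add CVE_CHECK_STATUSMAP[{detail}]"
        ) from None
    # An Unpatched CVE still under triage is "under investigation" in VEX terms.
    vex = "under_investigation" if detail == "vulnerable-investigating" else VEX_STATUS[status]
    return CveStatus(cve, status, detail, description, vex)


def decode_cve_status_flags(flags, statusmap=STATUSMAP):
    """Decode every flag of CVE_STATUS; bad entries are collected, not fatal,
    so one typo does not hide the rest of the report."""
    entries, errors = [], []
    for cve, value in sorted(flags.items()):
        try:
            entries.append(decode_cve_status(cve, value, statusmap))
        except CveStatusError as exc:
            errors.append(str(exc))
    return entries, errors


def report_items(entries):
    """Shape entries like the JSON report's "issue" items ("id", "status",
    "detail", "description") plus the derived VEX state."""
    items = []
    for entry in entries:
        item = {"id": entry.cve, "status": entry.status,
                "detail": entry.detail, "vex_status": entry.vex}
        if entry.description:          # optional, like in the patch
            item["description"] = entry.description
        items.append(item)
    return items


# Constructed sample, shaped like what d.getVarFlags("CVE_STATUS") returns.
SAMPLE_FLAGS = {
    "CVE-1234-0001": "not-applicable-platform: Issue only applies on Windows",
    "CVE-1234-0002": "fixed-version: Fixed externally",
    "CVE-1234-0003": "vulnerable-investigating: upstream triage pending",
    "CVE-1234-0004": "patched",                  # detail only, no description
    "CVE-1234-0005": "wontfix: not in the map",  # unmapped detail -> error
}

if __name__ == "__main__":
    decoded, problems = decode_cve_status_flags(SAMPLE_FLAGS)
    for item in report_items(decoded):
        print(item)
    for problem in problems:
        print("ERROR:", problem)
```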
* [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (3 preceding siblings ...)
2023-06-12 11:57 ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-12 11:57 ` Andrej Valek
2023-06-12 12:01 ` Valek, Andrej
2023-06-12 11:59 ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
` (16 subsequent siblings)
21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:57 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
All mentioned CVEs are related to the HSTS check feature, which is not
implemented in version 7.69.1.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..ea36c0bd3d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
# This CVE issue affects Windows only Hence whitelisting this CVE
CVE_CHECK_WHITELIST += "CVE-2021-22897"
+# HSTS check feature is not implemented
+CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
+
inherit autotools pkgconfig binconfig multilib_header
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
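Review bot: one shared comment ("HSTS check feature is not implemented") justifies three whitelist entries at once, while the series this was sent with is about recording a reason per CVE; a justification has to hold for each id on its own, so verify each CVE's affected version range against 7.69.1 individually and give each entry (or each group that genuinely shares a reason) its own comment. Note also that on dunfell this still goes through CVE_CHECK_WHITELIST, so none of the CVE_STATUS detail/description from patch 1/2 reaches the report for these entries.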
--
2.39.2
* Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
@ 2023-06-12 12:01 ` Valek, Andrej
0 siblings, 0 replies; 73+ messages in thread
From: Valek, Andrej @ 2023-06-12 12:01 UTC (permalink / raw)
To: openembedded-core
This was sent by mistake, please ignore it.
Andrej
On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek wrote:
> All mentioned CVEs are related to the HSTS check feature, which is not
> implemented in version 7.69.1.
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-
> 2021-22926 CVE-2021-229
> # This CVE issue affects Windows only Hence whitelisting this CVE
> CVE_CHECK_WHITELIST += "CVE-2021-22897"
>
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
> inherit autotools pkgconfig binconfig multilib_header
>
> PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls
> libidn proxy threaded-resolver verbose zlib"
* [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (4 preceding siblings ...)
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
@ 2023-06-12 11:59 ` Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
` (15 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
- After introducing the CVE_STATUS_DETAIL and CVE_STATUS_DESCRIPTION flag
variables, CVEs can carry more information about their assigned statuses.
- Add an example conversion in the logrotate recipe.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++++++++++++++----
.../logrotate/logrotate_3.21.0.bb | 7 +++--
2 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
self.assertEqual(len(report["package"]), 1)
package = report["package"][0]
self.assertEqual(package["name"], "logrotate")
- found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ found_cves = {}
+ for issue in package["issue"]:
+ found_cves[issue["id"]] = {
+ "status" : issue["status"],
+ "detail" : issue["detail"] if "detail" in issue else "",
+ "description" : issue["description"] if "description" in issue else ""
+ }
# m4 CVE should not be in logrotate
self.assertNotIn("CVE-2008-1687", found_cves)
# logrotate has both Patched and Ignored CVEs
self.assertIn("CVE-2011-1098", found_cves)
- self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+ detail = "not-applicable-platform"
+ description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
self.assertIn("CVE-2011-1548", found_cves)
- self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
self.assertIn("CVE-2011-1549", found_cves)
- self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
self.assertIn("CVE-2011-1550", found_cves)
- self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
self.assertExists(summary_json)
check_m4_json(summary_json)
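Review bot: style in the found_cves loop: `issue["detail"] if "detail" in issue else ""` is `issue.get("detail", "")`, and likewise for description; and `self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)` reads more directly as `assertEqual(found_cves["CVE-2011-1098"]["detail"], "")`. The detail and description literals asserted here duplicate the values set in the logrotate recipe in the second hunk of this patch, so a comment naming that source would save the next person editing the recipe from a surprising selftest failure.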
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..48497138be 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[detail] = "not-applicable-platform"
+CVE_STATUS_RECIPE[description] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
--
2.40.1
* [OE-core][PATCH v6 0/2] RFC: CVE-check handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (5 preceding siblings ...)
2023-06-12 11:59 ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
@ 2023-06-20 14:15 ` Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
` (14 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-20 14:15 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
After discussion in all parallel threads, we proposed the following variant, which
covers both of the expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which may not be ideal but deals with the
conflicting responses we got.
This patch version is missing the commit for the CVE_CHECK_IGNORE to CVE_STATUS
conversion, as it is a large effort and the current implementation is still under
discussion. Once the concept is agreed, that commit will be added in the next
patchset version.
Documentation is not updated either while the current implementation is still under
discussion.
meta/classes/cve-check.bbclass | 86 ++++++++++++++++---
meta/lib/oe/cve_check.py | 25 ++++++
meta/lib/oeqa/selftest/cases/cve_check.py | 26 ++++--
.../logrotate/logrotate_3.21.0.bb | 5 +-
4 files changed, 122 insertions(+), 20 deletions(-)
--
2.41.0
* [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (6 preceding siblings ...)
2023-06-20 14:15 ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
@ 2023-06-20 14:15 ` Andrej Valek
2023-06-21 5:07 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 7:55 ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15 ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
` (13 subsequent siblings)
21 siblings, 2 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-20 14:15 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- a more detailed status enum
- description: free text describing the reason for the status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 86 +++++++++++++++++++++++++++++-----
meta/lib/oe/cve_check.py | 25 ++++++++++
2 files changed, 98 insertions(+), 13 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..6710c1d6bb 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,35 @@ CVE_CHECK_COVERAGE ??= "1"
# Skip CVE Check for packages (PN)
CVE_CHECK_SKIP_RECIPE ?= ""
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
#
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
#
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
CVE_CHECK_IGNORE ?= ""
+# Possible options for CVE statuses
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_STATUSMAP[not-affected] = "Ignored"
+
# Layers to be excluded
CVE_CHECK_LAYER_EXCLUDELIST ??= ""
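Review bot: the usage comment in this hunk ("Each of CVE has to be mentioned separately") is contradicted by the CVE_STATUS_GROUPS expansion added in the next hunk, and the twelve CVE_CHECK_STATUSMAP keys carry no explanation of when each applies, so a recipe author cannot tell "not-affected" from "not-applicable-platform" or "cpe-incorrect" (all three map to "Ignored"). Add a one-line comment per key, document CVE_STATUS_GROUPS and its [status] flag next to the CVE_STATUS examples, and reword "Replace NVD DB check status for a given CVE" to say what it does: override the status the NVD lookup would otherwise report for that CVE in this recipe ("Each of CVE" should also read "Each CVE").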
@@ -88,6 +109,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+python () {
+ # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+ cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+ if cve_check_ignore:
+ bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+ for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+ d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+ # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+ for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+ cve_group = d.getVar(cve_status_group)
+ if cve_group is not None:
+ for cve in cve_group.split():
+ d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+ else:
+ bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
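Review bot: the fallback loop sets CVE_STATUS[cve] to "ignored" unconditionally, so a CVE that a recipe already marks with an explicit detail (for example "fixed-version: ...") is silently downgraded to Ignored whenever a distro configuration still lists it in CVE_CHECK_IGNORE; skip CVEs that already have a flag (`if not d.getVarFlag("CVE_STATUS", cve):`) or warn about the conflict. Two smaller points: `cve_check_ignore` already holds the value, so re-reading `d.getVar("CVE_CHECK_IGNORE")` in the `for` is redundant, and the group branch stores `d.getVarFlag(cve_status_group, "status")` without checking it is set, so a group variable without a [status] flag gets an empty status and every CVE in it is later skipped without any warning.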
@@ -260,7 +299,7 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- from oe.cve_check import Version, convert_cve_version
+ from oe.cve_check import Version, convert_cve_version, decode_cve_status
pn = d.getVar("PN")
real_pv = d.getVar("PV")
@@ -282,7 +321,12 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been skipped by cve-check")
return ([], [], [], [])
- cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+ # Convert CVE_STATUS into ignored CVEs and check validity
+ cve_ignore = []
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Ignored":
+ cve_ignore.append(cve)
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
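Review bot: decode_cve_status() is called here for every CVE_STATUS flag and again in get_patched_cves(), cve_write_data_text() and cve_write_data_json(), so one invalid detail produces the same "Invalid detail ... fallback to Unpatched" warning several times per recipe and per task. Validate all CVE_STATUS flags once (the anonymous python function at parse time is the natural place) and let the later calls only translate, or decode once into a dict at the top of check_cves() and pass it along. The comment "check validity" is misleading as written, since the only validation is the warning inside decode_cve_status().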
@@ -413,6 +457,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
CVE manifest if enabled.
"""
+ from oe.cve_check import decode_cve_status
+
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
@@ -441,20 +487,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
is_patched = cve in patched
is_ignored = cve in ignored
+ status = "Unpatched"
if (is_patched or is_ignored) and not report_all:
continue
+ if is_ignored:
+ status = "Ignored"
+ elif is_patched:
+ status = "Patched"
+ else:
+ # default value of status is Unpatched
+ unpatched_cves.append(cve)
write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- if is_ignored:
- write_string += "CVE STATUS: Ignored\n"
- elif is_patched:
- write_string += "CVE STATUS: Patched\n"
- else:
- unpatched_cves.append(cve)
- write_string += "CVE STATUS: Unpatched\n"
+ write_string += "CVE STATUS: %s\n" % status
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ write_string += "CVE DETAIL: %s\n" % detail
+ if description:
+ write_string += "CVE DESCRIPTION: %s\n" % description
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
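Review bot: `status` is derived from the `patched`/`ignored` sets while the mapped status returned by decode_cve_status() is thrown away (`_, detail, description = ...`), so the two can disagree: a CVE matched by a patch file that the recipe also lists with an Ignored detail is reported as Ignored with no trace that a fix is applied, and a CVE whose detail fell back to Unpatched still prints its unknown detail as CVE DETAIL. Use the decoded status when it is set and warn when it conflicts with the sets. Minor: CVE DETAIL and CVE DESCRIPTION are only emitted when non-empty, which makes the text record's field set variable; consumers of the text format need to know these two fields are optional.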
@@ -516,6 +569,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
Prepare CVE data for the JSON format, then write it.
"""
+ from oe.cve_check import decode_cve_status
+
output = {"version":"1", "package": []}
nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -576,6 +631,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"status" : status,
"link": issue_link
}
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ cve_item["detail"] = detail
+ if description:
+ cve_item["description"] = description
cve_list.append(cve_item)
package_data["issue"] = cve_list
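Review bot: the JSON output gains optional "detail" and "description" keys but `"version":"1"` in the report header is left unchanged; either bump the version or state that the new keys are optional, since a consumer written against the old format that indexes `issue["detail"]` will raise KeyError on every patch-file Patched entry. Emitting both keys always, with an empty string when CVE_STATUS has nothing to say, would avoid the version question and the `if "detail" in issue` dance in every consumer.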
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+ # Search for additional patched CVEs
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Patched":
+ bb.debug(2, "CVE %s is additionally patched" % cve)
+ patched_cves.add(cve)
+
return patched_cves
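Review bot: any flag name under CVE_STATUS is accepted as a CVE identifier here, so a typo such as a missing digit or a lower-case "cve-" prefix creates an entry that never matches anything while the real CVE stays reported, with no warning; since this loop is where CVE_STATUS feeds the patched set, a cheap check (`re.match(r"CVE-\d{4}-\d{4,}$", cve)` with a bb.warn) would catch those. Note also that this function lives in meta/lib/oe/cve_check.py and can be called from tasks that do not inherit cve-check.bbclass, where the CVE_CHECK_STATUSMAP defaults from the first hunk are absent and every CVE_STATUS entry would fall back to Unpatched with a warning; either move the map defaults into the library or have decode_cve_status() stay quiet when the map is not defined at all.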
@@ -218,3 +225,21 @@ def convert_cve_version(version):
return version + update
+def decode_cve_status(d, cve):
+ """
+ Convert CVE_STATUS into status, detail and description.
+ """
+ status = d.getVarFlag("CVE_STATUS", cve)
+ if status is None:
+ return ("", "", "")
+
+ status_split = status.split(':', 1)
+ detail = status_split[0]
+ description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+ status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+ if status_mapping is None:
+ bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+ status_mapping = "Unpatched"
+
+ return (status_mapping, detail, description)
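Review bot: `detail` is taken from `status.split(':', 1)[0]` without `.strip()`, so a value written as "fixed-version : Fixed externally" or " fixed-version: ..." (both plausible in hand-edited recipes) fails the CVE_CHECK_STATUSMAP lookup and becomes Unpatched with a warning; strip it, and consider lower-casing before the lookup since every map key is lower-case. The fallback to Unpatched is the right fail-safe direction (a typo can never hide a CVE), but the function has no way to distinguish "unknown detail" from "no map at all", so the warning text should mention CVE_CHECK_STATUSMAP to make the second case diagnosable.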
--
2.41.0
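The status decoding described in the commit message can be checked outside a build. The Python below is an added example written for this page, not code from the OE-core patch or from the project: it re-implements the patch's rules (detail before the first ':', free-text description after it, CVE_CHECK_STATUSMAP lookup, fallback to "Unpatched" with a warning, the CVE_CHECK_IGNORE conversion and the CVE_STATUS_GROUPS expansion) over a deliberately simplified recipe parser, so a layer's CVE_STATUS lines can be linted before bitbake runs. The recipe fragment, the simplified assignment grammar (one assignment per line, double-quoted values, no overrides or line continuations), and the extra warnings for an ignore-list conflict, a group without a [status] flag and a malformed CVE id are the example's own assumptions; the status map is copied from the patch.

```python
"""Resolve CVE_STATUS entries the way the patched cve-check class does.

Added example for this page, not code from the OE-core patch.  It mirrors
the patch's decoding rules on top of a simplified recipe parser (assumption:
one assignment per line, double-quoted value, no overrides or continuations).
"""
import re
from typing import Dict, List, Optional, Tuple

# Copied from the v6 patch's CVE_CHECK_STATUSMAP defaults.
DEFAULT_STATUSMAP = {
    "patched": "Patched", "fixed-version": "Patched",
    "backported-patch": "Patched", "cpe-stable-backport": "Patched",
    "unpatched": "Unpatched", "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored", "cpe-incorrect": "Ignored",
    "not-applicable-platform": "Ignored", "upstream-wontfix": "Ignored",
    "not-applicable-config": "Ignored", "not-affected": "Ignored",
}

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Simplified BitBake assignment grammar (example assumption).
ASSIGN_RE = re.compile(
    r'^\s*(?P<var>[A-Za-z0-9_]+)(?:\[(?P<flag>[^\]]+)\])?\s*'
    r'(?P<op>\?\?=|\?=|\+=|=)\s*"(?P<val>.*)"\s*$'
)

# Constructed recipe fragment; the CVE-1234-* ids are placeholders.
SAMPLE_RECIPE = """\
CVE_CHECK_IGNORE += "CVE-2011-1548"
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_STATUS[CVE-1234-0003] = "fixed-versoin: typo in the detail"
CVE_STATUS[CVE-1234-0004] = " cpe-incorrect: leading space is not stripped"
CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE CVE_STATUS_MISSING"
CVE_STATUS_RECIPE = "CVE-2011-1549 CVE-2011-1550"
CVE_STATUS_RECIPE[status] = "not-applicable-platform: distro specific install"
"""


def parse_recipe(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Collect plain variables and [flag] values from recipe lines."""
    variables: Dict[str, str] = {}
    flags: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = ASSIGN_RE.match(line)
        if not match or line.lstrip().startswith("#"):
            continue
        var, flag, op, val = match.group("var", "flag", "op", "val")
        if flag is not None:
            flags.setdefault(var, {})[flag] = val
        elif op == "+=":
            variables[var] = (variables.get(var, "") + " " + val).strip()
        elif op in ("?=", "??=") and var in variables:
            continue  # weak assignment: an existing value wins
        else:
            variables[var] = val
    return variables, flags


def resolve_cve_status(variables, flags, statusmap: Optional[Dict[str, str]] = None):
    """Apply the patch's parse-time conversions, then decode each CVE_STATUS.

    Returns ({cve: (status, detail, description)}, [warning, ...]).
    """
    statusmap = DEFAULT_STATUSMAP if statusmap is None else statusmap
    warnings: List[str] = []
    cve_status = dict(flags.get("CVE_STATUS", {}))

    # Deprecated CVE_CHECK_IGNORE: as in the patch, every listed CVE becomes
    # "ignored", overwriting an explicit CVE_STATUS for the same CVE.
    ignore = variables.get("CVE_CHECK_IGNORE", "")
    if ignore:
        warnings.append("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
        for cve in ignore.split():
            if cve in cve_status:  # extra lint check, not in the patch
                warnings.append(f"CVE_CHECK_IGNORE overrides CVE_STATUS[{cve}]")
            cve_status[cve] = "ignored"

    # CVE_STATUS_GROUPS: the group's [status] flag applies to every CVE listed.
    for group in variables.get("CVE_STATUS_GROUPS", "").split():
        if group not in variables:
            warnings.append(f"CVE_STATUS_GROUPS contains undefined variable {group}")
            continue
        group_status = flags.get(group, {}).get("status")
        if group_status is None:  # extra lint check, not in the patch
            warnings.append(f"{group} has no [status] flag, its CVEs get no status")
            continue
        for cve in variables[group].split():
            cve_status[cve] = group_status

    resolved: Dict[str, Tuple[str, str, str]] = {}
    for cve, value in cve_status.items():
        if not CVE_ID_RE.match(cve):  # extra lint check, not in the patch
            warnings.append(f"{cve!r} is not a CVE identifier")
        # Same split as decode_cve_status(): detail is everything before the
        # first ':' and is NOT stripped, so stray whitespace fails the lookup.
        detail, _, description = value.partition(":")
        status = statusmap.get(detail)
        if status is None:
            warnings.append(f'Invalid detail {detail} for CVE_STATUS[{cve}] = "{value}", '
                            "fallback to Unpatched")
            status = "Unpatched"
        resolved[cve] = (status, detail, description.strip())
    return resolved, warnings


if __name__ == "__main__":
    variables, flags = parse_recipe(SAMPLE_RECIPE)
    for cve, (status, detail, desc) in resolve_cve_status(variables, flags)[0].items():
        print(f"{cve}: {status} ({detail}) {desc}")
    # Empty map: what a task sees when cve-check.bbclass was not inherited.
    print(resolve_cve_status(variables, flags, statusmap={})[1][-1])
```

Running it on the sample shows the two fail-safe cases that matter to a recipe author: a typo in the detail and a detail with leading whitespace both end up as Unpatched with a warning, exactly as the patch's decode_cve_status() behaves, and passing an empty map (what a task sees when cve-check.bbclass has not been inherited) turns every entry into Unpatched.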
* RE: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-21 5:07 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 6:48 ` [PATCH " Siddharth
2023-06-21 7:55 ` [OE-core][PATCH " Luca Ceresoli
1 sibling, 1 reply; 73+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-06-21 5:07 UTC (permalink / raw)
To: openembedded-core, Richard Purdie, adrian.freihofer
Cc: Peter Marko, Andrej Valek
Dear Richard and Adrian,
I appreciate the efforts of Andrej and Peter; you have done a great job improving the CVE-specific security area.
As I mentioned, information on and the importance of VEX status for future use cases:
https://patchwork.yoctoproject.org/project/oe-core/patch/20230519081850.82586-1-andrej.valek@siemens.com/#10797
I can see community members are also in favour of VEX:
https://patchwork.yoctoproject.org/project/oe-core/patch/20230519062420.37015-1-andrej.valek@siemens.com/#11120
We can start looking in that direction, because to adopt an initial VEX template we only need minor modifications on top of Andrej's development.
In the current implementation we have three main categories of status: "Patched", "Ignored" and "Unpatched".
On top of these we want to add comment information, which can be added in JSON format for further processing.
VEX has four main categories: Fixed, Not Affected, Affected and Under Investigation.
Richard has rightly mentioned that we don't require the Affected status, as those CVEs would be fixed in the near future once a fix is available in the source of the specific package.
We can map our existing statuses to VEX statuses as below.
Existing Status | VEX adoption
----------------|--------------------
Patched         | Fixed
Ignore          | Not Affected
Not required    | Not Affected
Unpatched       | Under Investigation
Fixed and Under Investigation don't require any sub-status, as their status is sufficient to explain their case.
To get more information on the possible sub-statuses of the Not Affected status, we can follow the reference document below.
https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf : 2.0 Status Justifications Overview
This document covers all the possible cases which have already been discussed or may come up in future development.
Thank you, Richard, for considering my request.
I would appreciate comments from you and the community on the adoption of VEX.
Thanks,
Sanjay Chitroda
* Re: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21 5:07 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
@ 2023-06-21 7:55 ` Luca Ceresoli
1 sibling, 0 replies; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-21 7:55 UTC (permalink / raw)
To: Andrej Valek via lists.openembedded.org
Cc: andrej.valek, openembedded-core, Peter Marko
Hello Andrej,
On Tue, 20 Jun 2023 16:15:56 +0200
"Andrej Valek via lists.openembedded.org"
<andrej.valek=siemens.com@lists.openembedded.org> wrote:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
As you can see your sender address has been mangled, and as a result
the patch is rejected by the openembedded git server. This is not
your fault, but we need you to modify your git configuration to prevent
this from happening in the future. Have a look at the wiki for more
info and how to solve that:
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity
I'm taking your patch for testing on the autobuilders fixing it
manually so you don't need to resend your patch this time.
Best regards,
Luca
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (7 preceding siblings ...)
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-20 14:15 ` Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
` (12 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-20 14:15 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs can carry more information about their assigned statuses.
- Add an example conversion in the logrotate recipe.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++++++++++++++----
.../logrotate/logrotate_3.21.0.bb | 5 ++--
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
self.assertEqual(len(report["package"]), 1)
package = report["package"][0]
self.assertEqual(package["name"], "logrotate")
- found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ found_cves = {}
+ for issue in package["issue"]:
+ found_cves[issue["id"]] = {
+ "status" : issue["status"],
+ "detail" : issue["detail"] if "detail" in issue else "",
+ "description" : issue["description"] if "description" in issue else ""
+ }
# m4 CVE should not be in logrotate
self.assertNotIn("CVE-2008-1687", found_cves)
# logrotate has both Patched and Ignored CVEs
self.assertIn("CVE-2011-1098", found_cves)
- self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+ detail = "not-applicable-platform"
+ description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
self.assertIn("CVE-2011-1548", found_cves)
- self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
self.assertIn("CVE-2011-1549", found_cves)
- self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
self.assertIn("CVE-2011-1550", found_cves)
- self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
self.assertExists(summary_json)
check_m4_json(summary_json)
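Review bot: the new assertions only exercise the happy paths (one patch-file Patched entry with empty detail and the three Ignored entries from the group); nothing covers the behaviour a recipe author most needs pinned down, an unknown detail falling back to "Unpatched" with a warning, nor the deprecated CVE_CHECK_IGNORE conversion that patch 1/2 keeps for compatibility. A second config with a CVE_STATUS entry whose detail is not in CVE_CHECK_STATUSMAP, plus one CVE listed in CVE_CHECK_IGNORE, and assertions on the resulting "status" and "detail" would catch regressions in both paths. Style: `issue["detail"] if "detail" in issue else ""` is `issue.get("detail", "")`.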
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
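Review bot: the group mechanism used here (CVE_STATUS_GROUPS naming a variable whose [status] flag applies to every CVE in it) is not described anywhere in the cve-check.bbclass comment block of patch 1/2, so a reader of this recipe has no place to look up the syntax; add it to the usage comment there. The name CVE_STATUS_RECIPE is also generic enough that a .bbappend or shared .inc reusing it with a plain `=` silently replaces this list instead of extending it; a recipe-specific name (for example CVE_STATUS_LOGROTATE_DISTRO) makes that harder to do by accident.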
--
2.41.0
* [OE-core][PATCH v7 0/3] CVE-check handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (8 preceding siblings ...)
2023-06-20 14:15 ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
@ 2023-06-22 6:59 ` Andrej Valek
2023-06-22 12:42 ` Luca Ceresoli
2023-06-22 6:59 ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (11 subsequent siblings)
21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 6:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
After discussion in all parallel threads we proposed the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which may not be ideal but deals with the
conflicting responses we got.
Changes compared to version 6:
- added conversion from CVE_CHECK_IGNORE to CVE_STATUS
- added comments for all statuses
- dropped "not-affected" status
- conversion showed that it is not very useful
- added "disputed" status
Documentation will be updated in a separate repository.
meta/classes/cve-check.bbclass | 99 ++++-
.../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
meta/lib/oe/cve_check.py | 25 ++
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +-
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
.../bluez5/bluez5_5.66.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.3.bb | 13 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../ghostscript/ghostscript_10.01.1.bb | 3 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
.../logrotate/logrotate_3.21.0.bb | 5 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 11 +-
.../libpng/libpng_1.6.39.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 9 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 -
meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
46 files changed, 390 insertions(+), 374 deletions(-)
--
2.41.0
* Re: [OE-core][PATCH v7 0/3] CVE-check handling
2023-06-22 6:59 ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
@ 2023-06-22 12:42 ` Luca Ceresoli
2023-06-22 13:50 ` Valek, Andrej
0 siblings, 1 reply; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-22 12:42 UTC (permalink / raw)
To: Andrej Valek via lists.openembedded.org; +Cc: andrej.valek, openembedded-core
Hello Andrej,
This patchset generates a lot of warnings when run on the autobuilders.
Here are a few:
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail cpe-incorrect for CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself", fallback to Unpatched
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-config for CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default.", fallback to Unpatched
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail disputed for CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability.", fallback to Unpatched
NOTE: recipe python3-calver-2022.6.26-r0: task do_create_runtime_spdx: Succeeded
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-platform for CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows", fallback to Unpatched
WARNING: cpio-2.14-r0 do_create_spdx: Invalid detail not-applicable-platform for CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS", fallback to Unpatched
WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes", fallback to Unpatched
WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes", fallback to Unpatched
For a more complete list you can look at the build page:
https://swatbot.yoctoproject.org/collection/17294/
All/most of the warnings are about CVEs.
I haven't looked in detail at what is the intended behavior of your
patch set, however I'm removing it from my testing branch for the time
being.
Best regards,
Luca
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [OE-core][PATCH v7 0/3] CVE-check handling
2023-06-22 12:42 ` Luca Ceresoli
@ 2023-06-22 13:50 ` Valek, Andrej
2023-06-22 13:55 ` Luca Ceresoli
0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-06-22 13:50 UTC (permalink / raw)
To: luca.ceresoli, andrej.valek=siemens.com; +Cc: openembedded-core
Hello Luca,
How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
didn't print any warning. Should I build an image?
Regards,
Andrej
* Re: [OE-core][PATCH v7 0/3] CVE-check handling
2023-06-22 13:50 ` Valek, Andrej
@ 2023-06-22 13:55 ` Luca Ceresoli
2023-06-22 13:59 ` Valek, Andrej
0 siblings, 1 reply; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-22 13:55 UTC (permalink / raw)
To: Andrej Valek via lists.openembedded.org; +Cc: andrej.valek, openembedded-core
Hello Andrej,
On Thu, 22 Jun 2023 13:50:32 +0000
"Andrej Valek via lists.openembedded.org"
<andrej.valek=siemens.com@lists.openembedded.org> wrote:
> Hello Luca,
>
> How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
> didn't print any warning. Should I build an image?
I don't know how to reproduce _exactly_ the build environment of the
autobuilders, however the logs have some good hints (click the "stdio"
links in the page at the URL I provided). E.g. for the qemuarm64
builder it says:
Running '. ./oe-init-build-env; bitbake core-image-sato core-image-sato-sdk core-image-minimal core-image-minimal-dev core-image-sato:do_populate_sdk -k' ...
MACHINE = "qemuarm64"
DISTRO = "poky"
...and more settings you might want to put in your local.conf...
So you may try that.
Luca
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [OE-core][PATCH v7 0/3] CVE-check handling
2023-06-22 13:55 ` Luca Ceresoli
@ 2023-06-22 13:59 ` Valek, Andrej
2023-06-22 14:07 ` Valek, Andrej
0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-06-22 13:59 UTC (permalink / raw)
To: luca.ceresoli; +Cc: openembedded-core
Hello Luca,
I wanted to check the logs, but it requires a login/password. Would it be
possible to send a link where is not required? Maybe here
https://autobuilder.yoctoproject.org/typhoon/#/ ?
Regards,
Andrej
* Re: [OE-core][PATCH v7 0/3] CVE-check handling
2023-06-22 13:59 ` Valek, Andrej
@ 2023-06-22 14:07 ` Valek, Andrej
2023-06-22 16:24 ` Luca Ceresoli
0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-06-22 14:07 UTC (permalink / raw)
To: luca.ceresoli; +Cc: openembedded-core
OK,
Now I know what's the problem. SPDX are being created without inheriting the
cve-check class.
Regards,
Andrej
* Re: [OE-core][PATCH v7 0/3] CVE-check handling
2023-06-22 14:07 ` Valek, Andrej
@ 2023-06-22 16:24 ` Luca Ceresoli
0 siblings, 0 replies; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-22 16:24 UTC (permalink / raw)
To: Andrej Valek via lists.openembedded.org; +Cc: andrej.valek, openembedded-core
Hello Andrej,
Ouch, sorry about that! Apparently you already found the root cause,
however here is the a-full build public link, in case it is still
useful:
https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5505
Luca
--
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs
From: Andrej Valek @ 2023-06-22 6:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
From: Andrej Valek <andrej.valek@siemens.com>
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 99 +++++++++++++++++++++++++++++-----
meta/lib/oe/cve_check.py | 25 +++++++++
2 files changed, 111 insertions(+), 13 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..4eb6dff7de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,48 @@ CVE_CHECK_COVERAGE ??= "1"
# Skip CVE Check for packages (PN)
CVE_CHECK_SKIP_RECIPE ?= ""
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
#
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
#
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
CVE_CHECK_IGNORE ?= ""
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
# Layers to be excluded
CVE_CHECK_LAYER_EXCLUDELIST ??= ""
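Review bot: typo in the new comment above CVE_CHECK_STATUSMAP[fixed-version], "verion" should be "version", and the lead comment reads better as "Each CVE has to be listed separately, with an optional detail and description for its status". The comment on the deprecated CVE_CHECK_IGNORE default says it is kept until other layers migrate; stating the intended removal point (or pointing at the migration note in the commit message) would keep that from living on indefinitely.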
@@ -88,6 +122,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+python () {
+ # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+ cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+ if cve_check_ignore:
+ bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+ for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+ d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+ # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+ for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+ cve_group = d.getVar(cve_status_group)
+ if cve_group is not None:
+ for cve in cve_group.split():
+ d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+ else:
+ bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
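Review bot: in the anonymous python, CVE_CHECK_IGNORE is read twice; `for cve in cve_check_ignore.split():` reuses the value already fetched. More importantly, the group loop stores `d.getVarFlag(cve_status_group, "status")` without checking that the [status] flag exists, so a group variable that forgot its flag silently sets None as the status of every member; warn there as is done for an undefined group variable. Also note that this block runs at parse time in every recipe inheriting the class, so the deprecation warning repeats once per recipe that still sets CVE_CHECK_IGNORE.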
@@ -260,7 +312,7 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- from oe.cve_check import Version, convert_cve_version
+ from oe.cve_check import Version, convert_cve_version, decode_cve_status
pn = d.getVar("PN")
real_pv = d.getVar("PV")
@@ -282,7 +334,12 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been skipped by cve-check")
return ([], [], [], [])
- cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+ # Convert CVE_STATUS into ignored CVEs and check validity
+ cve_ignore = []
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Ignored":
+ cve_ignore.append(cve)
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
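Review bot: decode_cve_status() is now called for every CVE_STATUS flag here, again in get_patched_cves() and once more per CVE in both report writers, so a single invalid detail produces the same bb.warn several times per recipe; decoding once into a dict and passing it along would keep one warning per bad entry and avoid re-parsing. The loop also does not check that the flag name is a CVE id; d.getVarFlags() returns every flag set on CVE_STATUS, not only CVE-YYYY-NNNN ones.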
@@ -413,6 +470,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
CVE manifest if enabled.
"""
+ from oe.cve_check import decode_cve_status
+
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
@@ -441,20 +500,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
is_patched = cve in patched
is_ignored = cve in ignored
+ status = "Unpatched"
if (is_patched or is_ignored) and not report_all:
continue
+ if is_ignored:
+ status = "Ignored"
+ elif is_patched:
+ status = "Patched"
+ else:
+ # default value of status is Unpatched
+ unpatched_cves.append(cve)
write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- if is_ignored:
- write_string += "CVE STATUS: Ignored\n"
- elif is_patched:
- write_string += "CVE STATUS: Patched\n"
- else:
- unpatched_cves.append(cve)
- write_string += "CVE STATUS: Unpatched\n"
+ write_string += "CVE STATUS: %s\n" % status
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ write_string += "CVE DETAIL: %s\n" % detail
+ if description:
+ write_string += "CVE DESCRIPTION: %s\n" % description
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
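Review bot: the text report gains two new optional lines, CVE DETAIL and CVE DESCRIPTION, between CVE STATUS and CVE SUMMARY; the cve-check documentation and anything that parses the .cve text files should be told about them, and the commit message could state that the format is only extended with optional lines so existing parsers keep working. The refactor itself is fine: `status` defaults to Unpatched before the report_all check and the append to unpatched_cves keeps its original condition.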
@@ -516,6 +582,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
Prepare CVE data for the JSON format, then write it.
"""
+ from oe.cve_check import decode_cve_status
+
output = {"version":"1", "package": []}
nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -576,6 +644,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"status" : status,
"link": issue_link
}
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ cve_item["detail"] = detail
+ if description:
+ cve_item["description"] = description
cve_list.append(cve_item)
package_data["issue"] = cve_list
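Review bot: the issue objects gain optional "detail" and "description" keys, but the `output = {"version":"1", ...}` header visible in the previous hunk is left unchanged. Either bump the JSON report version or document that consumers must tolerate additional keys; the selftest in 2/3 already treats both keys as optional, which is the right contract to write down.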
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+ # Search for additional patched CVEs
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Patched":
+ bb.debug(2, "CVE %s is additionally patched" % cve)
+ patched_cves.add(cve)
+
return patched_cves
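Review bot: after this addition a CVE can end up in both patched_cves (fixed by a patch file found here) and the cve_ignore list built in check_cves() when a recipe also sets an Ignored CVE_STATUS for it. cve_write_data_text() checks is_ignored before is_patched, so Ignored wins; that precedence should be stated in the class comment so layer maintainers know which status is reported when metadata and patch detection disagree.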
@@ -218,3 +225,21 @@ def convert_cve_version(version):
return version + update
+def decode_cve_status(d, cve):
+ """
+ Convert CVE_STATUS into status, detail and description.
+ """
+ status = d.getVarFlag("CVE_STATUS", cve)
+ if status is None:
+ return ("", "", "")
+
+ status_split = status.split(':', 1)
+ detail = status_split[0]
+ description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+ status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+ if status_mapping is None:
+ bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+ status_mapping = "Unpatched"
+
+ return (status_mapping, detail, description)
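Review bot: `detail = status_split[0]` is not stripped, so `CVE_STATUS[CVE-x] = "fixed-version : ..."` (a space before the colon) misses the CVE_CHECK_STATUSMAP lookup and is reported as Unpatched with a confusing warning. Suggest `detail = status_split[0].strip()`; with that, `status.partition(':')` expresses the same split without the length check. Falling back to Unpatched on an unknown detail is the right safe default: a typo makes the CVE visible in the report instead of hiding it.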
--
2.41.0
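The CVE_STATUS decoding this patch introduces, as an added stand-alone example (not code from the patch or from oe-core): it reproduces the class's default status map and the three-way decode on constructed recipe metadata, using a minimal FakeData stand-in for the BitBake datastore, and additionally restricts decoding to flag names that look like CVE ids, which the patch itself does not do.

```python
import re

# Only flags that look like CVE ids are decoded; the patch iterates every
# flag on CVE_STATUS, this filter is an addition of the example.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Default detail -> generic status map, as set in cve-check.bbclass by the patch.
STATUSMAP = {
    "patched": "Patched", "backported-patch": "Patched",
    "cpe-stable-backport": "Patched", "fixed-version": "Patched",
    "unpatched": "Unpatched", "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored", "cpe-incorrect": "Ignored", "disputed": "Ignored",
    "not-applicable-config": "Ignored", "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}


class FakeData:
    """Constructed stand-in for the BitBake datastore: only the calls the
    patch uses (getVar/setVar, getVarFlag/setVarFlag/getVarFlags)."""

    def __init__(self):
        self._vars, self._flags = {}, {}

    def setVar(self, name, value):
        self._vars[name] = value

    def getVar(self, name):
        return self._vars.get(name)

    def setVarFlag(self, name, flag, value):
        self._flags.setdefault(name, {})[flag] = value

    def getVarFlag(self, name, flag):
        return self._flags.get(name, {}).get(flag)

    def getVarFlags(self, name):
        return dict(self._flags.get(name, {})) or None


def fold_legacy_and_groups(d, warn):
    """Mirror of the anonymous python in the patch: CVE_CHECK_IGNORE entries
    become 'ignored' and each CVE_STATUS_GROUPS member inherits its group's
    [status] flag."""
    legacy = d.getVar("CVE_CHECK_IGNORE")
    if legacy:
        warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
        for cve in legacy.split():
            d.setVarFlag("CVE_STATUS", cve, "ignored")
    for group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
        members = d.getVar(group)
        if members is None:
            warn("CVE_STATUS_GROUPS contains undefined variable %s" % group)
            continue
        for cve in members.split():
            d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(group, "status"))


def decode_cve_status(d, cve, warn):
    """(generic status, detail, description) with the patch's contract:
    an unknown detail warns and falls back to Unpatched so a typo never
    hides a vulnerability."""
    status = d.getVarFlag("CVE_STATUS", cve)
    if status is None:
        return ("", "", "")
    detail, _, description = status.partition(":")
    detail = detail.strip()
    mapped = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
    if mapped is None:
        warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched'
             % (detail, cve, status))
        mapped = "Unpatched"
    return (mapped, detail, description.strip())


def classify(d, warn=lambda msg: None):
    """Return {cve: (status, detail, description)} for every CVE-shaped flag,
    the way check_cves() and get_patched_cves() consume CVE_STATUS."""
    fold_legacy_and_groups(d, warn)
    return {flag: decode_cve_status(d, flag, warn)
            for flag in (d.getVarFlags("CVE_STATUS") or {}) if CVE_RE.match(flag)}


def split_by_status(decoded):
    """The two sets the class builds: patched (get_patched_cves) and ignored (check_cves)."""
    patched = {c for c, (s, _, _) in decoded.items() if s == "Patched"}
    ignored = {c for c, (s, _, _) in decoded.items() if s == "Ignored"}
    return patched, ignored


def sample_datastore():
    """Constructed recipe metadata exercising each path of the decoder."""
    d = FakeData()
    for detail, generic in STATUSMAP.items():
        d.setVarFlag("CVE_CHECK_STATUSMAP", detail, generic)
    d.setVarFlag("CVE_STATUS", "CVE-1234-0001", "not-applicable-platform: Issue only applies on Windows")
    d.setVarFlag("CVE_STATUS", "CVE-1234-0002", "fixed-version: Fixed externally")
    d.setVarFlag("CVE_STATUS", "CVE-1234-0003", "fixed-verison: typo in the detail")  # unknown detail
    d.setVarFlag("CVE_STATUS", "doc", "not a CVE id, skipped by CVE_RE")
    d.setVar("CVE_STATUS_GROUPS", "CVE_STATUS_RECIPE CVE_STATUS_MISSING")
    d.setVar("CVE_STATUS_RECIPE", "CVE-2011-1548 CVE-2011-1549")
    d.setVarFlag("CVE_STATUS_RECIPE", "status", "not-applicable-platform: CVE is debian specific")
    d.setVar("CVE_CHECK_IGNORE", "CVE-2000-0006")  # legacy variable, still honoured
    return d


if __name__ == "__main__":
    warnings = []
    result = classify(sample_datastore(), warnings.append)
    for cve, triple in sorted(result.items()):
        print(cve, triple)
    print("patched/ignored:", split_by_status(result))
    print("\n".join(warnings))
```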
* [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling
From: Andrej Valek @ 2023-06-22 6:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
From: Andrej Valek <andrej.valek@siemens.com>
- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in logrotate recipe.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++++++++++++++----
.../logrotate/logrotate_3.21.0.bb | 5 ++--
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
self.assertEqual(len(report["package"]), 1)
package = report["package"][0]
self.assertEqual(package["name"], "logrotate")
- found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ found_cves = {}
+ for issue in package["issue"]:
+ found_cves[issue["id"]] = {
+ "status" : issue["status"],
+ "detail" : issue["detail"] if "detail" in issue else "",
+ "description" : issue["description"] if "description" in issue else ""
+ }
# m4 CVE should not be in logrotate
self.assertNotIn("CVE-2008-1687", found_cves)
# logrotate has both Patched and Ignored CVEs
self.assertIn("CVE-2011-1098", found_cves)
- self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+ detail = "not-applicable-platform"
+ description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
self.assertIn("CVE-2011-1548", found_cves)
- self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
self.assertIn("CVE-2011-1549", found_cves)
- self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
self.assertIn("CVE-2011-1550", found_cves)
- self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
self.assertExists(summary_json)
check_m4_json(summary_json)
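Review bot: `issue["detail"] if "detail" in issue else ""` is `issue.get("detail", "")`, same for description. The expected description string is copied verbatim from the logrotate recipe, which ties this selftest to that recipe's wording; acceptable, but a comment saying the two must be kept in sync would save the next person who rewords the recipe a failed selftest run.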
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
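Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses plain assignment in a recipe, which replaces any group names appended from distro configuration (patch 3/3 uses `CVE_STATUS_GROUPS += ...` in cve-extra-exclusions.inc) in this recipe's datastore. `+=` here keeps both, and since this recipe is the example conversion others will copy, it is worth getting the idiom right.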
--
2.41.0
* [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
From: Andrej Valek @ 2023-06-22 6:59 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
From: Andrej Valek <andrej.valek@siemens.com>
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
.../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
.../bluez5/bluez5_5.66.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.3.bb | 13 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../ghostscript/ghostscript_10.01.1.bb | 3 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 11 +-
.../libpng/libpng_1.6.39.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 9 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 -
meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
42 files changed, 255 insertions(+), 354 deletions(-)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 1c3cc36c61..a5dd7d3866 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -16,43 +16,42 @@
#
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
+
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
# db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
#
# Kernel CVEs, e.g. linux-yocto*
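Review bot: the go group is categorised as not-applicable-config while its own description talks about not shipping anything that exposes the interface rather than a build or runtime option that is unset; if the intent is "we do not enable that use", saying so makes the mapping to not-applicable-config obvious, otherwise disputed or cpe-incorrect may fit better. Also, the multi-line descriptions join into a single string, and several continuation lines lack terminal punctuation ("from within an ftp server \", "if not used correctly \"), so the report will show run-on sentences; end each line with a period.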
@@ -65,74 +64,83 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
# issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
# welcome than and then entries can likely be removed from here.
#
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020"
+
# 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
- CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+ CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
# 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
- CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+ CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
# 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
- CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+ CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: This is specific to Ubuntu"
# https://www.linuxkernelcves.com/cves/CVE-2019-3016
-# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
# https://www.linuxkernelcves.com/cves/CVE-2019-3819
-# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
# https://www.linuxkernelcves.com/cves/CVE-2019-3887
-# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
# 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
# Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"
# 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
- CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+ CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3669
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
# Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-4218
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
# 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
- CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
- CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
- CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
- CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
- CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
- CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+ CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+ CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+ CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+ CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+ CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+ CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2022-0480
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
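Review bot: `CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"` should read "version v5.10" like the neighbouring entries. More substantively, this hunk mixes two details for the same situation: CVE-2022-2196 uses cpe-stable-backport while CVE-2020-27784, whose comment also lists a v5.4.73 backport, uses fixed-version. Pick one rule (for example fixed-version when the kernel version in use is at or above the mainline fix, cpe-stable-backport when only a stable backport covers it) and state it in the file header so future entries stay consistent.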
@@ -140,7 +148,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
# Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
# Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
# Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -148,7 +156,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
# Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -158,19 +166,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2308
# Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
# Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
# Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
# Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2327
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
# Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
@@ -179,19 +187,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
# Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
# Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
# Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2785
# Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
# Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
# Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3176
# Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
# Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
# Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "fixed-version: Fixed in version v5.17"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
# Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -200,7 +208,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
# Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -211,13 +219,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3526
# Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
# Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
# Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "fixed-version: Fixed in version v5.18"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3534
# Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -225,20 +233,20 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
# Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
# Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
# Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
# Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3619
# Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
# Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
# Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
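Review bot: the context line for CVE-2022-3621, `# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184`, looks like a typo for v2.6.30 (no such kernel release as 2.60.30, and the neighbouring entries all use the v2.6.x form). It is not introduced by this patch, but since the entry directly below it is being rewritten anyway, it would be worth correcting in the same hunk.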
@@ -247,7 +255,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
# Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -256,12 +264,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3624
# Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
# Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3625
# Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -270,7 +278,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
# Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
# Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
# Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
# Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -279,13 +287,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3630
# Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
# Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
# Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
# Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -294,7 +302,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -303,12 +311,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3636
# Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
# Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3640
# Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -319,7 +327,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
# Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
# Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
# Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
# Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -328,7 +336,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -337,7 +345,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
# Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -346,7 +354,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -354,7 +362,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -362,7 +370,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -370,7 +378,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -378,15 +386,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42896
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -394,7 +402,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
# Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
# Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "fixed-version: Fixed in version v6.1"
# 2023
@@ -404,14 +412,14 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
# Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
# Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
# Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0266
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
# Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
# Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
# Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -420,7 +428,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
# Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -429,28 +437,28 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0386
# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
# Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1076
# Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
@@ -459,19 +467,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
# Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
# Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
# Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
# Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
# Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -480,7 +488,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
# Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -490,7 +498,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
# Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -498,7 +506,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -506,7 +514,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1652
# Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -514,7 +522,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
# Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
# Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
# Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -525,7 +533,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
# Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-23005
# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -535,7 +543,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
# > in which a user can cause the alloc_memory_type error case to be reached.
# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
# We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "disputed: Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
@@ -543,127 +551,102 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.105, v6.1.20 and v6.2.7"
-# Wrong CPE in NVD database
# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
+CVE_STATUS[CVE-2023-0459] = "cpe-stable-backport: Backported in 6.1.14"
# https://www.linuxkernelcves.com/cves/CVE-2023-0615
-# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"
# https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-1380] = "cpe-stable-backport: Backported in 6.1.27"
# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+CVE_STATUS[CVE-2023-1611] = "cpe-stable-backport: Backported in 6.1.23"
# https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-1855] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-1859] = "cpe-stable-backport: Backported in 6.1.25"
# https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+CVE_STATUS[CVE-2023-1989] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-1990
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS[CVE-2023-1990] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+CVE_STATUS[CVE-2023-1998] = "cpe-stable-backport: Backported in 6.1.16"
# https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-2002] = "cpe-stable-backport: Backported in 6.1.27"
# https://www.linuxkernelcves.com/cves/CVE-2023-2156
-# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "cpe-stable-backport: Backported in 6.1.26"
# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
+CVE_STATUS[CVE-2023-2162] = "cpe-stable-backport: Backported in 6.1.11"
# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2194] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+CVE_STATUS[CVE-2023-2235] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
+CVE_STATUS[CVE-2023-28328] = "cpe-stable-backport: Backported in 6.1.2"
# https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-2985] = "cpe-stable-backport: Backported in 6.1.16"
# https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
+CVE_STATUS[CVE-2023-28866] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
+CVE_STATUS[CVE-2023-30456] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
+CVE_STATUS[CVE-2023-30772] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
+CVE_STATUS[CVE-2023-31436] = "cpe-stable-backport: Backported in 6.1.26"
# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
+CVE_STATUS[CVE-2023-32233] = "cpe-stable-backport: Backported in 6.1.28"
# https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
+CVE_STATUS[CVE-2023-33203] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
+CVE_STATUS[CVE-2023-33288] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
+CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
# Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in 6.1.30"
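Review bot: the CVE-2020-18974 entry is missing the line continuations: the two entries above it (CVE-2021-20255 and CVE-2019-12067) end each continued line with `\`, but `It is a fuzzing related buffer overflow. It is of low impact since most devices` and the following line have none, so BitBake will not join them and the unterminated quoted value will fail to parse. Add the trailing backslashes so the three multi-line statuses are written the same way. Separately, `CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"` names a mainline release, not a stable backport; by the convention used earlier in this file (for example `CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"`) this should be `fixed-version: Fixed in version v6.1`. Two nits: the linuxkernelcves.com block writes versions without the `v` prefix (`Backported in 6.1.14`) while the hunks above this one were just normalised to `v5.15.91`, `v6.1.9`, so these should read `v6.1.14` and so on for consistency; and the cpe-incorrect reason for CVE-2022-3563 and CVE-2022-3637 should read "These issues do not affect the kernel; the patches listed on the CVE pages link to https://git.kernel.org/pub/scm/bluetooth/bluez.git" (the text is emitted into the csv/json report, so the grammar is user-visible).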
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
DEPENDS = "flex-native bison-native gettext-native"
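Review bot: minor inconsistency in the two new grub statuses: `not-applicable-platform: applies only to RHEL` is lower case while `not-applicable-platform: Applies only to SUSE` is capitalised. Since the text after the colon is what lands in the report's reason field, pick one form (the other hunks in this patch use a capitalised sentence).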
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb b/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 80164aad87..26a280c844 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
# so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
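Review bot: the two comment lines kept above `CVE_STATUS[CVE-2019-6470]` (`# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore` / `# so the issue doesn't affect us.`) now duplicate the reason string in the status itself. The grub and avahi hunks in this patch drop the explanatory comment once it moves into CVE_STATUS; do the same here to avoid two copies drifting apart.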
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0..31f325e590 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,8 @@ require bluez5.inc
SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
# noinst programs in Makefile.tools that are conditional on READLINE
# support
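Review bot: the CVE identifiers change in this hunk: the removed line ignored CVE-2020-12352 and CVE-2020-24490, but the added lines set a status for CVE-2022-3563 and CVE-2022-3637, so the two 2020 CVEs will start being reported again and two previously unmentioned CVEs are silenced. A mechanical conversion should keep the same identifiers; if the 2022 pair is intentional it needs its own justification in the commit message. Also "This issues have" should read "These issues have".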
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
"
SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
PAM_SRC_URI = "file://sshd"
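Review bot: the comment starting "# This CVE is specific to OpenSSH server" is kept as context but its text is now duplicated in the CVE-2014-9278 reason string; remove the comment. Dropping the original's "As such it is not relevant to OpenEmbedded" from the reason is fine, since the status keyword already carries that meaning.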
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index f5f3f32a97..e3557348e8 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -253,6 +253,5 @@ CVE_PRODUCT = "openssl:openssl"
CVE_VERSION_SUFFIX = "alphabetical"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
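Review bot: removing only the first comment line leaves "# Apache in meta-webserver is already recent enough" as an orphan that no longer makes sense on its own; either keep both comment lines together or fold that sentence into the CVE-2019-0190 reason string.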
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+#
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
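Review bot: the added bare "#" line between the commit URL comment and the CVE_STATUS line is a leftover from the removed comment and carries no text; drop it so the URL sits directly above the entry it documents.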
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
DEPENDS += "gperf-native bison-native"
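Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses plain assignment, so any group defined by an included file or a bbappend is overwritten; `+=` is safer, and a generic group name like CVE_STATUS_RECIPE is likely to collide with one chosen the same way elsewhere. In the status text the quotation marks around the upstream statement were dropped, which leaves "this is being treated ..." starting lowercase mid-string and loses the fact that it is a quote; either restore the quotes, as the CVE-2019-1010025 entry below does, or rephrase it as a plain sentence.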
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 4f3b17093e..095ecf8602 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -26,10 +26,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
BINCONFIG = "${bindir}/xml2-config"
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
PACKAGECONFIG ??= "python \
${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
"
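Review bot: the CVE-2016-3709 ignore is dropped without a replacement, so whether it reappears in reports now depends entirely on the NVD version range for libxml2 2.10.4. If that range has been corrected, say so in the commit message; otherwise convert the entry to `CVE_STATUS[CVE-2016-3709] = "fixed-version: ..."` carrying the commit reference from the removed comment.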
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
pkg_prerm:udev-hwdb () {
rm -f $D${sysconfdir}/udev/hwdb.bin
}
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
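Review bot: the CVE-2022-4415 ignore carried a concrete reason (fixed in 252.4 with 9b75a3d0) and is removed outright rather than converted; a "fixed-version" status would preserve that information and keep the report stable should the NVD data still list 253.3 as affected.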
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
# https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
inherit autotools gettext texinfo ptest github-releases
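Review bot: the original comment explicitly called CVE-2019-6293 "Disputed", but the new status is "upstream-wontfix"; the reason text that follows argues the report is not a bug at all, which fits "disputed" better. Pick the keyword that matches the argument and keep it consistent with the other disputed entries in this series (coreutils, glibc, zip). The reason string also starts lowercase right after the line continuation.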
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
--with-build-sysroot=${STAGING_DIR_TARGET} \
"
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
CVE_PRODUCT = "git-scm:git"
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
PACKAGECONFIG ??= "expat curl"
PACKAGECONFIG[cvsserver] = ""
PACKAGECONFIG[svn] = ""
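Review bot: both CVE-2022-24975 and CVE-2022-41953 are dropped rather than converted, yet neither was a version-fixed case: the first is a wontfix-style judgement about documentation, the second is Git-for-Windows only. Unless the NVD entries no longer match git-scm:git, both will come back in cve-check reports; convert them to "upstream-wontfix" and "not-applicable-platform" respectively, reusing the removed comments as reasons.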
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
# https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
inherit allarch
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
BBCLASSEXTEND = "native nativesdk"
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.3.bb b/meta/recipes-devtools/python/python3_3.11.3.bb
index c7974849b6..59f93861dd 100644
--- a/meta/recipes-devtools/python/python3_3.11.3.bb
+++ b/meta/recipes-devtools/python/python3_3.11.3.bb
@@ -47,15 +47,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
CVE_PRODUCT = "python"
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
# The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
PYTHON_MAJMIN = "3.11"
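Review bot: the line "# The module will be removed in the future and flaws documented." is left as a context comment after its first half was removed, so it now reads as a stray fragment between two CVE_STATUS entries; fold it into the CVE-2015-20107 reason string or remove it.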
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6acda61425..480aa97c30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,21 +39,16 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
SRC_URI:append:class-target = " file://cross.patch"
SRC_URI:append:class-nativesdk = " file://cross.patch"
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
COMPATIBLE_HOST:mipsarchn32 = "null"
COMPATIBLE_HOST:mipsarchn64 = "null"
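Review bot: the CVE-2007-0998 reason string carries the typo "uder" over from the old comment; fix it to "under" now that the text is user-visible in reports. The bugzilla URL above the CVE-2018-18438 entry has also lost the comment line that introduced it; putting the URL into the reason string would keep the reference next to the verdict.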
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
inherit autotools-brokensep
PACKAGECONFIG ??= "acl attr \
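Review bot: the CVE-2017-16548 ignore is dropped together with its reason ("Already in v3.1.3"); if cve-check no longer reports it for 3.2.7 that is fine, but a "fixed-version" status would document the decision instead of relying on the NVD range staying correct.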
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
SRC_URI:class-native = "${BASE_SRC_URI}"
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
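Review bot: CVE-2021-35331 was ignored because upstream does not consider it exploitable (with the core.tcl-lang.org reference), which is not a version-based fix; dropping the entry will simply make it reappear in reports. Convert it to a "disputed" or "upstream-wontfix" status carrying the link rather than removing it.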
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index e55fb70cb1..397bb5d87c 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..ec4abeb936 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,14 +20,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
LEAD_SONAME = "libcupsdriver.so"
@@ -115,7 +112,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
cups_sysroot_preprocess () {
sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
}
-
-# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
index f03ebf4478..4c0888e6a7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
@@ -18,8 +18,7 @@ DEPENDS = "tiff jpeg fontconfig cups libpng freetype zlib"
UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
-# We use a system libjpeg-turbo which has this fix
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "not-applicable-config: We use a system libjpeg-turbo which has this fix"
def gs_verdir(v):
return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
PACKAGECONFIG ??= "libcap"
PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
}
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
PROCPS_PACKAGES = "${PN}-lib \
${PN}-ps \
${PN}-sysctl"
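Review bot: CVE-2018-1121 is a design-level report against ps (see the bugzilla link being removed) that no version bump will resolve, so removing the ignore reintroduces it into every report. Keep it as `CVE_STATUS[CVE-2018-1121] = "disputed: ..."` with the URL in the reason.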
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
# https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
# exclude version 5.5.2 which triggers a false positive
UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
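Review bot: if the fix for CVE-2008-0888 is a patch carried by this recipe rather than part of the upstream 6.0 tarball, "fixed-version" is the wrong bucket: the packaged version is still the one NVD lists as affected and the fix comes from the recipe. Use whichever status the series defines for recipe-applied patches (or rely on a CVE tag in the patch header, which cve-check already picks up) and reword the reason accordingly.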
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
S = "${WORKDIR}/git"
# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
# zip.inc sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
RREPLACES:${PN} += "libnotify3"
# -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
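Review bot: the "# -7381 is specific to the NodeJS bindings" comment is now redundant with the reason string directly below it; remove it so the shorthand number cannot drift from the full identifier.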
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
index 1a5d8a6b04..1142afece1 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
@@ -51,8 +51,7 @@ do_compile:prepend() {
sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
}
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
}
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
S = "${WORKDIR}/${XORG_PN}-${PV}"
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b..be632dec2a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Backported in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Backported in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Backported in version v6.1"
# 2023
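Review bot: the three reason strings say "Backported in version v6.1", but the comment above each says the fix landed in mainline v6.1 ("Patched in kernel since v6.1"); a fix present in the base release is not a backport. Say "fixed in v6.1" instead, so these are not confused with the cpe-stable-backport entries in the next hunk, which are genuine stable backports.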
@@ -26,11 +26,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
# * https://www.linuxkernelcves.com/cves/CVE-2022-38457
# * https://www.linuxkernelcves.com/cves/CVE-2022-40133
# * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1075
# Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
# Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
# Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
# 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf..562745e3eb 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
BBCLASSEXTEND = "native nativesdk"
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..054b99586c 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -18,14 +18,7 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2022-1210] = "not-applicable-config: Issue is in jbig which we don't enable"
inherit autotools multilib_header
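Review bot: CVE-2015-7313 and the CVE-2022-1622/CVE-2022-1623 pair are dropped while only CVE-2022-1210 is converted. The 2022 pair was described as affecting only post-4.3.0, pre-4.4.0 builds, so on 4.5.0 suppression now hinges on the NVD range being right; CVE-2015-7313 had been verified locally against the Debian check. Either convert them with "fixed-version" (keeping the commit ids 3079627e / b4e79bfa in the reason) or explain in the commit message why they are no longer needed.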
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
"
SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
BINCONFIG = "${bindir}/libgcrypt-config"
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
S = "${WORKDIR}/libxslt-${PV}"
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..db52d96033 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,9 +21,6 @@ S = "${WORKDIR}/git"
inherit ptest
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
-
EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
do_install() {
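Review bot: dropping the CVE-2014-4715 ignore outright (`-CVE_CHECK_IGNORE += "CVE-2014-4715"`) throws away the "fixed in r118" rationale instead of converting it; if the NVD entry still matches the lz4 1.9.4 CPE, the CVE will now surface as Unpatched. A `CVE_STATUS[CVE-2014-4715] = "fixed-version: ..."` entry keeps the check quiet and records why, which is exactly what this series introduces the detail keywords for.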
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..181187bbd9 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -5,10 +5,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
-
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
--
2.41.0
^ permalink raw reply related [flat|nested] 73+ messages in thread
* [OE-core][PATCH v8 0/3] CVE-check handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (12 preceding siblings ...)
2023-06-22 6:59 ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
@ 2023-06-22 12:00 ` Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (7 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
After discussion in all parallel threads we proposed the following variant, which
covers both of the expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.
Changes compared to version 7:
- reverted dropped CVE ignores for lz4 and tiff
Documentation will be updated in a separate repository.
meta/classes/cve-check.bbclass | 99 ++++-
.../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
meta/lib/oe/cve_check.py | 25 ++
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +-
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
.../bluez5/bluez5_5.66.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.3.bb | 13 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../ghostscript/ghostscript_10.01.1.bb | 3 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
.../logrotate/logrotate_3.21.0.bb | 5 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 11 +-
.../libpng/libpng_1.6.39.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 +-
meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
46 files changed, 392 insertions(+), 373 deletions(-)
--
2.41.0
^ permalink raw reply [flat|nested] 73+ messages in thread
* [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (13 preceding siblings ...)
2023-06-22 12:00 ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
@ 2023-06-22 12:00 ` Andrej Valek
2023-06-23 10:02 ` Ross Burton
2023-06-22 12:00 ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
` (6 subsequent siblings)
21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
From: Andrej Valek <andrej.valek@siemens.com>
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 99 +++++++++++++++++++++++++++++-----
meta/lib/oe/cve_check.py | 25 +++++++++
2 files changed, 111 insertions(+), 13 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..4eb6dff7de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,48 @@ CVE_CHECK_COVERAGE ??= "1"
# Skip CVE Check for packages (PN)
CVE_CHECK_SKIP_RECIPE ?= ""
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
#
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
#
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
CVE_CHECK_IGNORE ?= ""
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
# Layers to be excluded
CVE_CHECK_LAYER_EXCLUDELIST ??= ""
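Review bot: typo in the `fixed-version` comment, `# use when NVD DB does not mention correct version or does not mention any verion at all` (verion -> version). Two documentation gaps in the same block: `patched` and `unpatched` are described as "used by this class internally", but nothing stops a recipe from writing `CVE_STATUS[CVE-...] = "patched: ..."`, and such an entry is then indistinguishable in the reports from a fix the class detected itself; either state that explicitly or warn when a recipe uses those two keywords. And CVE_STATUS_GROUPS, which the anonymous python in the next hunk consumes, is not mentioned anywhere in this comment block, so a recipe author reading the class has no way to discover it.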
@@ -88,6 +122,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+python () {
+ # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+ cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+ if cve_check_ignore:
+ bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+ for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+ d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+ # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+ for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+ cve_group = d.getVar(cve_status_group)
+ if cve_group is not None:
+ for cve in cve_group.split():
+ d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+ else:
+ bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
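Review bot: the migration loop silently overwrites explicit statuses. `d.setVarFlag("CVE_STATUS", cve, "ignored")` runs after the recipe has been parsed, so a CVE that the recipe already gave a precise `CVE_STATUS[...]` entry, and that a not-yet-converted layer or distro config still lists in CVE_CHECK_IGNORE, ends up as bare `ignored` with its detail and description lost. Only set the flag when `d.getVarFlag("CVE_STATUS", cve)` is unset, or warn on the conflict. Two smaller points in the same hunk: the loop re-reads `d.getVar("CVE_CHECK_IGNORE")` although `cve_check_ignore` already holds that value, and the group expansion never checks that `d.getVarFlag(cve_status_group, "status")` is defined, so a group variable missing its `[status]` flag stores None for every member and those CVEs fall through as if no status had been given, without any warning.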
@@ -260,7 +312,7 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- from oe.cve_check import Version, convert_cve_version
+ from oe.cve_check import Version, convert_cve_version, decode_cve_status
pn = d.getVar("PN")
real_pv = d.getVar("PV")
@@ -282,7 +334,12 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been skipped by cve-check")
return ([], [], [], [])
- cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+ # Convert CVE_STATUS into ignored CVEs and check validity
+ cve_ignore = []
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Ignored":
+ cve_ignore.append(cve)
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -413,6 +470,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
CVE manifest if enabled.
"""
+ from oe.cve_check import decode_cve_status
+
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
@@ -441,20 +500,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
is_patched = cve in patched
is_ignored = cve in ignored
+ status = "Unpatched"
if (is_patched or is_ignored) and not report_all:
continue
+ if is_ignored:
+ status = "Ignored"
+ elif is_patched:
+ status = "Patched"
+ else:
+ # default value of status is Unpatched
+ unpatched_cves.append(cve)
write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- if is_ignored:
- write_string += "CVE STATUS: Ignored\n"
- elif is_patched:
- write_string += "CVE STATUS: Patched\n"
- else:
- unpatched_cves.append(cve)
- write_string += "CVE STATUS: Unpatched\n"
+ write_string += "CVE STATUS: %s\n" % status
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ write_string += "CVE DETAIL: %s\n" % detail
+ if description:
+ write_string += "CVE DESCRIPTION: %s\n" % description
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -516,6 +582,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
Prepare CVE data for the JSON format, then write it.
"""
+ from oe.cve_check import decode_cve_status
+
output = {"version":"1", "package": []}
nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -576,6 +644,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"status" : status,
"link": issue_link
}
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ cve_item["detail"] = detail
+ if description:
+ cve_item["description"] = description
cve_list.append(cve_item)
package_data["issue"] = cve_list
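Review bot: each issue object gains the optional keys `detail` and `description` while `output = {"version":"1", ...}` stays at version 1. Adding keys is harmless for lenient consumers, but tools that validate the report against a fixed schema will need to know; either bump the version or document the two new keys and the fact that they are only present for CVEs with a CVE_STATUS entry (a CVE detected as patched through a patch file or the NVD version range carries neither).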
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+ # Search for additional patched CVEs
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Patched":
+ bb.debug(2, "CVE %s is additionally patched" % cve)
+ patched_cves.add(cve)
+
return patched_cves
@@ -218,3 +225,21 @@ def convert_cve_version(version):
return version + update
+def decode_cve_status(d, cve):
+ """
+ Convert CVE_STATUS into status, detail and description.
+ """
+ status = d.getVarFlag("CVE_STATUS", cve)
+ if status is None:
+ return ("", "", "")
+
+ status_split = status.split(':', 1)
+ detail = status_split[0]
+ description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+ status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+ if status_mapping is None:
+ bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+ status_mapping = "Unpatched"
+
+ return (status_mapping, detail, description)
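Review bot: `detail = status_split[0]` is not stripped, so `CVE_STATUS[X] = " fixed-version: ..."` or `"fixed-version : ..."` misses the `CVE_CHECK_STATUSMAP` lookup and is demoted to Unpatched with a warning that gives no hint that whitespace is the cause; `.strip()` the detail the same way the description already is. Separately, this function is called from get_patched_cves(), check_cves() and both report writers, so a single invalid detail produces the same `bb.warn` several times per recipe; decode once per recipe (or cache the result) so the warning is emitted once.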
--
2.41.0
^ permalink raw reply related [flat|nested] 73+ messages in thread
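The status format described in the commit message above, modelled as a stand-alone script. This is an added illustration and not code from the patch or from OE-core: the BitBake datastore (`d.getVar`, `d.getVarFlag`) is replaced by plain dicts, the write order (explicit flags, then CVE_CHECK_IGNORE migration, then CVE_STATUS_GROUPS expansion) is taken from the anonymous python shown in the hunk, and every CVE identifier and description below is constructed. It shows what a recipe author gets back for a mix of inputs, including the two edge cases worth knowing about: a CVE listed both with an explicit status and in the legacy ignore list, and a detail keyword that is not in the map.

```python
"""Stand-alone model of CVE_STATUS resolution (added illustration, not OE-core code)."""

# Baseline detail -> generic status map, taken from the CVE_CHECK_STATUSMAP
# entries shown in the patch.
STATUSMAP = {
    "patched": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}


def decode_cve_status(value, statusmap=STATUSMAP):
    """Split 'detail: description' and map the detail to a generic status.

    Same rule as decode_cve_status() in the patch: text before the first ':'
    is the detail, the rest is the free-text description, and a detail that
    is not in the map falls back to Unpatched with a warning. The detail is
    deliberately not stripped, so surrounding whitespace breaks the lookup.
    """
    detail, _, description = value.partition(":")
    description = description.strip()
    status = statusmap.get(detail)
    warning = None
    if status is None:
        warning = "invalid detail %r, fallback to Unpatched" % detail
        status = "Unpatched"
    return status, detail, description, warning


def resolve_cve_flags(cve_status, cve_check_ignore="", groups=None):
    """Build the effective CVE_STATUS flags in the patch's order: explicit
    flags, then the deprecated CVE_CHECK_IGNORE list (migrated to the bare
    'ignored' detail), then each CVE_STATUS_GROUPS entry. Later writers
    overwrite earlier ones. groups maps a group variable name to
    (space-separated CVE list, status string). Returns (flags, warnings)."""
    flags = dict(cve_status)
    warnings = []
    if cve_check_ignore.split():
        warnings.append("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
        for cve in cve_check_ignore.split():
            flags[cve] = "ignored"  # overwrites an explicit status for the same CVE
    for members, status in (groups or {}).values():
        for cve in members.split():
            flags[cve] = status
    return flags, warnings


def classify(flags, statusmap=STATUSMAP):
    """Bucket resolved flags into the three generic statuses the reports use."""
    buckets = {"Patched": set(), "Ignored": set(), "Unpatched": set()}
    warnings = []
    for cve, value in sorted(flags.items()):
        status, _, _, warning = decode_cve_status(value, statusmap)
        if warning:
            warnings.append("%s: %s" % (cve, warning))
        buckets[status].add(cve)
    return buckets, warnings


# Constructed sample recipe data (identifiers are illustrative, as in the
# patch). CVE-1234-0002 has an explicit status and is also in the legacy
# ignore list; CVE-1234-0004 uses a detail keyword that is not in the map.
SAMPLE_CVE_STATUS = {
    "CVE-1234-0001": "not-applicable-platform: Issue only applies on Windows",
    "CVE-1234-0002": "fixed-version: Fixed externally",
    "CVE-1234-0003": "vulnerable-investigating: confirmed upstream, no fix yet",
    "CVE-1234-0004": "wontfix: upstream will not fix",
}
SAMPLE_CVE_CHECK_IGNORE = "CVE-1234-0002 CVE-1234-0005"
SAMPLE_GROUPS = {
    "CVE_STATUS_RECIPE": (
        "CVE-1234-0006 CVE-1234-0007",
        "not-applicable-config: optional feature is not enabled",
    ),
}


def run_sample():
    """Resolve and classify the sample; returns (flags, buckets, warnings)."""
    flags, warnings = resolve_cve_flags(
        SAMPLE_CVE_STATUS, SAMPLE_CVE_CHECK_IGNORE, SAMPLE_GROUPS)
    buckets, more = classify(flags)
    return flags, buckets, warnings + more


if __name__ == "__main__":
    sample_flags, sample_buckets, sample_warnings = run_sample()
    for generic, cves in sample_buckets.items():
        print("%-9s %s" % (generic, " ".join(sorted(cves))))
    for line in sample_warnings:
        print("WARNING:", line)
```

Running it shows CVE-1234-0002 reported as Ignored rather than Patched, because the legacy ignore list is applied after the explicit flag, and CVE-1234-0004 landing in Unpatched with the fallback warning; both are consequences of the ordering and lookup rules in the patch, not of anything the sample adds.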
* Re: [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
2023-06-22 12:00 ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-23 10:02 ` Ross Burton
2023-06-23 11:22 ` Valek, Andrej
0 siblings, 1 reply; 73+ messages in thread
From: Ross Burton @ 2023-06-23 10:02 UTC (permalink / raw)
To: andrej.valek; +Cc: openembedded-core, Peter Marko
On 22 Jun 2023, at 13:00, Andrej Valek via lists.openembedded.org <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
> The CVE_STATUS should contain information about the status, which
> is decoded into 3 items:
> - generic status: "Ignored", "Patched" or "Unpatched"
> - more detailed status enum
> - description: free text describing reason for status
I think this needs to be clearer about what the intended use of the keywords is.
Is the canonical data the CVE_STATUS[CVE-1234-5678] attribute, and the mapping from the status there via CVE_CHECK_STATUSMAP simply for backwards compatibility with the existing file format? Is this deprecating the status fields in those files or is it just a high-level summary? Either way, that should be made clear.
> +# Possible options for CVE statuses
> +
> +# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
> +CVE_CHECK_STATUSMAP[patched] = "Patched"
> +# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
> +CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
> +# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
> +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
> +# use when NVD DB does not mention correct version or does not mention any verion at all
> +CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
It bothers me that some of these status flags are working around the fact that the CPE is incorrect, when that CPE data can be fixed. Instead of setting fixed-version, we can just mail NIST and fix the CPE.
> +# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
> +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> +# use when CVE is confirmed by upstream but fix is still not available
> +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> +
> +# used for migration from old concept, do not use for new vulnerabilities
> +CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> +# use when NVD DB wrongly indicates vulnerability which is actually for a different component
> +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
> +# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
> +CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> +# use when vulnerability depends on build or runtime configuration which is not used
> +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> +# use when vulnerability affects other platform (e.g. Windows or Debian)
> +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
> +# use when upstream acknowledged the vulnerability but does not plan to fix it
> +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
Is this any different to ‘disputed’?
Do we expect to add a lot more statuses to this table, or for users to add their own values? It feels like maybe this should be a dict in lib/oe/cve_check.py instead of exposed in the data store.
> + # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
> + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> + cve_group = d.getVar(cve_status_group)
> + if cve_group is not None:
> + for cve in cve_group.split():
> + d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
> + else:
> + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
> +}
CVE_STATUS_GROUPS isn’t documented in the class or the commit message.
^ permalink raw reply [flat|nested] 73+ messages in thread
* Re: [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
2023-06-23 10:02 ` Ross Burton
@ 2023-06-23 11:22 ` Valek, Andrej
0 siblings, 0 replies; 73+ messages in thread
From: Valek, Andrej @ 2023-06-23 11:22 UTC (permalink / raw)
To: Ross.Burton; +Cc: openembedded-core, Marko, Peter
On Fri, 2023-06-23 at 10:02 +0000, Ross Burton wrote:
> On 22 Jun 2023, at 13:00, Andrej Valek via lists.openembedded.org
> <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
> > The CVE_STATUS should contain information about the status, which
> > is decoded into 3 items:
> > - generic status: "Ignored", "Patched" or "Unpatched"
> > - more detailed status enum
> > - description: free text describing reason for status
>
> I think this needs to be clearer about what the intended use of the keywords
> are.
>
> Is the canonical data the CVE_STATUS[CVE-1234-5678] attribute, and the mapping
> from the status there via CVE_CHECK_STATUSMAP simply for backwards
> compatibility with the existing file format? Is this deprecating the status
> fields in those files or is it just a high-level summary? Either way, that
> should be made clear.
>
Yes, it's for backward compatibility, and extending the existing "Ignored",
"Patched" statuses with reasons.
> > +# Possible options for CVE statuses
> > +
> > +# used by this class internally when fix is detected (NVD DB version check
> > or CVE patch file)
> > +CVE_CHECK_STATUSMAP[patched] = "Patched"
> > +# use when this class does not detect backported patch (e.g. vendor kernel
> > repo with cherry-picked CVE patch)
> > +CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
> > +# use when NVD DB does not mention patched versions of stable/LTS branches
> > which have upstream CVE backports
> > +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
> > +# use when NVD DB does not mention correct version or does not mention any
> > verion at all
> > +CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
>
> It bothers me that some of these status flags are working around the fact that
> the CPE is incorrect, when that CPE data can be fixed. Instead of setting
> fixed-version, we can just mail NIST and fix the CPE.
>
Yes, but while you're sending it, the current status has to be covered. And you
don't know if the CPE will be fixed or not.
> > +# used internally by this class if CVE vulnerability is detected which is
> > not marked as fixed or ignored
> > +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> > +# use when CVE is confirmed by upstream but fix is still not available
> > +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> > +
> > +# used for migration from old concept, do not use for new vulnerabilities
> > +CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> > +# use when NVD DB wrongly indicates vulnerability which is actually for a
> > different component
> > +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
> > +# use when upstream does not accept the report as a vulnerability (e.g.
> > works as designed)
> > +CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> > +# use when vulnerability depends on build or runtime configuration which is
> > not used
> > +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> > +# use when vulnerability affects other platform (e.g. Windows or Debian)
> > +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
>
> > +# use when upstream acknowledged the vulnerability but does not plan to fix
> > it
> > +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
>
> Is this any different to ‘disputed’?
>
Of course. In the "upstream-wontfix" status, we know that it won't be fixed.
But for "disputed" you don't know if it's a bug or not.
> Do we expect to add a lot more statuses to this table, or for users to add
> their own values? It feels like maybe this should be a dict in
> lib/oe/cve_check.py instead of exposed in the data store.
>
Exactly, now I moved it to a separate file, where users could extend it with their own
statuses. The current version is just a "baseline" of supported ones.
> > + # Process CVE_STATUS_GROUPS to set multiple statuses and optional
> > detail or description at once
> > + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> > + cve_group = d.getVar(cve_status_group)
> > + if cve_group is not None:
> > + for cve in cve_group.split():
> > + d.setVarFlag("CVE_STATUS", cve,
> > d.getVarFlag(cve_status_group, "status"))
> > + else:
> > + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" %
> > cve_status_group)
> > +}
>
> CVE_STATUS_GROUPS isn’t documented in the class or the commit message.
>
Added a description directly into class.
>
Regards,
Andrej
^ permalink raw reply [flat|nested] 73+ messages in thread
* [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (14 preceding siblings ...)
2023-06-22 12:00 ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-22 12:00 ` Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
` (5 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek
From: Andrej Valek <andrej.valek@siemens.com>
- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs can carry more information about their assigned statuses.
- Add an example conversion in logrotate recipe.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++++++++++++++----
.../logrotate/logrotate_3.21.0.bb | 5 ++--
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
self.assertEqual(len(report["package"]), 1)
package = report["package"][0]
self.assertEqual(package["name"], "logrotate")
- found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ found_cves = {}
+ for issue in package["issue"]:
+ found_cves[issue["id"]] = {
+ "status" : issue["status"],
+ "detail" : issue["detail"] if "detail" in issue else "",
+ "description" : issue["description"] if "description" in issue else ""
+ }
# m4 CVE should not be in logrotate
self.assertNotIn("CVE-2008-1687", found_cves)
# logrotate has both Patched and Ignored CVEs
self.assertIn("CVE-2011-1098", found_cves)
- self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+ detail = "not-applicable-platform"
+ description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
self.assertIn("CVE-2011-1548", found_cves)
- self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
self.assertIn("CVE-2011-1549", found_cves)
- self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
self.assertIn("CVE-2011-1550", found_cves)
- self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
self.assertExists(summary_json)
check_m4_json(summary_json)
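Review bot: the reworked assertions only cover statuses that reach the report through a CVE_STATUS_GROUPS group (the logrotate recipe in this same patch switches to `CVE_STATUS_RECIPE`), so the direct `CVE_STATUS[...]` path, the migration from CVE_CHECK_IGNORE and the Unpatched fallback for an unknown detail keyword are all untested. A small recipe-level case with an invalid detail would pin the warn-and-fallback behaviour, and one with a CVE in both CVE_CHECK_IGNORE and CVE_STATUS would document which one wins.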
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
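Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses plain assignment, whereas the distro-level cve-extra-exclusions.inc in patch 3/3 appends to the same variable (`CVE_STATUS_GROUPS += "CVE_STATUS_GO"`). A recipe that assigns with `=` discards every group registered at distro or layer level for that recipe, and the anonymous python gives no warning when that happens. Use `+=` here, and say so in the class documentation, so recipe and distro groups compose.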
--
2.41.0
^ permalink raw reply related [flat|nested] 73+ messages in thread
* [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (15 preceding siblings ...)
2023-06-22 12:00 ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
@ 2023-06-22 12:00 ` Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
` (4 subsequent siblings)
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
From: Andrej Valek <andrej.valek@siemens.com>
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
.../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
.../bluez5/bluez5_5.66.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.3.bb | 13 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../ghostscript/ghostscript_10.01.1.bb | 3 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 11 +-
.../libpng/libpng_1.6.39.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 +-
meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
42 files changed, 257 insertions(+), 353 deletions(-)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 1c3cc36c61..a5dd7d3866 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -16,43 +16,42 @@
#
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
+
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
# db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
#
# Kernel CVEs, e.g. linux-yocto*
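Review bot: the multi-line reason strings in this hunk lose their sentence boundaries once the backslash continuations are joined, so the "reason" column in the csv/json report will read "...from within an ftp server Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 Upstream don't see it..." for CVE-2010-4756 and "...if not used correctly CVE applies to a netapp product..." for CVE_STATUS_GO; please end each continued line with a period (e.g. `...e.g. from within an ftp server. \`) and terminate the CVE_STATUS_GO[status] string with one too. Also, CVE_STATUS_DB[status] says "this CVE is unlikely to ever be fixed" although the group carries around thirty CVE ids; the previous comment had "these CVEs", which is the right wording for a group status.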
@@ -65,74 +64,83 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
# issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
# welcome than and then entries can likely be removed from here.
#
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020"
+
# 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
- CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+ CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
# 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
- CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+ CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
# 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
- CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+ CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: This is specific to Ubuntu"
# https://www.linuxkernelcves.com/cves/CVE-2019-3016
-# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
# https://www.linuxkernelcves.com/cves/CVE-2019-3819
-# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
# https://www.linuxkernelcves.com/cves/CVE-2019-3887
-# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
# 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
# Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"
# 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
- CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+ CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3669
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
# Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-4218
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
# 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
- CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
- CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
- CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
- CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
- CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
- CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+ CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+ CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+ CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+ CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+ CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+ CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2022-0480
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
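Review bot: `CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"` should read "Fixed in version v5.10" (single version; every other fixed-version entry in this hunk uses the singular). Beyond that, the four CVE_STATUS_KERNEL_* groups carry a bare `"ignored"` with no reason text, while all other entries in this hunk use the "status: reason" form; since recording why a CVE is ignored is the point of the CVE_STATUS change, consider carrying the rationale from the surrounding comment (CPE entries at NIST matching other kernels) into the status, e.g. `CVE_STATUS_KERNEL_2010[status] = "ignored: CPE entries at NIST match non-linux-yocto kernels, see comment above"`. Finally, CVE_STATUS_GROUPS is appended once for the 2010/2017/2018/2020 groups but separately for KERNEL_2021 and KERNEL_2022; pick one style, either a single `CVE_STATUS_GROUPS +=` line listing all kernel groups or one `+=` next to each group definition, so later additions follow an obvious pattern.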
@@ -140,7 +148,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
# Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
# Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
# Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -148,7 +156,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
# Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -158,19 +166,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2308
# Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
# Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
# Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
# Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2327
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
# Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
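Review bot: the criterion for choosing between "fixed-version" and "cpe-stable-backport" is not visible from the entries themselves: CVE-2022-2196 becomes `cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14`, while CVE-2022-2308, which also lists stable backports (v5.15.72 and v5.19.14) directly above its status line, becomes `fixed-version: Fixed in version v6.0`. If the distinction is whether the NVD CPE range still flags the stable branches, a one-line comment at the top of the kernel section stating that rule would let future contributors pick the right status; otherwise please use the same status for entries with the same backport situation.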
@@ -179,19 +187,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
# Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
# Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
# Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2785
# Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
# Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
# Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3176
# Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
# Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
# Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "fixed-version: Fixed in version v5.17"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
# Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -200,7 +208,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
# Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -211,13 +219,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3526
# Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
# Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
# Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "fixed-version: Fixed in version v5.18"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3534
# Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -225,20 +233,20 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
# Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
# Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
# Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
# Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3619
# Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
# Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
# Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
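Review bot: the context line `# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184` for CVE-2022-3621 looks like a typo for v2.6.30 (no v2.60 kernel exists, and the neighbouring entries use the v2.6.x form); since this patch already touches every status line in the block, it would be worth correcting the comment in the same change rather than leaving a misleading introduction version next to a freshly rewritten status.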
@@ -247,7 +255,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
# Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -256,12 +264,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3624
# Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
# Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3625
# Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -270,7 +278,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
# Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
# Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
# Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
# Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -279,13 +287,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3630
# Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
# Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
# Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
# Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -294,7 +302,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -303,12 +311,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3636
# Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
# Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3640
# Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -319,7 +327,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
# Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
# Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
# Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
# Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -328,7 +336,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -337,7 +345,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
# Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -346,7 +354,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -354,7 +362,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -362,7 +370,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -370,7 +378,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -378,15 +386,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42896
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -394,7 +402,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
# Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
# Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "fixed-version: Fixed in version v6.1"
# 2023
@@ -404,14 +412,14 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
# Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
# Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
# Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0266
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
# Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
# Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
# Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -420,7 +428,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
# Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -429,28 +437,28 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0386
# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
# Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1076
# Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
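Review bot: this hunk mixes cosmetic normalisation of the comment lines (adding the "v" prefix to "Backported in version 6.1.9", "5.15.91", "5.10.166" and so on) with the CVE_CHECK_IGNORE to CVE_STATUS conversion, but does it only halfway: `# Introduced in 5.11 459c7c56...`, `# Patched in kernel v6.2 4f11ada1...`, `# Introduced in v3.16 1b15d2e5...` and `# Patched in kernel v6.2 b12fece4...` keep their old forms. Either normalise every line of the CVE-2023-0386, CVE-2023-1073 and CVE-2023-1074 blocks to the "Introduced in version vX.Y <sha>" / "Patched in kernel since vX.Y <sha>" / "Backported in version vX.Y.Z <sha>" wording used elsewhere in the file, or drop the comment-only churn from this patch so the diff stays focused on the status conversion.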
@@ -459,19 +467,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
# Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
# Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
# Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
# Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
# Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -480,7 +488,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
# Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -490,7 +498,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
# Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -498,7 +506,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -506,7 +514,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1652
# Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -514,7 +522,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
# Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
# Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
# Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -525,7 +533,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
# Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-23005
# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -535,7 +543,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
# > in which a user can cause the alloc_memory_type error case to be reached.
# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
# We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "disputed: Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
@@ -543,127 +551,102 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.105, v6.1.20 and v6.2.7"
-# Wrong CPE in NVD database
# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
+CVE_STATUS[CVE-2023-0459] = "cpe-stable-backport: Backported in 6.1.14"
# https://www.linuxkernelcves.com/cves/CVE-2023-0615
-# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"
# https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-1380] = "cpe-stable-backport: Backported in 6.1.27"
# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+CVE_STATUS[CVE-2023-1611] = "cpe-stable-backport: Backported in 6.1.23"
# https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-1855] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-1859] = "cpe-stable-backport: Backported in 6.1.25"
# https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+CVE_STATUS[CVE-2023-1989] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-1990
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS[CVE-2023-1990] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+CVE_STATUS[CVE-2023-1998] = "cpe-stable-backport: Backported in 6.1.16"
# https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-2002] = "cpe-stable-backport: Backported in 6.1.27"
# https://www.linuxkernelcves.com/cves/CVE-2023-2156
-# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "cpe-stable-backport: Backported in 6.1.26"
# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
+CVE_STATUS[CVE-2023-2162] = "cpe-stable-backport: Backported in 6.1.11"
# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2194] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+CVE_STATUS[CVE-2023-2235] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
+CVE_STATUS[CVE-2023-28328] = "cpe-stable-backport: Backported in 6.1.2"
# https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-2985] = "cpe-stable-backport: Backported in 6.1.16"
# https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
+CVE_STATUS[CVE-2023-28866] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
+CVE_STATUS[CVE-2023-30456] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
+CVE_STATUS[CVE-2023-30772] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
+CVE_STATUS[CVE-2023-31436] = "cpe-stable-backport: Backported in 6.1.26"
# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
+CVE_STATUS[CVE-2023-32233] = "cpe-stable-backport: Backported in 6.1.28"
# https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
+CVE_STATUS[CVE-2023-33203] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
+CVE_STATUS[CVE-2023-33288] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
+CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
# Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in 6.1.30"
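Review bot: the nasm entry (`CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \`) drops the trailing backslashes on its second and third lines, so the quoted value is never closed on one logical line and BitBake's conf parser will reject the file with an "unparsed line" error; the two qemu entries directly above show the required form, with `\` at the end of every continued line. While touching this block: those qemu continuation lines need sentence punctuation, because once joined they read "...msg06098.html qemu maintainers say the patch is incorrect and should not be applied The issue is of low impact"; the two bluez-related entries carry the old grammar ("This issue do not affect the kernel, patchs listed on CVE pages links to ...") into what is now report output; the link above `CVE_STATUS[CVE-2023-1998]` points at CVE-2023-1999, a mismatch inherited from the removed line that should be resolved rather than copied forward; and "cpe-stable-backport: Backported in 6.1" for CVE-2023-0615 describes a mainline fix ("Fixed in 6.1 onwards"), which is a fixed-version case, not a stable backport.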
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
DEPENDS = "flex-native bison-native gettext-native"
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb b/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 80164aad87..26a280c844 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
# so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0..31f325e590 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,8 @@ require bluez5.inc
SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
# noinst programs in Makefile.tools that are conditional on READLINE
# support
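Review bot: the CVE IDs change in this hunk: the removed line ignored CVE-2020-12352 and CVE-2020-24490, but the added CVE_STATUS lines are keyed on CVE-2022-3563 and CVE-2022-3637. The two original CVEs therefore lose their status and will be reported again, while the two new IDs contradict the kernel exclusion file earlier in this same patch, which says they do not affect the kernel because their fixes live in bluez. Keep the original IDs (`CVE_STATUS[CVE-2020-12352] = "cpe-incorrect: ..."` and `CVE_STATUS[CVE-2020-24490] = "cpe-incorrect: ..."`) and fix the reason's grammar ("These issues have kernel fixes rather than bluez fixes") now that it is emitted in the report.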
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
"
SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
PAM_SRC_URI = "file://sshd"
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index f5f3f32a97..e3557348e8 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -253,6 +253,5 @@ CVE_PRODUCT = "openssl:openssl"
CVE_VERSION_SUFFIX = "alphabetical"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
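Review bot: removing only the first comment line leaves `# Apache in meta-webserver is already recent enough` standing alone above the status with nothing it refers to; either fold it into the reason string ("... in combination with Apache < 2.4.37; Apache in meta-webserver is already recent enough") or remove it together with the other comment.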
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+#
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
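Review bot: the added line consisting of a bare `#` is an empty comment left over from moving the reason into the CVE_STATUS string; drop it so the commit URL and the status line form one block.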
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
DEPENDS += "gperf-native bison-native"
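Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` is a plain assignment, so it overwrites any group names a distro or layer configuration has already put in CVE_STATUS_GROUPS by the time this recipe is parsed; use `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"`. The group reason also lost the quotation marks around the maintainers' sentence ("this is being treated as a non-security bug and no real threat."), so it now runs on from the previous sentence as the recipe's own claim; keep it quoted, as the CVE-2019-1010025 entry below does with single quotes, and keep the original capitalisation.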
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 4f3b17093e..095ecf8602 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -26,10 +26,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
BINCONFIG = "${bindir}/xml2-config"
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
PACKAGECONFIG ??= "python \
${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
"
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
pkg_prerm:udev-hwdb () {
rm -f $D${sysconfdir}/udev/hwdb.bin
}
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
# https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
inherit autotools gettext texinfo ptest github-releases
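Review bot: the reason string now starts mid-sentence with a lowercase "there is stack exhaustion ..." because the leading "Disputed - yes" was cut; begin it with a capital letter, and consider whether `disputed:` is the better status here, since the removed comment classified the issue as disputed and "Upstream no plans to address this" is the supporting detail rather than the status itself.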
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
--with-build-sysroot=${STAGING_DIR_TARGET} \
"
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
CVE_PRODUCT = "git-scm:git"
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
PACKAGECONFIG ??= "expat curl"
PACKAGECONFIG[cvsserver] = ""
PACKAGECONFIG[svn] = ""
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
# https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
inherit allarch
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
BBCLASSEXTEND = "native nativesdk"
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.3.bb b/meta/recipes-devtools/python/python3_3.11.3.bb
index c7974849b6..59f93861dd 100644
--- a/meta/recipes-devtools/python/python3_3.11.3.bb
+++ b/meta/recipes-devtools/python/python3_3.11.3.bb
@@ -47,15 +47,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
CVE_PRODUCT = "python"
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
# The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
PYTHON_MAJMIN = "3.11"
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6acda61425..480aa97c30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,21 +39,16 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
SRC_URI:append:class-target = " file://cross.patch"
SRC_URI:append:class-nativesdk = " file://cross.patch"
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
COMPATIBLE_HOST:mipsarchn32 = "null"
COMPATIBLE_HOST:mipsarchn64 = "null"
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
inherit autotools-brokensep
PACKAGECONFIG ??= "acl attr \
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
SRC_URI:class-native = "${BASE_SRC_URI}"
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index e55fb70cb1..397bb5d87c 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..ec4abeb936 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,14 +20,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
LEAD_SONAME = "libcupsdriver.so"
@@ -115,7 +112,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
cups_sysroot_preprocess () {
sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
}
-
-# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
index f03ebf4478..4c0888e6a7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
@@ -18,8 +18,7 @@ DEPENDS = "tiff jpeg fontconfig cups libpng freetype zlib"
UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
-# We use a system libjpeg-turbo which has this fix
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "not-applicable-config: We use a system libjpeg-turbo which has this fix"
def gs_verdir(v):
return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
PACKAGECONFIG ??= "libcap"
PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
}
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
PROCPS_PACKAGES = "${PN}-lib \
${PN}-ps \
${PN}-sysctl"
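Review bot: the CVE_CHECK_IGNORE entry for CVE-2018-1121 is deleted here with no CVE_STATUS replacement, so after this change cve-check will report that CVE as Unpatched again unless it is handled elsewhere, and the rationale (ps is not a security tool, plus the Red Hat bug link) is lost. If dropping it is intentional the commit message should say why; otherwise convert it, e.g. `CVE_STATUS[CVE-2018-1121] = "disputed: 'ps' isn't suitable for use as a security tool, see https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3"`, which is what the removed comment described.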
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
# https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
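Review bot: the `# https://bugzilla.redhat.com/show_bug.cgi?id=884658` comment is kept as a bare line above the new CVE-2013-4235 entry, so the reference never reaches the generated report even though the description field now exists for exactly that. Fold it into the description, e.g. `CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix, see https://bugzilla.redhat.com/show_bug.cgi?id=884658"`, and drop the comment.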
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
# exclude version 5.5.2 which triggers a false positive
UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
S = "${WORKDIR}/git"
# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
# zip.inc sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
RREPLACES:${PN} += "libnotify3"
# -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
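Review bot: the `# -7381 is specific to the NodeJS bindings` context comment now restates the CVE_STATUS description directly below it; drop the comment so the reason lives in one place.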
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
index 1a5d8a6b04..1142afece1 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
@@ -51,8 +51,7 @@ do_compile:prepend() {
sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
}
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
}
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
S = "${WORKDIR}/${XORG_PN}-${PV}"
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b..be632dec2a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Backported in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Backported in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Backported in version v6.1"
# 2023
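Review bot: the descriptions for CVE-2022-3523, -3566 and -3567 say "Backported in version v6.1" while the retained comments above each of them say "Patched in kernel since v6.1", i.e. the fix is in mainline, not a stable backport. Since the detail chosen is fixed-version (NVD lacking the fixed version) rather than cpe-stable-backport, make the description match the comments, e.g. "fixed-version: Fixed in v6.1".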
@@ -26,11 +26,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
# * https://www.linuxkernelcves.com/cves/CVE-2022-38457
# * https://www.linuxkernelcves.com/cves/CVE-2022-40133
# * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1075
# Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
# Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
# Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
# 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf..562745e3eb 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
BBCLASSEXTEND = "native nativesdk"
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..c083acaa61 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -18,14 +18,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
+CVE_STATUS[CVE-2022-1210] = "not-applicable-config: Issue is in jbig which we don't enable"
inherit autotools multilib_header
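Review bot: CVE-2022-1622 and CVE-2022-1623 lose their CVE_CHECK_IGNORE entries with no CVE_STATUS replacement. The removed comment says they affect libtiff after 4.3.0 and before 4.4.0, so for tiff_4.5.0 the drop is presumably deliberate (if the NVD version range already excludes 4.5.0), but a reader of this hunk cannot tell a deliberate drop from a forgotten conversion; please state it in the commit message. Also, the new CVE-2015-7313 description "already 4.3.0 doesn't have the issue" reads better as "4.3.0 already doesn't have the issue".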
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
"
SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
BINCONFIG = "${bindir}/libgcrypt-config"
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
S = "${WORKDIR}/libxslt-${PV}"
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
inherit ptest
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..181187bbd9 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -5,10 +5,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
-
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
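Review bot: the three CVE_CHECK_IGNORE entries (CVE-2019-19242, CVE-2015-3717, CVE-2021-36690) are removed with no CVE_STATUS replacement, so unless the NVD data now excludes sqlite 3.41.2 from each of them, cve-check will report them as Unpatched again. The removed comments map directly onto the new details: the development-branch-only issue to cpe-incorrect or fixed-version, the iOS-specific one to not-applicable-platform, the unused experimental extension to not-applicable-config. Either convert them or explain the removal in the commit message.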
--
2.41.0
* [OE-core][PATCH v9 0/3] CVE-check handling
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
@ 2023-06-23 11:14 ` Andrej Valek
2023-07-19 10:26 ` Valek, Andrej
2023-06-23 11:14 ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek
After discussion in all parallel threads we proposed the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which may not be ideal but deals with the
conflicting responses we got.
Changes compared to version 8:
- moved CVE_CHECK_STATUSMAP into a separate cve-check-map.conf file
- this allows using it without inheriting the cve-check class, e.g. for SPDX
Documentation will be updated in a separate repository.
meta/classes/cve-check.bbclass | 81 +++-
meta/conf/bitbake.conf | 1 +
meta/conf/cve-check-map.conf | 28 ++
.../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
meta/lib/oe/cve_check.py | 25 ++
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +-
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
.../bluez5/bluez5_5.66.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.3.bb | 13 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../ghostscript/ghostscript_10.01.1.bb | 3 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
.../logrotate/logrotate_3.21.0.bb | 5 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 11 +-
.../libpng/libpng_1.6.39.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 +-
meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
48 files changed, 403 insertions(+), 373 deletions(-)
create mode 100644 meta/conf/cve-check-map.conf
--
2.41.0
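The CVE_STATUS decoding this series introduces, as an added stand-alone illustration rather than code from the patch itself: a CVE_STATUS value is "<detail>: <description>", the detail is mapped to Ignored/Patched/Unpatched through CVE_CHECK_STATUSMAP (values copied from the cve-check-map.conf posted in 1/3), deprecated CVE_CHECK_IGNORE entries fall back to the "ignored" detail, and CVE_STATUS_GROUPS applies one status to several CVEs at once. Plain dicts standing in for the BitBake datastore, and rejecting an unknown detail instead of guessing, are this example's own assumptions.

```python
# Added illustration of the CVE_STATUS handling described in this series; it is
# not the series' own code. The detail -> status mapping below is copied from
# the cve-check-map.conf posted in patch 1/3. How the real class treats a
# missing description or an unknown detail is not shown on the page; the
# choices made here (description optional, unknown detail is an error) are
# this example's own.

# detail -> generic status, as in meta/conf/cve-check-map.conf of this series
CVE_CHECK_STATUSMAP = {
    "patched": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}


def decode_cve_status(value, statusmap=CVE_CHECK_STATUSMAP):
    """Split one CVE_STATUS value, "<detail>: <description>", into
    (generic status, detail, description).

    Only the first colon separates detail from description, so URLs in the
    description survive. The description is optional ("fixed-version" alone
    is accepted and yields None). A detail not present in the map raises,
    so a typo in a recipe cannot silently demote a CVE to Ignored or
    promote it to Patched.
    """
    detail, _, description = value.partition(":")
    detail = detail.strip()
    description = description.strip() or None
    if detail not in statusmap:
        raise ValueError("unknown CVE status detail %r in %r" % (detail, value))
    return statusmap[detail], detail, description


def is_valid_cve_status(value, statusmap=CVE_CHECK_STATUSMAP):
    """True when decode_cve_status() would accept the value."""
    try:
        decode_cve_status(value, statusmap)
        return True
    except ValueError:
        return False


def expand_cve_status(cve_status, cve_check_ignore="", cve_status_groups=None):
    """Return the effective per-CVE status values.

    Mirrors the anonymous python function of the bbclass hunk: every CVE in
    the deprecated space-separated CVE_CHECK_IGNORE becomes "ignored", and
    each group in CVE_STATUS_GROUPS applies its [status] flag to every CVE it
    lists. Groups are (cve_list, status) tuples here because there is no
    BitBake datastore; a group always wins over a directly set entry.
    """
    flags = dict(cve_status)
    for cve in cve_check_ignore.split():
        flags[cve] = "ignored"  # migration path, see CVE_CHECK_STATUSMAP[ignored]
    for _name, (cves, status) in (cve_status_groups or {}).items():
        for cve in cves.split():
            flags[cve] = status
    return flags


def ignored_cves(flags):
    """CVEs whose generic status decodes to Ignored, i.e. what check_cves()
    collects into cve_ignore in the bbclass hunk."""
    return sorted(cve for cve, value in flags.items()
                  if decode_cve_status(value)[0] == "Ignored")


def report_lines(cve, value):
    """The CVE STATUS / CVE DETAIL / CVE DESCRIPTION lines the text report
    writes for one CVE; DETAIL and DESCRIPTION appear only when present."""
    status, detail, description = decode_cve_status(value)
    lines = ["CVE: %s" % cve, "CVE STATUS: %s" % status]
    if detail:
        lines.append("CVE DETAIL: %s" % detail)
    if description:
        lines.append("CVE DESCRIPTION: %s" % description)
    return lines


# Constructed sample input; the CVE ids and reasons are taken from recipe
# hunks in this thread, the group is the one from the bbclass documentation.
SAMPLE_CVE_STATUS = {
    "CVE-2018-1000041": "not-applicable-platform: Issue only applies on Windows",
    "CVE-2021-46828": "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3",
    "CVE-2022-3523": "fixed-version",  # detail only, no description
}
SAMPLE_CVE_CHECK_IGNORE = "CVE-2013-7381"  # legacy variable, still honoured
SAMPLE_GROUPS = {
    "CVE_STATUS_WIN": ("CVE-1234-0001 CVE-1234-0003",
                       "not-applicable-platform: Issue only applies on Windows"),
}

if __name__ == "__main__":
    flags = expand_cve_status(SAMPLE_CVE_STATUS, SAMPLE_CVE_CHECK_IGNORE, SAMPLE_GROUPS)
    for cve in sorted(flags):
        print("\n".join(report_lines(cve, flags[cve])))
    print("ignored:", ignored_cves(flags))
```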
* Re: [OE-core][PATCH v9 0/3] CVE-check handling
2023-06-23 11:14 ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
@ 2023-07-19 10:26 ` Valek, Andrej
2023-07-19 10:54 ` Richard Purdie
0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-07-19 10:26 UTC (permalink / raw)
To: openembedded-core; +Cc: richard.purdie
Hello,
I would like to ask, what's the status here?
Regards,
Andrej
On Fri, 2023-06-23 at 13:14 +0200, Andrej Valek wrote:
> After discussion in all parallel threads we proposed the following variant, which
> covers both expressed requirements: to have a very small number of different CVE
> statuses and also a very large number of them at the same time.
> This is a compromise version which may not be ideal but deals with the
> conflicting responses we got.
>
> Changes compared to version 8:
> - moved CVE_CHECK_STATUSMAP into a separate cve-check-map.conf file
> - this allows using it without inheriting the cve-check class, e.g. for SPDX
>
> Documentation will be updated in a separate repository.
>
> meta/classes/cve-check.bbclass | 81 +++-
> meta/conf/bitbake.conf | 1 +
> meta/conf/cve-check-map.conf | 28 ++
> .../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
> meta/lib/oe/cve_check.py | 25 ++
> meta/lib/oeqa/selftest/cases/cve_check.py | 26 +-
> meta/recipes-bsp/grub/grub2.inc | 6 +-
> meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
> .../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
> .../bluez5/bluez5_5.66.bb | 4 +-
> .../openssh/openssh_9.3p1.bb | 9 +-
> .../openssl/openssl_3.1.1.bb | 3 +-
> meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
> meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
> meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
> meta/recipes-core/systemd/systemd_253.3.bb | 3 -
> meta/recipes-devtools/cmake/cmake.inc | 4 +-
> meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
> meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
> meta/recipes-devtools/git/git_2.39.3.bb | 7 -
> meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
> meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
> .../recipes-devtools/python/python3_3.11.3.bb | 13 +-
> meta/recipes-devtools/qemu/qemu.inc | 13 +-
> meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
> meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
> meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
> meta/recipes-extended/cups/cups.inc | 17 +-
> .../ghostscript/ghostscript_10.01.1.bb | 3 +-
> .../iputils/iputils_20221126.bb | 5 +-
> .../libtirpc/libtirpc_1.3.3.bb | 3 +-
> .../logrotate/logrotate_3.21.0.bb | 5 +-
> meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
> meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
> meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
> .../xinetd/xinetd_2.3.15.4.bb | 2 +-
> meta/recipes-extended/zip/zip_3.0.bb | 7 +-
> .../libnotify/libnotify_0.8.2.bb | 2 +-
> meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
> meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
> .../xorg-xserver/xserver-xorg.inc | 19 +-
> .../linux/cve-exclusion_6.1.inc | 11 +-
> .../libpng/libpng_1.6.39.bb | 3 +-
> meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +-
> .../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
> .../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
> meta/recipes-support/lz4/lz4_1.9.4.bb | 3 +-
> meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
> 48 files changed, 403 insertions(+), 373 deletions(-)
> create mode 100644 meta/conf/cve-check-map.conf
>
* Re: [OE-core][PATCH v9 0/3] CVE-check handling
2023-07-19 10:26 ` Valek, Andrej
@ 2023-07-19 10:54 ` Richard Purdie
2023-07-19 11:16 ` Ross Burton
0 siblings, 1 reply; 73+ messages in thread
From: Richard Purdie @ 2023-07-19 10:54 UTC (permalink / raw)
To: Valek, Andrej, openembedded-core
On Wed, 2023-07-19 at 10:26 +0000, Valek, Andrej wrote:
> Hello,
>
> I would like to ask, what's the status here?
I've asked for some people to help review it and I'm waiting on their
feedback. FWIW they did promise "this morning" yesterday so they have
around 6 minutes!
Cheers,
Richard
* Re: [OE-core][PATCH v9 0/3] CVE-check handling
2023-07-19 10:54 ` Richard Purdie
@ 2023-07-19 11:16 ` Ross Burton
2023-07-19 12:03 ` Valek, Andrej
0 siblings, 1 reply; 73+ messages in thread
From: Ross Burton @ 2023-07-19 11:16 UTC (permalink / raw)
To: Richard Purdie; +Cc: Valek, Andrej, openembedded-core
On 19 Jul 2023, at 11:54, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
>
> On Wed, 2023-07-19 at 10:26 +0000, Valek, Andrej wrote:
>> Hello,
>>
>> I would like to ask, what's the status here?
>
> I've asked for some people to help review it and I'm waiting on their
> feedback. FWIW they did promise "this morning" yesterday so they have
> around 6 minutes!
I suspect I was that person :). I have no major objections to the patch now.
Cheers,
Ross
* Re: [OE-core][PATCH v9 0/3] CVE-check handling
2023-07-19 11:16 ` Ross Burton
@ 2023-07-19 12:03 ` Valek, Andrej
2023-07-20 16:41 ` Marta Rybczynska
0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-07-19 12:03 UTC (permalink / raw)
To: richard.purdie, Ross.Burton; +Cc: openembedded-core
Even better,
So I will make one more rebase, just for "[OE-core][PATCH v9 3/3] cve_check:
convert CVE_CHECK_IGNORE to CVE_STATUS"
Regards,
Andrej
On Wed, 2023-07-19 at 11:16 +0000, Ross Burton wrote:
> On 19 Jul 2023, at 11:54, Richard Purdie <richard.purdie@linuxfoundation.org>
> wrote:
> >
> > On Wed, 2023-07-19 at 10:26 +0000, Valek, Andrej wrote:
> > > Hello,
> > >
> > > I would like to ask, what's the status here?
> >
> > I've asked for some people to help review it and I'm waiting on their
> > feedback. FWIW they did promise "this morning" yesterday so they have
> > around 6 minutes!
>
> I suspect I was that person :). I have no major objections to the patch now.
>
> Cheers,
> Ross
* Re: [OE-core][PATCH v9 0/3] CVE-check handling
2023-07-19 12:03 ` Valek, Andrej
@ 2023-07-20 16:41 ` Marta Rybczynska
0 siblings, 0 replies; 73+ messages in thread
From: Marta Rybczynska @ 2023-07-20 16:41 UTC (permalink / raw)
To: andrej.valek; +Cc: richard.purdie, Ross.Burton, openembedded-core
On Wed, Jul 19, 2023 at 2:03 PM Andrej Valek via lists.openembedded.org
<andrej.valek=siemens.com@lists.openembedded.org> wrote:
> Even better,
>
> So I will make one more rebase, just for "[OE-core][PATCH v9 3/3]
> cve_check:
> convert CVE_CHECK_IGNORE to CVE_STATUS"
>
>
This version looks best of all I've seen. Let's get it in, in this
version. I'll have a patchset to fix a few issues after we get multiple
fetchers in. I *think* I will be able to use it with multi-fetchers.
Kind regards,
Marta
* [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
@ 2023-06-23 11:14 ` Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek, Peter Marko
From: Andrej Valek <andrej.valek@siemens.com>
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
meta/classes/cve-check.bbclass | 81 ++++++++++++++++++++++++++++------
meta/conf/bitbake.conf | 1 +
meta/conf/cve-check-map.conf | 28 ++++++++++++
meta/lib/oe/cve_check.py | 25 +++++++++++
4 files changed, 122 insertions(+), 13 deletions(-)
create mode 100644 meta/conf/cve-check-map.conf
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..55e3baf1ed 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,28 @@ CVE_CHECK_COVERAGE ??= "1"
# Skip CVE Check for packages (PN)
CVE_CHECK_SKIP_RECIPE ?= ""
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
#
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
#
+# Settings the same status and reason for multiple CVEs is possible
+# via CVE_STATUS_GROUPS variable.
+#
+# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+#
+# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003"
+# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004"
+# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
+#
+# All possible CVE statuses could be found in cve-check-map.conf
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
CVE_CHECK_IGNORE ?= ""
# Layers to be excluded
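Review bot: typos in the added comment block: "Settings the same status and reason for multiple CVEs" should read "Setting the same status and reason", and "Each of CVE has to be mentioned separately" should read "Each CVE has to be mentioned separately". Since the block says all possible statuses are in cve-check-map.conf, naming its location (meta/conf/cve-check-map.conf, required from bitbake.conf later in this patch) would help readers find it.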
@@ -88,6 +104,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+python () {
+ # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+ cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+ if cve_check_ignore:
+ bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+ for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+ d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+ # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+ for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+ cve_group = d.getVar(cve_status_group)
+ if cve_group is not None:
+ for cve in cve_group.split():
+ d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+ else:
+ bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
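Review bot: in the CVE_STATUS_GROUPS loop, `d.getVarFlag(cve_status_group, "status")` is stored unchecked, so a group variable that lists CVEs but has no [status] flag sets CVE_STATUS[cve] = None for every CVE it lists and only fails later, in decode_cve_status(). Warn and skip the group when the flag is missing, as is already done for an undefined group variable. Minor: the fallback loop re-reads CVE_CHECK_IGNORE instead of reusing cve_check_ignore, and a group silently overrides a CVE_STATUS[cve] set directly in the recipe; that precedence deserves a sentence in the comment block above.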
@@ -260,7 +294,7 @@ def check_cves(d, patched_cves):
"""
Connect to the NVD database and find unpatched cves.
"""
- from oe.cve_check import Version, convert_cve_version
+ from oe.cve_check import Version, convert_cve_version, decode_cve_status
pn = d.getVar("PN")
real_pv = d.getVar("PV")
@@ -282,7 +316,12 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been skipped by cve-check")
return ([], [], [], [])
- cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+ # Convert CVE_STATUS into ignored CVEs and check validity
+ cve_ignore = []
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Ignored":
+ cve_ignore.append(cve)
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
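Review bot: `d.getVarFlags("CVE_STATUS")` returns every flag on the variable, not only CVE ids. conf/documentation.conf is included by bitbake.conf (visible as context in the bitbake.conf hunk below), and once it documents CVE_STATUS its [doc] flag would be passed to decode_cve_status() here as if it were a CVE named "doc"; filter on names starting with "CVE-" before decoding. A comment would also help noting that this loop only collects Ignored entries and that Patched statuses from CVE_STATUS are expected to arrive via get_patched_cves() in oe/cve_check.py, which this patch touches as well.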
@@ -413,6 +452,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
CVE manifest if enabled.
"""
+ from oe.cve_check import decode_cve_status
+
cve_file = d.getVar("CVE_CHECK_LOG")
fdir_name = d.getVar("FILE_DIRNAME")
layer = fdir_name.split("/")[-3]
@@ -441,20 +482,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
is_patched = cve in patched
is_ignored = cve in ignored
+ status = "Unpatched"
if (is_patched or is_ignored) and not report_all:
continue
+ if is_ignored:
+ status = "Ignored"
+ elif is_patched:
+ status = "Patched"
+ else:
+ # default value of status is Unpatched
+ unpatched_cves.append(cve)
write_string += "LAYER: %s\n" % layer
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
write_string += "CVE: %s\n" % cve
- if is_ignored:
- write_string += "CVE STATUS: Ignored\n"
- elif is_patched:
- write_string += "CVE STATUS: Patched\n"
- else:
- unpatched_cves.append(cve)
- write_string += "CVE STATUS: Unpatched\n"
+ write_string += "CVE STATUS: %s\n" % status
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ write_string += "CVE DETAIL: %s\n" % detail
+ if description:
+ write_string += "CVE DESCRIPTION: %s\n" % description
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -516,6 +564,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
Prepare CVE data for the JSON format, then write it.
"""
+ from oe.cve_check import decode_cve_status
+
output = {"version":"1", "package": []}
nvd_link = "https://nvd.nist.gov/vuln/detail/"
@@ -576,6 +626,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"status" : status,
"link": issue_link
}
+ _, detail, description = decode_cve_status(d, cve)
+ if detail:
+ cve_item["detail"] = detail
+ if description:
+ cve_item["description"] = description
cve_list.append(cve_item)
package_data["issue"] = cve_list
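Review bot: the issue entries gain optional "detail" and "description" keys while the report keeps `"version":"1"` (context at the top of the function). Consumers that parse the JSON by schema version cannot detect the new keys; either bump the version or record in the class documentation that these two keys are optional additions to version 1.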
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 9625a6fef4..30c813457e 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -831,6 +831,7 @@ include conf/distro/defaultsetup.conf
include conf/documentation.conf
include conf/licenses.conf
require conf/sanity.conf
+require conf/cve-check-map.conf
##################################################################
# Weak variables (usually to retain backwards compatibility)
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
new file mode 100644
index 0000000000..17b0f15571
--- /dev/null
+++ b/meta/conf/cve-check-map.conf
@@ -0,0 +1,28 @@
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
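Review bot: typo in the `fixed-version` comment: "does not mention any verion at all" should read "version". Since the flag names in this map are the exact strings matched by `decode_cve_status()`, a short header comment stating that the keys are case-sensitive and must appear before the first `:` of a `CVE_STATUS` value would help recipe authors get the lookup right the first time.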
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
if not fname_match and not text_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+ # Search for additional patched CVEs
+ for cve in (d.getVarFlags("CVE_STATUS") or {}):
+ decoded_status, _, _ = decode_cve_status(d, cve)
+ if decoded_status == "Patched":
+ bb.debug(2, "CVE %s is additionally patched" % cve)
+ patched_cves.add(cve)
+
return patched_cves
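Review bot: the loop over `d.getVarFlags("CVE_STATUS")` treats every flag on the variable as a CVE identifier, with no filter on the name; any non-CVE flag (for example a `[doc]` flag set in conf/documentation.conf, which bitbake.conf includes) would be handed to `decode_cve_status()` and produce a spurious "Invalid detail" warning. Consider skipping flags that do not start with `CVE-`.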
@@ -218,3 +225,21 @@ def convert_cve_version(version):
return version + update
+def decode_cve_status(d, cve):
+ """
+ Convert CVE_STATUS into status, detail and description.
+ """
+ status = d.getVarFlag("CVE_STATUS", cve)
+ if status is None:
+ return ("", "", "")
+
+ status_split = status.split(':', 1)
+ detail = status_split[0]
+ description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+ status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+ if status_mapping is None:
+ bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+ status_mapping = "Unpatched"
+
+ return (status_mapping, detail, description)
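Review bot: `detail = status_split[0]` is not stripped, so a value written as `"fixed-version : reason"` or with leading whitespace misses the `CVE_CHECK_STATUSMAP` lookup and falls back to Unpatched with a warning; `status_split[0].strip()` would mirror the `.strip()` already applied to the description. The fallback direction itself is right: an unrecognised detail fails closed to Unpatched instead of hiding the CVE.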
--
2.41.0
* [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek
From: Andrej Valek <andrej.valek@siemens.com>
- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in logrotate recipe.
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++++++++++++++----
.../logrotate/logrotate_3.21.0.bb | 5 ++--
2 files changed, 24 insertions(+), 7 deletions(-)
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
self.assertEqual(len(report["package"]), 1)
package = report["package"][0]
self.assertEqual(package["name"], "logrotate")
- found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ found_cves = {}
+ for issue in package["issue"]:
+ found_cves[issue["id"]] = {
+ "status" : issue["status"],
+ "detail" : issue["detail"] if "detail" in issue else "",
+ "description" : issue["description"] if "description" in issue else ""
+ }
# m4 CVE should not be in logrotate
self.assertNotIn("CVE-2008-1687", found_cves)
# logrotate has both Patched and Ignored CVEs
self.assertIn("CVE-2011-1098", found_cves)
- self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+ detail = "not-applicable-platform"
+ description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
self.assertIn("CVE-2011-1548", found_cves)
- self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
self.assertIn("CVE-2011-1549", found_cves)
- self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
self.assertIn("CVE-2011-1550", found_cves)
- self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+ self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
self.assertExists(summary_json)
check_m4_json(summary_json)
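Review bot: style point on the `found_cves` dictionary: `issue["detail"] if "detail" in issue else ""` is `issue.get("detail", "")`, and likewise for `description`. The assertions are otherwise a useful check that detail and description stay empty for a CVE patched by file detection and are populated for the `not-applicable-platform` group.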
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
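Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` is a plain assignment, so inside this recipe it replaces any groups added at distro level with `+=` (as cve-extra-exclusions.inc does in 3/3); for logrotate nothing relevant is lost, but since this recipe is the example conversion others will copy, `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` is the safer form.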
--
2.41.0
* [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek, Peter Marko
From: Andrej Valek <andrej.valek@siemens.com>
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
.../distro/include/cve-extra-exclusions.inc | 371 +++++++++---------
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.15.bb | 2 +-
.../bluez5/bluez5_5.66.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.10.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.3.bb | 13 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../ghostscript/ghostscript_10.01.1.bb | 3 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.0.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 11 +-
.../libpng/libpng_1.6.39.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.0.bb | 10 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 +-
meta/recipes-support/sqlite/sqlite3_3.41.2.bb | 7 -
42 files changed, 257 insertions(+), 353 deletions(-)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 1c3cc36c61..a5dd7d3866 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -16,43 +16,42 @@
#
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
+
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
# db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
#
# Kernel CVEs, e.g. linux-yocto*
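Review bot: the go entry maps to `not-applicable-config`, but its reason ("We don't ship anything exposing this interface in an exploitable way") does not name an unused build or runtime configuration, which is what the map in 1/3 reserves that keyword for; either pick the keyword that matches the reason or reword the reason to say which configuration is not used. Two smaller points: the go reason lacks its final period, and the db group reason says "this CVE is unlikely to ever be fixed" for a group of many CVEs, where "these CVEs" reads correctly.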
@@ -65,74 +64,83 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
# issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
# welcome than and then entries can likely be removed from here.
#
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020"
+
# 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
- CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+ CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
# 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
- CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+ CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
# 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
- CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+ CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: This is specific to Ubuntu"
# https://www.linuxkernelcves.com/cves/CVE-2019-3016
-# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
# https://www.linuxkernelcves.com/cves/CVE-2019-3819
-# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
# https://www.linuxkernelcves.com/cves/CVE-2019-3887
-# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
# 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
# Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"
# 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
- CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+ CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3669
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
# Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-4218
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
# 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
- CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
- CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
- CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
- CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
- CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
- CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+ CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+ CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+ CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+ CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+ CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+ CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
# https://nvd.nist.gov/vuln/detail/CVE-2022-0480
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
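Review bot: `CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"` has a number mismatch ("versions v5.10") unlike the neighbouring entries. More substantively, the kernel groups (`CVE_STATUS_KERNEL_2010` through `CVE_STATUS_KERNEL_2021`) are set to the bare `ignored` keyword, which the map in 1/3 marks as migration-only and which carries no reason text; the comment block above these groups already explains why they are excluded, so carrying that explanation into the status string (e.g. `cpe-incorrect: ...`) would make the generated reports self-explaining.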
@@ -140,7 +148,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
# Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
# Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
# Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -148,7 +156,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
# Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -158,19 +166,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2308
# Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
# Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
# Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
# Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2327
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
# Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
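Review bot: the rule for choosing between `cpe-stable-backport` and `fixed-version` is not stated: CVE-2022-2196 uses `cpe-stable-backport` and lists the stable backports, while CVE-2022-2308 directly below also has stable backports (v5.15.72, v5.19.14) but is marked `fixed-version` with only the mainline v6.0. Please state the criterion in the file header so future entries stay consistent and the reports mean the same thing for both keywords.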
@@ -179,19 +187,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
# Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
# Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
# Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2785
# Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
# Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
# Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3176
# Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
# Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
# Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "fixed-version: Fixed in version v5.17"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
# Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -200,7 +208,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
# Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -211,13 +219,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3526
# Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
# Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
# Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "fixed-version: Fixed in version v5.18"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3534
# Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -225,20 +233,20 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
# Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
# Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
# Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
# Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3619
# Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
# Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
# Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
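Review bot: the context comment `# Introduced in version v2.60.30` for CVE-2022-3621 is a pre-existing typo (presumably v2.6.30); since this file is being rewritten entry by entry anyway, this is a convenient moment to fix it.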
@@ -247,7 +255,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
# Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -256,12 +264,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3624
# Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
# Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3625
# Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -270,7 +278,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
# Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
# Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
# Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
# Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -279,13 +287,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3630
# Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
# Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
# Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
# Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -294,7 +302,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -303,12 +311,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3636
# Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
# Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3640
# Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -319,7 +327,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
# Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
# Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
# Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
# Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -328,7 +336,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -337,7 +345,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
# Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -346,7 +354,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -354,7 +362,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -362,7 +370,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -370,7 +378,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -378,15 +386,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "fixed-version: Fixed in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42896
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
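Review bot: the CVE-2022-42895 block reorders the three "Backported in version" comment lines (v5.4.224, v5.10.154, v5.15.78 now ascending) while converting the ignore; this is cosmetic churn unrelated to the CVE_CHECK_IGNORE to CVE_STATUS migration and makes the hunk harder to read. The same applies to the later blocks (CVE-2023-0386, 1073, 1074, 1077, 1078) where the comments only gain a "v" prefix and are reordered. Consider leaving the comment lines untouched here and doing the normalisation in a separate, mechanical patch.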
@@ -394,7 +402,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
# Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
# Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "fixed-version: Fixed in version v6.1"
# 2023
@@ -404,14 +412,14 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
# Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
# Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
# Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0266
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
# Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
# Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
# Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -420,7 +428,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
# Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -429,28 +437,28 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0386
# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
# Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
# Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1076
# Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
@@ -459,19 +467,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
# Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
# Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
# Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
# Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
# Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -480,7 +488,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
# Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -490,7 +498,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
# Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -498,7 +506,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -506,7 +514,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1652
# Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -514,7 +522,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
# Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
# Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
# Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -525,7 +533,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
# Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-23005
# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -535,7 +543,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
# > in which a user can cause the alloc_memory_type error case to be reached.
# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
# We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "disputed: Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
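Review bot: with the full justification now carried in the CVE_STATUS string for CVE-2023-23005, the remaining comment block above it ("# > in which a user can cause ...", "# See: ...", "# We can safely ignore it.") duplicates the reason, and the last line is stale since nothing is "ignored" any more. Suggest keeping only the "# See:" reference and dropping the rest.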
@@ -543,127 +551,102 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.105, v6.1.20 and v6.2.7"
-# Wrong CPE in NVD database
# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
+CVE_STATUS[CVE-2023-0459] = "cpe-stable-backport: Backported in 6.1.14"
# https://www.linuxkernelcves.com/cves/CVE-2023-0615
-# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"
# https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-1380] = "cpe-stable-backport: Backported in 6.1.27"
# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+CVE_STATUS[CVE-2023-1611] = "cpe-stable-backport: Backported in 6.1.23"
# https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-1855] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-1859] = "cpe-stable-backport: Backported in 6.1.25"
# https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+CVE_STATUS[CVE-2023-1989] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-1990
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS[CVE-2023-1990] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+CVE_STATUS[CVE-2023-1998] = "cpe-stable-backport: Backported in 6.1.16"
# https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-2002] = "cpe-stable-backport: Backported in 6.1.27"
# https://www.linuxkernelcves.com/cves/CVE-2023-2156
-# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "cpe-stable-backport: Backported in 6.1.26"
# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
+CVE_STATUS[CVE-2023-2162] = "cpe-stable-backport: Backported in 6.1.11"
# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2194] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+CVE_STATUS[CVE-2023-2235] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
+CVE_STATUS[CVE-2023-28328] = "cpe-stable-backport: Backported in 6.1.2"
# https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-2985] = "cpe-stable-backport: Backported in 6.1.16"
# https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
+CVE_STATUS[CVE-2023-28866] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
+CVE_STATUS[CVE-2023-30456] = "cpe-stable-backport: Backported in 6.1.21"
# https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
+CVE_STATUS[CVE-2023-30772] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
+CVE_STATUS[CVE-2023-31436] = "cpe-stable-backport: Backported in 6.1.26"
# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
+CVE_STATUS[CVE-2023-32233] = "cpe-stable-backport: Backported in 6.1.28"
# https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
+CVE_STATUS[CVE-2023-33203] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
+CVE_STATUS[CVE-2023-33288] = "cpe-stable-backport: Backported in 6.1.22"
# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
+CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
# Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in 6.1.30"
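Review bot: the nasm entry will not parse: `CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \` is continued, but the next two lines ("It is a fuzzing related buffer overflow. ..." and "wouldn't expose an assembler. ...") have no trailing backslash, so the quoted value is never closed on the joined line and the remaining text is left as unparsed lines. Add the `\` continuations as done for the qemu entries just above, and drop the leftover "ignore from an OE perspective" wording, which no longer describes what the entry does. Three smaller points in the same hunk: the comment URL above CVE_STATUS[CVE-2023-1998] points at CVE-2023-1999, so one of the two identifiers is wrong and should be verified now that the reason is reported; CVE-2023-0615 is marked "cpe-stable-backport: Backported in 6.1" although 6.1 is a mainline release, so "fixed-version" is the status that matches the other entries; and the two bluez CPE strings for CVE-2022-3563/CVE-2022-3637 now surface in the report, so "This issue do not affect the kernel, patchs listed on CVE pages links to" should read "This issue does not affect the kernel; the patches listed on the CVE page link to".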
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
DEPENDS = "flex-native bison-native gettext-native"
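Review bot: the two new grub reasons are inconsistent in form ("applies only to RHEL" versus "Applies only to SUSE"); since these strings now appear verbatim in the csv/json report, pick one capitalisation and punctuation style for the reason text across the series.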
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb b/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 80164aad87..26a280c844 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
# so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0..31f325e590 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,8 @@ require bluez5.inc
SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
# noinst programs in Makefile.tools that are conditional on READLINE
# support
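Review bot: the converted entries use the wrong identifiers. The removed line ignored CVE-2020-12352 and CVE-2020-24490 for bluez5, but the added lines set CVE_STATUS for CVE-2022-3563 and CVE-2022-3637, which are the kernel-side entries from linux-yocto.inc. As written, the two 2020 CVEs would start being reported against bluez5 again and the two 2022 CVEs get a bluez status they never had. The replacement should be CVE_STATUS[CVE-2020-12352] and CVE_STATUS[CVE-2020-24490], and "This issues have kernel fixes" should read "This issue has a kernel fix".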
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
"
SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
PAM_SRC_URI = "file://sshd"
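Review bot: the two-line comment for CVE-2014-9278 ("# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 ...") is left in place while its text is copied verbatim into the new CVE_STATUS reason; drop the comment so the justification lives in one place, as was done for CVE-2007-2768 and CVE-2008-3844 in the same hunk.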
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index f5f3f32a97..e3557348e8 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -253,6 +253,5 @@ CVE_PRODUCT = "openssl:openssl"
CVE_VERSION_SUFFIX = "alphabetical"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
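Review bot: only the first half of the justification was moved into the status string, so the remaining context line "# Apache in meta-webserver is already recent enough" now reads as a free-standing remark with no visible connection to the CVE. Either fold it into the reason ("... Apache < 2.4.37; Apache in meta-webserver is already recent enough") or remove it.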
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+#
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
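Review bot: the added bare `#` line between the commit URL comment and the new CVE_STATUS[CVE-2016-2781] is a stray leftover from the removed comment and should be dropped.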
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
DEPENDS += "gperf-native bison-native"
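Review bot: the group name CVE_STATUS_RECIPE says nothing about what the group is, and a recipe that later needs a second group would have to rename it; a descriptive name tied to the shared reason (for example one that mentions the upstream dispute) would read better in the recipe and in any report that shows the group. Also, the removed comment quoted the upstream maintainers ("this is being treated as a non-security bug and no real threat."); the new status text drops the quotation marks, so the quote now reads as a lower-case sentence fragment of our own. Use single quotes as was done for the 'ASLR bypass itself is not a vulnerability.' quote in CVE_STATUS[CVE-2019-1010025].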
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 4f3b17093e..095ecf8602 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -26,10 +26,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
BINCONFIG = "${bindir}/xml2-config"
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
PACKAGECONFIG ??= "python \
${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
"
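Review bot: the CVE-2016-3709 entry is removed outright rather than converted to a CVE_STATUS (for example "fixed-version: Fixed since 2.9.11 via ..."). If the NVD data still matches libxml2 2.10.4, the CVE reappears in the report after this patch; if the data has been corrected so the ignore is obsolete, the commit message should say so, since nothing in the hunk explains why dropping it is safe.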
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
pkg_prerm:udev-hwdb () {
rm -f $D${sysconfdir}/udev/hwdb.bin
}
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
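Review bot: same concern as for libxml2: the CVE-2022-4415 ignore ("also fixed in 252.4 with 9b75a3d0") is deleted with no replacement status. Unless cve-check now resolves this from the version data, convert it to a "fixed-version" CVE_STATUS with the existing reason, or note in the commit message why the entry is no longer needed for systemd 253.3.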
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
# https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
inherit autotools gettext texinfo ptest github-releases
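Review bot: The dropped comment opened with "Disputed", but the new entry chooses `upstream-wontfix`; this patch uses `disputed` for the same situation elsewhere (python CVE-2007-4559, qemu CVE-2018-18438), so either use `disputed` here or note why wontfix is the better fit. The `# https://github.com/westes/flex/issues/414` comment now sits above the entry without the sentence that referred to it; folding the URL into the reasoning string keeps the evidence with the status in the report.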
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
--with-build-sysroot=${STAGING_DIR_TARGET} \
"
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
CVE_PRODUCT = "git-scm:git"
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
PACKAGECONFIG ??= "expat curl"
PACKAGECONFIG[cvsserver] = ""
PACKAGECONFIG[svn] = ""
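Review bot: CVE-2022-24975 and CVE-2022-41953 are dropped without replacement, yet neither rationale was about an obsolete version: the first is a documentation-only issue and the second is Git-for-Windows. Unless cve-check verifiably no longer reports them for 2.39.3, convert them instead, e.g. `CVE_STATUS[CVE-2022-41953] = "not-applicable-platform: Issue only applies on Windows"` as done for python's CVE-2020-15523 in this patch, and `not-applicable-config` with the existing "we don't build the docs" reasoning for CVE-2022-24975.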
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
# https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
inherit allarch
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
BBCLASSEXTEND = "native nativesdk"
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.3.bb b/meta/recipes-devtools/python/python3_3.11.3.bb
index c7974849b6..59f93861dd 100644
--- a/meta/recipes-devtools/python/python3_3.11.3.bb
+++ b/meta/recipes-devtools/python/python3_3.11.3.bb
@@ -47,15 +47,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
CVE_PRODUCT = "python"
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
# The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
PYTHON_MAJMIN = "3.11"
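Review bot: The surviving comment `# The module will be removed in the future and flaws documented.` now reads as an orphaned sentence, because the half that mentioned mailcap moved into the CVE-2015-20107 status string; either drop the comment or append it to the reasoning so the report carries the whole argument. Also, the CVE-2019-18348 text makes the ignore conditional on glibc having CVE-2016-10739 fixed, which `not-applicable-config` alone does not express; stating that OE-core's glibc carries that fix would make the entry self-justifying.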
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6acda61425..480aa97c30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,21 +39,16 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
SRC_URI:append:class-target = " file://cross.patch"
SRC_URI:append:class-nativesdk = " file://cross.patch"
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
COMPATIBLE_HOST:mipsarchn32 = "null"
COMPATIBLE_HOST:mipsarchn64 = "null"
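Review bot: Typo carried over into the CVE-2007-0998 status string: "uder" should be "under"; unlike the old comment this text now ends up in the cve-check csv/json report, so it is worth fixing before merge. The `# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11` comment above CVE-2018-18438 and the two comments above CVE-2023-0664 lose the sentences that introduced them; moving the URLs into the reasoning strings keeps the evidence next to the status.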
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
inherit autotools-brokensep
PACKAGECONFIG ??= "acl attr \
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
SRC_URI:class-native = "${BASE_SRC_URI}"
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
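Review bot: CVE-2021-35331 is removed rather than converted, but its rationale ("Upstream don't believe this is an exploitable issue") is not version-related, so cve-check will report it again against 8.6.13 unless the NVD data changed. Suggest `CVE_STATUS[CVE-2021-35331] = "upstream-wontfix: ..."` keeping the core.tcl-lang.org link as reasoning, or state in the commit message that it was verified to no longer trigger.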
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index e55fb70cb1..397bb5d87c 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..ec4abeb936 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,14 +20,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
LEAD_SONAME = "libcupsdriver.so"
@@ -115,7 +112,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
cups_sysroot_preprocess () {
sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
}
-
-# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
index f03ebf4478..4c0888e6a7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
@@ -18,8 +18,7 @@ DEPENDS = "tiff jpeg fontconfig cups libpng freetype zlib"
UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
-# We use a system libjpeg-turbo which has this fix
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "not-applicable-config: We use a system libjpeg-turbo which has this fix"
def gs_verdir(v):
return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
PACKAGECONFIG ??= "libcap"
PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
}
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
PROCPS_PACKAGES = "${PN}-lib \
${PN}-ps \
${PN}-sysctl"
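Review bot: Same concern as the other unconverted removals: CVE-2018-1121 was ignored because ps is not a security boundary (see the Red Hat bug comment in the dropped lines), not because the version moved on, so dropping it will likely reintroduce the report for 4.0.3. `disputed` or `upstream-wontfix` with the bugzilla link as reasoning would preserve the decision in the report.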
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
# https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
# exclude version 5.5.2 which triggers a false positive
UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
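Review bot: `fixed-version` for CVE-2008-0888 describes a fix that shipped in an upstream release, but the reasoning says the Red Hat patch is applied to the 6.0 source by this recipe. If that patch is carried in SRC_URI, `backported-patch` (which also maps to Patched) is the accurate status; and if the patch file name already contains the CVE id, cve-check picks it up automatically and the entry is redundant.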
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
S = "${WORKDIR}/git"
# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
# zip.inc sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
RREPLACES:${PN} += "libnotify3"
# -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
index 1a5d8a6b04..1142afece1 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
@@ -51,8 +51,7 @@ do_compile:prepend() {
sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
}
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
}
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
S = "${WORKDIR}/${XORG_PN}-${PV}"
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b..be632dec2a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Backported in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Backported in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Backported in version v6.1"
# 2023
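Review bot: Wording mismatch for CVE-2022-3523, CVE-2022-3566 and CVE-2022-3567: the retained comments say "Patched in kernel since v6.1" (a mainline fix), but the new reasoning reads "Backported in version v6.1". With `fixed-version` the text should say "Fixed in v6.1"; "Backported" belongs with `cpe-stable-backport`, as used for the 6.1.7 and 6.1.11 entries in the following hunk.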
@@ -26,11 +26,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
# * https://www.linuxkernelcves.com/cves/CVE-2022-38457
# * https://www.linuxkernelcves.com/cves/CVE-2022-40133
# * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1075
# Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
# Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
# Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
# 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf..562745e3eb 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
BBCLASSEXTEND = "native nativesdk"
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..c083acaa61 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -18,14 +18,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
+CVE_STATUS[CVE-2022-1210] = "not-applicable-config: Issue is in jbig which we don't enable"
inherit autotools multilib_header
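Review bot: CVE-2022-1622 and CVE-2022-1623 disappear without a status; the dropped comment says they only affect releases after 4.3.0 and before 4.4.0 and are fixed by b4e79bfa, so for 4.5.0 this is fine only if the NVD ranges no longer match. If a cve-check run still lists them, `fixed-version: Fixed in 4.4.0 by b4e79bfa` is the matching entry. Minor: "and already 4.3.0 doesn't have the issue" in the CVE-2015-7313 string reads oddly; "and 4.3.0 does not have the issue" is what the old comment said.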
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
"
SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
BINCONFIG = "${bindir}/libgcrypt-config"
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
S = "${WORKDIR}/libxslt-${PV}"
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
inherit ptest
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..181187bbd9 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -5,10 +5,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
-
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
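Review bot: All three sqlite ignores are removed with no CVE_STATUS, and none of them is version-obsolete: CVE-2019-19242 is a development-branch-only issue, CVE-2015-3717 is believed to be iOS-specific and CVE-2021-36690 is in an experimental extension that is not used. These map directly onto the new statuses (`cpe-incorrect`, `not-applicable-platform`, `not-applicable-config`) and the existing comments are usable as reasoning, so converting them keeps the decisions auditable in the report instead of silently regressing these CVEs to Unpatched.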
--
2.41.0
* [OE-core][PATCH] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
` (20 preceding siblings ...)
2023-06-23 11:14 ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
@ 2023-07-20 7:19 ` Andrej Valek
21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-07-20 7:19 UTC (permalink / raw)
To: openembedded-core; +Cc: Andrej Valek, Peter Marko
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
.../distro/include/cve-extra-exclusions.inc | 149 ++++----
meta/recipes-bsp/grub/grub2.inc | 6 +-
meta/recipes-connectivity/avahi/avahi_0.8.bb | 3 +-
.../recipes-connectivity/bind/bind_9.18.16.bb | 2 +-
.../bluez5/bluez5_5.68.bb | 4 +-
.../openssh/openssh_9.3p1.bb | 9 +-
.../openssl/openssl_3.1.1.bb | 3 +-
meta/recipes-core/coreutils/coreutils_9.3.bb | 4 +-
meta/recipes-core/glibc/glibc_2.37.bb | 17 +-
meta/recipes-core/libxml/libxml2_2.11.4.bb | 4 -
meta/recipes-core/systemd/systemd_253.3.bb | 3 -
meta/recipes-devtools/cmake/cmake.inc | 4 +-
meta/recipes-devtools/flex/flex_2.6.4.bb | 6 +-
meta/recipes-devtools/gcc/gcc-13.1.inc | 3 +-
meta/recipes-devtools/git/git_2.39.3.bb | 7 -
meta/recipes-devtools/jquery/jquery_3.6.3.bb | 5 +-
meta/recipes-devtools/ninja/ninja_1.11.1.bb | 3 +-
.../recipes-devtools/python/python3_3.11.4.bb | 16 +-
meta/recipes-devtools/qemu/qemu.inc | 13 +-
meta/recipes-devtools/rsync/rsync_3.2.7.bb | 3 -
meta/recipes-devtools/tcltk/tcl_8.6.13.bb | 4 -
meta/recipes-extended/cpio/cpio_2.14.bb | 3 +-
meta/recipes-extended/cups/cups.inc | 17 +-
.../iputils/iputils_20221126.bb | 5 +-
.../libtirpc/libtirpc_1.3.3.bb | 3 +-
meta/recipes-extended/procps/procps_4.0.3.bb | 4 -
meta/recipes-extended/shadow/shadow_4.13.bb | 7 +-
meta/recipes-extended/unzip/unzip_6.0.bb | 3 +-
.../xinetd/xinetd_2.3.15.4.bb | 2 +-
meta/recipes-extended/zip/zip_3.0.bb | 7 +-
.../libnotify/libnotify_0.8.2.bb | 2 +-
meta/recipes-gnome/librsvg/librsvg_2.56.1.bb | 3 +-
meta/recipes-graphics/builder/builder_0.1.bb | 3 +-
.../xorg-xserver/xserver-xorg.inc | 19 +-
.../linux/cve-exclusion_6.1.inc | 361 ++++++++----------
.../libpng/libpng_1.6.40.bb | 3 +-
meta/recipes-multimedia/libtiff/tiff_4.5.1.bb | 4 +-
.../libgcrypt/libgcrypt_1.10.2.bb | 4 +-
.../recipes-support/libxslt/libxslt_1.1.38.bb | 4 +-
meta/recipes-support/lz4/lz4_1.9.4.bb | 3 +-
meta/recipes-support/sqlite/sqlite3_3.42.0.bb | 6 -
41 files changed, 310 insertions(+), 421 deletions(-)
diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ae63e2c63..61fb08dbeb 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,44 +15,43 @@
# the aim of sharing that work and ensuring we don't duplicate it.
#
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \
+with no resolution evident. Broken links in CVE database references make resolution impractical."
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
# db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
#
# Kernel CVEs, e.g. linux-yocto*
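Review bot: the multi-line reason strings in this hunk are joined by the backslash continuations into one value, so the go and glibc entries end up as run-on sentences in the report ("...if not used correctly CVE applies to a netapp product...", "...from within an ftp server Best discussion in..."). Add a full stop before each continuation, as the epiphany entry already does, and end the CVE_STATUS_GO[status] text with one too, since this text is now emitted verbatim in the csv/json "reason" field rather than staying a source comment.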
@@ -65,50 +64,64 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
# issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
# welcome than and then entries can likely be removed from here.
#
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020 \
+ CVE_STATUS_KERNEL_2021 CVE_STATUS_KERNEL_2022"
+
# 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
- CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+ CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
# 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
- CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+ CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
# 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
- CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+ CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
+
# 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
+
# 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
- CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+ CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
+
# 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
- CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
- CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
- CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
- CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
- CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
- CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+ CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+ CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+ CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+ CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+ CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+ CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
-# Wrong CPE in NVD database
# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
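Review bot: the nasm entry for CVE-2020-18974 is missing the trailing backslash on its two middle lines ("...since most devices" and "...there is little to be"), so unlike every other multi-line value in this patch the string is not continued and the assignment is left with an unterminated quote on its first line; add the continuations. While touching it, "ignore from an OE perspective" is now redundant with the upstream-wontfix status. Two smaller points in the same hunk: the CVE-2022-3563 and CVE-2022-3637 entries carry identical text with grammar slips ("This issue does not affect the kernel; the patches listed on the CVE pages link to ..."), and could share one CVE_STATUS_GROUPS entry as the db and go groups do; and the kernel year groups get a bare "ignored" even though the retained comment above says these are CPE problems at NIST, so "cpe-incorrect" with that rationale would make the reports self-explanatory.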
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
DEPENDS = "flex-native bison-native gettext-native"
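Review bot: the two grub reasons differ in capitalisation ("applies only to RHEL" vs "Applies only to SUSE"); since these strings now surface in the report, pick one form.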
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
diff --git a/meta/recipes-connectivity/bind/bind_9.18.16.bb b/meta/recipes-connectivity/bind/bind_9.18.16.bb
index 1b1649566a..d9b62bb8b0 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.16.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.16.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
# so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
index 921f739fb8..f8405ed091 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
@@ -2,8 +2,8 @@ require bluez5.inc
SRC_URI[sha256sum] = "fc505e6445cb579a55cacee6821fe70d633921522043d322b696de0a175ff933"
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
# noinst programs in Makefile.tools that are conditional on READLINE
# support
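Review bot: the removed CVE_CHECK_IGNORE line covered CVE-2020-12352 and CVE-2020-24490, but the added CVE_STATUS entries are keyed on CVE-2022-3563 and CVE-2022-3637, so the two 2020 CVEs lose their exclusion and will be reported for bluez5 again. The 2022 IDs are also the ones the cve-extra-exclusions.inc hunk earlier in this patch marks as bluez-side patches ("patches listed on CVE pages link to .../bluez.git"), which contradicts a bluez5 entry saying they "have kernel fixes rather than bluez fixes". Restore the 2020 IDs here, and fix "This issues" to "These issues".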
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
"
SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
PAM_SRC_URI = "file://sshd"
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index 432ab4032b..c2a7173c84 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -255,6 +255,5 @@ CVE_PRODUCT = "openssl:openssl"
CVE_VERSION_SUFFIX = "alphabetical"
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+#
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
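Review bot: the added empty "#" line under the coreutils commit URL is leftover from moving the explanation into the reason string; drop it.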
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
DEPENDS += "gperf-native bison-native"
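Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses a plain assignment, whereas cve-extra-exclusions.inc in this same patch appends with `+=`; a plain `=` in the recipe replaces the distro-wide group list for glibc's datastore, so use `+=` here too. Also, the disputed reason now reads "...address it further. this is being treated..." with a lowercase sentence start, because the quotation marks of the original comment were dropped; keep it as a quoted upstream statement using single quotes, as the CVE-2019-1010025 entry below does.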
diff --git a/meta/recipes-core/libxml/libxml2_2.11.4.bb b/meta/recipes-core/libxml/libxml2_2.11.4.bb
index 713d0baf6c..cbf20504f8 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.4.bb
@@ -23,10 +23,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
BINCONFIG = "${bindir}/xml2-config"
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
PACKAGECONFIG ??= "python \
${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
"
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
pkg_prerm:udev-hwdb () {
rm -f $D${sysconfdir}/udev/hwdb.bin
}
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
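Review bot: same question as for libxml2: the CVE-2022-4415 ignore ("fixed in 252.4 with 9b75a3d0") is dropped without a replacement. The glibc hunk in this patch uses `cpe-stable-backport:` for exactly this situation (CVE-2023-25139); either apply that here or note in the commit message that the NVD data no longer flags 253.3.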
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
# https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
inherit autotools gettext texinfo ptest github-releases
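Review bot: the original comment opened with "Disputed", and this patch already uses a `disputed:` status elsewhere (coreutils, glibc, python3), which fits CVE-2019-6293 better than `upstream-wontfix:`. The reason text also starts lowercase ("there is stack exhaustion...") and ends with a verbless clause; "Upstream has no plans to address this." reads better in the report.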
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
--with-build-sysroot=${STAGING_DIR_TARGET} \
"
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
CVE_PRODUCT = "git-scm:git"
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
PACKAGECONFIG ??= "expat curl"
PACKAGECONFIG[cvsserver] = ""
PACKAGECONFIG[svn] = ""
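Review bot: both git exclusions are dropped without replacement, which is inconsistent with the rest of the patch: CVE-2022-41953 is Git-for-Windows specific, and the python3, qemu and librsvg hunks convert the same kind of entry to `not-applicable-platform: Issue only applies on Windows`. CVE-2022-24975 (manpage wording, docs not built) likewise loses its rationale; give it `upstream-wontfix:` or `not-applicable-config:` with the removed comment as the reason, or explain the removal in the commit message.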
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
# https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
inherit allarch
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
BBCLASSEXTEND = "native nativesdk"
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.4.bb b/meta/recipes-devtools/python/python3_3.11.4.bb
index 7a277facf7..b3534ad678 100644
--- a/meta/recipes-devtools/python/python3_3.11.4.bb
+++ b/meta/recipes-devtools/python/python3_3.11.4.bb
@@ -47,17 +47,13 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
CVE_PRODUCT = "python"
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
# The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
-# Not an issue, in fact expected behaviour
-CVE_CHECK_IGNORE += "CVE-2023-36632"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
+# CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour"
PYTHON_MAJMIN = "3.11"
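Review bot: the CVE-2023-36632 line is added commented out, so a CVE that was ignored before this patch will be reported again for python3; either uncomment it or say why the status was dropped. The CVE-2019-18348 reason also lost its trailing full stop while the others kept theirs.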
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 16581db69d..64bade86aa 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,21 +38,16 @@ SRC_URI[sha256sum] = "ecf4d32cbef9d397bfc8cc50e4d1e92a1b30253bf32e8ee73c7a8dcf9a
SRC_URI:append:class-target = " file://cross.patch"
SRC_URI:append:class-nativesdk = " file://cross.patch"
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
# As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
# https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
COMPATIBLE_HOST:mipsarchn32 = "null"
COMPATIBLE_HOST:mipsarchn64 = "null"
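Review bot: the typo "uder" in the CVE-2007-0998 comment is carried into the reason string, which now lands in the csv/json report; fix it to "under" while moving the text.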
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
"
SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
inherit autotools-brokensep
PACKAGECONFIG ??= "acl attr \
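Review bot: the CVE-2017-16548 ignore is removed without a replacement. The comment says the fix is already in v3.1.3, so if the entry existed only because of the 3.1.3pre1 versioning quirk, state that in the commit message; otherwise convert it to `fixed-version:` as the iputils hunk does for its versioning-order problem.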
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
SRC_URI:class-native = "${BASE_SRC_URI}"
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
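Review bot: the CVE-2021-35331 exclusion is dropped outright, yet its rationale ("Upstream don't believe this is an exploitable issue" with the tcl-lang ticket) maps directly onto the `disputed:` status used elsewhere in this patch; removing it reintroduces the report for tcl without any stated reason.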
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index 45eb9de8e0..560038d2a6 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
inherit autotools gettext texinfo ptest
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b1085..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
LEAD_SONAME = "libcupsdriver.so"
@@ -114,7 +111,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
cups_sysroot_preprocess () {
sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
}
-
-# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
PACKAGECONFIG ??= "libcap"
PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
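Review bot: the two iputils entries carry identical reason text; a CVE_STATUS_GROUPS entry with a `[status]` flag, as done for the glibc and db groups in this patch, avoids duplicating it.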
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
inherit autotools pkgconfig
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
}
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
PROCPS_PACKAGES = "${PN}-lib \
${PN}-ps \
${PN}-sysctl"
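Review bot: the CVE-2018-1121 exclusion is removed with no replacement. Its rationale ("ps isn't suitable for use as a security tool", with the Red Hat bugzilla comment) is a textbook `disputed:` or `upstream-wontfix:` reason; dropping it silently reintroduces the report for procps.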
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
BBCLASSEXTEND = "native nativesdk"
-# Severity is low and marked as closed and won't fix.
# https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
# exclude version 5.5.2 which triggers a false positive
UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
S = "${WORKDIR}/git"
# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
inherit autotools update-rc.d systemd pkgconfig
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
# zip.inc sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
RREPLACES:${PN} += "libnotify3"
# -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
index 5649ed7d17..edd7ad38fd 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
@@ -50,8 +50,7 @@ do_compile:prepend() {
sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
}
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
chown builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
}
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
S = "${WORKDIR}/${XORG_PN}-${PV}"
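Review bot: the classification of CVE-2011-4613 and CVE-2022-3553 in this hunk is not obviously consistent: both concern code that is not part of this recipe's source (Debian's xserver-wrapper.c and the XQuartz port), yet one is tagged `not-applicable-platform` and the other `cpe-incorrect`. If the distinction is deliberate (distribution-specific wrapper versus a separate port of the product), a one-line comment saying so would help future contributors choose the right status; otherwise use the same status for both.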
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 6a0bd19447..2eb4836c35 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,26 +1,24 @@
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: Issue only affects Ubuntu"
# https://www.linuxkernelcves.com/cves/CVE-2019-3016
# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
# https://www.linuxkernelcves.com/cves/CVE-2019-3819
# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
# https://www.linuxkernelcves.com/cves/CVE-2019-3887
# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
-# This is specific to aufs, which is not in linux-yocto
-CVE_CHECK_IGNORE += "CVE-2020-11935"
+CVE_STATUS[CVE-2020-11935] = "not-applicable-config: Issue only affects aufs, which is not in linux-yocto"
# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
# Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "cpe-stable-backport: Backported in version v5.4.73"
# 2021
@@ -28,19 +26,19 @@ CVE_CHECK_IGNORE += "CVE-2020-27784"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3669
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
# Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "cpe-stable-backport: Backported in versions v5.4.224 and v6.1.11"
# https://nvd.nist.gov/vuln/detail/CVE-2021-4218
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
# 2022
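Review bot: the reason for CVE-2021-3759 does not match the backport list directly above it. The comments record backports in v5.4.224 and v5.10.154, but the status string says `Backported in versions v5.4.224 and v6.1.11`. Either v6.1.11 is a typo for v5.10.154 or a backport comment is missing; the two must agree, since the reason string is what ends up in the generated report.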
@@ -48,7 +46,7 @@ CVE_CHECK_IGNORE += "CVE-2021-4218"
# https://nvd.nist.gov/vuln/detail/CVE-2022-0480
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -56,7 +54,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
# Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
# Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
# Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "cpe-stable-backport: Backported in versions v5.4.198, v5.10.121 and v5.15.46"
# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -64,7 +62,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "cpe-stable-backport: Backported in versions v5.4.208, v5.10.134 and v5.15.58"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2196
# Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -74,19 +72,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
# Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
# Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
# Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.1233, v5.10.170, v5.15.46 and v6.1.14"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2308
# Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
# Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
# Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
# Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "cpe-stable-backport: Backported in versions v5.15.72 and v5.19.14"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2327
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
# Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
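Review bot: two version strings in the reason for CVE-2022-2196 look wrong. `v5.4.1233` is not a plausible 5.4.y release (a stray digit, most likely), and `v5.15.46` contradicts the comment immediately above, which records the backport in v5.15.96. Please correct both so the report does not advertise fixed versions that do not exist.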
@@ -95,19 +93,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
# Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
# Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
# Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "cpe-stable-backport: Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9"
# https://nvd.nist.gov/vuln/detail/CVE-2022-2785
# Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
# Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
# Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "cpe-stable-backport: Backported in version v5.19.4"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3176
# Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
# Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
# Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "cpe-stable-backport: Backported in version v5.15.65"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3424
# Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -116,7 +114,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
# Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
# Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
# Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v 6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
# Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
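Review bot: `v 6.1.2` in the reason for CVE-2022-3424 has a stray space. Write `v6.1.2` like the other entries, so anyone grepping or parsing the reason strings for version numbers finds it.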
@@ -127,18 +125,18 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "cpe-stable-backport: Backported in versions v5.4.226, v5.10.158 and v5.15.82"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3523
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3526
# Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
# Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
# Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "cpe-stable-backport: Backported in version v5.15.35"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3534
# Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -146,30 +144,30 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
# Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
# Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
# Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
# Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "cpe-stable-backport: Backported in versions v5.10.154 and v5.15.78"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3566
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3567
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Fixed in version v6.1"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3619
# Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
# Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
# Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "cpe-stable-backport: Backported in version v5.15.78"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
@@ -178,7 +176,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "cpe-stable-backport: Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
# Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -187,12 +185,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "cpe-stable-backport: Backported in versions v5.4.228, v5.10.159, v5.15.78 and v 5.19.17"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3624
# Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
# Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3625
# Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
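Review bot: `v 5.19.17` in the reason for CVE-2022-3623 has a stray space; it should read `v5.19.17` to match the comment above and the format used elsewhere in this file.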
@@ -201,7 +199,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
# Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
# Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
# Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
# Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -210,13 +208,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3630
# Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
# Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
# Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "cpe-stable-backport: Backported in version v5.19.4"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
# Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -225,7 +223,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -234,12 +232,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3636
# Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
# Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "cpe-stable-backport: Backported in version v5.19"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3640
# Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
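Review bot: the status chosen for CVE-2022-3636 does not fit the history recorded above it. The comments say the issue was introduced in v5.19 and patched in v5.19, i.e. it was fixed within the same development cycle and there is no stable backport, so `cpe-stable-backport: Backported in version v5.19` is misleading. `fixed-version: Fixed in version v5.19` matches the comments and the convention used for the other mainline fixes in this file.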
@@ -250,7 +248,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
# Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
# Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
# Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "cpe-stable-backport: Backported in versions v5.4.224, v5.10.154 and v5.15.78"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
# Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -259,7 +257,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "cpe-stable-backport: Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -268,7 +266,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "cpe-stable-backport: Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16"
# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
# Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -277,7 +275,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -285,7 +283,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -293,7 +291,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -301,7 +299,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -309,15 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "cpe-stable-backport: Backported in versions v5.4.224, v5.10.154 and v5.15.78"
# https://nvd.nist.gov/vuln/detail/CVE-2022-42896
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -325,7 +323,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
# Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
# Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "cpe-stable-backport: Backported in versions v5.4.226, v5.10.154 and v5.15.78"
# https://nvd.nist.gov/vuln/detail/CVE-2022-38457
# https://nvd.nist.gov/vuln/detail/CVE-2022-40133
@@ -337,10 +335,11 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
# * https://www.linuxkernelcves.com/cves/CVE-2022-38457
# * https://www.linuxkernelcves.com/cves/CVE-2022-40133
# * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2022-48425"
+CVE_STATUS[CVE-2022-48425] = "cpe-stable-backport: Backported in version v6.1.33"
# 2023
@@ -349,14 +348,14 @@ CVE_CHECK_IGNORE += "CVE-2022-48425"
# Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
# Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
# Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0266
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
# Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
# Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
# Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -365,14 +364,14 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0386
# Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
# Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-0461
# Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -381,7 +380,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0386"
# Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
# Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1073
# Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
@@ -389,20 +388,20 @@ CVE_CHECK_IGNORE += "CVE-2023-0461"
# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1074
# Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 andv6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1075
# Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
# Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
# Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
# 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1076
# Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
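Review bot: `v5.15.91 andv6.1.9` in the reason for CVE-2023-1074 is missing the space before `v6.1.9`; it should read `v5.15.91 and v6.1.9`.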
@@ -411,19 +410,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1075"
# Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
# Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
# Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1077
# Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1078
# Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1079
# Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -432,7 +431,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
# Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
# Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
# Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1118
# Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -442,7 +441,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
# Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
# Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
# Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1281
# Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -450,7 +449,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
# Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
# Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
# Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1513
# Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -458,7 +457,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
# Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
# Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
# Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1652
# Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -466,7 +465,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
# Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
# Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
# https://nvd.nist.gov/vuln/detail/CVE-2023-1829
# Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -477,178 +476,130 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
# Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
# Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
# Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
+# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
+# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
+# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
+# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
+# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.05, v6.1.20 and v6.2.7"
-# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
# https://www.linuxkernelcves.com/cves/CVE-2023-0615
# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "fixed-version: Fixed in version v6.1 onwards"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+# https://www.linuxkernelcves.com/cves/CVE-2023-28328
+# Fixed with 6.1.2
+CVE_STATUS[CVE-2023-28328] = "fixed-version: Fixed in version v6.1.2"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+# https://www.linuxkernelcves.com/cves/CVE-2023-2162
+# Fixed in 6.1.11
+CVE_STATUS[CVE-2023-2162] = "fixed-version: Fixed in version v6.1.11"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+# https://www.linuxkernelcves.com/cves/CVE-2023-0459
+# Fixed in 6.1.14 onwards
+CVE_STATUS[CVE-2023-0459] = "fixed-version: Fixed in version v6.1.14"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1999
+# https://www.linuxkernelcves.com/cves/CVE-2023-2985
+# Fixed in 6.1.16
+CVE_STATUS[CVE-2023-1998] = "fixed-version: Fixed in version v6.1.16"
+CVE_STATUS[CVE-2023-2985] = "fixed-version: Fixed in version v6.1.16"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1855
# https://www.linuxkernelcves.com/cves/CVE-2023-1990
+# https://www.linuxkernelcves.com/cves/CVE-2023-2235
+# https://www.linuxkernelcves.com/cves/CVE-2023-30456
# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6121"
+CVE_STATUS_KERNEL_6121 = "CVE-2023-1855 CVE-2023-1990 CVE-2023-2235 CVE-2023-30456"
+CVE_STATUS_KERNEL_6121[status] = "fixed-version: Fixed in version v6.1.21"
-# https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1989
+# https://www.linuxkernelcves.com/cves/CVE-2023-2194
+# https://www.linuxkernelcves.com/cves/CVE-2023-28866
+# https://www.linuxkernelcves.com/cves/CVE-2023-30772
+# https://www.linuxkernelcves.com/cves/CVE-2023-33203
+# https://www.linuxkernelcves.com/cves/CVE-2023-33288
+# Fixed with 6.1.22
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6122"
+CVE_STATUS_KERNEL_6122 = "CVE-2023-2194 CVE-2023-1989 CVE-2023-28866 CVE-2023-30772 CVE-2023-33203 CVE-2023-33288"
+CVE_STATUS_KERNEL_6122[status] = "fixed-version: Fixed in version v6.1.22"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1611
+# Fixed in 6.1.23
+CVE_STATUS[CVE-2023-1611] = "fixed-version: Fixed in version v6.1.23"
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-2124"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1859
+# Fixed in 6.1.25
+CVE_STATUS[CVE-2023-1859] = "fixed-version: Fixed in version v6.1.25"
# https://www.linuxkernelcves.com/cves/CVE-2023-2156
+# https://www.linuxkernelcves.com/cves/CVE-2023-31436
# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2156] = "fixed-version: Fixed in version v6.1.26"
+CVE_STATUS[CVE-2023-31436] = "fixed-version: Fixed in version v6.1.26"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1380
+# https://www.linuxkernelcves.com/cves/CVE-2023-2002
+# Fixed in 6.1.27
+CVE_STATUS[CVE-2023-1380] = "fixed-version: Fixed in version v6.1.27"
+CVE_STATUS[CVE-2023-2002] = "fixed-version: Fixed in version v6.1.27"
-# https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+# https://www.linuxkernelcves.com/cves/CVE-2023-32233
+# Fixed with 6.1.28
+CVE_STATUS[CVE-2023-32233] = "fixed-version: Fixed in version v6.1.28"
-# Backported to 6.1.30
-CVE_CHECK_IGNORE += "CVE-2023-3090"
+# https://www.linuxkernelcves.com/cves/CVE-2023-34256
+# Fixed in 6.1.29
+CVE_STATUS[CVE-2023-34256] = "fixed-version: Fixed in version v6.1.29"
-# Backported to 6.1.35
-CVE_CHECK_IGNORE += "CVE-2023-3117"
-# Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+# Backported to 6.1.9
+CVE_STATUS[CVE-2023-3358] = "cpe-stable-backport: Backported in version v6.1.9"
# Backported to 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-3161"
-
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-3212"
-
-# Only in 6.2.0 to 6.2.14, and 6.3.0 to 6.3.1
-CVE_CHECK_IGNORE += "CVE-2023-3312"
+CVE_STATUS[CVE-2023-3359] = "cpe-stable-backport: Backported in version v6.1.11"
+CVE_STATUS[CVE-2023-3161] = "cpe-stable-backport: Backported in version v6.1.11"
# Backported to 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-3220"
+CVE_STATUS[CVE-2023-3220] = "cpe-stable-backport: Backported in version v6.1.16"
# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-3268"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6128"
+CVE_STATUS_KERNEL_6128 = "CVE-2023-3268 CVE-2023-35823 CVE-2023-35824 CVE-2023-35826 CVE-2023-35828 CVE-2023-35829"
+CVE_STATUS_KERNEL_6122[status] = "cpe-stable-backport: Backported in version v6.1.28"
-# Backported to 6.1.9
-CVE_CHECK_IGNORE += "CVE-2023-3358"
+# Backported to 6.1.30
+# Backported to 6.1.30 as 9a342d4
+CVE_STATUS[CVE-2023-3090] = "cpe-stable-backport: Backported in version v6.1.30"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in version v6.1.30 as 9a342d4"
-# Backported to 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-3359"
+# Backported to 6.1.33
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6133"
+CVE_STATUS_KERNEL_6133 = "CVE-2023-2124 CVE-2023-3212 CVE-2023-35788"
+CVE_STATUS_KERNEL_6133[status] = "cpe-stable-backport: Backported in version v6.1.33"
+
+# Backported to 6.1.35
+CVE_STATUS[CVE-2023-3117] = "cpe-stable-backport: Backported in version v6.1.35"
+CVE_STATUS[CVE-2023-3390] = "cpe-stable-backport: Backported in version v6.1.35"
# Backported to 6.1.36
-CVE_CHECK_IGNORE += "CVE-2023-3389"
+CVE_STATUS[CVE-2023-3389] = "cpe-stable-backport: Backported in version v6.1.36"
+
+# Only in 6.2.0 to 6.2.14, and 6.3.0 to 6.3.1
+CVE_STATUS[CVE-2023-3312] = "not-applicable-config: Only in versions v6.2.0 to v6.2.4 and v6.3.0 to v6.3.1"
-# Backported to 6.1.35
-CVE_CHECK_IGNORE += "CVE-2023-3390"
# https://nvd.nist.gov/vuln/detail/CVE-2023-23005
# Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
# Patched in kernel since v6.2 4a625ceee8a0ab0273534cb6b432ce6b331db5ee
# But, the CVE is disputed:
-# > NOTE: this is disputed by third parties because there are no realistic cases
-# > in which a user can cause the alloc_memory_type error case to be reached.
-# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
-# We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
-
-# Only in 6.3-rc
-CVE_CHECK_IGNORE += "CVE-2023-28464"
-
-# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
-# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
-# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
-# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
-# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
-# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-23005] = "disputed: There are no realistic cases \
+in which a user can cause the alloc_memory_type error case to be reached. \
+See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2"
-# https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35823"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35824"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35826"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35828"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35829"
-
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-35788"
+CVE_STATUS[CVE-2023-28464] = "not-applicable-config: Only in 6.3-rc"
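Review bot: the group status at the end of the 6.1.28 block is assigned to the wrong variable: `CVE_STATUS_KERNEL_6122[status] = "cpe-stable-backport: Backported in version v6.1.28"` follows `CVE_STATUS_KERNEL_6128 = "CVE-2023-3268 CVE-2023-35823 ..."`, so it overwrites the 6.1.22 group's status set earlier in this hunk and leaves `CVE_STATUS_KERNEL_6128` with no `[status]` at all; it should read `CVE_STATUS_KERNEL_6128[status] = ...`. Three smaller comment/value mismatches in the same hunk: the CVE-2023-28466 line says `v5.15.05` while the comment directly above it says v5.15.105; the CVE-2023-3312 line says `v6.2.0 to v6.2.4` while its comment says 6.2.0 to 6.2.14; and the block headed by the CVE-2023-1999 URL sets `CVE_STATUS[CVE-2023-1998]` (carried over from the removed `CVE_CHECK_IGNORE += "CVE-2023-1998"`), so one of the two identifiers is wrong. Finally, `not-applicable-config` is used for CVE-2023-3312 and CVE-2023-28464 although both reasons describe a version range rather than a build configuration; either a version-based status should be used or the reason text should name the configuration that makes them inapplicable.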
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.40.bb b/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
index 0ef4b82d1c..293bf2858d 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
BBCLASSEXTEND = "native nativesdk"
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 5af3f84265..6171a538e5 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -15,9 +15,7 @@ SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167d
# exclude betas
UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
inherit autotools multilib_header
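Review bot: the reason string in the new `CVE_STATUS[CVE-2015-7313]` line reads awkwardly ("and already 4.3.0 doesn't have the issue"); something like `fixed-version: Tested with the check from https://security-tracker.debian.org/tracker/CVE-2015-7313; 4.3.0 and later are not affected` states the same thing clearly while keeping the reference.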
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
"
SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
BINCONFIG = "${bindir}/libgcrypt-config"
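Review bot: the two new `CVE_STATUS` lines for CVE-2018-12433 and CVE-2018-12438 carry an identical reason string; the `CVE_STATUS_GROUPS` mechanism used in the kernel hunk of this same patch would express this as one group with a single `[status]` and avoid the two strings drifting apart later. The reason itself only restates that the CVEs are disputed, as the removed comment did; a pointer to where the dispute is recorded would make the entry verifiable.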
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
S = "${WORKDIR}/libxslt-${PV}"
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
inherit ptest
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
index f60aca63d2..8783f620f4 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
@@ -6,9 +6,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
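Review bot: this hunk only deletes the three `CVE_CHECK_IGNORE` entries (CVE-2019-19242, CVE-2015-3717, CVE-2021-36690) and, unlike every other hunk in the patch, adds no `CVE_STATUS` replacement, so after this change cve-check will report these CVEs against sqlite3 again and the documented reasons for ignoring them are lost. If they were moved to another file that is not part of this diff, the commit message should say so; otherwise the hunk needs equivalent `CVE_STATUS[...]` lines carrying the reasons given in the removed comments.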
--
2.41.0
^ permalink raw reply related [flat|nested] 73+ messages in thread