openembedded-core.lists.openembedded.org archive mirror
* [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
@ 2023-02-27 11:00 Geoffrey GIRY
  2023-02-27 17:49 ` [OE-core] " Marta Rybczynska
                   ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Geoffrey GIRY @ 2023-02-27 11:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Geoffrey GIRY, Yoann Congal

Multiple CVEs are patched in the kernel but appear as active because the NVD
database is not up to date.

CVEs are ignored if and only if all versions of the kernel used by master are patched.

Also ignore CVEs with a wrong CPE (applied to the kernel but actually for
another package).

Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
---
 .../distro/include/cve-extra-exclusions.inc   | 296 ++++++++++++++++++
 1 file changed, 296 insertions(+)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 8b5f8d49b8..a281a8ac65 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -78,9 +78,34 @@ CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-108
 CVE_CHECK_IGNORE += "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887"
 # 2020
 CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
+# Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
+# Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
+# Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
+CVE_CHECK_IGNORE += "CVE-2020-27784"
+
 # 2021
 CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
                      CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3669
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
+CVE_CHECK_IGNORE += "CVE-2021-3669"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
+# Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
+# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
+# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
+# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
+CVE_CHECK_IGNORE += "CVE-2021-3759"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2021-4218
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
+CVE_CHECK_IGNORE += "CVE-2021-4218"
+
 # 2022
 CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
                      CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
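Review bot: the CVE-2021-3669 and CVE-2021-4218 entries record only a mainline fix ("Patched in kernel since v5.15" and "since v5.8") with no stable backports, while CVE_CHECK_IGNORE += applies to every build that pulls in this include, whatever kernel version it selects. Since the commit message ties each exclusion to the kernel versions master uses, name those versions in a comment above the new entries so they can be re-checked when this file is used with, or backported to, an older linux-yocto. Minor: the CVE-2020-27784 "Patched" and "Backported" comment lines separate version and hash with a tab where the other entries use a space.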
@@ -90,6 +115,277 @@ CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE
                      CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
                      CVE-2022-29582 CVE-2022-29968"
 
+# https://nvd.nist.gov/vuln/detail/CVE-2022-0480
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
+CVE_CHECK_IGNORE += "CVE-2022-0480"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 46c116b920ebec58031f0a78c5ea9599b0d2a371
+# Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
+# Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
+# Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
+CVE_CHECK_IGNORE += "CVE-2022-1184"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
+# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
+# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
+# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
+CVE_CHECK_IGNORE += "CVE-2022-1462"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2308
+# Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
+# Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
+# Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
+# Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
+CVE_CHECK_IGNORE += "CVE-2022-2308"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2327
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
+CVE_CHECK_IGNORE += "CVE-2022-2327"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
+# Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
+# Patched in kernel since v6.0 0efe125cfb99e6773a7434f3463f7c2fa28f3a43
+# Backported in version v5.4.213 36f7b71f8ad8e4d224b45f7d6ecfeff63b091547
+# Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
+# Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
+# Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
+CVE_CHECK_IGNORE += "CVE-2022-2663"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-2785
+# Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
+# Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
+# Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
+CVE_CHECK_IGNORE += "CVE-2022-2785"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3176
+# Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
+# Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
+# Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
+CVE_CHECK_IGNORE += "CVE-2022-3176"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
+# Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
+# Breaking commit backported in v5.4.189 f5064531c23ad646da7be8b938292b00a7e61438
+# Breaking commit backported in v5.10.111 63ea57478aaa3e06a597081a0f537318fc04e49f
+# Breaking commit backported in v5.15.34 907c97986d6fa77318d17659dd76c94b65dd27c5
+# Patched in kernel since v6.1 61b91eb33a69c3be11b259c5ea484505cd79f883
+# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
+# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
+# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
+CVE_CHECK_IGNORE += "CVE-2022-3435"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3526
+# Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
+# Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
+# Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
+CVE_CHECK_IGNORE += "CVE-2022-3526"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3534
+# Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
+# Patched in kernel since v6.2 93c660ca40b5d2f7c1b1626e955a8e9fa30e0749
+# Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
+# Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
+# Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
+CVE_CHECK_IGNORE += "CVE-2022-3534"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
+# Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
+# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
+# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
+# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
+CVE_CHECK_IGNORE += "CVE-2022-3564"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3619
+# Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
+# Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
+# Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
+CVE_CHECK_IGNORE += "CVE-2022-3619"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
+# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
+# Patched in kernel since v6.1 21a87d88c2253350e115029f14fe2a10a7e6c856
+# Backported in version v5.4.218 792211333ad77fcea50a44bb7f695783159fc63c
+# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
+# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
+# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
+CVE_CHECK_IGNORE += "CVE-2022-3621"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
+# Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
+# Patched in kernel since v6.1 fac35ba763ed07ba93154c95ffc0c4a55023707f
+# Backported in version v5.4.228 176ba4c19d1bb153aa6baaa61d586e785b7d736c
+# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
+# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
+# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
+CVE_CHECK_IGNORE += "CVE-2022-3623"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3624
+# Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
+# Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
+CVE_CHECK_IGNORE += "CVE-2022-3624"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3625
+# Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
+# Patched in kernel since v6.0 6b4db2e528f650c7fb712961aac36455468d5902
+# Backported in version v5.4.211 1ad4ba9341f15412cf86dc6addbb73871a10212f
+# Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
+# Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
+# Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
+CVE_CHECK_IGNORE += "CVE-2022-3625"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
+# Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
+# Patched in kernel since v6.0 7e97cfed9929eaabc41829c395eb0d1350fccb9d
+# Backported in version v5.4.211 f82f1e2042b397277cd39f16349950f5abade58d
+# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
+# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
+# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
+CVE_CHECK_IGNORE += "CVE-2022-3629"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3630
+# Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
+# Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
+# Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
+CVE_CHECK_IGNORE += "CVE-2022-3630"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
+# Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
+# Patched in kernel since v6.0 8c21c54a53ab21842f5050fa090f26b03c0313d6
+# Backported in version v5.4.211 04e41b6bacf474f5431491f92e981096e8cc8e93
+# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
+# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
+# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
+CVE_CHECK_IGNORE += "CVE-2022-3633"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.0 3f4093e2bf4673f218c0bf17d8362337c400e77b
+# Backported in version v5.4.211 9a6cbaa50f263b12df18a051b37f3f42f9fb5253
+# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
+# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
+# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
+CVE_CHECK_IGNORE += "CVE-2022-3635"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3636
+# Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
+# Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
+CVE_CHECK_IGNORE += "CVE-2022-3636"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3640
+# Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
+# Breaking commit backported in v5.4.209 098e07ef0059296e710a801cdbd74b59016e6624
+# Breaking commit backported in v5.10.135 de5d4654ac6c22b1be756fdf7db18471e7df01ea
+# Breaking commit backported in v5.15.59 f32d5615a78a1256c4f557ccc6543866e75d03f4
+# Patched in kernel since v6.1 0d0e2d032811280b927650ff3c15fe5020e82533
+# Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
+# Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
+# Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
+CVE_CHECK_IGNORE += "CVE-2022-3640"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
+# Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
+# Patched in kernel since v6.1 d0d51a97063db4704a5ef6bc978dddab1636a306
+# Backported in version v5.4.218 b7e409d11db9ce9f8bc05fcdfa24d143f60cd393
+# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
+# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
+# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
+CVE_CHECK_IGNORE += "CVE-2022-3646"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 d325dc6eb763c10f591c239550b8c7e5466a5d09
+# Backported in version v5.4.220 d1c2d820a2cd73867b7d352e89e92fb3ac29e926
+# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
+# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
+# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
+CVE_CHECK_IGNORE += "CVE-2022-3649"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
+# Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
+# Patched in kernel since v6.2-rc5 d18dcfe9860e842f394e37ba01ca9440ab2178f4
+# Backported in version v5.4.230 9a39f4626b361ee7aa10fd990401c37ec3b466ae
+# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
+# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
+# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
+CVE_CHECK_IGNORE += "CVE-2022-4382"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
+# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
+# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
+# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
+CVE_CHECK_IGNORE += "CVE-2022-26365"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 307c8de2b02344805ebead3440d8feed28f2f010
+# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
+# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
+# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
+CVE_CHECK_IGNORE += "CVE-2022-33740"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 4491001c2e0fa69efbb748c96ec96b100a5cdb7e
+# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
+# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
+# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
+CVE_CHECK_IGNORE += "CVE-2022-33741"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 2400617da7eebf9167d71a46122828bc479d64c9
+# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
+# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
+# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
+CVE_CHECK_IGNORE += "CVE-2022-33742"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
+CVE_CHECK_IGNORE += "CVE-2022-42895"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2022-42896
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.1 711f8c3fb3db61897080468586b970c87c61d9e4
+# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
+# Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
+# Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
+CVE_CHECK_IGNORE += "CVE-2022-42896"
+
+
+# 2023
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0266
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
+# Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
+# Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
+CVE_CHECK_IGNORE += "CVE-2023-0266"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
+# Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
+# Patched in kernel since v6.2 cb3e9864cdbe35ff6378966660edbcbac955fe17
+# Backported in version v5.4.229 3998dba0f78a59922b0ef333ccfeb58d9410cd3d
+# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
+# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
+# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
+CVE_CHECK_IGNORE += "CVE-2023-0394"
+
+# Wrong CPE in NVD database
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
+# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
+# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
+CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
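Review bot: in the CVE-2022-3621 comment, "Introduced in version v2.60.30" is not a kernel version and is presumably meant to be v2.6.30, the form the CVE-2022-3646 entry uses; the CVE-2023-0394 comment also writes "2.6.12" without the "v" prefix the other entries carry. The "Wrong CPE in NVD database" block ends up under the "# 2023" heading although both ids are CVE-2022-*, so either move it next to the 2022 entries or give it its own section, and its comment would read better as "These issues do not affect the kernel; the patches linked from the CVE pages point to https://git.kernel.org/pub/scm/bluetooth/bluez.git". CVE-2022-42895 lists its backports newest-first while every other entry goes oldest-first.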
-- 
2.30.2



* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-02-27 11:00 [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs Geoffrey GIRY
@ 2023-02-27 17:49 ` Marta Rybczynska
  2023-02-27 22:02   ` Richard Purdie
  2023-03-01 14:11 ` Richard Purdie
  2023-06-06  5:33 ` Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs) Marta Rybczynska
  2 siblings, 1 reply; 11+ messages in thread
From: Marta Rybczynska @ 2023-02-27 17:49 UTC (permalink / raw)
  To: Geoffrey GIRY; +Cc: OE-core, Yoann Congal

Hello Geoffrey,
Thank you for the work. Have you contacted NVD to update the database
instead? What did they say?

Kind regards
Marta

On Mon, 27 Feb 2023, 12:00 Geoffrey GIRY, <geoffrey.giry@smile.fr> wrote:

> Multiple CVEs are patched in the kernel but appear as active because the NVD
> database is not up to date.
>
> CVEs are ignored if and only if all versions of the kernel used by master are
> patched.
>
> Also ignore CVEs with a wrong CPE (applied to the kernel but actually for
> another package).
>
> Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
> Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
> ---
>  .../distro/include/cve-extra-exclusions.inc   | 296 ++++++++++++++++++
>  1 file changed, 296 insertions(+)
>
> diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc
> b/meta/conf/distro/include/cve-extra-exclusions.inc
> index 8b5f8d49b8..a281a8ac65 100644
> --- a/meta/conf/distro/include/cve-extra-exclusions.inc
> +++ b/meta/conf/distro/include/cve-extra-exclusions.inc
> @@ -78,9 +78,34 @@ CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840
> CVE-2018-10876 CVE-2018-108
>  CVE_CHECK_IGNORE += "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910
> CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887"
>  # 2020
>  CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119
> CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2020-27784
> +# Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
> +# Patched in kernel since v5.10
> e8d5f92b8d30bb4ade76494490c3c065e12411b1
> +# Backported in version v5.4.73
> e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
> +CVE_CHECK_IGNORE += "CVE-2020-27784"
> +
>  # 2021
>  CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265
> CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
>                       CVE-2021-4090 CVE-2021-4095 CVE-2021-4197
> CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-3669
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
> +CVE_CHECK_IGNORE += "CVE-2021-3669"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-3759
> +# Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
> +# Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
> +# Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
> +# Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
> +CVE_CHECK_IGNORE += "CVE-2021-3759"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2021-4218
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
> +CVE_CHECK_IGNORE += "CVE-2021-4218"
> +
>  # 2022
>  CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286
> CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
>                       CVE-2022-0492 CVE-2022-0494 CVE-2022-0500
> CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
> @@ -90,6 +115,277 @@ CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264
> CVE-2022-0286 CVE-2022-0330 CVE
>                       CVE-2022-28356 CVE-2022-28388 CVE-2022-28389
> CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
>                       CVE-2022-29582 CVE-2022-29968"
>
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-0480
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
> +CVE_CHECK_IGNORE += "CVE-2022-0480"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1184
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 46c116b920ebec58031f0a78c5ea9599b0d2a371
> +# Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
> +# Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
> +# Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
> +CVE_CHECK_IGNORE += "CVE-2022-1184"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
> +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
> +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
> +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
> +CVE_CHECK_IGNORE += "CVE-2022-1462"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2308
> +# Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
> +# Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
> +# Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
> +# Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
> +CVE_CHECK_IGNORE += "CVE-2022-2308"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2327
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.10.125
> df3f3bb5059d20ef094d6b2f0256c4bf4127a859
> +CVE_CHECK_IGNORE += "CVE-2022-2327"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2663
> +# Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
> +# Patched in kernel since v6.0 0efe125cfb99e6773a7434f3463f7c2fa28f3a43
> +# Backported in version v5.4.213 36f7b71f8ad8e4d224b45f7d6ecfeff63b091547
> +# Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
> +# Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
> +# Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
> +CVE_CHECK_IGNORE += "CVE-2022-2663"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-2785
> +# Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
> +# Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
> +# Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
> +CVE_CHECK_IGNORE += "CVE-2022-2785"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3176
> +# Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
> +# Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
> +# Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
> +CVE_CHECK_IGNORE += "CVE-2022-3176"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3435
> +# Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
> +# Breaking commit backported in v5.4.189
> f5064531c23ad646da7be8b938292b00a7e61438
> +# Breaking commit backported in v5.10.111
> 63ea57478aaa3e06a597081a0f537318fc04e49f
> +# Breaking commit backported in v5.15.34
> 907c97986d6fa77318d17659dd76c94b65dd27c5
> +# Patched in kernel since v6.1 61b91eb33a69c3be11b259c5ea484505cd79f883
> +# Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
> +# Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
> +# Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
> +CVE_CHECK_IGNORE += "CVE-2022-3435"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3526
> +# Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
> +# Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
> +# Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
> +CVE_CHECK_IGNORE += "CVE-2022-3526"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3534
> +# Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
> +# Patched in kernel since v6.2 93c660ca40b5d2f7c1b1626e955a8e9fa30e0749
> +# Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
> +# Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
> +# Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
> +CVE_CHECK_IGNORE += "CVE-2022-3534"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3564
> +# Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
> +# Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
> +# Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
> +# Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
> +CVE_CHECK_IGNORE += "CVE-2022-3564"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3619
> +# Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
> +# Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
> +# Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
> +CVE_CHECK_IGNORE += "CVE-2022-3619"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3621
> +# Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
> +# Patched in kernel since v6.1 21a87d88c2253350e115029f14fe2a10a7e6c856
> +# Backported in version v5.4.218 792211333ad77fcea50a44bb7f695783159fc63c
> +# Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
> +# Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
> +# Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
> +CVE_CHECK_IGNORE += "CVE-2022-3621"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3623
> +# Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
> +# Patched in kernel since v6.1 fac35ba763ed07ba93154c95ffc0c4a55023707f
> +# Backported in version v5.4.228 176ba4c19d1bb153aa6baaa61d586e785b7d736c
> +# Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
> +# Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
> +# Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
> +CVE_CHECK_IGNORE += "CVE-2022-3623"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3624
> +# Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
> +# Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
> +CVE_CHECK_IGNORE += "CVE-2022-3624"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3625
> +# Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
> +# Patched in kernel since v6.0 6b4db2e528f650c7fb712961aac36455468d5902
> +# Backported in version v5.4.211 1ad4ba9341f15412cf86dc6addbb73871a10212f
> +# Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
> +# Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
> +# Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
> +CVE_CHECK_IGNORE += "CVE-2022-3625"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3629
> +# Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
> +# Patched in kernel since v6.0 7e97cfed9929eaabc41829c395eb0d1350fccb9d
> +# Backported in version v5.4.211 f82f1e2042b397277cd39f16349950f5abade58d
> +# Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
> +# Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
> +# Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
> +CVE_CHECK_IGNORE += "CVE-2022-3629"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3630
> +# Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
> +# Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
> +# Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
> +CVE_CHECK_IGNORE += "CVE-2022-3630"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3633
> +# Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
> +# Patched in kernel since v6.0 8c21c54a53ab21842f5050fa090f26b03c0313d6
> +# Backported in version v5.4.211 04e41b6bacf474f5431491f92e981096e8cc8e93
> +# Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
> +# Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
> +# Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
> +CVE_CHECK_IGNORE += "CVE-2022-3633"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3635
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v6.0 3f4093e2bf4673f218c0bf17d8362337c400e77b
> +# Backported in version v5.4.211 9a6cbaa50f263b12df18a051b37f3f42f9fb5253
> +# Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
> +# Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
> +# Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
> +CVE_CHECK_IGNORE += "CVE-2022-3635"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3636
> +# Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
> +# Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
> +CVE_CHECK_IGNORE += "CVE-2022-3636"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3640
> +# Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
> +# Breaking commit backported in v5.4.209
> 098e07ef0059296e710a801cdbd74b59016e6624
> +# Breaking commit backported in v5.10.135
> de5d4654ac6c22b1be756fdf7db18471e7df01ea
> +# Breaking commit backported in v5.15.59
> f32d5615a78a1256c4f557ccc6543866e75d03f4
> +# Patched in kernel since v6.1 0d0e2d032811280b927650ff3c15fe5020e82533
> +# Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
> +# Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
> +# Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
> +CVE_CHECK_IGNORE += "CVE-2022-3640"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3646
> +# Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
> +# Patched in kernel since v6.1 d0d51a97063db4704a5ef6bc978dddab1636a306
> +# Backported in version v5.4.218 b7e409d11db9ce9f8bc05fcdfa24d143f60cd393
> +# Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
> +# Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
> +# Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
> +CVE_CHECK_IGNORE += "CVE-2022-3646"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3649
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v6.1 d325dc6eb763c10f591c239550b8c7e5466a5d09
> +# Backported in version v5.4.220 d1c2d820a2cd73867b7d352e89e92fb3ac29e926
> +# Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
> +# Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
> +# Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
> +CVE_CHECK_IGNORE += "CVE-2022-3649"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-4382
> +# Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
> +# Patched in kernel since v6.2-rc5
> d18dcfe9860e842f394e37ba01ca9440ab2178f4
> +# Backported in version v5.4.230 9a39f4626b361ee7aa10fd990401c37ec3b466ae
> +# Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
> +# Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
> +# Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
> +CVE_CHECK_IGNORE += "CVE-2022-4382"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-26365
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 2f446ffe9d737e9a844b97887919c4fda18246e7
> +# Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
> +# Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
> +# Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
> +CVE_CHECK_IGNORE += "CVE-2022-26365"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33740
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 307c8de2b02344805ebead3440d8feed28f2f010
> +# Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
> +# Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
> +# Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
> +CVE_CHECK_IGNORE += "CVE-2022-33740"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33741
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 4491001c2e0fa69efbb748c96ec96b100a5cdb7e
> +# Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
> +# Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
> +# Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
> +CVE_CHECK_IGNORE += "CVE-2022-33741"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-33742
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 2400617da7eebf9167d71a46122828bc479d64c9
> +# Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
> +# Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
> +# Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
> +CVE_CHECK_IGNORE += "CVE-2022-33742"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42895
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
> +# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
> +# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
> +# Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
> +CVE_CHECK_IGNORE += "CVE-2022-42895"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-42896
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v6.1 711f8c3fb3db61897080468586b970c87c61d9e4
> +# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
> +# Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
> +# Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
> +CVE_CHECK_IGNORE += "CVE-2022-42896"
> +
> +
> +# 2023
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-0266
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
> +# Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
> +# Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
> +CVE_CHECK_IGNORE += "CVE-2023-0266"
> +
> +# https://nvd.nist.gov/vuln/detail/CVE-2023-0394
> +# Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
> +# Patched in kernel since v6.2 cb3e9864cdbe35ff6378966660edbcbac955fe17
> +# Backported in version v5.4.229 3998dba0f78a59922b0ef333ccfeb58d9410cd3d
> +# Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
> +# Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
> +# Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
> +CVE_CHECK_IGNORE += "CVE-2023-0394"
> +
> +# Wrong CPE in NVD database
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3563
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-3637
> +# Those issue do not affect the kernel, patchs listed on CVE pages links
> to https://git.kernel.org/pub/scm/bluetooth/bluez.git
> +CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
>
>  # qemu:qemu-native:qemu-system-native
> https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
>  # There was a proposed patch
> https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
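Review bot: the final entry, CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637", carries no recipe override, so the two IDs that its own comment attributes to bluez are ignored for every recipe, and they would stay hidden for bluez as well if NVD later corrects the CPE. Either scope the ignore to the kernel recipe or state in the comment whether the bluez version shipped in the layer already contains the linked fixes. Smaller points in the same hunk: the CVE-2023-0266 entry lists backports only for v5.15.88 and v6.1.6, so the comment should say which kernel versions the "patched everywhere" check was run against; the CVE-2023-0394 entry writes "version 2.6.12" without the "v" prefix used elsewhere; and the wrong-CPE comment reads "Those issue ... patchs" where "These issues ... patches" is meant.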
> --
> 2.30.2
>


* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-02-27 17:49 ` [OE-core] " Marta Rybczynska
@ 2023-02-27 22:02   ` Richard Purdie
  2023-02-28  9:05     ` Geoffrey GIRY
  0 siblings, 1 reply; 11+ messages in thread
From: Richard Purdie @ 2023-02-27 22:02 UTC (permalink / raw)
  To: Marta Rybczynska, Geoffrey GIRY; +Cc: OE-core, Yoann Congal

On Mon, 2023-02-27 at 18:49 +0100, Marta Rybczynska wrote:
> Thank you for the work. Have you contacted NVD to update the database
> instead? What did they say?

Ideally a large portion of these should be sent to NVD but we did talk
a little about this on the call last week. We agreed that it will take
time and it was better to document this and fix our reporting in the
meantime as well as share these useful details more widely. I'd suggest
that as things are submitted we could document that, hopefully we'll
also be able to remove many of these entries.

I'm sure Geoffrey can provide more status but I wanted to update on why
this was sent and why I think we should take it.

I will drop the kernel filtering so new kernel CVEs then show up in all
our metrics going forward.

Cheers,

Richard





* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-02-27 22:02   ` Richard Purdie
@ 2023-02-28  9:05     ` Geoffrey GIRY
  2023-02-28 20:41       ` Marta Rybczynska
  2023-03-01 10:43       ` Richard Purdie
  0 siblings, 2 replies; 11+ messages in thread
From: Geoffrey GIRY @ 2023-02-28  9:05 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: Richard Purdie, OE-core, Yoann Congal

Hello Marta, Richard,

We sent NVD an update for one CVE (CVE-2020-27784) 14 days ago, and we
are still waiting for an answer.
This is the first time we have ever done this, so we sent only the first one as a test.
When the change is accepted, we will send update requests for each
already patched CVE.

Richard, thank you for the details provided.

Regards,
Geoffrey GIRY
Research and Development Engineer
SMILE



On Mon, 27 Feb 2023 at 23:02, Richard Purdie
<richard.purdie@linuxfoundation.org> wrote:
>
> On Mon, 2023-02-27 at 18:49 +0100, Marta Rybczynska wrote:
> > Thank you for the work. Have you contacted NVD to update the database
> > instead? What did they say?
>
> Ideally a large portion of these should be sent to NVD but we did talk
> a little about this on the call last week. We agreed that it will take
> time and it was better to document this and fix our reporting in the
> meantime as well as share these useful details more widely. I'd suggest
> that as things are submitted we could document that, hopefully we'll
> also be able to remove many of these entries.
>
> I'm sure Geoffrey can provide more status but I wanted to update on why
> this was sent and why I think we should take it.
>
> I will drop the kernel filtering so new kernel CVEs then show up in all
> our metrics going forward.
>
> Cheers,
>
> Richard
>
>



* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-02-28  9:05     ` Geoffrey GIRY
@ 2023-02-28 20:41       ` Marta Rybczynska
  2023-03-01 10:43       ` Richard Purdie
  1 sibling, 0 replies; 11+ messages in thread
From: Marta Rybczynska @ 2023-02-28 20:41 UTC (permalink / raw)
  To: Geoffrey GIRY; +Cc: Richard Purdie, OE-core, Yoann Congal


Thank you for the explanation and the work done. Could you contact me off
list so that we confirm what was sent and where? 14 days is longer than
I've ever had as a response time from NVD.

Kind regards
Marta

On Tue, 28 Feb 2023, 10:05 Geoffrey GIRY, <geoffrey.giry@smile.fr> wrote:

> Hello Marta, Richard,
>
> We sent NVD an update for one CVE (CVE-2020-27784) 14 days ago, and we
> are still waiting for an answer.
> This is the first time we have ever done this, so we sent only the first one as a
> test.
> When the change is accepted, we will send update requests for each
> already patched CVE.
>
> Richard, thank you for the details provided.
>
> Regards,
> Geoffrey GIRY
> Research and Development Engineer
> SMILE
>
>
>
> On Mon, 27 Feb 2023 at 23:02, Richard Purdie
> <richard.purdie@linuxfoundation.org> wrote:
> >
> > On Mon, 2023-02-27 at 18:49 +0100, Marta Rybczynska wrote:
> > > Thank you for the work. Have you contacted NVD to update the database
> > > instead? What did they say?
> >
> > Ideally a large portion of these should be sent to NVD but we did talk
> > a little about this on the call last week. We agreed that it will take
> > time and it was better to document this and fix our reporting in the
> > meantime as well as share these useful details more widely. I'd suggest
> > that as things are submitted we could document that, hopefully we'll
> > also be able to remove many of these entries.
> >
> > I'm sure Geoffrey can provide more status but I wanted to update on why
> > this was sent and why I think we should take it.
> >
> > I will drop the kernel filtering so new kernel CVEs then show up in all
> > our metrics going forward.
> >
> > Cheers,
> >
> > Richard
> >
> >
>


* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-02-28  9:05     ` Geoffrey GIRY
  2023-02-28 20:41       ` Marta Rybczynska
@ 2023-03-01 10:43       ` Richard Purdie
  1 sibling, 0 replies; 11+ messages in thread
From: Richard Purdie @ 2023-03-01 10:43 UTC (permalink / raw)
  To: Geoffrey GIRY, Marta Rybczynska, Ross Burton; +Cc: OE-core, Yoann Congal

On Tue, 2023-02-28 at 10:05 +0100, Geoffrey GIRY wrote:
> Hello Marta, Richard,
> 
> We sent NVD an update for one CVE (CVE-2020-27784) 14 days ago, and we
> are still waiting for an answer.
> This is the first time we have ever done this, so we sent only the first one as a test.
> When the change is accepted, we will send update requests for each
> already patched CVE.
> 
> Richard, thank you for the details provided.

Ross (cc'd) has quite a bit of experience at sending these. Perhaps you
could try another submission for one of these with him together, see if
we can work out what we need to do to get these in?

Cheers,

Richard





* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-02-27 11:00 [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs Geoffrey GIRY
  2023-02-27 17:49 ` [OE-core] " Marta Rybczynska
@ 2023-03-01 14:11 ` Richard Purdie
  2023-03-01 14:37   ` Mikko Rapeli
  2023-06-06  5:33 ` Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs) Marta Rybczynska
  2 siblings, 1 reply; 11+ messages in thread
From: Richard Purdie @ 2023-03-01 14:11 UTC (permalink / raw)
  To: Geoffrey GIRY, openembedded-core, Bruce Ashfield; +Cc: Yoann Congal

On Mon, 2023-02-27 at 12:00 +0100, Geoffrey GIRY wrote:
> Multiple CVE are patched in kernel but appears as active because the NVD
> database is not up to date.
> 
> CVE are ignored if and only if all versions of kernel used by master are patched.
> 
> Also ignore CVEs with wrong CPE (applied to kernel but actually are for
>  another package)
> 
> Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
> Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
> ---
>  .../distro/include/cve-extra-exclusions.inc   | 296 ++++++++++++++++++
>  1 file changed, 296 insertions(+)

FWIW, with this applied, the list reported by our tooling was reduced
to:

https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt

Cheers,

Richard



* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-03-01 14:11 ` Richard Purdie
@ 2023-03-01 14:37   ` Mikko Rapeli
  2023-03-02 15:46     ` Geoffrey GIRY
  0 siblings, 1 reply; 11+ messages in thread
From: Mikko Rapeli @ 2023-03-01 14:37 UTC (permalink / raw)
  To: Richard Purdie
  Cc: Geoffrey GIRY, openembedded-core, Bruce Ashfield, Yoann Congal

Hi,

On Wed, Mar 01, 2023 at 02:11:19PM +0000, Richard Purdie wrote:
> On Mon, 2023-02-27 at 12:00 +0100, Geoffrey GIRY wrote:
> > Multiple CVE are patched in kernel but appears as active because the NVD
> > database is not up to date.
> > 
> > CVE are ignored if and only if all versions of kernel used by master are patched.
> > 
> > Also ignore CVEs with wrong CPE (applied to kernel but actually are for
> >  another package)
> > 
> > Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
> > Reviewed-by: Yoann Congal <yoann.congal@smile.fr>
> > ---
> >  .../distro/include/cve-extra-exclusions.inc   | 296 ++++++++++++++++++
> >  1 file changed, 296 insertions(+)
> 
> FWIW, with this applied, the list reported by our tooling was reduced
> to:
> 
> https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt

I presume this is with 6.1.9 kernel. The data looks better but should
also be compared with
https://github.com/nluedtke/linux_kernel_cves/blob/master/data/6.1/6.1_security.txt
which shows that:

 * CVE-2022-27672 was not found but would be fixed in 6.1.12
 * CVE-2023-26545 was not found but would be fixed in 6.1.13
 * CVE-2022-2196 was found and would be fixed in 6.1.14

For the rest, few were not found in linux_kernel_cves at all for 6.1
kernels, and a few were found with unclear status.

The situation is messy overall, but that is by no means caused by the Yocto
side CVE tooling. The CVE database for Linux kernel issues is simply not
up to date for all branches and point releases, and frankly the same is true for the
linux_kernel_cves data. "Update to latest kernel.org LTS branch
release" would be the way to go though...

Cheers,

-Mikko



* Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs
  2023-03-01 14:37   ` Mikko Rapeli
@ 2023-03-02 15:46     ` Geoffrey GIRY
  0 siblings, 0 replies; 11+ messages in thread
From: Geoffrey GIRY @ 2023-03-02 15:46 UTC (permalink / raw)
  To: Mikko Rapeli
  Cc: Richard Purdie, openembedded-core, Bruce Ashfield, Yoann Congal

Hello Mikko,

Thank you for the link to linux_kernel_cves, it will be very helpful.

For the target version, since Yocto allows building images for kernel
versions 6.1 and 5.15, we preferred to add to the ignored list only CVEs
patched in both of these versions, to avoid adding false negatives.

Concerning the CVEs listed in your mail, the first two are still under
analysis on the NVD site and therefore do not appear (Yocto tools use the NVD
database to get CVE information).
For the last one, the patch was not yet backported when I did the analysis.

Regards,
Geoffrey GIRY
SMILE ECS - R&D Engineer



* Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)
  2023-02-27 11:00 [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs Geoffrey GIRY
  2023-02-27 17:49 ` [OE-core] " Marta Rybczynska
  2023-03-01 14:11 ` Richard Purdie
@ 2023-06-06  5:33 ` Marta Rybczynska
  2023-06-06 12:35   ` Marko, Peter
  2 siblings, 1 reply; 11+ messages in thread
From: Marta Rybczynska @ 2023-06-06  5:33 UTC (permalink / raw)
  To: Geoffrey GIRY, Richard Purdie; +Cc: OE-core, Yoann Congal


Hello all,
I'm in the process of clarifying entries for NVD to have them fixed in the
sources. The comments in the patch linked do not include all the needed
information, however.

Let's take this one:

+# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
+# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
+# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
+# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
+# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
+# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
+CVE_CHECK_IGNORE += "CVE-2022-1462"

We need to write a set of rules on which versions are vulnerable, like this:
[v2.6.12 - v5.4.208]
[v5.5.0 ??? -  v5.10.134]
[v5.11.0 ??? - v5.15.58]
[v5.16.0 ??? - v5.19.0]

The values with ??? are uncertain. Geoffrey, Yoann, as it was scripted out
according to one of the discussions, are you able to confirm those
"starting" versions?

Kind regards,
Marta


* RE: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)
  2023-06-06  5:33 ` Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs) Marta Rybczynska
@ 2023-06-06 12:35   ` Marko, Peter
  0 siblings, 0 replies; 11+ messages in thread
From: Marko, Peter @ 2023-06-06 12:35 UTC (permalink / raw)
  To: rybczynska, Geoffrey GIRY, Richard Purdie; +Cc: OE-core, Yoann Congal

Hi,

> From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marta Rybczynska via lists.openembedded.org
> Sent: Tuesday, June 6, 2023 7:34
> To: Geoffrey GIRY <geoffrey.giry@smile.fr>; Richard Purdie <richard.purdie@linuxfoundation.org>
> Cc: OE-core <openembedded-core@lists.openembedded.org>; Yoann Congal <yoann.congal@smile.fr>
> Subject: Clarifying CVEs for NVD (Was: Re: [OE-core] [PATCH] cve-extra-exclusions: ignore inapplicable linux-yocto CVEs)
>
> Hello all,
> I'm in process of clarifying entries for NVD to have them fixed in the sources. The comments in the patch linked do not include all the needed information, however.
>
> Let's take this one:
>
> +# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
> +# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
> +# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
> +# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
> +# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
> +# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
> +CVE_CHECK_IGNORE += "CVE-2022-1462"
>
> We need to write a set of rules on which versions are vulnerable, like this:
> [v2.6.12 - v5.4.208]
> [v5.5.0 ??? -  v5.10.134]
> [v5.11.0 ??? - v5.15.58]
> [v5.16.0 ??? - v5.19.0]

New kernel branches start with tag vX.Y-rc1, so it should be v5.5-rc1, v5.11-rc1, v5.16.0-rc1.
In NVD DB 1.1 format: 5.5_rc1, 5.1_rc1, 5.16_rc1, ...

>
> The values with ??? are uncertain. Geoffrey, Yann, as it was scripted out according to one of the discussions, are you able to confirm those "starting" versions ?
>
> Kind regards,
> Marta
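
The range rule discussed in the last two messages, worked through for the CVE-2022-1462 comment block quoted above; this is an added example, not code from the thread or from the Yocto tooling. The function names are hypothetical, each range is assumed to end just before the listed fix release, each later range is assumed to start at the first release of the next minor series (the vX.Y-rc1 tags are not modelled), and the v5.15.91 version in the usage is constructed.

```python
import re

# Comment block for CVE-2022-1462 as quoted in the thread ("+" diff markers removed).
SAMPLE = """\
# https://nvd.nist.gov/vuln/detail/CVE-2022-1462
# Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
# Patched in kernel since v5.19 a501ab75e7624d133a5a3c7ec010687c8b961d23
# Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
# Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
# Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
CVE_CHECK_IGNORE += "CVE-2022-1462"
"""

# Matches the three comment kinds used in the exclusion file; the "v" prefix
# is optional and any "-rcN" suffix on the version is ignored.
ENTRY_RE = re.compile(
    r"^#\s*(Introduced in version|Patched in kernel since|Backported in version)"
    r"\s+v?(\d+(?:\.\d+){1,2})",
    re.MULTILINE,
)


def parse_version(text):
    """'v5.4.208' -> (5, 4, 208); 'v5.19' -> (5, 19, 0). Release versions only."""
    nums = [int(n) for n in text.lstrip("v").split(".")]
    return tuple(nums + [0] * (3 - len(nums)))


def parse_block(block):
    """Return (introduced, sorted list of fixed versions) from one comment block."""
    introduced, fixes = None, []
    for kind, version in ENTRY_RE.findall(block):
        if kind.startswith("Introduced"):
            introduced = parse_version(version)
        else:
            fixes.append(parse_version(version))
    if introduced is None or not fixes:
        raise ValueError("block needs an 'Introduced' line and at least one fix")
    return introduced, sorted(fixes)


def vulnerable_ranges(block):
    """Half-open ranges [start, fix): one per stable branch that received the fix."""
    start, fixes = parse_block(block)
    ranges = []
    for fix in fixes:
        ranges.append((start, fix))
        # Assumption: the next range starts with the minor series that follows
        # the branch just fixed (5.4 -> 5.5, 5.10 -> 5.11, ...).
        start = (fix[0], fix[1] + 1, 0)
    return ranges


def is_vulnerable(version, ranges):
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in ranges)


def safe_to_ignore(ranges, shipped_kernels):
    """The patch's rule: ignore only if every shipped kernel is already fixed."""
    return not any(is_vulnerable(k, ranges) for k in shipped_kernels)


def describe(ranges):
    def fmt(v):
        return "v" + ".".join(str(n) for n in (v if v[2] else v[:2]))
    return [f"{fmt(lo)} <= version < {fmt(hi)}" for lo, hi in ranges]


if __name__ == "__main__":
    ranges = vulnerable_ranges(SAMPLE)
    print("\n".join(describe(ranges)))
    # v6.1.9 is the kernel mentioned in the thread; v5.15.91 is constructed.
    print(safe_to_ignore(ranges, ["v5.15.91", "v6.1.9"]))
```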
