* [OE-core][PATCH] cve-check: add option to add additional patched CVEs
@ 2023-05-05 11:18 Andrej Valek
  2023-05-05 11:30 ` Richard Purdie
                   ` (8 more replies)
  0 siblings, 9 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-05 11:18 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

CVE_CHECK_PATCHED should contain additional CVEs which have been
fixed and shouldn't be marked as vulnerable nor ignored.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/classes/cve-check.bbclass | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..957ea0130dc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
 #
 CVE_CHECK_IGNORE ?= ""
 
+# Usually a CVE gets treated as patched when a patch with the name of the CVE
+# gets applied. Basically this variable should not be used. But if there are
+# other reasons to mark a CVE as patched it can be added to this list.
+CVE_CHECK_PATCHED ?= ""
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
@@ -284,6 +289,9 @@ def check_cves(d, patched_cves):
 
     cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
 
+    # add additional patched CVEs into existing patched list
+    patched_cves.update(d.getVar("CVE_CHECK_PATCHED").split())
+
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
     conn = sqlite3.connect(db_file, uri=True)
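Review bot: `patched_cves.update(d.getVar("CVE_CHECK_PATCHED").split())` only feeds check_cves(); any other consumer of the patched set (the SBOM path through oe.cve_check.get_patched_cves(d), raised later in this thread) will not see these entries, so the same CVE would be "Patched" in the cve-check report and unpatched in the SPDX output. It is also not visible from this hunk which wins when a CVE is listed in both CVE_CHECK_IGNORE and CVE_CHECK_PATCHED; a `bb.warn()` on that overlap would be cheap and avoids contradictory reports.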
-- 
2.40.1




* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-05-05 11:30 ` Richard Purdie
  2023-05-05 11:36   ` Valek, Andrej
  2023-05-09  8:19 ` Michael Opdenacker
                   ` (7 subsequent siblings)
  8 siblings, 1 reply; 73+ messages in thread
From: Richard Purdie @ 2023-05-05 11:30 UTC (permalink / raw)
  To: andrej.valek, openembedded-core

On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
lists.openembedded.org wrote:
> CVE_CHECK_PATCHED should contain additional CVEs which have been
> fixed and shouldn't be marked as vulnerable nor ignored.
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  meta/classes/cve-check.bbclass | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..957ea0130dc 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
>  #
>  CVE_CHECK_IGNORE ?= ""
>  
> +# Usually a CVE gets treated as patched when a patch with the name of the CVE
> +# gets applied. Basically this variable should not be used. But if there are
> +# other reasons to mark a CVE as patched it can be added to this list.
> +CVE_CHECK_PATCHED ?= ""

We're not adding variables which are documented as "Basically this
variable should not be used.". If you shouldn't need/use it, we don't
need it.

Can't you just use the ignore variable for the same end result?

Cheers,

Richard




* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-05 11:30 ` Richard Purdie
@ 2023-05-05 11:36   ` Valek, Andrej
  2023-05-05 11:59     ` Richard Purdie
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-05-05 11:36 UTC (permalink / raw)
  To: richard.purdie, openembedded-core

On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
> lists.openembedded.org wrote:
> > CVE_CHECK_PATCHED should contain additional CVEs which have been
> > fixed and shouldn't be marked as vulnerable nor ignored.
> > 
> > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > ---
> >  meta/classes/cve-check.bbclass | 8 ++++++++
> >  1 file changed, 8 insertions(+)
> > 
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > check.bbclass
> > index bd9e7e7445c..957ea0130dc 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> >  #
> >  CVE_CHECK_IGNORE ?= ""
> >  
> > +# Usually a CVE gets treated as patched when a patch with the name
> > of the CVE
> > +# gets applied. Basically this variable should not be used. But if
> > there are
> > +# other reasons to mark a CVE as patched it can be added to this
> > list.
> > +CVE_CHECK_PATCHED ?= ""
> 
> We're not adding variables which are documented as "Basically this
> variable should not be used.". If you shouldn't need/use it, we don't
> need it.
Ok, maybe I should change the description a little bit. Do you have
some other preference?
> 
> Can't you just use the ignore variable for the same end result?
Nope. If I use an ignore list, the output in the SBOM will be set to
"ignored", which is wrong, because it has been fixed. And that's the
reason.
> 
> Cheers,
> 
> Richard
> 
Regards,
Andrej


* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-05 11:36   ` Valek, Andrej
@ 2023-05-05 11:59     ` Richard Purdie
  2023-05-08  8:57       ` adrian.freihofer
  0 siblings, 1 reply; 73+ messages in thread
From: Richard Purdie @ 2023-05-05 11:59 UTC (permalink / raw)
  To: Valek, Andrej, openembedded-core

On Fri, 2023-05-05 at 11:36 +0000, Valek, Andrej wrote:
> On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> > On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
> > lists.openembedded.org wrote:
> > > CVE_CHECK_PATCHED should contain additional CVEs which have been
> > > fixed and shouldn't be marked as vulnerable nor ignored.
> > > 
> > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > ---
> > >  meta/classes/cve-check.bbclass | 8 ++++++++
> > >  1 file changed, 8 insertions(+)
> > > 
> > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > > check.bbclass
> > > index bd9e7e7445c..957ea0130dc 100644
> > > --- a/meta/classes/cve-check.bbclass
> > > +++ b/meta/classes/cve-check.bbclass
> > > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> > >  #
> > >  CVE_CHECK_IGNORE ?= ""
> > >  
> > > +# Usually a CVE gets treated as patched when a patch with the name
> > > of the CVE
> > > +# gets applied. Basically this variable should not be used. But if
> > > there are
> > > +# other reasons to mark a CVE as patched it can be added to this
> > > list.
> > > +CVE_CHECK_PATCHED ?= ""
> > 
> > We're not adding variables which are documented as "Basically this
> > variable should not be used.". If you shouldn't need/use it, we don't
> > need it.
> Ok, maybe I should change the description a little bit. Do you have
> some other preference?
> > 
> > Can't you just use the ignore variable for the same end result?
> Nope. If I use an ignore list, the output in the SBOM will be set to
> "ignored", which is wrong, because it has been fixed. And that's the
> reason.
> 

I suspect "ignored" is a bad way to describe things. Ignore might mean
the issue doesn't apply, has been fixed in some way or we really are
ignoring it. What does the SBOM spec say about different field values?
Should we be providing more reasoning than just adding to an ignore
list?

I'm a bit worried we're not solving the real problem here by adding a
new variable we tell people not to use.

Cheers,

Richard





* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-05 11:59     ` Richard Purdie
@ 2023-05-08  8:57       ` adrian.freihofer
  2023-05-09  9:02         ` Ross Burton
  0 siblings, 1 reply; 73+ messages in thread
From: adrian.freihofer @ 2023-05-08  8:57 UTC (permalink / raw)
  To: Richard Purdie, Valek, Andrej, openembedded-core

On Fri, 2023-05-05 at 12:59 +0100, Richard Purdie wrote:
> > On Fri, 2023-05-05 at 11:36 +0000, Valek, Andrej wrote:
> > > > On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> > > > > > On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
> > > > > > lists.openembedded.org wrote:
> > > > > > > > CVE_CHECK_PATCHED should contain additional CVEs which have been
> > > > > > > > fixed and shouldn't be marked as vulnerable nor ignored.
> > > > > > > > 
> > > > > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > > > > > ---
> > > > > > > >  meta/classes/cve-check.bbclass | 8 ++++++++
> > > > > > > >  1 file changed, 8 insertions(+)
> > > > > > > > 
> > > > > > > > diff --git a/meta/classes/cve-check.bbclass
> > > > > > > > b/meta/classes/cve-
> > > > > > > > check.bbclass
> > > > > > > > index bd9e7e7445c..957ea0130dc 100644
> > > > > > > > --- a/meta/classes/cve-check.bbclass
> > > > > > > > +++ b/meta/classes/cve-check.bbclass
> > > > > > > > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> > > > > > > >  #
> > > > > > > >  CVE_CHECK_IGNORE ?= ""
> > > > > > > >  
> > > > > > > > +# Usually a CVE gets treated as patched when a patch
> > > > > > > > with the
> > > > > > > > name
> > > > > > > > of the CVE
> > > > > > > > +# gets applied. Basically this variable should not be
> > > > > > > > used.
> > > > > > > > But if
> > > > > > > > there are
> > > > > > > > +# other reasons to mark a CVE as patched it can be
> > > > > > > > added to
> > > > > > > > this
> > > > > > > > list.
> > > > > > > > +CVE_CHECK_PATCHED ?= ""
> > > > > > 
> > > > > > We're not adding variables which are documented as "Basically this
> > > > > > variable should not be used.". If you shouldn't need/use it, we don't
> > > > > > need it.
> > > > Ok, maybe I should change the description a little bit. Do you have
> > > > some other preference?
> > > > > > 
> > > > > > Can't you just use the ignore variable for the same end result?
> > > > Nope. If I use an ignore list, the output in the SBOM will be set to
> > > > "ignored", which is wrong, because it has been fixed. And that's the
> > > > reason.
> > > > 
> > 
> > I suspect "ignored" is a bad way to describe things. Ignore might mean
> > the issue doesn't apply, has been fixed in some way or we really are
> > ignoring it. What does the SBOM spec say about different field values?
> > Should we be providing more reasoning than just adding to an ignore
> > list?
> > 
> > I'm a bit worried we're not solving the real problem here by adding a
> > new variable we tell people not to use.

The patch from Andrej tries to solve a real issue: The CVE checker
distinguishes between two types of patches. Ignored (= not applicable)
and patched. Patching is only supported by adding a real patch file to
the SRC_URI. However, there are other ways a patch can be implemented.
For example, a recipe that uses the git fetcher would update the git
hash to a commit that contains a fix instead of applying a patch file
to the recipe.

But I fully agree that the comment (originally suggested by me when
Andrej and I were discussing the solution) is bad. Maybe it should read
as follows:

Normally, a CVE is treated as patched when a patch with the name of the
CVE is applied. CVE_CHECK_PATCHED allows extending the list of patched
CVEs without adding a patch file to SRC_URI.

Regarding the SBOM: It is important for customers that the CVEs of a
product with SBOM can be correctly identified as repaired or as
ignored. However, I'm not sure if the SBOM part is properly addressed
by the patch. The create-spdx.bbclass uses the function
oe.cve_check.get_patched_cves(d) which should probably handle the new
variable as well. We will check that and come up with a V2.

Thank you and regards,
Adrian


> > 
> > Cheers,
> > 
> > Richard
> > 
> > 
> > 




* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
  2023-05-05 11:30 ` Richard Purdie
@ 2023-05-09  8:19 ` Michael Opdenacker
  2023-05-17  5:41 ` [OE-core][PATCH v2] " Andrej Valek
                   ` (6 subsequent siblings)
  8 siblings, 0 replies; 73+ messages in thread
From: Michael Opdenacker @ 2023-05-09  8:19 UTC (permalink / raw)
  To: andrej.valek; +Cc: openembedded-core

Hi Andrej,

On 05.05.23 at 13:18, Andrej Valek via lists.openembedded.org wrote:
> CVE_CHECK_PATCHED should contain additional CVEs which have been
> fixed and shouldn't be marked as vulnerable nor ignored.
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>   meta/classes/cve-check.bbclass | 8 ++++++++
>   1 file changed, 8 insertions(+)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..957ea0130dc 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
>   #
>   CVE_CHECK_IGNORE ?= ""
>   
> +# Usually a CVE gets treated as patched when a patch with the name of the CVE
> +# gets applied. Basically this variable should not be used. But if there are
> +# other reasons to mark a CVE as patched it can be added to this list.
> +CVE_CHECK_PATCHED ?= ""
> +
>   # Layers to be excluded
>   CVE_CHECK_LAYER_EXCLUDELIST ??= ""
>   
> @@ -284,6 +289,9 @@ def check_cves(d, patched_cves):
>   
>       cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
>   
> +    # add additional patched CVEs into existing patched list
> +    patched_cves.update(d.getVar("CVE_CHECK_PATCHED").split())
> +
>       import sqlite3
>       db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
>       conn = sqlite3.connect(db_file, uri=True)


Thanks for the patch!
However, we'd need you to add one thing to your git configuration, so 
that your patches are given an "Author" field which matches your 
"Signed-off-by" information. See 
https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity 
for details.

Don't hesitate to send a patch test directly to me, if you wish.
Thanks again,
Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-08  8:57       ` adrian.freihofer
@ 2023-05-09  9:02         ` Ross Burton
  2023-05-09  9:16           ` Richard Purdie
  2023-05-09  9:32           ` Mikko Rapeli
  0 siblings, 2 replies; 73+ messages in thread
From: Ross Burton @ 2023-05-09  9:02 UTC (permalink / raw)
  To: adrian.freihofer; +Cc: Richard Purdie, Valek, Andrej, openembedded-core

On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org <adrian.freihofer=gmail.com@lists.openembedded.org> wrote:
> The patch from Andrej tries to solve a real issue: The CVE checker
> distinguishes between two types of patches. Ignored (= not applicable)
> and patched. Patching is only supported by adding a real patch file to
> the SRC_URI. However, there are other ways a patch can be implemented.
> For example, a recipe that uses the git fetcher would update the git
> hash to a commit that contains a fix instead of applying a patch file
> to the recipe.
> 
> But I fully agree that the comment (originally suggested by me when
> Andrej and I were discussing the solution) is bad. Maybe it should read
> as follows:
> 
> Normally, a CVE is treated as patched when a patch with the name of the
> CVE is applied. CVE_CHECK_PATCHED allows extending the list of patched
> CVEs without adding a patch file to SRC_URI.
> 
> Regarding the SBOM: It is important for customers that the CVEs of a
> product with SBOM can be correctly identified as repaired or as
> ignored. However, I'm not sure if the SBOM part is properly addressed
> by the patch. The create-spdx.bbclass uses the function
> oe.cve_check.get_patched_cves(d) which should probably handle the new
> variable as well. We will check that and come up with a V2.

So I’d suggest we deprecate CVE_CHECK_IGNORE and add a new, more flexible, variable instead.

How about a CVE_STATUS, which doesn’t have a direct value but has flags for each CVE:

# We moved to a git SHA that incorporates the fix
CVE_STATUS[CVE-1234-0001] = "Patched"

# We disabled frobnicate
CVE_STATUS[CVE-1234-0002] = "Patched"

# This is Windows-specific
CVE_STATUS[CVE-1234-0003] = "Not Applicable"

I’m not sure of the exact list of values the flags should accept beyond “patched” and “not applicable”. There probably does need to be a “reviewed and don’t consider this a problem” which feels like ‘ignored’ but I’m not a fan of that precise word.

Is there any defined language that we can simply adopt?

Cheers,
Ross


* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-09  9:02         ` Ross Burton
@ 2023-05-09  9:16           ` Richard Purdie
  2023-05-09  9:32           ` Mikko Rapeli
  1 sibling, 0 replies; 73+ messages in thread
From: Richard Purdie @ 2023-05-09  9:16 UTC (permalink / raw)
  To: Ross Burton, adrian.freihofer; +Cc: Valek, Andrej, openembedded-core

On Tue, 2023-05-09 at 09:02 +0000, Ross Burton wrote:
> On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org <adrian.freihofer=gmail.com@lists.openembedded.org> wrote:
> > The patch from Andrej tries to solve a real issue: The CVE checker
> > distinguishes between two types of patches. Ignored (= not applicable)
> > and patched. Patching is only supported by adding a real patch file to
> > the SRC_URI. However, there are other ways a patch can be implemented.
> > For example, a recipe that uses the git fetcher would update the git
> > hash to a commit that contains a fix instead of applying a patch file
> > to the recipe.
> > 
> > But I fully agree that the comment (originally suggested by me when
> > Andrej and I were discussing the solution) is bad. Maybe it should read
> > as follows:
> > 
> > Normally, a CVE is treated as patched when a patch with the name of the
> > CVE is applied. CVE_CHECK_PATCHED allows extending the list of patched
> > CVEs without adding a patch file to SRC_URI.
> > 
> > Regarding the SBOM: It is important for customers that the CVEs of a
> > product with SBOM can be correctly identified as repaired or as
> > ignored. However, I'm not sure if the SBOM part is properly addressed
> > by the patch. The create-spdx.bbclass uses the function
> > oe.cve_check.get_patched_cves(d) which should probably handle the new
> > variable as well. We will check that and come up with a V2.
> 
> So I’d suggest we deprecate CVE_CHECK_IGNORE and add a new, more
> flexible, variable instead.
> 
> How about a CVE_STATUS, which doesn’t have a direct value but has
> flags for each CVE:
> 
> # We moved to a git SHA that incorporates the fix
> CVE_STATUS[CVE-1234-0001] = "Patched"
> 
> # We disabled frobnicate
> CVE_STATUS[CVE-1234-0002] = "Patched"
> 
> # This is Windows-specific
> CVE_STATUS[CVE-1234-0003] = "Not Applicable"
> 
> I’m not sure of the exact list of values the flags should accept
> beyond “patched” and “not applicable”. There probably does need to be
> a “reviewed and don’t consider this a problem” which feels like
> ‘ignored’ but I’m not a fan of that precise word.
> 
> Is there any defined language that we can simply adopt?

The question is probably what actions might someone want to take? We
might want to separate out "N/A - configuration disabled" from "N/A -
OS mismatch" and "CPE incorrect" for example?

The reason being that someone would then know to look at things more
closely if they were changing configuration, or building windows
binaries?

Given we already put fairly robust reasoning in comments already,
should we capture that in a variable too?

CVE_STATUS_REASONING[CVE-1234-0003] = "issue only applies on windows"

Cheers,

Richard (thinking out loud)





* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-09  9:02         ` Ross Burton
  2023-05-09  9:16           ` Richard Purdie
@ 2023-05-09  9:32           ` Mikko Rapeli
  2023-05-09 21:37             ` Douglas Royds
  1 sibling, 1 reply; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-09  9:32 UTC (permalink / raw)
  To: Ross Burton
  Cc: adrian.freihofer, Richard Purdie, Valek, Andrej, openembedded-core

Hi,

On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:
> On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org <adrian.freihofer=gmail.com@lists.openembedded.org> wrote:
> > The patch from Andrej tries to solve a real issue: The CVE checker
> > distinguishes between two types of patches. Ignored (= not applicable)
> > and patched. Patching is only supported by adding a real patch file to
> > the SRC_URI. However, there are other ways a patch can be implemented.
> > For example, a recipe that uses the git fetcher would update the git
> > hash to a commit that contains a fix instead of applying a patch file
> > to the recipe.
> > 
> > But I fully agree that the comment (originally suggested by me when
> > Andrej and I were discussing the solution) is bad. Maybe it should read
> > as follows:
> > 
> > Normally, a CVE is treated as patched when a patch with the name of the
> > CVE is applied. CVE_CHECK_PATCHED allows extending the list of patched
> > CVEs without adding a patch file to SRC_URI.
> > 
> > Regarding the SBOM: It is important for customers that the CVEs of a
> > product with SBOM can be correctly identified as repaired or as
> > ignored. However, I'm not sure if the SBOM part is properly addressed
> > by the patch. The create-spdx.bbclass uses the function
> > oe.cve_check.get_patched_cves(d) which should probably handle the new
> > variable as well. We will check that and come up with a V2.
> 
> So I’d suggest we deprecate CVE_CHECK_IGNORE and add a new, more flexible, variable instead.

Flexible but useful and with clear definitions and checks which make
sure that only those definitions are used.

> How about a CVE_STATUS, which doesn’t have a direct value but has flags for each CVE:
> 
> # We moved to a git SHA that incorporates the fix
> CVE_STATUS[CVE-1234-0001] = "Patched"
> 
> # We disabled frobnicate
> CVE_STATUS[CVE-1234-0002] = "Patched"
> 
> # This is Windows-specific
> CVE_STATUS[CVE-1234-0003] = "Not Applicable"
> 
> I’m not sure of the exact list of values the flags should accept beyond “patched” and “not applicable”. There probably does need to be a “reviewed and don’t consider this a problem” which feels like ‘ignored’ but I’m not a fan of that precise word.

Sounds ok as long as the output reports are as easy to read as now.

> Is there any defined language that we can simply adopt?

Since a lot of people talk about SPDX solving these issues would be nice
to know how that is going to work. I can't parse
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
and figure out how to mark a CVE issue which has been ignored after
analysis.

Debian has a bit more complex state for each CVE (and also non-CVE
security issues) which relates to package and distro versions.
I did not find clear definition of the states but at least
https://security-tracker.debian.org/tracker/data/json has the raw data
available.

Ubuntu seems to follow Debian a bit but then also adds more complex
states in the (at least) public database at
https://ubuntu.com/security/cves?q=CVE-2023-26117&package=&priority=&version=&status=

I think the data coming from CVE checker needs to serve the needs of the
distro maintainers so that their life is easier. SPDX and SBOM are
supposed to help but I'm afraid that they don't unless they actually
help with the maintenance and start to solve the problems there.

I'm used to the CVE checker ignore list (previously whitelist) and know
how to use it. Whether the data comes per CVE or as lists for each of the
state as variables is a small detail, as long as the generated report is
readable.

Cheers,

-Mikko



* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-09  9:32           ` Mikko Rapeli
@ 2023-05-09 21:37             ` Douglas Royds
  2023-05-10  6:56               ` Mikko Rapeli
  0 siblings, 1 reply; 73+ messages in thread
From: Douglas Royds @ 2023-05-09 21:37 UTC (permalink / raw)
  To: Mikko Rapeli; +Cc: openembedded-core


On 9/05/23 9:32 pm, Mikko Rapeli wrote:
> On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:
>> On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org<adrian.freihofer=gmail.com@lists.openembedded.org>  wrote:
>> Is there any defined language that we can simply adopt?
> Since a lot of people talk about SPDX solving these issues would be nice
> to know how that is going to work. I can't parse
> https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
> and figure out how to mark a CVE issue which has been ignored after
> analysis.


Perhaps this?

https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k16-linking-to-a-vulnerability-disclosure-document

    To communicate that a package is not vulnerable to a specific
    vulnerability it is recommended to reference a web page indicating
    why given vulnerabilities are not applicable.

    "externalRefs" : [ {
        "referenceCategory" : "SECURITY",
        "referenceLocator" : "https://example.com/product-x/security-info.html",
        "referenceType" : "advisory"
    } ]



* Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
  2023-05-09 21:37             ` Douglas Royds
@ 2023-05-10  6:56               ` Mikko Rapeli
  0 siblings, 0 replies; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-10  6:56 UTC (permalink / raw)
  To: Douglas Royds; +Cc: openembedded-core

Hi,

On Wed, May 10, 2023 at 09:37:13AM +1200, Douglas Royds wrote:
> On 9/05/23 9:32 pm, Mikko Rapeli wrote:
> > On Tue, May 09, 2023 at 09:02:59AM +0000, Ross Burton wrote:
> > > On 8 May 2023, at 09:57, Adrian Freihofer via lists.openembedded.org<adrian.freihofer=gmail.com@lists.openembedded.org>  wrote:
> > > Is there any defined language that we can simply adopt?
> > Since a lot of people talk about SPDX solving these issues would be nice
> > to know how that is going to work. I can't parse
> > https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue
> > and figure out how to mark a CVE issue which has been ignored after
> > analysis.
> 
> 
> Perhaps this?
> 
> https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k16-linking-to-a-vulnerability-disclosure-document
> 
>    To communicate that a package is not vulnerable to a specific
>    vulnerability it is recommended to reference a web page indicating
>    why given vulnerabilities are not applicable.
> 
>    "externalRefs" : [ {
>        "referenceCategory" : "SECURITY",
>        "referenceLocator" : "https://example.com/product-x/security-info.html",
>        "referenceType" : "advisory"
>    } ]

Thanks but IMO this does not encode the information that analysis has been
done and the issue can safely be ignored, but I'm not an SPDX expert,
and frankly I should not need to be.

In recipes, the CVE_CHECK_IGNORE variable's ignore list is clear, obvious, and there
is usually a comment or a commit message explaining why. And
the reports generated by cve-check.bbclass for recipes and images show that the
CVE issue can be ignored and the maintainer should check the CVEs with
"Unpatched" status instead.

Would be nice for these tools to firstly support yocto upstream stable
and LTS maintainers work in detecting and fixing CVE issues, and secondly
support maintaining CVE security issue/patching status of older releases
with complex layer configurations, when anyone has to use an old release due to
BSP etc dependencies (fact of life which IMO should not be completely ignored).

I have backported the cve-check.bbclass and other CVE management related patches
to really old yocto releases and these frankly saved the product from being
the usual embedded SW security nightmare to actually having only a few
minor known CVE patching issues when shipping to customers. Older
versions of the SPDX standard and open source license checks helped to
identify embedded open source SW but did not really help in the yocto
operating system/rootfs side CVE security patching.

Cheers,

-Mikko



* [OE-core][PATCH v2] cve-check: add option to add additional patched CVEs
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
  2023-05-05 11:30 ` Richard Purdie
  2023-05-09  8:19 ` Michael Opdenacker
@ 2023-05-17  5:41 ` Andrej Valek
  2023-05-17 11:08   ` Mikko Rapeli
  2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
                   ` (5 subsequent siblings)
  8 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-05-17  5:41 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored" or "Not applicable". It allows adding a status for CVEs
which could be fixed externally.
- The optional CVE_STATUS_REASONING flag variable can contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Example of usage:
CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/classes/cve-check.bbclass | 30 +++++++++++++++++++++++++-----
 meta/lib/oe/cve_check.py       |  6 ++++++
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..e081095037c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,13 +70,17 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Ignore the check for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason, why it has to ignored.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
+# CVE_STATUS[CVE-1234-0002] = "Ignored"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
 #
+# CVE_CHECK_IGNORE is depracated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE like a fallback.
 CVE_CHECK_IGNORE ?= ""
+CVE_STATUS ?= ""
 
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
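Review bot: the new header comment needs a pass: `depracated` in the `CVE_CHECK_IGNORE is depracated` line, and `Each of CVE has to be mentioned separately with optional reason, why it has to ignored` reads better as `Each CVE has to be listed separately, with an optional reason why it is ignored`. The example `CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"` is not a valid assignment as written; show one value per line, as the next example line does. `CVE_STATUS ?= ""` sets the variable's content, while the code only ever reads its flags via getVarFlags, so that default adds nothing and can be dropped.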
@@ -88,6 +92,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    for cve in d.getVar("CVE_CHECK_IGNORE").split():
+        d.setVarFlags("CVE_STATUS", {cve: "Ignored"})
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
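Review bot: the fallback in the anonymous python function overrides any explicit CVE_STATUS flag for a CVE that is also listed in CVE_CHECK_IGNORE, since `d.setVarFlags("CVE_STATUS", {cve: "Ignored"})` replaces that flag unconditionally; only set it when `d.getVarFlag("CVE_STATUS", cve)` is unset, and emit a deprecation warning so users learn to migrate. For a single flag, `d.setVarFlag("CVE_STATUS", cve, "Ignored")` is the simpler call.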
@@ -282,7 +292,11 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status in ["Not applicable", "Ignored"]:
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
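Review bot: the loop in check_cves accepts any status string: a typo such as `Ignore` or an unexpected value is neither ignored nor reported, so the CVE silently falls through to the normal version check. Add an `else` branch that calls `bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))` for values outside the accepted set, and keep that set in one place so the patched-CVE lookup in cve_check.py uses the same list.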
@@ -455,6 +469,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         else:
             unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
+        has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if has_reason:
+            write_string += "CVE REASON: %s\n" % has_reason
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
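Review bot: `has_reason` holds the reason text rather than a boolean, so `reason` would be the clearer name here and in the JSON writer. Also worth noting that the text report prints `CVE STATUS: Ignored` for both `"Not applicable"` and `"Ignored"` (check_cves collapses them into `cve_ignore`), so the distinction the commit message introduces is not visible in the report; either carry the original status through or document that the two collapse.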
@@ -576,6 +593,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if has_reason:
+            cve_item["reason"] = has_reason
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
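Review bot: the commit message says the reason lands in the csv/json report, but the two writers touched by this patch are cve_write_data_text and cve_write_data_json; there is no csv writer in this diff, so the message should say text/json. Because `reason` is only added when set, consumers of the JSON must treat the key as optional; always emitting it, with `""` when unset, gives a stable per-issue schema.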
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a3..f47dd9920ef 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
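Review bot: this hunk introduces a third accepted value, `Patched`, which neither the header comment in cve-check.bbclass (which lists only `Not applicable` and `Ignored`) nor the commit message mentions, and which check_cves does not validate. Document it alongside the others, and since CVE_STATUS set in a distro-wide include applies to every recipe, say in the comment that a `Patched` entry placed there marks the CVE as patched for all recipes matching it.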
 
 
-- 
2.40.1




* Re: [OE-core][PATCH v2] cve-check: add option to add additional patched CVEs
  2023-05-17  5:41 ` [OE-core][PATCH v2] " Andrej Valek
@ 2023-05-17 11:08   ` Mikko Rapeli
  0 siblings, 0 replies; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-17 11:08 UTC (permalink / raw)
  To: andrej.valek; +Cc: openembedded-core

Hi,

On Wed, May 17, 2023 at 07:41:38AM +0200, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> values "Ignored" or "Not applicable". It allows adding a status for CVEs
> which could be fixed externally.
> - The optional CVE_STATUS_REASONING flag variable could contain a reason
> why the CVE status was used. It will be added to the csv/json report as
> a new "reason" entry.
> - All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" as a fallback.
> 
> Example of usage:
> CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"

Looks good to me but would you add testing into
meta/lib/oeqa/selftest/cases/cve_check.py ?

And once merged update documentation in
documentation/dev-manual/vulnerabilities.rst,
documentation/ref-manual/classes.rst and
documentation/ref-manual/variables.rst ;)

Thanks,

-Mikko

> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  meta/classes/cve-check.bbclass | 30 +++++++++++++++++++++++++-----
>  meta/lib/oe/cve_check.py       |  6 ++++++
>  2 files changed, 31 insertions(+), 5 deletions(-)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..e081095037c 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -70,13 +70,17 @@ CVE_CHECK_COVERAGE ??= "1"
>  # Skip CVE Check for packages (PN)
>  CVE_CHECK_SKIP_RECIPE ?= ""
>  
> -# Ingore the check for a given list of CVEs. If a CVE is found,
> -# then it is considered patched. The value is a string containing
> -# space separated CVE values:
> +# Ignore the check for a given CVE. Each of CVE has to be mentioned
> +# separately with optional reason, why it has to ignored.
>  #
> -# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
> +# CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
> +# CVE_STATUS[CVE-1234-0002] = "Ignored"
> +# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
>  #
> +# CVE_CHECK_IGNORE is depracated and CVE_STATUS has to be used instead.
> +# Keep CVE_CHECK_IGNORE like a fallback.
>  CVE_CHECK_IGNORE ?= ""
> +CVE_STATUS ?= ""
>  
>  # Layers to be excluded
>  CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> @@ -88,6 +92,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>  # set to "alphabetical" for version using single alphabetical character as increment release
>  CVE_VERSION_SUFFIX ??= ""
>  
> +python () {
> +    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
> +    for cve in d.getVar("CVE_CHECK_IGNORE").split():
> +        d.setVarFlags("CVE_STATUS", {cve: "Ignored"})
> +}
> +
>  def generate_json_report(d, out_path, link_path):
>      if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>          import json
> @@ -282,7 +292,11 @@ def check_cves(d, patched_cves):
>          bb.note("Recipe has been skipped by cve-check")
>          return ([], [], [], [])
>  
> -    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
> +    # Convert CVE_STATUS into ignored CVEs
> +    cve_ignore = []
> +    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> +        if status in ["Not applicable", "Ignored"]:
> +            cve_ignore.append(cve)
>  
>      import sqlite3
>      db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
> @@ -455,6 +469,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
>          else:
>              unpatched_cves.append(cve)
>              write_string += "CVE STATUS: Unpatched\n"
> +        has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
> +        if has_reason:
> +            write_string += "CVE REASON: %s\n" % has_reason
>          write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
>          write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
>          write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
> @@ -576,6 +593,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
>              "status" : status,
>              "link": issue_link
>          }
> +        has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
> +        if has_reason:
> +            cve_item["reason"] = has_reason
>          cve_list.append(cve_item)
>  
>      package_data["issue"] = cve_list
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index dbaa0b373a3..f47dd9920ef 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -130,6 +130,12 @@ def get_patched_cves(d):
>          if not fname_match and not text_match:
>              bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>  
> +    # Search for additional patched CVEs
> +    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> +        if status == "Patched":
> +            bb.debug(2, "CVE %s is additionally patched" % cve)
> +            patched_cves.add(cve)
> +
>      return patched_cves
>  
>  
> -- 
> 2.40.1
> 





* [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (2 preceding siblings ...)
  2023-05-17  5:41 ` [OE-core][PATCH v2] " Andrej Valek
@ 2023-05-19  6:24 ` Andrej Valek
  2023-05-19  6:56   ` Mikko Rapeli
                     ` (2 more replies)
  2023-05-19  6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
                   ` (4 subsequent siblings)
  8 siblings, 3 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-19  6:24 UTC (permalink / raw)
  To: openembedded-core; +Cc: mikko.rapeli, Andrej Valek, Peter Marko

- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.
- The optional CVE_STATUS_REASONING flag variable may contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Not applicable"
CVE_STATUS_WIN[reason] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[reason] = "Fixed externally"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 documentation/dev-manual/new-recipe.rst      |  4 +-
 documentation/dev-manual/vulnerabilities.rst | 11 ++---
 documentation/ref-manual/classes.rst         |  9 ++--
 documentation/ref-manual/variables.rst       | 33 ++++++++++++---
 meta/classes/cve-check.bbclass               | 44 +++++++++++++++++---
 meta/lib/oe/cve_check.py                     |  6 +++
 6 files changed, 87 insertions(+), 20 deletions(-)

diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst
index 4e74246a4e9..008f4b1ceb7 100644
--- a/documentation/dev-manual/new-recipe.rst
+++ b/documentation/dev-manual/new-recipe.rst
@@ -1253,8 +1253,8 @@ In the following example, ``lz4`` is a makefile-based package::
 
    S = "${WORKDIR}/git"
 
-   # Fixed in r118, which is larger than the current version.
-   CVE_CHECK_IGNORE += "CVE-2014-4715"
+   CVE_STATUS[CVE-2014-4715] = "Patched"
+   CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version"
 
    EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
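Review bot: the replacement reason `Fixed in r118, which is larger than the current version` reads as if the fix lives in a release newer than the one being built, which contradicts the `Patched` status it now accompanies. If the point is that the recipe's version already contains the r118 fix but the version strings compare the wrong way, state that explicitly in the reason; otherwise `Patched` is the wrong status for this entry.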
diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
index 0ee3ec52c5c..ca1ea87ba7e 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -158,7 +158,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa
 in the generated reports.
 
 If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
-version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable.
+version or other reasons, the CVE can be marked as ``Ignored`` or ``Not applicable`` using
+the :term:`CVE_STATUS[]` variable flag.
 As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those
 issues in the CVE database directly.
 
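Review bot: `:term:`CVE_STATUS[]`` will not resolve, because the glossary term is `CVE_STATUS` and the role has to match the term name exactly; use `:term:`CVE_STATUS`` and describe the flag syntax in prose, e.g. "using the ``CVE_STATUS[<CVE ID>]`` variable flag".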
@@ -182,11 +183,11 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
 -  If the package name (:term:`PN`) is part of
    :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
 
--  If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is
-   set as ``Ignored``.
+-  If the CVE ID has status :term:`CVE_STATUS[<CVE ID>] = "Ignored"`, it is
+   set as ``Ignored`` as same as for :term:`CVE_STATUS[<CVE ID>] = "Not applicable"`.
 
--  If the CVE ID is part of the patched CVE for the recipe, it is
-   already considered as ``Patched``.
+-  If the CVE ID is part of the patched CVE for the recipe or has status
+   :term:`CVE_STATUS[<CVE ID>] = "Patched"`, it is considered as ``Patched``.
 
 -  Otherwise, the code checks whether the recipe version (:term:`PV`)
    is within the range of versions impacted by the CVE. If so, the CVE
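Review bot: same problem as in the previous hunk: `:term:`CVE_STATUS[<CVE ID>] = "Ignored"`` and its `"Not applicable"` and `"Patched"` variants put the whole assignment inside the role, so all three references will be unresolved in the built docs. Write the assignment as a literal, e.g. ``CVE_STATUS[<CVE ID>] = "Ignored"``, and link :term:`CVE_STATUS` once. `as same as for` should read `just as for`.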
diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
index ab1628401e9..2811244b8f7 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -517,10 +517,13 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma
 ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
 CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
 
-If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
-as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
+If the recipe adds the ``CVE-ID`` as flag of :term:`CVE_STATUS` variable with status
+``Ignored`` or ``Not applicable``, then the CVE state is reported as ``Ignored``.
 
-   CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+   CVE_STATUS[CVE-2020-15523] = "Ignored"
+
+Possible CVE's statuses are ``Ignored``, ``Not applicable`` and ``Patched``.
+Check :ref:`ref-variables-CVE_STATUS` for more details.
 
 If CVE check reports that a recipe contains false positives or false negatives, these may be
 fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
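Review bot: the sentence ending `then the CVE state is reported as ``Ignored``.` dropped the `::` that the old text had, so the indented `CVE_STATUS[CVE-2020-15523] = "Ignored"` line will render as a block quote rather than a literal block; end the sentence with `Example::` as before. `Possible CVE's statuses` should be `Possible CVE statuses`.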
diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
index 6ee65e17884..cd5f1d65d27 100644
--- a/documentation/ref-manual/variables.rst
+++ b/documentation/ref-manual/variables.rst
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents.
          and kernel module recipes).
 
    :term:`CVE_CHECK_IGNORE`
-      The list of CVE IDs which are ignored. Here is
-      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
-
-         # This is windows only issue.
-         CVE_CHECK_IGNORE += "CVE-2020-15523"
+      Is deprecated and should be replaced by :term:`CVE_STATUS`
 
    :term:`CVE_CHECK_SHOW_WARNINGS`
       Specifies whether or not the :ref:`ref-classes-cve-check`
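Review bot: the CVE_CHECK_IGNORE glossary entry is now a sentence fragment (`Is deprecated and should be replaced by :term:`CVE_STATUS``). Make it a full sentence and say what the fallback does, e.g. `Deprecated; CVEs listed here are treated as ``CVE_STATUS[<CVE ID>] = "Ignored"``. Use :term:`CVE_STATUS` instead.`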
@@ -1698,6 +1694,33 @@ system and gives an overview of their function and contents.
 
          CVE_PRODUCT = "vendor:package"
 
+   :term:`CVE_STATUS`
+      The CVE ID which is patched or should be ignored. Here is
+      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
+
+         CVE_STATUS[CVE-2020-15523] = "Ignored"
+
+      Possible CVE's statuses ``Ignored``, ``Not applicable`` or ``Patched``, while the ``reasoning``
+      is optional.
+
+   :term:`CVE_STATUS_GROUPS`
+      If there is a many CVEs with the same status and reason can by simplified by using this
+      variable instead of many similar lines with ``CVE_STATUS`` and ``CVE_STATUS_REASONING``
+
+         CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+         CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
+         CVE_STATUS_WIN[status] = "Not applicable"
+         CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
+
+         CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
+         CVE_STATUS_PATCHED[status] = "Patched"
+         CVE_STATUS_PATCHED[reason] = "Fixed externally"
+
+   :term:`CVE_STATUS_REASONING`
+      Optional explanation for :term:`CVE_STATUS`
+
+         CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows"
+
    :term:`CVE_VERSION`
       In a recipe, defines the version used to match the recipe version
       against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
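Review bot: the CVE_STATUS_GROUPS and CVE_STATUS_REASONING entries have indented example blocks with no preceding `::`, so they will not render as literal blocks (the CVE_STATUS entry above gets this right). The sentence `If there is a many CVEs with the same status and reason can by simplified` needs rewording, and `while the ``reasoning`` is optional` should name the actual variable, :term:`CVE_STATUS_REASONING`. The CVE_STATUS_GROUPS entry should also state that each group variable needs a `[status]` flag and that `[reason]` is optional, since that is what the anonymous function in cve-check.bbclass reads.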
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..44462de7445 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
+# CVE_STATUS[CVE-1234-0002] = "Not applicable"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
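Review bot: `Each of CVE has to be mentioned separately` should be `Each CVE has to be listed separately`. This header is where users look for the supported variables, so CVE_STATUS_GROUPS, which the anonymous function below processes, deserves a mention here too.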
@@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
+        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        set_cves_statuses(d, d.getVar(cve_status_group) or "",
+                          d.getVarFlag(cve_status_group, "status"),
+                          d.getVarFlag(cve_status_group, "reason"))
+}
+
+def set_cves_statuses(d, cves, status, reason=""):
+    for cve in cves.split():
+        d.setVarFlag("CVE_STATUS", cve, status)
+        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
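Review bot: set_cves_statuses overwrites unconditionally, so the CVE_CHECK_IGNORE fallback and the group processing replace an explicit `CVE_STATUS[<CVE>]` set directly in a recipe, and a group without a `[reason]` flag wipes an existing `CVE_STATUS_REASONING[<CVE>]` with `""`. Skip CVEs that already have a status flag (or at least do not clear the reason when `reason` is empty), and fail early with `bb.error` naming the group when a variable listed in CVE_STATUS_GROUPS has no `[status]` flag, instead of storing `None`. Minor: `cve_check_ignore` already holds `d.getVar("CVE_CHECK_IGNORE")`, so pass that; and the bb.warn fires once per recipe parse while a distro-wide CVE_CHECK_IGNORE is set, which will be noisy until 3/3 lands.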
@@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status in ["Not applicable", "Ignored"]:
+            cve_ignore.append(cve)
+        elif status not in ["Patched"]:
+            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
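Review bot: `elif status not in ["Patched"]` is just `elif status != "Patched"`. More importantly, this validation runs only in do_cve_check, so a mistyped status in a recipe is not caught at parse time, and recipes skipped via CVE_CHECK_SKIP_RECIPE return before reaching it. Moving the check into the anonymous python function (over `d.getVarFlags("CVE_STATUS")`) would report bad values for every recipe at parse.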
@@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         else:
             unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            write_string += "CVE REASON: %s\n" % reasoning
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
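Review bot: the text report still prints `CVE STATUS: Ignored` for both `Ignored` and `Not applicable`, because check_cves collapses them into `cve_ignore`, so the new `CVE REASON:` line is the only trace of why a CVE was dropped. If the two statuses are meant to be distinct, carry the original status through to `CVE STATUS:`; otherwise document that both are reported as Ignored.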
@@ -576,6 +607,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            cve_item["reason"] = reasoning
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
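Review bot: `reason` is added to the JSON item only when set, so the key is optional and every consumer (including the selftest in 2/3) has to guard for its absence; always emitting it, with `""` when unset, keeps the per-issue schema fixed.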
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a3..f47dd9920ef 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
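Review bot: a `Patched` status read here is global: set in a distro include such as cve-extra-exclusions.inc, it marks the CVE as patched for every recipe whose CVE_PRODUCT matches, not only the recipe that carries the fix. The same was true of CVE_CHECK_IGNORE, but `Patched` is a stronger claim, so the variables.rst entry should say where this status is expected to be set (recipe versus distro configuration).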
 
 
-- 
2.40.1




* [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (3 preceding siblings ...)
  2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
@ 2023-05-19  6:24 ` Andrej Valek
  2023-05-19  6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
                   ` (3 subsequent siblings)
  8 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-19  6:24 UTC (permalink / raw)
  To: openembedded-core; +Cc: mikko.rapeli, Andrej Valek

- After introducing the CVE_STATUS_REASONING flag variable, CVEs could
contain a reason for assigned statuses.
- Add an example conversion in logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 20 ++++++++++++++-----
 .../logrotate/logrotate_3.21.0.bb             |  6 ++++--
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c8..ea37beba031 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,28 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "reason" : issue["reason"] if "reason" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0)
+            reason = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
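Review bot: `issue["reason"] if "reason" in issue else ""` is `issue.get("reason", "")`. The test also checks the reason only through the JSON summary; since 1/3 adds a `CVE REASON:` line to the text report as well, an assertion on the text output would cover that path too.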
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60f..633987ceed6 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,10 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
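Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses plain assignment, which replaces whatever the distro configuration put in CVE_STATUS_GROUPS (3/3 uses `+=` in cve-extra-exclusions.inc), so distro-level groups are not processed for this recipe. Use `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"`, and since this recipe will be copied as the reference example, a more specific group name avoids clashes with bbappends that add their own groups.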
-- 
2.40.1




* [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (4 preceding siblings ...)
  2023-05-19  6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
@ 2023-05-19  6:24 ` Andrej Valek
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (2 subsequent siblings)
  8 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-19  6:24 UTC (permalink / raw)
  To: openembedded-core; +Cc: mikko.rapeli, Andrej Valek, Peter Marko

- Try to convert and apply statuses for old CVEs

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 281 +++++++++++-------
 meta/recipes-bsp/grub/grub2.inc               |   9 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   4 +-
 .../recipes-connectivity/bind/bind_9.18.13.bb |   3 +-
 .../bluez5/bluez5_5.66.bb                     |   6 +-
 .../openssh/openssh_9.3p1.bb                  |  12 +-
 .../openssl/openssl_3.1.0.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.1.bb  |   3 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  12 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   3 +-
 meta/recipes-core/systemd/systemd_253.3.bb    |   4 +-
 meta/recipes-devtools/cmake/cmake.inc         |   5 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   3 +-
 meta/recipes-devtools/gcc/gcc-12.2.inc        |   3 -
 meta/recipes-devtools/git/git_2.39.2.bb       |  12 +-
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   6 +-
 .../recipes-devtools/python/python3_3.11.2.bb |  18 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 +-
 meta/recipes-extended/cpio/cpio_2.13.bb       |   4 +-
 meta/recipes-extended/cups/cups.inc           |  24 +-
 .../ghostscript/ghostscript_10.0.0.bb         |   3 +-
 .../iputils/iputils_20221126.bb               |   7 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   4 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 +-
 meta/recipes-extended/shadow/shadow_4.13.bb   |   8 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   3 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   8 +-
 .../libnotify/libnotify_0.8.2.bb              |   4 +-
 meta/recipes-gnome/librsvg/librsvg_2.54.5.bb  |   4 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  13 +-
 .../linux/cve-exclusion_6.1.inc               |  14 +-
 .../libpng/libpng_1.6.39.bb                   |   4 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.1.bb             |   6 +-
 .../recipes-support/libxslt/libxslt_1.1.37.bb |   5 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   4 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |  13 +-
 41 files changed, 325 insertions(+), 230 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ca75bae3ef..1cb32db814d 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -19,7 +19,8 @@
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
 # broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
+CVE_STATUS[CVE-2000-0006] = "Ignored"
+CVE_STATUS_REASONING[CVE-2000-0006] = "CVE is more than 20 years old with no resolution evident."
 
 # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
 # The issue here is spoofing of domain names using characters from other character sets.
@@ -28,31 +29,39 @@ CVE_CHECK_IGNORE += "CVE-2000-0006"
 # there is unlikely ever to be a single fix to webkit or epiphany which addresses this
 # problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
 # we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
+CVE_STATUS[CVE-2005-0238] = "Ignored"
+CVE_STATUS_REASONING[CVE-2005-0238] = "There isn't any mitigation or fix or way to progress this further."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
 # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
 # Upstream don't see it as a security issue, ftp servers shouldn't be passing
 # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
+CVE_STATUS[CVE-2010-4756] = "Ignored"
+CVE_STATUS_REASONING[CVE-2010-4756] = "Upstream have no plans to add BSD's GLOB_LIMIT or similar."
 
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
 # The encoding/xml package in go can potentially be used for security exploits if not used correctly
 # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
 # exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS[CVE-2020-29509] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-29509] = "We don't ship anything exposing this interface in an exploitable way."
+CVE_STATUS[CVE-2020-29511] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-29511] = "We don't ship anything exposing this interface in an exploitable way."
 
 # db
 # Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
 # supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "Ignored"
+CVE_STATUS_DB[reason] = "Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives"
 
 #
 # Kernel CVEs, e.g. linux-yocto*
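Review bot: CVE_STATUS_REASONING[CVE-2020-29509] and CVE_STATUS_REASONING[CVE-2020-29511] carry the identical string; since this hunk already introduces CVE_STATUS_GROUPS for the db CVEs, the two go CVEs could be a group with a single [status] and [reason], which keeps them in step if the wording changes later. Minor: CVE_STATUS_DB[reason] is the only reasoning string in this hunk without a trailing period.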
@@ -65,60 +74,77 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2019 CVE_STATUS_KERNEL_2020"
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "Ignored"
+
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "Ignored"
+
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+                          CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559"
+CVE_STATUS_KERNEL_2018[status] = "Ignored"
+
 # 2019
-CVE_CHECK_IGNORE += "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887"
+CVE_STATUS_KERNEL_2019 = "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887"
+CVE_STATUS_KERNEL_2019[status] = "Ignored"
+
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "Ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
-# Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
-# Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
+# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
+CVE_STATUS[CVE-2020-27784] = "Patched"
+CVE_STATUS_REASONING[CVE-2020-27784] = "Backported in version v5.4.73"
 
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "Ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "Patched"
https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "Patched"
+CVE_STATUS_REASONING[CVE-2021-3759] = "Backported in versions v5.4.224 and v5.10.154"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "Patched"
 
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "Ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
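Review bot: the CVE_STATUS_KERNEL_2010 through CVE_STATUS_KERNEL_2020 groups set only `[status] = "Ignored"` with no `[reason]`, unlike CVE_STATUS_DB in the previous hunk, so these kernel CVEs are left without a recorded justification. The comment block directly above already states why they are ignored (CPE entries that need cleaning up with NIST); carrying that into a group-level `[reason]` for each of the five groups, and for CVE_STATUS_KERNEL_2021 and CVE_STATUS_KERNEL_2022 further down, would make the status self-explanatory. Also, the `CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 ..."` line sits directly under the closing `#` of that comment block; a blank line there would match the spacing used for the other groups.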
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -126,7 +152,8 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-1184] = "Backported in versions v5.4.198, v5.10.121 and v5.15.46"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -134,7 +161,8 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-1462] = "Backported in versions v5.4.208, v5.10.134 and v5.15.58"
https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -144,19 +172,21 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2196] = "Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2308] = "Backported in versions v5.15.72 and v5.19.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
@@ -165,19 +195,22 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2663] = "Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2785] = "Backported in version v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3176] = "Backported in version v5.15.65"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -186,7 +219,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3424] = "Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -197,13 +231,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3435] = "Backported in versions v5.4.226, v5.10.158 and v5.15.82"
https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3526] = "Backported in version v5.15.35"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -211,20 +247,23 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3534] = "Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3564] = "Backported in versions v5.10.154 and v5.15.78"
https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3619] = "Backported in version v5.15.78"
https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
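Review bot: the CVE-2022-3621 comment reads "Introduced in version v2.60.30"; no such kernel version exists and v2.6.30 is almost certainly meant. Since the patch already normalises version strings in comparable comment lines (CVE-2023-0386 onwards), this one is worth fixing in the same pass.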
@@ -233,7 +272,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3621] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -242,12 +282,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3623] = "Backported in versions v5.4.228, v5.10.159, v5.15.78 and v5.19.17"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -256,7 +297,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3625] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -265,13 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3629] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3630] = "Backported in version v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -280,7 +324,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3633] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -289,12 +334,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3635] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -305,7 +351,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3640] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -314,7 +361,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3646] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -323,7 +371,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3649] = "Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16"
https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -332,7 +381,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-4382] = "Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -340,7 +390,8 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-26365] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -348,7 +399,8 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-33740] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -356,7 +408,8 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-33741] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -364,15 +417,17 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-33742] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-42895] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -380,7 +435,8 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-42896] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 
 # 2023
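Review bot: CVE_STATUS_REASONING[CVE-2022-42896] says "Backported in versions v5.4.224, v5.10.154 and v5.15.78", but the context line above records the 5.4 backport as v5.4.226 (0d87bb6070361e5d1d9cb391ba7ee73413bc109b). The reasoning string looks copied from the CVE-2022-42895 entry; it should read v5.4.226 unless the comment is the one in error.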
@@ -390,14 +446,16 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0179] = "Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0266] = "Backported in versions v5.15.88 and v6.1.6"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -406,7 +464,8 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0394] = "Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -415,28 +474,32 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0461] = "Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0386] = "Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1073] = "Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1074] = "Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
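Review bot: CVE_STATUS_REASONING[CVE-2023-0461] lists v6.1.7, but the comment line above records the 6.1 backport as v6.1.5 (7d242f4a0c8319821548c7176c09a6e0e71f223c); the reasoning string should read v6.1.5, or the comment needs correcting.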
@@ -445,19 +508,22 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1076] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1077] = "Backported in versions v5.15.99 and v6.1.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1078] = "Backported in versions v5.15.94 and v6.1.12"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -466,7 +532,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1079] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -476,7 +543,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1118] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -484,7 +552,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1281] = "Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -492,7 +561,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1513] = "Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -500,7 +570,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1652] = "Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -511,7 +582,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1829] = "Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -521,7 +593,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
 # > in which a user can cause the alloc_memory_type error case to be reached.
 # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
 # We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-23005] = "Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-28466
 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
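Review bot: the status on the `+CVE_STATUS[CVE-2023-23005] = "Patched"` line contradicts its own reasoning and the retained context comment ("We can safely ignore it."): a CVE that is disputed because the error path cannot be reached has not been fixed, so marking it "Patched" would tell a report consumer the kernel carries a fix it does not have. Use `CVE_STATUS[CVE-2023-23005] = "Ignored"` (or whatever status this series uses for disputed/not-a-bug entries) and keep the reasoning as written.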
@@ -529,31 +602,33 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
 # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
 # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-28466] = "Backported in versions v5.15.105, v6.1.20 and v6.2.7"
 
 # Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
 # Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
+CVE_STATUS[CVE-2022-3563] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-3563] = "Wrong CPE in NVD database"
+CVE_STATUS[CVE-2022-3637] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-3637] = "Wrong CPE in NVD database"
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
 # qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
+CVE_STATUS[CVE-2021-20255] = "Ignored"
+CVE_STATUS_REASONING[CVE-2021-20255] = "Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
 # There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
 # still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
+CVE_STATUS[CVE-2019-12067] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-12067] = "Ignore from OE's perspective as we'll pick up any fix when upstream accepts one."
 
 # nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
 # It is a fuzzing related buffer overflow. It is of low impact since most devices
 # wouldn't expose an assembler. The upstream is inactive and there is little to be
 # done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
-
-
-
+CVE_STATUS[CVE-2020-18974] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-18974] = "Ignore from OE's perspective as the upstream is inactive and there is little to be done about the bug"
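Review bot: the CVE-2021-20255 reasoning copies the typo "perspectivee" from the old comment into a string that now ends up in generated reports; fix it to "perspective" while converting. The "Ignore from OE's perspective as ..." prefix in the CVE-2021-20255, CVE-2019-12067 and CVE-2020-18974 reasonings also just restates the status; the reason field is more useful if it starts with the actual justification (for example "Low impact, at worst an infinite loop rather than exploitable").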
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c3..7a457f37b23 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,11 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
 
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2019-14865] = "Applies only to RHEL"
+
+CVE_STATUS[CVE-2021-46705] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2021-46705] = "Applies only to SUSE"
 
 DEPENDS = "flex-native bison-native gettext-native"
 
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index bf6835e0d6f..a5b6174e37e 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,8 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2021-26720] = "Issue only affects Debian/SUSE"
 
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native gobject-introspection"
 
diff --git a/meta/recipes-connectivity/bind/bind_9.18.13.bb b/meta/recipes-connectivity/bind/bind_9.18.13.bb
index 8617137e870..c5a51695ef2 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.13.bb
@@ -28,7 +28,8 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2019-6470] = "Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0e..3159584e9b5 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,10 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2020-12352] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-12352] = "These issues have kernel fixes rather than bluez fixes."
+CVE_STATUS[CVE-2020-24490] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-24490] = "These issues have kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
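Review bot: each of the two new reasonings says "These issues have kernel fixes" although each string is now attached to a single CVE, and one has a trailing period while the other does not. Use the singular ("Fixed in the kernel rather than in bluez") in both, or, if the group form used in the glibc hunk is supported, put both CVEs in one group with one shared reason.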
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index d3dedd1a5a7..d6ba7ef830e 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -27,15 +27,17 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2007-2768] = "This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2014-9278] = "This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2008-3844] = "Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
index b319c660440..00ee1cda61e 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
@@ -256,4 +256,5 @@ CVE_VERSION_SUFFIX = "alphabetical"
 
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-0190] = "Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta/recipes-core/coreutils/coreutils_9.1.bb b/meta/recipes-core/coreutils/coreutils_9.1.bb
index e12a6d67971..7b201b0d797 100644
--- a/meta/recipes-core/coreutils/coreutils_9.1.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.1.bb
@@ -23,7 +23,8 @@ SRC_URI[sha256sum] = "61a1f410d78ba7e7f37a5a4f50e6d1320aca33375484a3255eddf17a38
 
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
 # runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+CVE_STATUS[CVE-2016-2781] = "Ignored"
+CVE_STATUS_REASONING[CVE-2016-2781] = "runcon is not really a sandbox command"
 
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index b27f98fb199..98493442f91 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -6,16 +6,20 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
 # Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
 # "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "Upstream glibc maintainers dispute there is any issue and have no plans to address it further."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
 # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
 # easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-1010025] = "ASLR bypass itself is not a vulnerability."
 
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-25139] = "This is integrated into the 2.37 branch as of 07b9521fc6"
 
 DEPENDS += "gperf-native bison-native"
 
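Review bot: this is the only hunk that uses the group form (`CVE_STATUS_GROUPS`, `CVE_STATUS_RECIPE[status]`, `CVE_STATUS_RECIPE[reason]`) while every other recipe uses `CVE_STATUS[...]` and `CVE_STATUS_REASONING[...]`; the flag is spelled `reason` here and `REASONING` elsewhere, so whichever name the class does not read will be silently dropped. Please pick one spelling and document the group syntax next to the per-CVE one. Also, `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` with a plain `=` overwrites any groups a distro or another layer has already defined; use `+=`.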
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 288631504ce..d97a310aac0 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -28,7 +28,8 @@ BINCONFIG = "${bindir}/xml2-config"
 
 # Fixed since 2.9.11 via
 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
+CVE_STATUS[CVE-2016-3709] = "Patched"
+CVE_STATUS_REASONING[CVE-2016-3709] = "Fixed since 2.9.11"
 
 PACKAGECONFIG ??= "python \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index a79d6cb3ca0..a0ff4ac7da2 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -831,5 +831,5 @@ pkg_prerm:udev-hwdb () {
 	rm -f $D${sysconfdir}/udev/hwdb.bin
 }
 
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
+CVE_STATUS[CVE-2022-4415] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-4415] = "This was also fixed in 252.4 with 9b75a3d0"
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 2b6554690b6..60bd018d4a5 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,5 @@ SRC_URI[sha256sum] = "bbd8d39217509d163cb544a40d6428ac666ddc83e22905d3e52c925781
 
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "Ignored"
+CVE_STATUS_REASONING[CVE-2016-10642] = "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5ccad..1cb9c5d07b4 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -29,7 +29,8 @@ GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
 # Disputed - yes there is stack exhaustion but no bug and it is building the
 # parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-6293] = "There is stack exhaustion but no bug and it is building the parser, not running it"
 
 inherit autotools gettext texinfo ptest github-releases
 
diff --git a/meta/recipes-devtools/gcc/gcc-12.2.inc b/meta/recipes-devtools/gcc/gcc-12.2.inc
index 0dbbecad4ad..432c9094fe0 100644
--- a/meta/recipes-devtools/gcc/gcc-12.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-12.2.inc
@@ -109,6 +109,3 @@ EXTRA_OECONF_PATHS = "\
     --with-sysroot=/not/exist \
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
-
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
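Review bot: this hunk drops the ignore for CVE-2021-37322 without adding a replacement status, so unless the NVD CPE no longer matches gcc the CVE will reappear as unpatched in the next cve-check run. If the intent is that the binutils recipe now carries this entry, say so in the commit message; otherwise keep the existing justification ("Is a binutils 2.26 issue, not gcc") as `CVE_STATUS[CVE-2021-37322] = "Not applicable"` with a matching `CVE_STATUS_REASONING`.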
diff --git a/meta/recipes-devtools/git/git_2.39.2.bb b/meta/recipes-devtools/git/git_2.39.2.bb
index 222e545f609..460cee42f1a 100644
--- a/meta/recipes-devtools/git/git_2.39.2.bb
+++ b/meta/recipes-devtools/git/git_2.39.2.bb
@@ -28,11 +28,13 @@ LIC_FILES_CHKSUM = "\
 CVE_PRODUCT = "git-scm:git"
 
 # This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
+# in mirrored git repos.
+CVE_STATUS[CVE-2022-24975] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-24975] = "Most OE users wouldn't build the docs and \
+we don't see this as a major issue for our general users/usecases."
+
+CVE_STATUS[CVE-2022-41953] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2022-41953] = "Issue only applies on Windows"
 
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
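Review bot: the new CVE-2022-41953 reasoning ("Issue only applies on Windows") is less precise than the comment it replaces ("This is specific to Git-for-Windows"); the CVE is against the Git for Windows distribution, not git's behaviour on Windows in general, so keep the product name in the reason string.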
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d4..c3b67a3b7b2 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,9 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "Ignored"
+CVE_STATUS_REASONING[CVE-2007-2379] = "There are ways jquery can expose security issues \
+but any issues are in the apps exposing them and there is little we can directly do."
 
 inherit allarch
 
diff --git a/meta/recipes-devtools/python/python3_3.11.2.bb b/meta/recipes-devtools/python/python3_3.11.2.bb
index 421a305e22f..32d83aff6c6 100644
--- a/meta/recipes-devtools/python/python3_3.11.2.bb
+++ b/meta/recipes-devtools/python/python3_3.11.2.bb
@@ -47,15 +47,17 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "Ignored"
+CVE_STATUS_REASONING[CVE-2007-4559] = "Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-18348] = "This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2022-26488] = "Issue only applies on Windows"
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "Ignored"
+CVE_STATUS_REASONING[CVE-2015-20107] = "The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
 
 PYTHON_MAJMIN = "3.11"
 
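Review bot: the context line `# The module will be removed in the future and flaws documented.` is now orphaned, because the sentence that named the mailcap module was moved into the CVE-2015-20107 reasoning; a reader of the recipe no longer knows which module the comment refers to. Either fold it into `CVE_STATUS_REASONING[CVE-2015-20107]` or drop it.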
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 394fa2acabf..b3ff0d81763 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,16 +39,15 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2017-5957] = "Applies against virglrender < 0.6.0 and not qemu itself"
 
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "Ignored"
+CVE_STATUS_REASONING[CVE-2007-0998] = "The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-18438] = "The issues identified by this CVE were determined to not constitute a vulnerability."
 
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
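Review bot: the CVE-2007-0998 reasoning carries the typo "uder" over from the old comment into a string that is now emitted in reports; change it to "under" while converting. The reason also states a configuration assumption ("We don't enable it by default"), which is a "Not applicable"-style justification rather than an "Ignored" one under the scheme used for grub, cpio and cups in this patch; consider aligning the status.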
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1cd..130581a7853 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
 inherit autotools-brokensep
 
 PACKAGECONFIG ??= "acl attr \
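Review bot: this hunk removes the CVE-2017-16548 ignore without a replacement. The old comment says the fix is in v3.1.3 and this recipe is 3.2.7, so the removal is presumably relying on the NVD version range no longer matching; please state that in the commit message, or confirm with a cve-check run that the CVE is not reported again, since a silently reappearing entry is the failure mode this conversion is meant to avoid.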
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb7..00db737b7d6 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,9 +29,9 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 
 SRC_URI:class-native = "${BASE_SRC_URI}"
 
-# Upstream don't believe this is an exploitable issue
 # https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
+CVE_STATUS[CVE-2021-35331] = "Ignored"
+CVE_STATUS_REASONING[CVE-2021-35331] = "Upstream don't believe this is an exploitable issue"
 
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb
index 55bcc606b37..93a3360135d 100644
--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -22,8 +22,8 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 
 inherit autotools gettext texinfo ptest
 
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2010-4226] = "Issue applies to use of cpio in SUSE/OBS"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b10855..086c467b00c 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,18 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
 
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2008-1033] = "Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "Ignored"
+CVE_STATUS_REASONING[CVE-2009-0032] = "Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2018-6553] = "This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-26691] = "This is fixed in 2.4.2 but the cve-check class still reports it"
+
+# -25317 concerns /var/log/cups having lp ownership.
+CVE_STATUS[CVE-2021-25317] = "Ignored"
+CVE_STATUS_REASONING[CVE-2009-0032] = "Our /var/log/cups is root:root, so this doesn't apply."
 
 LEAD_SONAME = "libcupsdriver.so"
 
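Review bot: wrong CVE in the last added line of this hunk: `+CVE_STATUS_REASONING[CVE-2009-0032] = "Our /var/log/cups is root:root, so this doesn't apply."` is meant for CVE-2021-25317 (the status line just above it and the moved comment both say so). As written it overwrites the pdfdistiller reasoning set for CVE-2009-0032 a few lines earlier and leaves CVE-2021-25317 with a status but no reason. Change the key to `CVE_STATUS_REASONING[CVE-2021-25317]`; the shorthand comment `# -25317 concerns ...` can then be folded into that reason string.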
@@ -114,7 +118,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
index 86ecdbe24af..79a9d255749 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
 # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
 # however we use an external jpeg which doesn't have the issue.
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "Ignored"
+CVE_STATUS_REASONING[CVE-2013-6629] = "We use an external jpeg which doesn't have the issue"
 
 def gs_verdir(v):
     return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3ea..7891f0ffa35 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,10 @@ S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "Patched"
+CVE_STATUS_REASONING[CVE-2000-1213] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "Patched"
+CVE_STATUS_REASONING[CVE-2000-1214] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1d..fcccf68f070 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,8 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
 
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "Patched"
+CVE_STATUS_REASONING[CVE-2021-46828] = "fixed in 1.3.3rc1 so not present in 1.3.3"
 
 inherit autotools pkgconfig
 
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e0..d9571445288 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,9 +72,9 @@ python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
+CVE_STATUS[CVE-2018-1121] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-1121] = "'ps' isn't suitable for use as a security tool so whitelist this CVE."
 
 PROCPS_PACKAGES = "${PN}-lib \
                    ${PN}-ps \
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593b..adef0461905 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,9 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
+CVE_STATUS[CVE-2013-4235] = "Ignored"
+CVE_STATUS_REASONING[CVE-2013-4235] = "Severity is low and marked as closed and won't fix."
 
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2016-15024] = "Ignored"
+CVE_STATUS_REASONING[CVE-2016-15024] = "This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index a4d10c30aa2..bd3e7f1fc88 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,7 +39,8 @@ SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
 # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "Patched"
+CVE_STATUS_REASONING[CVE-2008-0888] = "Patch applied to 6.0 source"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c4..7b1e8cd02a2 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,8 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "Patched"
+CVE_STATUS_REASONING[CVE-2013-4342] = "Fixed directly in git tree revision"
 
 inherit autotools update-rc.d systemd pkgconfig
 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 1930a40140b..60cd565fe81 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -25,11 +25,11 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
+CVE_STATUS[CVE-2018-13410] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-13410] = "Disputed and also Debian doesn't consider a vulnerability"
 
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13684] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2018-13684] = "Not for zip but for smart contract implementation for it"
 
 # Enable largefile support
 CFLAGS += "-DLARGE_FILE_SUPPORT"
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00c..91dba7466da 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -32,5 +32,5 @@ RPROVIDES:${PN} += "libnotify3"
 RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
-# -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "Ignored"
+CVE_STATUS_REASONING[CVE-2013-7381] = "-7381 is specific to the NodeJS bindings"
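Review bot: the status picked for CVE-2013-7381 is inconsistent with the rest of this series: the reason says the CVE "is specific to the NodeJS bindings", i.e. a different product, which the other hunks express as "Not applicable" (zip CVE-2018-13684, libpng CVE-2019-17371), not "Ignored". The reason string also keeps the shorthand "-7381", which was readable next to the old CVE_CHECK_IGNORE line but is unclear once it lands on its own in a csv/json report; spell it out, e.g. `CVE_STATUS_REASONING[CVE-2013-7381] = "CVE-2013-7381 is specific to the NodeJS bindings"`.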
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb
index 59278d1b169..5f4fd79bc0e 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb
@@ -50,8 +50,8 @@ do_compile:prepend() {
     sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
 
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2018-1000041] = "Issue only applies on Windows"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63ff..e70b30a7639 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -30,4 +30,5 @@ do_install () {
 }
 
 # -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "Ignored"
+CVE_STATUS_REASONING[CVE-2008-4178] = "This CVE is for an unrelated builder"
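Review bot: "Ignored" for CVE-2008-4178 does not match its own reason "This CVE is for an unrelated builder", which describes a different product and is marked "Not applicable" elsewhere in this patch (librsvg, xorg). The unchanged comment `# -4178 is an unrelated 'builder'` now duplicates the reason line and can be dropped, as the other recipes in this series do.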
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf76..189619d8715 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,19 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
+CVE_STATUS[CVE-2011-4613] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2011-4613] = "This is specific to Debian's xserver-wrapper.c"
+
 # As per upstream, exploiting this flaw is non-trivial and it requires exact
 # timing on the behalf of the attacker. Many graphical applications exit if their
 # connection to the X server is lost, so a typical desktop session is either
 # impossible or difficult to exploit. There is currently no upstream patch
 # available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+CVE_STATUS[CVE-2020-25697] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-25697] = "As per upstream, exploiting this flaw is non-trivial and it requires exact timing on the behalf of the attacker"
+
+CVE_STATUS[CVE-2022-3553] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2022-3553] = "This is specific to XQuartz, which is the macOS X server port"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
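Review bot: the reason for CVE-2020-25697 cuts the original comment short and loses the sentence that matters most to a report reader, "There is currently no upstream patch available for this flaw": without it the entry reads like a mitigated issue rather than an accepted, unfixed risk. Keep the full rationale in the reason string (the multi-line comment is still there above it, but comments never reach the csv/json output), so that the entry can be revisited once upstream publishes a fix.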
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b8..a7b12e3b57e 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "Ignored"
https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "Ignored"
https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "Ignored"
 
 
 # 2023
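Review bot: the three 2022 CVEs in this hunk are converted to "Ignored" without any CVE_STATUS_REASONING, although the comments directly above each say "Patched in kernel since v6.1 <commit>"; the status that matches those comments is "Patched", with the commit reference as the reason, e.g. `CVE_STATUS[CVE-2022-3523] = "Patched"` and `CVE_STATUS_REASONING[CVE-2022-3523] = "Fixed in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33"`, so the report explains itself without opening the .inc file. Also, as shown in this hunk, the lines `https://nvd.nist.gov/vuln/detail/CVE-2022-3566` and `https://nvd.nist.gov/vuln/detail/CVE-2022-3567` carry no leading `#`; please double-check they are still comment lines in the file, since a bare URL line would not parse.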
@@ -26,11 +26,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-38457] = "Backported in version 6.1.7"
+CVE_STATUS[CVE-2022-40133] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-40133] = "Backported in version 6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "Ignored"
+CVE_STATUS_REASONING[CVE-2023-1075] = "Backported in version 6.1.11"
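Review bot: status and reason contradict each other for CVE-2022-38457, CVE-2022-40133 and CVE-2023-1075: each is set to "Ignored" while the reason reads "Backported in version 6.1.7" (or 6.1.11), and a backported fix is exactly what the new "Patched" status is for. Suggest `CVE_STATUS[CVE-2022-38457] = "Patched"` and likewise for the other two; the two identical 6.1.7 entries are also a natural case for the CVE_STATUS_GROUPS mechanism introduced in 1/3, which avoids repeating the same reason twice.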
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf0..38e18542c21 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,5 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
 
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2019-17371] = "A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index f8a2482a848..499687207d1 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -16,14 +16,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2022-1210] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-1210] = "Issue is in jbig which we don't enable"
 
 inherit autotools multilib_header
 
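Review bot: this hunk silently drops CVE-2015-7313, CVE-2022-1622 and CVE-2022-1623 instead of converting them, which the commit subject ("convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING") does not announce. If they are removed because 4.5.0 is outside the affected version ranges and cve-check no longer reports them, say so in the commit message; otherwise keep them with the matching status, e.g. `CVE_STATUS[CVE-2022-1622] = "Patched"` with the reason taken from the removed comment ("These issues only affect libtiff post-4.3.0 but before 4.4.0, caused by 3079627e and fixed by b4e79bfa").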
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb
index bf9d7cbd102..bf59069cfa5 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb
@@ -29,8 +29,10 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            "
 SRC_URI[sha256sum] = "ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de"
 
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-12433] = "CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-12438] = "CVE is disputed and not affecting crypto libraries for any distro."
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 
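Review bot: the reason string is duplicated verbatim for CVE-2018-12433 and CVE-2018-12438; this is what CVE_STATUS_GROUPS from 1/3 is for, e.g. `CVE_STATUS_GROUPS = "CVE_STATUS_DISPUTED"`, `CVE_STATUS_DISPUTED = "CVE-2018-12433 CVE-2018-12438"`, `CVE_STATUS_DISPUTED[status] = "Ignored"` plus the `[reason]` flag, keeping a single copy of the rationale.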
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.37.bb b/meta/recipes-support/libxslt/libxslt_1.1.37.bb
index 361bb0f8dc9..76f7a34d05a 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.37.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.37.bb
@@ -19,9 +19,8 @@ SRC_URI[sha256sum] = "3a4b27dc8027ccd6146725950336f1ec520928f320f144eb5fa7990ae6
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-29824] = "Static linking to libxml2 is not enabled."
 
 S = "${WORKDIR}/libxslt-${PV}"
 
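Review bot: the new reason for CVE-2022-29824 keeps only half of the removed rationale. The old comment gave two reasons, "We have libxml2 2.9.14" and "we don't link statically with it anyway"; the new string keeps only the second. The libxml2 version is what a report reader will want to verify, so keep it, e.g. `CVE_STATUS_REASONING[CVE-2022-29824] = "We ship libxml2 2.9.14 and libxslt does not link statically against libxml2"`.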
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b09..97217781f42 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,8 @@ S = "${WORKDIR}/git"
 
 inherit ptest
 
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "Patched"
+CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version."
 
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f557..6af884b58fe 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -7,8 +7,11 @@ SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
 
 # -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
+CVE_STATUS[CVE-2019-19242] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-19242] = "This CVE is only an issue in specific development branch commits"
+# https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA
+CVE_STATUS[CVE-2015-3717] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2015-3717] = "This is believed to be iOS specific"
+# Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
+CVE_STATUS[CVE-2021-36690] = "Patched"
+CVE_STATUS_REASONING[CVE-2021-36690] = "Issue in an experimental extension we don't have/use."
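Review bot: the unchanged comment `# -19242 is only an issue in specific development branch commits` is now a duplicate of `CVE_STATUS_REASONING[CVE-2019-19242]` and the only remaining use of the bare "-19242" shorthand in the series; drop it, as the other recipes in this patch do. For the other two entries the URLs stayed in comments while the text moved into the reason; since only the reason reaches the csv/json report, consider putting the sqlite-dev and sqlite.org links into the reason strings as well so the report is self-contained.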
-- 
2.40.1




* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
@ 2023-05-19  6:56   ` Mikko Rapeli
  2023-05-19  7:44   ` Michael Opdenacker
  2023-05-19 13:11   ` Marta Rybczynska
  2 siblings, 0 replies; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-19  6:56 UTC (permalink / raw)
  To: Andrej Valek; +Cc: openembedded-core, Peter Marko

Hi,

Looks really good, but could you split the documentation into a separate
patch and send it to docs@lists.yoctoproject.org instead of oe-core?

Thanks!

-Mikko

On Fri, May 19, 2023 at 08:24:18AM +0200, Andrej Valek wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows adding
> a status for each CVE.
> - The optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added to the csv/json report as
> a new "reason" entry.
> - Setting the same status and reason for multiple CVEs is possible
> via the CVE_STATUS_GROUPS variable.
> - All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" as a fallback.
> 
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
> 
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Not applicable"
> CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
> 
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_PATCHED[reason] = "Fixed externally"
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  documentation/dev-manual/new-recipe.rst      |  4 +-
>  documentation/dev-manual/vulnerabilities.rst | 11 ++---
>  documentation/ref-manual/classes.rst         |  9 ++--
>  documentation/ref-manual/variables.rst       | 33 ++++++++++++---
>  meta/classes/cve-check.bbclass               | 44 +++++++++++++++++---
>  meta/lib/oe/cve_check.py                     |  6 +++
>  6 files changed, 87 insertions(+), 20 deletions(-)
> 
> diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst
> index 4e74246a4e9..008f4b1ceb7 100644
> --- a/documentation/dev-manual/new-recipe.rst
> +++ b/documentation/dev-manual/new-recipe.rst
> @@ -1253,8 +1253,8 @@ In the following example, ``lz4`` is a makefile-based package::
>  
>     S = "${WORKDIR}/git"
>  
> -   # Fixed in r118, which is larger than the current version.
> -   CVE_CHECK_IGNORE += "CVE-2014-4715"
> +   CVE_STATUS[CVE-2014-4715] = "Patched"
> +   CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version"
>  
>     EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
>  
> diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst
> index 0ee3ec52c5c..ca1ea87ba7e 100644
> --- a/documentation/dev-manual/vulnerabilities.rst
> +++ b/documentation/dev-manual/vulnerabilities.rst
> @@ -158,7 +158,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa
>  in the generated reports.
>  
>  If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
> -version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable.
> +version or other reasons, the CVE can be marked as ``Ignored`` or ``Not applicable`` using
> +the :term:`CVE_STATUS[]` variable flag.
>  As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those
>  issues in the CVE database directly.
>  
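Review bot: `:term:`CVE_STATUS[]`` in the added line will not resolve: the :term: role looks a glossary entry up by its literal text, and the entry this patch adds to variables.rst is `CVE_STATUS`, so this renders as an unresolved reference with a Sphinx warning. Use :term:`CVE_STATUS` and say in prose that the CVE ID is the flag, e.g. "using the :term:`CVE_STATUS` variable flag for that CVE ID".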
> @@ -182,11 +183,11 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
>  -  If the package name (:term:`PN`) is part of
>     :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
>  
> --  If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is
> -   set as ``Ignored``.
> +-  If the CVE ID has status :term:`CVE_STATUS[<CVE ID>] = "Ignored"`, it is
> +   set as ``Ignored`` as same as for :term:`CVE_STATUS[<CVE ID>] = "Not applicable"`.
>  
> --  If the CVE ID is part of the patched CVE for the recipe, it is
> -   already considered as ``Patched``.
> +-  If the CVE ID is part of the patched CVE for the recipe or has status
> +   :term:`CVE_STATUS[<CVE ID>] = "Patched"`, it is considered as ``Patched``.
>  
>  -  Otherwise, the code checks whether the recipe version (:term:`PV`)
>     is within the range of versions impacted by the CVE. If so, the CVE
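Review bot: the same :term: problem appears three times in this hunk: `:term:`CVE_STATUS[<CVE ID>] = "Ignored"`` and the "Not applicable" and "Patched" variants are not glossary entries and will each produce an unresolved-reference warning. Write them as literals (``CVE_STATUS[<CVE ID>] = "Ignored"``) and link the variable once with :term:`CVE_STATUS`. Grammar: "as same as for" should read "in the same way as for".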
> diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst
> index ab1628401e9..2811244b8f7 100644
> --- a/documentation/ref-manual/classes.rst
> +++ b/documentation/ref-manual/classes.rst
> @@ -517,10 +517,13 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma
>  ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using
>  CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
>  
> -If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported
> -as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
> +If the recipe adds the ``CVE-ID`` as flag of :term:`CVE_STATUS` variable with status
> +``Ignored`` or ``Not applicable``, then the CVE state is reported as ``Ignored``.
>  
> -   CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
> +   CVE_STATUS[CVE-2020-15523] = "Ignored"
> +
> +Possible CVE's statuses are ``Ignored``, ``Not applicable`` and ``Patched``.
> +Check :ref:`ref-variables-CVE_STATUS` for more details.
>  
>  If CVE check reports that a recipe contains false positives or false negatives, these may be
>  fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables.
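Review bot: the literal block `CVE_STATUS[CVE-2020-15523] = "Ignored"` lost its introduction: the removed paragraph ended in "Example::", which is what makes the following indented line a code block, while the new sentence ends in a plain period, so the line now renders as an indented block quote. Keep the `::`, e.g. "... then the CVE state is reported as ``Ignored``. Example::". Also "Possible CVE's statuses" should be "Possible CVE statuses".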
> diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst
> index 6ee65e17884..cd5f1d65d27 100644
> --- a/documentation/ref-manual/variables.rst
> +++ b/documentation/ref-manual/variables.rst
> @@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents.
>           and kernel module recipes).
>  
>     :term:`CVE_CHECK_IGNORE`
> -      The list of CVE IDs which are ignored. Here is
> -      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
> -
> -         # This is windows only issue.
> -         CVE_CHECK_IGNORE += "CVE-2020-15523"
> +      Is deprecated and should be replaced by :term:`CVE_STATUS`
>  
>     :term:`CVE_CHECK_SHOW_WARNINGS`
>        Specifies whether or not the :ref:`ref-classes-cve-check`
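Review bot: the replacement text for CVE_CHECK_IGNORE, "Is deprecated and should be replaced by :term:`CVE_STATUS`", is a sentence fragment and drops the fact that the old variable still works: the bbclass hunk keeps it and maps every listed CVE to "Ignored" with a warning. Suggest "Deprecated; CVEs listed here are treated as :term:`CVE_STATUS` ``"Ignored"`` and a warning is emitted. Use :term:`CVE_STATUS` instead."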
> @@ -1698,6 +1694,33 @@ system and gives an overview of their function and contents.
>  
>           CVE_PRODUCT = "vendor:package"
>  
> +   :term:`CVE_STATUS`
> +      The CVE ID which is patched or should be ignored. Here is
> +      an example from the :oe_layerindex:`Python3 recipe</layerindex/recipe/23823>`::
> +
> +         CVE_STATUS[CVE-2020-15523] = "Ignored"
> +
> +      Possible CVE's statuses ``Ignored``, ``Not applicable`` or ``Patched``, while the ``reasoning``
> +      is optional.
> +
> +   :term:`CVE_STATUS_GROUPS`
> +      If there is a many CVEs with the same status and reason can by simplified by using this
> +      variable instead of many similar lines with ``CVE_STATUS`` and ``CVE_STATUS_REASONING``
> +
> +         CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> +         CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> +         CVE_STATUS_WIN[status] = "Not applicable"
> +         CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
> +
> +         CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> +         CVE_STATUS_PATCHED[status] = "Patched"
> +         CVE_STATUS_PATCHED[reason] = "Fixed externally"
> +
> +   :term:`CVE_STATUS_REASONING`
> +      Optional explanation for :term:`CVE_STATUS`
> +
> +         CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows"
> +
>     :term:`CVE_VERSION`
>        In a recipe, defines the version used to match the recipe version
>        against the version in the `NIST CVE database <https://nvd.nist.gov/>`__
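Review bot: the examples under CVE_STATUS_GROUPS and CVE_STATUS_REASONING are indented but not introduced with `::`, unlike the CVE_STATUS entry above them, so they will render as block quotes rather than code; end the preceding sentences with "::". The CVE_STATUS_GROUPS sentence also needs reworking: "If there is a many CVEs with the same status and reason can by simplified by using this variable" could read "Many CVEs sharing the same status and reason can be declared at once with this variable instead of many similar ``CVE_STATUS`` and ``CVE_STATUS_REASONING`` lines::". In the CVE_STATUS entry, "Possible CVE's statuses ``Ignored``, ``Not applicable`` or ``Patched``, while the ``reasoning`` is optional" lacks a verb and should name the real variable: "Possible statuses are ``Ignored``, ``Not applicable`` and ``Patched``; :term:`CVE_STATUS_REASONING` is optional."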
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..44462de7445 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
>  # Skip CVE Check for packages (PN)
>  CVE_CHECK_SKIP_RECIPE ?= ""
>  
> -# Ingore the check for a given list of CVEs. If a CVE is found,
> -# then it is considered patched. The value is a string containing
> -# space separated CVE values:
> +# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
> +# separately with optional reason for this status.
>  #
> -# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
> +# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
> +# CVE_STATUS[CVE-1234-0002] = "Not applicable"
> +# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
>  #
> +# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
> +# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
>  CVE_CHECK_IGNORE ?= ""
>  
>  # Layers to be excluded
> @@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>  # set to "alphabetical" for version using single alphabetical character as increment release
>  CVE_VERSION_SUFFIX ??= ""
>  
> +python () {
> +    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
> +    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
> +    if cve_check_ignore:
> +        bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
> +        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
> +
> +    # Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons at once
> +    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> +        set_cves_statuses(d, d.getVar(cve_status_group) or "",
> +                          d.getVarFlag(cve_status_group, "status"),
> +                          d.getVarFlag(cve_status_group, "reason"))
> +}
> +
> +def set_cves_statuses(d, cves, status, reason=""):
> +    for cve in cves.split():
> +        d.setVarFlag("CVE_STATUS", cve, status)
> +        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
> +
>  def generate_json_report(d, out_path, link_path):
>      if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>          import json
> @@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
>          bb.note("Recipe has been skipped by cve-check")
>          return ([], [], [], [])
>  
> -    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
> +    # Convert CVE_STATUS into ignored CVEs and check validity
> +    cve_ignore = []
> +    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> +        if status in ["Not applicable", "Ignored"]:
> +            cve_ignore.append(cve)
> +        elif status not in ["Patched"]:
> +            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
>  
>      import sqlite3
>      db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
> @@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
>          else:
>              unpatched_cves.append(cve)
>              write_string += "CVE STATUS: Unpatched\n"
> +        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
> +        if reasoning:
> +            write_string += "CVE REASON: %s\n" % reasoning
>          write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
>          write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
>          write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
> @@ -576,6 +607,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
>              "status" : status,
>              "link": issue_link
>          }
> +        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
> +        if reasoning:
> +            cve_item["reason"] = reasoning
>          cve_list.append(cve_item)
>  
>      package_data["issue"] = cve_list
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index dbaa0b373a3..f47dd9920ef 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -130,6 +130,12 @@ def get_patched_cves(d):
>          if not fname_match and not text_match:
>              bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>  
> +    # Search for additional patched CVEs
> +    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> +        if status == "Patched":
> +            bb.debug(2, "CVE %s is additionally patched" % cve)
> +            patched_cves.add(cve)
> +
>      return patched_cves
>  
>  
> -- 
> 2.40.1
> 



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
  2023-05-19  6:56   ` Mikko Rapeli
@ 2023-05-19  7:44   ` Michael Opdenacker
  2023-05-19 13:11   ` Marta Rybczynska
  2 siblings, 0 replies; 73+ messages in thread
From: Michael Opdenacker @ 2023-05-19  7:44 UTC (permalink / raw)
  To: andrej.valek, openembedded-core; +Cc: mikko.rapeli, Peter Marko

Hi Andrej

On 19.05.23 at 08:24, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows adding
> a status for each CVE.
> - The optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added to the csv/json report as
> a new "reason" entry.
> - Setting the same status and reason for multiple CVEs is possible
> via the CVE_STATUS_GROUPS variable.
> - All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" as a fallback.
>
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
>
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Not applicable"
> CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
>
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_PATCHED[reason] = "Fixed externally"
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>   documentation/dev-manual/new-recipe.rst      |  4 +-
>   documentation/dev-manual/vulnerabilities.rst | 11 ++---
>   documentation/ref-manual/classes.rst         |  9 ++--
>   documentation/ref-manual/variables.rst       | 33 ++++++++++++---
>   meta/classes/cve-check.bbclass               | 44 +++++++++++++++++---
>   meta/lib/oe/cve_check.py                     |  6 +++
>   6 files changed, 87 insertions(+), 20 deletions(-)

Many thanks for the patch and for the documentation changes too!
However, could you send the documentation changes separately, using the 
yocto-docs repository as a reference, and sending them to the 
docs@lists.yoctoproject.org mailing list?

You seem to have produced your patches against "poky", but that's a 
repository aggregating stuff from other repositories. Your code changes 
should be for the "openembedded-core" repository.

Another advantage is that we can merge the documentation changes only 
when the code changes are accepted.

Thanks in advance
Cheers
Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




* [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (5 preceding siblings ...)
  2023-05-19  6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
@ 2023-05-19  8:18 ` Andrej Valek
  2023-05-19  9:17   ` Mikko Rapeli
                     ` (21 more replies)
  2023-05-19  8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
  2023-05-19  8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
  8 siblings, 22 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-19  8:18 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.
- The optional CVE_STATUS_REASONING flag variable may contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Not applicable"
CVE_STATUS_WIN[reason] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[reason] = "Fixed externally"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 44 ++++++++++++++++++++++++++++++----
 meta/lib/oe/cve_check.py       |  6 +++++
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..44462de7445 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
+# CVE_STATUS[CVE-1234-0002] = "Not applicable"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
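Review bot: the wording of the new header comment, "Each of CVE has to be mentioned separately with optional reason for this status", should read "Each CVE has to be listed separately, with an optional reason for the status". Since this comment is the in-tree documentation of the new variables, it should also mention CVE_STATUS_GROUPS, which is currently described only in the commit message; the three-line group example from there (`CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"`, `CVE_STATUS_WIN[status] = "Not applicable"`, `CVE_STATUS_WIN[reason] = "Issue only applies on Windows"`) would fit here.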
@@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
+        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        set_cves_statuses(d, d.getVar(cve_status_group) or "",
+                          d.getVarFlag(cve_status_group, "status"),
+                          d.getVarFlag(cve_status_group, "reason"))
+}
+
+def set_cves_statuses(d, cves, status, reason=""):
+    for cve in cves.split():
+        d.setVarFlag("CVE_STATUS", cve, status)
+        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
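Review bot: the CVE_CHECK_IGNORE fallback can silently override the new variable. The anonymous python function runs after the recipe has been parsed, so for a CVE that appears in CVE_CHECK_IGNORE (possibly inherited from a distro or layer configuration) `set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")` overwrites a `CVE_STATUS[CVE-...] = "Patched"` set explicitly in the recipe and also resets its CVE_STATUS_REASONING to "". In the fallback path, skip CVEs that already carry a CVE_STATUS flag and warn about the conflict. Second, `d.getVarFlag(cve_status_group, "status")` returns None when a group has no [status] flag; that None is stored as the status and only surfaces later in check_cves as "Unsupported status None in CVE_STATUS[...]", so validate the group's status here at parse time with a bb.error that names the group. Minor: `d.getVar("CVE_CHECK_IGNORE")` is read twice; pass the `cve_check_ignore` value already fetched.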
@@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status in ["Not applicable", "Ignored"]:
+            cve_ignore.append(cve)
+        elif status not in ["Patched"]:
+            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         else:
             unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            write_string += "CVE REASON: %s\n" % reasoning
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -576,6 +607,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            cve_item["reason"] = reasoning
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a3..f47dd9920ef 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
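Review bot: a "Patched" status is taken entirely on trust here: nothing ties it to a patch in SRC_URI or to a version range, and bb.debug level 2 means it never shows in normal output. This is the path by which a single line in a distro include can suppress a finding for every recipe that reads it, so log at bb.note with the CVE_STATUS_REASONING text (or carry the reason into the report) so an auditor can see why a CVE was declared patched. This loop and the one in check_cves iterate the same flags and need the same "is this really a CVE id" filter; a small shared helper in cve_check.py would keep the two in step.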
-- 
2.40.1




* [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (6 preceding siblings ...)
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-05-19  8:18 ` Andrej Valek
  2023-05-19  8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
  8 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-19  8:18 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

- After introducing the CVE_STATUS_REASONING flag variable, CVEs could
contain a reason for assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 20 ++++++++++++++-----
 .../logrotate/logrotate_3.21.0.bb             |  6 ++++--
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c8..ea37beba031 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,28 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "reason" : issue["reason"] if "reason" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0)
+            reason = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
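Review bot: `issue["reason"] if "reason" in issue else ""` is `issue.get("reason", "")`. The check on CVE-2011-1098 only asserts that the reason is empty; since cve_write_data_json omits the key when no reason is set, asserting that the "reason" key is absent from the raw issue for the Patched CVE (before the default is filled in) is the stronger test of that code path. A case with a CVE_STATUS_GROUPS group that has `[status]` but no `[reason]` would also be worth a test, as that is the shape most conversions in 3/3 take.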
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60f..633987ceed6 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,10 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
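Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` with `=` replaces, for this recipe, every group the distro configuration added with `+=` (3/3 adds CVE_STATUS_DB and the kernel groups that way in cve-extra-exclusions.inc). It happens not to matter for logrotate because those groups target other packages, but this is the reference conversion other recipes will copy, so use `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"`. Also, distribution-specific packaging issues ("debian, gentoo or SUSE specific on the way logrotate was installed/used") are the textbook case for the "Not applicable" status this series introduces; using "Ignored" here leaves the new status with no example in-tree.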
-- 
2.40.1




* [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING
  2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
                   ` (7 preceding siblings ...)
  2023-05-19  8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
@ 2023-05-19  8:18 ` Andrej Valek
  8 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-05-19  8:18 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 281 +++++++++++-------
 meta/recipes-bsp/grub/grub2.inc               |   9 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   4 +-
 .../recipes-connectivity/bind/bind_9.18.13.bb |   3 +-
 .../bluez5/bluez5_5.66.bb                     |   6 +-
 .../openssh/openssh_9.3p1.bb                  |  12 +-
 .../openssl/openssl_3.1.0.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.1.bb  |   3 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  12 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   3 +-
 meta/recipes-core/systemd/systemd_253.3.bb    |   4 +-
 meta/recipes-devtools/cmake/cmake.inc         |   5 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   3 +-
 meta/recipes-devtools/gcc/gcc-12.2.inc        |   3 -
 meta/recipes-devtools/git/git_2.39.2.bb       |  12 +-
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   6 +-
 .../recipes-devtools/python/python3_3.11.2.bb |  18 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 +-
 meta/recipes-extended/cpio/cpio_2.13.bb       |   4 +-
 meta/recipes-extended/cups/cups.inc           |  24 +-
 .../ghostscript/ghostscript_10.0.0.bb         |   3 +-
 .../iputils/iputils_20221126.bb               |   7 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   4 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 +-
 meta/recipes-extended/shadow/shadow_4.13.bb   |   8 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   3 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   8 +-
 .../libnotify/libnotify_0.8.2.bb              |   4 +-
 meta/recipes-gnome/librsvg/librsvg_2.54.5.bb  |   4 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  13 +-
 .../linux/cve-exclusion_6.1.inc               |  14 +-
 .../libpng/libpng_1.6.39.bb                   |   4 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.1.bb             |   6 +-
 .../recipes-support/libxslt/libxslt_1.1.37.bb |   5 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   4 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |  13 +-
 41 files changed, 325 insertions(+), 230 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ca75bae3ef..1cb32db814d 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -19,7 +19,8 @@
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
 # broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
+CVE_STATUS[CVE-2000-0006] = "Ignored"
+CVE_STATUS_REASONING[CVE-2000-0006] = "CVE is more than 20 years old with no resolution evident."
 
 # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
 # The issue here is spoofing of domain names using characters from other character sets.
@@ -28,31 +29,39 @@ CVE_CHECK_IGNORE += "CVE-2000-0006"
 # there is unlikely ever to be a single fix to webkit or epiphany which addresses this
 # problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
 # we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
+CVE_STATUS[CVE-2005-0238] = "Ignored"
+CVE_STATUS_REASONING[CVE-2005-0238] = "There isn't any mitigation or fix or way to progress this further."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
 # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
 # Upstream don't see it as a security issue, ftp servers shouldn't be passing
 # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
+CVE_STATUS[CVE-2010-4756] = "Ignored"
+CVE_STATUS_REASONING[CVE-2010-4756] = "Upstream have no plans to add BSD's GLOB_LIMIT or similar."
 
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
 # The encoding/xml package in go can potentially be used for security exploits if not used correctly
 # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
 # exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS[CVE-2020-29509] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-29509] = "We don't ship anything exposing this interface in an exploitable way."
+CVE_STATUS[CVE-2020-29511] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-29511] = "We don't ship anything exposing this interface in an exploitable way."
 
 # db
 # Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
 # supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "Ignored"
+CVE_STATUS_DB[reason] = "Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives"
 
 #
 # Kernel CVEs, e.g. linux-yocto*
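Review bot: "We don't ship anything exposing this interface in an exploitable way" (CVE-2020-29509/29511) and "Issue only applies on Windows"-style arguments are "Not applicable", not "Ignored"; since the series adds that status, the go entries are the place to use it. The same reason is duplicated verbatim for the two go CVEs; a CVE_STATUS_GROUPS group with one `[reason]`, as done for CVE_STATUS_DB just below, avoids the copy. For CVE_STATUS_DB the reason keeps the background ("slowly but surely replacing bdb") but drops the actual justification from the comment, "these CVEs are unlikely to ever be fixed"; the reason is what reaches the report, so it should carry the conclusion, not only the context.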
@@ -65,60 +74,77 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2019 CVE_STATUS_KERNEL_2020"
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "Ignored"
+
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "Ignored"
+
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+                          CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873 CVE-2018-6559"
+CVE_STATUS_KERNEL_2018[status] = "Ignored"
+
 # 2019
-CVE_CHECK_IGNORE += "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887"
+CVE_STATUS_KERNEL_2019 = "CVE-2019-10126 CVE-2019-14899 CVE-2019-18910 CVE-2019-3016 CVE-2019-3819 CVE-2019-3846 CVE-2019-3887"
+CVE_STATUS_KERNEL_2019[status] = "Ignored"
+
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "Ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
-# Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
-# Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+# Patched in kernel since v5.10 e8d5f92b8d30bb4ade76494490c3c065e12411b1
+# Backported in version v5.4.73 e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
+CVE_STATUS[CVE-2020-27784] = "Patched"
+CVE_STATUS_REASONING[CVE-2020-27784] = "Backported in version v5.4.73"
 
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "Ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "Patched"
https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "Patched"
+CVE_STATUS_REASONING[CVE-2021-3759] = "Backported in versions v5.4.224 and v5.10.154"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "Patched"
 
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "Ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
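Review bot: the CVE_STATUS_KERNEL_* groups get `[status] = "Ignored"` but no `[reason]`, while the rationale (CPE entries that match every kernel version) sits in the comment block above this hunk and never reaches the report; add it as the group reason. More important, the "Patched" conversions are unconditional: `CVE_STATUS[CVE-2020-27784] = "Patched"` with reason "Backported in version v5.4.73" asserts patched for every kernel recipe that reads this distro include, whatever version it builds, so a BSP layer on a 5.4 kernel older than .73, or a vendor tree without that backport, now gets a false "Patched" where before it was at worst an "Ignored" that reviewers knew to distrust. CVE_STATUS cannot express "patched since version X", so either keep these as "Ignored" with the backport details in the reason, or limit them to the kernel versions oe-core itself ships. CVE-2021-3669 and CVE-2021-4218 are also marked "Patched" with no reason while their neighbours get one; be consistent.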
@@ -126,7 +152,8 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-1184] = "Backported in versions v5.4.198, v5.10.121 and v5.15.46"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -134,7 +161,8 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-1462] = "Backported in versions v5.4.208, v5.10.134 and v5.15.58"
https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -144,19 +172,21 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2196] = "Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2308] = "Backported in versions v5.15.72 and v5.19.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
@@ -165,19 +195,22 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2663] = "Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-2785] = "Backported in version v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3176] = "Backported in version v5.15.65"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -186,7 +219,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3424] = "Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -197,13 +231,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3435] = "Backported in versions v5.4.226, v5.10.158 and v5.15.82"
https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3526] = "Backported in version v5.15.35"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -211,20 +247,23 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3534] = "Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3564] = "Backported in versions v5.10.154 and v5.15.78"
https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3619] = "Backported in version v5.15.78"
https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
@@ -233,7 +272,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3621] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -242,12 +282,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3623] = "Backported in versions v5.4.228, v5.10.159, v5.15.78 and v5.19.17"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -256,7 +297,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3625] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -265,13 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3629] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3630] = "Backported in version v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -280,7 +324,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3633] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -289,12 +334,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3635] = "Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "Patched"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -305,7 +351,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3640] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -314,7 +361,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3646] = "Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -323,7 +371,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-3649] = "Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16"
https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -332,7 +381,8 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-4382] = "Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -340,7 +390,8 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-26365] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -348,7 +399,8 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-33740] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -356,7 +408,8 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-33741] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -364,15 +417,17 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-33742] = "Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-42895] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -380,7 +435,8 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-42896] = "Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 
 # 2023
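Review bot: the reasoning string for CVE-2022-42896 does not match the backport list it sits under: the context line says `# Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b`, while the added line reads `"Backported in versions v5.4.224, v5.10.154 and v5.15.78"`. This looks copied from the CVE-2022-42895 entry just above (which really is v5.4.224); please change it to v5.4.226 so the status report does not contradict the comment.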
@@ -390,14 +446,16 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0179] = "Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0266] = "Backported in versions v5.15.88 and v6.1.6"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -406,7 +464,8 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0394] = "Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -415,28 +474,32 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0461] = "Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-0386] = "Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1073] = "Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1074] = "Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
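Review bot: the CVE-2023-0461 reasoning lists `v6.1.7`, but the context line directly above it says `# Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c`; the string should say v6.1.5 (the v6.1.7 value appears to have been carried over from the CVE-2023-0394 entry). Separately, the CVE-2023-0386, CVE-2023-1073 and CVE-2023-1074 regions rewrite the existing backport comments only to add a `v` prefix and reorder them; that is cosmetic churn unrelated to the CVE_STATUS conversion and makes the diff harder to review, so consider dropping it or splitting it into its own commit.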
@@ -445,19 +508,22 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1076] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1077] = "Backported in versions v5.15.99 and v6.1.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1078] = "Backported in versions v5.15.94 and v6.1.12"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -466,7 +532,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1079] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -476,7 +543,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1118] = "Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -484,7 +552,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1281] = "Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -492,7 +561,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1513] = "Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -500,7 +570,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1652] = "Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -511,7 +582,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-1829] = "Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -521,7 +593,8 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
 # > in which a user can cause the alloc_memory_type error case to be reached.
 # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
 # We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-23005] = "Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-28466
 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
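Review bot: CVE-2023-23005 is marked `"Patched"`, but the retained comments and the reasoning string say the issue is disputed and "We can safely ignore it", with no fix commit referenced; reporting it as patched misstates the situation to anyone consuming the CVE report. This entry should be `CVE_STATUS[CVE-2023-23005] = "Ignored"` (or whatever status the class uses for disputed issues), keeping the reasoning as written.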
@@ -529,31 +602,33 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
 # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
 # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-28466] = "Backported in versions v5.15.105, v6.1.20 and v6.2.7"
 
 # Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
 # Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
+CVE_STATUS[CVE-2022-3563] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-3563] = "Wrong CPE in NVD database"
+CVE_STATUS[CVE-2022-3637] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-3637] = "Wrong CPE in NVD database"
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
 # There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
 # qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
+CVE_STATUS[CVE-2021-20255] = "Ignored"
+CVE_STATUS_REASONING[CVE-2021-20255] = "Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
 
 # qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
 # There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
 # still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
+CVE_STATUS[CVE-2019-12067] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-12067] = "Ignore from OE's perspective as we'll pick up any fix when upstream accepts one."
 
 # nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
 # It is a fuzzing related buffer overflow. It is of low impact since most devices
 # wouldn't expose an assembler. The upstream is inactive and there is little to be
 # done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
-
-
-
+CVE_STATUS[CVE-2020-18974] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-18974] = "Ignore from OE's perspective as the upstream is inactive and there is little to be done about the bug"
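Review bot: the typo "perspectivee" from the old comment is copied verbatim into the new line `CVE_STATUS_REASONING[CVE-2021-20255] = "Ignore from OE's perspectivee as the issue is of low impact, ..."`; since this string will now appear in generated reports, fix it to "perspective" while moving it. In the same region, CVE-2022-3563 and CVE-2022-3637 are set to `"Ignored"` with the reason "Wrong CPE in NVD database" even though the comment says they do not affect the kernel at all; that is the same situation the grub and avahi hunks classify as `"Not applicable"`, so one of the two conventions should be chosen and used consistently.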
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c3..7a457f37b23 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,11 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
 
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2019-14865] = "Applies only to RHEL"
+
+CVE_STATUS[CVE-2021-46705] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2021-46705] = "Applies only to SUSE"
 
 DEPENDS = "flex-native bison-native gettext-native"
 
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index bf6835e0d6f..a5b6174e37e 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,8 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2021-26720] = "Issue only affects Debian/SUSE"
 
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native gobject-introspection"
 
diff --git a/meta/recipes-connectivity/bind/bind_9.18.13.bb b/meta/recipes-connectivity/bind/bind_9.18.13.bb
index 8617137e870..c5a51695ef2 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.13.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.13.bb
@@ -28,7 +28,8 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2019-6470] = "Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0e..3159584e9b5 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,10 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2020-12352] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-12352] = "These issues have kernel fixes rather than bluez fixes."
+CVE_STATUS[CVE-2020-24490] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-24490] = "These issues have kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index d3dedd1a5a7..d6ba7ef830e 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -27,15 +27,17 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2007-2768] = "This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2014-9278] = "This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2008-3844] = "Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
index b319c660440..00ee1cda61e 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.0.bb
@@ -256,4 +256,5 @@ CVE_VERSION_SUFFIX = "alphabetical"
 
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-0190] = "Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta/recipes-core/coreutils/coreutils_9.1.bb b/meta/recipes-core/coreutils/coreutils_9.1.bb
index e12a6d67971..7b201b0d797 100644
--- a/meta/recipes-core/coreutils/coreutils_9.1.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.1.bb
@@ -23,7 +23,8 @@ SRC_URI[sha256sum] = "61a1f410d78ba7e7f37a5a4f50e6d1320aca33375484a3255eddf17a38
 
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
 # runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+CVE_STATUS[CVE-2016-2781] = "Ignored"
+CVE_STATUS_REASONING[CVE-2016-2781] = "runcon is not really a sandbox command"
 
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index b27f98fb199..98493442f91 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -6,16 +6,20 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
 # Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
 # "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "Upstream glibc maintainers dispute there is any issue and have no plans to address it further."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
 # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
 # easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-1010025] = "ASLR bypass itself is not a vulnerability."
 
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "Patched"
+CVE_STATUS_REASONING[CVE-2023-25139] = "This is integrated into the 2.37 branch as of 07b9521fc6"
 
 DEPENDS += "gperf-native bison-native"
 
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 288631504ce..d97a310aac0 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -28,7 +28,8 @@ BINCONFIG = "${bindir}/xml2-config"
 
 # Fixed since 2.9.11 via
 # https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
+CVE_STATUS[CVE-2016-3709] = "Patched"
+CVE_STATUS_REASONING[CVE-2016-3709] = "Fixed since 2.9.11"
 
 PACKAGECONFIG ??= "python \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index a79d6cb3ca0..a0ff4ac7da2 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -831,5 +831,5 @@ pkg_prerm:udev-hwdb () {
 	rm -f $D${sysconfdir}/udev/hwdb.bin
 }
 
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
+CVE_STATUS[CVE-2022-4415] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-4415] = "This was also fixed in 252.4 with 9b75a3d0"
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 2b6554690b6..60bd018d4a5 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,5 @@ SRC_URI[sha256sum] = "bbd8d39217509d163cb544a40d6428ac666ddc83e22905d3e52c925781
 
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "Ignored"
+CVE_STATUS_REASONING[CVE-2016-10642] = "This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5ccad..1cb9c5d07b4 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -29,7 +29,8 @@ GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
 # Disputed - yes there is stack exhaustion but no bug and it is building the
 # parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-6293] = "There is stack exhaustion but no bug and it is building the parser, not running it"
 
 inherit autotools gettext texinfo ptest github-releases
 
diff --git a/meta/recipes-devtools/gcc/gcc-12.2.inc b/meta/recipes-devtools/gcc/gcc-12.2.inc
index 0dbbecad4ad..432c9094fe0 100644
--- a/meta/recipes-devtools/gcc/gcc-12.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-12.2.inc
@@ -109,6 +109,3 @@ EXTRA_OECONF_PATHS = "\
     --with-sysroot=/not/exist \
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
-
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
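Review bot: the gcc hunk deletes `CVE_CHECK_IGNORE += "CVE-2021-37322"` together with its comment ("Is a binutils 2.26 issue, not gcc") without adding any `CVE_STATUS` replacement, unlike every other converted recipe. If the entry is no longer needed because the CVE no longer matches gcc's CVE_PRODUCT, say so in the commit message; otherwise this silently reintroduces a false positive and should become `CVE_STATUS[CVE-2021-37322] = "Not applicable"` with the existing comment as the reasoning.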
diff --git a/meta/recipes-devtools/git/git_2.39.2.bb b/meta/recipes-devtools/git/git_2.39.2.bb
index 222e545f609..460cee42f1a 100644
--- a/meta/recipes-devtools/git/git_2.39.2.bb
+++ b/meta/recipes-devtools/git/git_2.39.2.bb
@@ -28,11 +28,13 @@ LIC_FILES_CHKSUM = "\
 CVE_PRODUCT = "git-scm:git"
 
 # This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
+# in mirrored git repos.
+CVE_STATUS[CVE-2022-24975] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-24975] = "Most OE users wouldn't build the docs and \
+we don't see this as a major issue for our general users/usecases."
+
+CVE_STATUS[CVE-2022-41953] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2022-41953] = "Issue only applies on Windows"
 
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d4..c3b67a3b7b2 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,9 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "Ignored"
+CVE_STATUS_REASONING[CVE-2007-2379] = "There are ways jquery can expose security issues \
+but any issues are in the apps exposing them and there is little we can directly do."
 
 inherit allarch
 
diff --git a/meta/recipes-devtools/python/python3_3.11.2.bb b/meta/recipes-devtools/python/python3_3.11.2.bb
index 421a305e22f..32d83aff6c6 100644
--- a/meta/recipes-devtools/python/python3_3.11.2.bb
+++ b/meta/recipes-devtools/python/python3_3.11.2.bb
@@ -47,15 +47,17 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "Ignored"
+CVE_STATUS_REASONING[CVE-2007-4559] = "Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-18348] = "This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2020-15523] = "Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2022-26488] = "Issue only applies on Windows"
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "Ignored"
+CVE_STATUS_REASONING[CVE-2015-20107] = "The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
 
 PYTHON_MAJMIN = "3.11"
 
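Review bot: the retained comment `# The module will be removed in the future and flaws documented.` is now orphaned: its first half ("The mailcap module is insecure by design...") moved into CVE_STATUS_REASONING[CVE-2015-20107], so what is left sits between the CVE-2022-26488 lines and CVE-2015-20107 and talks about an unnamed module. Either drop it or fold it into the reasoning string, e.g. `CVE_STATUS_REASONING[CVE-2015-20107] = "The mailcap module is insecure by design, so this can't be fixed in a meaningful way; the module will be removed in the future and the flaws documented"`.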
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 394fa2acabf..b3ff0d81763 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,16 +39,15 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2017-5957] = "Applies against virglrender < 0.6.0 and not qemu itself"
 
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "Ignored"
+CVE_STATUS_REASONING[CVE-2007-0998] = "The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-18438] = "The issues identified by this CVE were determined to not constitute a vulnerability."
 
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
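Review bot: the reasoning for CVE-2007-0998 carries over the typo "uder" ("expose host files uder some circumstances"); since CVE_STATUS_REASONING now ends up in the generated reports rather than in a recipe comment, fix it to "under" while converting.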
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1cd..130581a7853 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
 inherit autotools-brokensep
 
 PACKAGECONFIG ??= "acl attr \
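Review bot: the CVE-2017-16548 ignore is removed outright instead of being converted to CVE_STATUS, and neither the hunk nor the commit message says why. If the NVD version range no longer matches 3.2.7 that is fine but should be stated; otherwise keep it as `CVE_STATUS[CVE-2017-16548] = "Patched"` with the old comment as the reasoning so the CVE does not reappear as unpatched in the report.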
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb7..00db737b7d6 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,9 +29,9 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 
 SRC_URI:class-native = "${BASE_SRC_URI}"
 
-# Upstream don't believe this is an exploitable issue
 # https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
+CVE_STATUS[CVE-2021-35331] = "Ignored"
+CVE_STATUS_REASONING[CVE-2021-35331] = "Upstream don't believe this is an exploitable issue"
 
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb
index 55bcc606b37..93a3360135d 100644
--- a/meta/recipes-extended/cpio/cpio_2.13.bb
+++ b/meta/recipes-extended/cpio/cpio_2.13.bb
@@ -22,8 +22,8 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8
 
 inherit autotools gettext texinfo ptest
 
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2010-4226] = "Issue applies to use of cpio in SUSE/OBS"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b10855..086c467b00c 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,18 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
 
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2008-1033] = "Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "Ignored"
+CVE_STATUS_REASONING[CVE-2009-0032] = "Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2018-6553] = "This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "Patched"
+CVE_STATUS_REASONING[CVE-2022-26691] = "This is fixed in 2.4.2 but the cve-check class still reports it"
+
+# -25317 concerns /var/log/cups having lp ownership.
+CVE_STATUS[CVE-2021-25317] = "Ignored"
+CVE_STATUS_REASONING[CVE-2009-0032] = "Our /var/log/cups is root:root, so this doesn't apply."
 
 LEAD_SONAME = "libcupsdriver.so"
 
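Review bot: the last added line uses the wrong key: `CVE_STATUS_REASONING[CVE-2009-0032] = "Our /var/log/cups is root:root, so this doesn't apply."` overwrites the reasoning for CVE-2009-0032 set a few lines above and leaves CVE-2021-25317 without one; it should be `CVE_STATUS_REASONING[CVE-2021-25317] = ...`. The same hunk also shows the status vocabulary being applied unevenly: the MacOS-only and Ubuntu-only issues become "Not applicable", while the pdfdistiller plugin and the /var/log/cups ownership cases, whose reasoning likewise says they do not apply, become "Ignored"; a one-line rule in the class comment for when each status is used would keep the series consistent.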
@@ -114,7 +118,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
index 86ecdbe24af..79a9d255749 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.0.0.bb
@@ -21,7 +21,8 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
 # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
 # however we use an external jpeg which doesn't have the issue.
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "Ignored"
+CVE_STATUS_REASONING[CVE-2013-6629] = "We use an external jpeg which doesn't have the issue"
 
 def gs_verdir(v):
     return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3ea..7891f0ffa35 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,10 @@ S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "Patched"
+CVE_STATUS_REASONING[CVE-2000-1213] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "Patched"
+CVE_STATUS_REASONING[CVE-2000-1214] = "Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1d..fcccf68f070 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,8 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
 
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "Patched"
+CVE_STATUS_REASONING[CVE-2021-46828] = "fixed in 1.3.3rc1 so not present in 1.3.3"
 
 inherit autotools pkgconfig
 
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e0..d9571445288 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,9 +72,9 @@ python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
 # https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
+CVE_STATUS[CVE-2018-1121] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-1121] = "'ps' isn't suitable for use as a security tool so whitelist this CVE."
 
 PROCPS_PACKAGES = "${PN}-lib \
                    ${PN}-ps \
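Review bot: the reasoning string for CVE-2018-1121 keeps the old comment wording "so whitelist this CVE", which describes the CVE_CHECK_IGNORE mechanism this patch removes; now that the text is emitted in reports, "so this CVE is ignored" (or just the first clause) reads better.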
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593b..adef0461905 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,9 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
+CVE_STATUS[CVE-2013-4235] = "Ignored"
+CVE_STATUS_REASONING[CVE-2013-4235] = "Severity is low and marked as closed and won't fix."
 
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2016-15024] = "Ignored"
+CVE_STATUS_REASONING[CVE-2016-15024] = "This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index a4d10c30aa2..bd3e7f1fc88 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,7 +39,8 @@ SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
 # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "Patched"
+CVE_STATUS_REASONING[CVE-2008-0888] = "Patch applied to 6.0 source"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c4..7b1e8cd02a2 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,8 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "Patched"
+CVE_STATUS_REASONING[CVE-2013-4342] = "Fixed directly in git tree revision"
 
 inherit autotools update-rc.d systemd pkgconfig
 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 1930a40140b..60cd565fe81 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -25,11 +25,11 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
+CVE_STATUS[CVE-2018-13410] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-13410] = "Disputed and also Debian doesn't consider a vulnerability"
 
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13684] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2018-13684] = "Not for zip but for smart contract implementation for it"
 
 # Enable largefile support
 CFLAGS += "-DLARGE_FILE_SUPPORT"
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00c..91dba7466da 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -32,5 +32,5 @@ RPROVIDES:${PN} += "libnotify3"
 RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
-# -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "Ignored"
+CVE_STATUS_REASONING[CVE-2013-7381] = "-7381 is specific to the NodeJS bindings"
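Review bot: the reasoning "-7381 is specific to the NodeJS bindings" uses a shorthand that only made sense as a comment next to the CVE id; as a standalone CVE_STATUS_REASONING value it should spell out the subject, e.g. "The issue is specific to the NodeJS bindings". The builder and sqlite3 recipes elsewhere in this patch expand the same shorthand, so this is the one left behind.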
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb
index 59278d1b169..5f4fd79bc0e 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.54.5.bb
@@ -50,8 +50,8 @@ do_compile:prepend() {
     sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
 
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2018-1000041] = "Issue only applies on Windows"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63ff..e70b30a7639 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -30,4 +30,5 @@ do_install () {
 }
 
 # -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "Ignored"
+CVE_STATUS_REASONING[CVE-2008-4178] = "This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf76..189619d8715 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,19 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
+CVE_STATUS[CVE-2011-4613] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2011-4613] = "This is specific to Debian's xserver-wrapper.c"
+
 # As per upstream, exploiting this flaw is non-trivial and it requires exact
 # timing on the behalf of the attacker. Many graphical applications exit if their
 # connection to the X server is lost, so a typical desktop session is either
 # impossible or difficult to exploit. There is currently no upstream patch
 # available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+CVE_STATUS[CVE-2020-25697] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-25697] = "As per upstream, exploiting this flaw is non-trivial and it requires exact timing on the behalf of the attacker"
+
+CVE_STATUS[CVE-2022-3553] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2022-3553] = "This is specific to XQuartz, which is the macOS X server port"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b8..a7b12e3b57e 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "Ignored"
https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "Ignored"
https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "Ignored"
 
 
 # 2023
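Review bot: all three entries in this hunk are converted to "Ignored" although the retained comments say "Patched in kernel since v6.1" with the fixing commit id, and no CVE_STATUS_REASONING is added. Since the new scheme has a "Patched" status, these should become e.g. `CVE_STATUS[CVE-2022-3523] = "Patched"` with the existing comment text as the reasoning, so the report states the real situation rather than an ignore.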
@@ -26,11 +26,15 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-38457] = "Backported in version 6.1.7"
+CVE_STATUS[CVE-2022-40133] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-40133] = "Backported in version 6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "Ignored"
+CVE_STATUS_REASONING[CVE-2023-1075] = "Backported in version 6.1.11"
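Review bot: same mismatch as in the first hunk of this file: the reasoning strings say "Backported in version 6.1.7" and "Backported in version 6.1.11", i.e. the fix is present, yet the status is "Ignored" rather than "Patched".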
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf0..38e18542c21 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,5 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
 
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2019-17371] = "A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index f8a2482a848..499687207d1 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -16,14 +16,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2022-1210] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-1210] = "Issue is in jbig which we don't enable"
 
 inherit autotools multilib_header
 
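Review bot: the ignores for CVE-2015-7313 and for CVE-2022-1622/CVE-2022-1623 are dropped without replacement and without explanation, while every other recipe in the series converts its entries. The old comments give version-based reasons (4.3.0 unaffected; the issues exist only between 4.3.0 and 4.4.0), so either say in the commit message that NVD no longer matches 4.5.0, or carry them over as "Not applicable"/"Patched" with those comments as the reasoning.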
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb
index bf9d7cbd102..bf59069cfa5 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.1.bb
@@ -29,8 +29,10 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            "
 SRC_URI[sha256sum] = "ef14ae546b0084cd84259f61a55e07a38c3b53afc0f546bffcef2f01baffe9de"
 
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-12433] = "CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "Ignored"
+CVE_STATUS_REASONING[CVE-2018-12438] = "CVE is disputed and not affecting crypto libraries for any distro."
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.37.bb b/meta/recipes-support/libxslt/libxslt_1.1.37.bb
index 361bb0f8dc9..76f7a34d05a 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.37.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.37.bb
@@ -19,9 +19,8 @@ SRC_URI[sha256sum] = "3a4b27dc8027ccd6146725950336f1ec520928f320f144eb5fa7990ae6
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "Ignored"
+CVE_STATUS_REASONING[CVE-2022-29824] = "Static linking to libxml2 is not enabled."
 
 S = "${WORKDIR}/libxslt-${PV}"
 
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b09..97217781f42 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,8 @@ S = "${WORKDIR}/git"
 
 inherit ptest
 
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "Patched"
+CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than the current version."
 
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f557..6af884b58fe 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -7,8 +7,11 @@ SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
 
 # -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
+CVE_STATUS[CVE-2019-19242] = "Ignored"
+CVE_STATUS_REASONING[CVE-2019-19242] = "This CVE is only an issue in specific development branch commits"
+# https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA
+CVE_STATUS[CVE-2015-3717] = "Not applicable"
+CVE_STATUS_REASONING[CVE-2015-3717] = "This is believed to be iOS specific"
+# Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
+CVE_STATUS[CVE-2021-36690] = "Patched"
+CVE_STATUS_REASONING[CVE-2021-36690] = "Issue in an experimental extension we don't have/use."
-- 
2.40.1




* Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-05-19  9:17   ` Mikko Rapeli
  2023-05-19 13:09   ` Michael Opdenacker
                     ` (20 subsequent siblings)
  21 siblings, 0 replies; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-19  9:17 UTC (permalink / raw)
  To: andrej.valek; +Cc: openembedded-core, Peter Marko, docs, michael.opdenacker

Hi,

Looks good to me now. Thanks a lot!

Acked-by: Mikko Rapeli <mikko.rapeli@linaro.org>

Cheers,

-Mikko




* Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
  2023-05-19  9:17   ` Mikko Rapeli
@ 2023-05-19 13:09   ` Michael Opdenacker
  2023-05-19 13:19     ` Valek, Andrej
  2023-06-12 11:57   ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
                     ` (19 subsequent siblings)
  21 siblings, 1 reply; 73+ messages in thread
From: Michael Opdenacker @ 2023-05-19 13:09 UTC (permalink / raw)
  To: andrej.valek, openembedded-core; +Cc: Peter Marko

Hi Andrej,

On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows to add
> a status for each CVEs.
> - Optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added in csv/json report like
> a new "reason" entry.


I'm not a native English speaker, but what about just 
"CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?

"Reasoning" is a mental process if I understand correctly. See 
https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm. 
It seems to me that the term "reason" should be sufficient, as the 
"reason" flag that you're using.

I'd be interested in what others think about this...
Thanks in advance
Cheers

Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
  2023-05-19  6:56   ` Mikko Rapeli
  2023-05-19  7:44   ` Michael Opdenacker
@ 2023-05-19 13:11   ` Marta Rybczynska
  2023-05-20  7:43     ` Valek, Andrej
  2023-05-22  7:57     ` Mikko Rapeli
  2 siblings, 2 replies; 73+ messages in thread
From: Marta Rybczynska @ 2023-05-19 13:11 UTC (permalink / raw)
  To: andrej.valek; +Cc: openembedded-core, mikko.rapeli, Peter Marko


Thank you for this work. I think we are going in a good direction. My
comments in the text.

In general, I would like us to come up with a fixed list of possible
statuses and avoid adding new ones too frequently. Changing them will break
my parsing and status scripts each time.


On Fri, May 19, 2023 at 8:24 AM Andrej Valek via lists.openembedded.org
<andrej.valek=siemens.com@lists.openembedded.org> wrote:

> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows to add
> a status for each CVEs.
>

I'm missing a status to cover the situation when the NVD (or any other
database) has an incorrect entry. We have quite many of those. This might
be a temporary situation, but not always.

SPDX (the 3.0 draft) has some other possible reasons
https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
What looks like interesting ideas are:
* "Can't fix" / "Will not fix"
* "Not applicable" (SPDX language: Ineffective) when the code is not used
* "Invalid match" (this is our NVD mismatch case)
* "Mitigated" measures taken so that it cannot be exploited
* "Workarounded"

There is still one big missing part: related to configuration options. It
could be used with "Not applicable"/"Ineffective" code, but only in cases
where it is not possible to activate the code. If the user can switch
between vulnerable/not vulnerable versions by a packageconfig change or so,
this is not covered.

Additional question: why CVE_STATUS_REASONING and not CVE_STATUS_REASON?
(reason variable is used nearly everywhere)


> diff --git a/meta/classes/cve-check.bbclass
> b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..44462de7445 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
>  # Skip CVE Check for packages (PN)
>  CVE_CHECK_SKIP_RECIPE ?= ""
>
> -# Ingore the check for a given list of CVEs. If a CVE is found,
> -# then it is considered patched. The value is a string containing
> -# space separated CVE values:
> +# Replace NVD DB check status for a given CVE. Each of CVE has to be
> mentioned
> +# separately with optional reason for this status.
>  #
> -# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
> +# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
> +# CVE_STATUS[CVE-1234-0002] = "Not applicable"
> +# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
>  #
> +# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
> +# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
>  CVE_CHECK_IGNORE ?= ""
>
>  # Layers to be excluded
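Review bot: the comment block documents CVE_STATUS and CVE_STATUS_REASONING but not CVE_STATUS_GROUPS with its "status"/"reason" flags, which the anonymous python in the next hunk consumes; add an example alongside the others, e.g. `CVE_STATUS_GROUPS = "CVE_STATUS_WIN"`, `CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"`, `CVE_STATUS_WIN[status] = "Not applicable"`, and state whether a CVE listed in the deprecated CVE_CHECK_IGNORE overrides or is overridden by an explicit CVE_STATUS entry.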
> @@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>  # set to "alphabetical" for version using single alphabetical character
> as increment release
>  CVE_VERSION_SUFFIX ??= ""
>
> +python () {
> +    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
> +    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
> +    if cve_check_ignore:
> +        bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS
> instead")
> +        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
> +
> +    # Process CVE_STATUS_GROUPS to set multiple statuses and optional
> reasons at once
> +    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> +        set_cves_statuses(d, d.getVar(cve_status_group) or "",
> +                          d.getVarFlag(cve_status_group, "status"),
> +                          d.getVarFlag(cve_status_group, "reason"))
> +}
> +
> +def set_cves_statuses(d, cves, status, reason=""):
> +    for cve in cves.split():
> +        d.setVarFlag("CVE_STATUS", cve, status)
> +        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
> +
>  def generate_json_report(d, out_path, link_path):
>      if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>          import json
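Review bot: set_cves_statuses() does no validation, so a group that is missing its "status" flag stores None as the CVE_STATUS flag (d.getVarFlag() returns None for an absent flag) and the problem only surfaces later in check_cves() as "Unsupported status None" without naming the group; validate the status in set_cves_statuses(), or in the anonymous function before calling it, so a bad group is reported at parse time with its name. Also, the CVE_CHECK_IGNORE fallback unconditionally overwrites any CVE_STATUS flag a recipe already set for the same CVE, which will bite during migration when a recipe sets CVE_STATUS while a .bbappend still adds to CVE_CHECK_IGNORE.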
> @@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
>          bb.note("Recipe has been skipped by cve-check")
>          return ([], [], [], [])
>
> -    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
> +    # Convert CVE_STATUS into ignored CVEs and check validity
> +    cve_ignore = []
> +    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> +        if status in ["Not applicable", "Ignored"]:
> +            cve_ignore.append(cve)
> +        elif status not in ["Patched"]:
> +            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status,
> cve))
>
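Review bot: this validation runs at do_cve_check time, after parsing, and compares case-sensitively, so a recipe with `CVE_STATUS[CVE-x] = "ignored"` parses cleanly and only fails when cve-check actually runs on that recipe; the anonymous python above already walks the statuses and could report this at parse time. Note also that a "Patched" status passes the check but is neither added to cve_ignore nor to patched_cves here, so it currently has no effect on the result.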
I do not see this entry added into the "Patched" list.

IMO it would be better to handle Patched separately, and then have a complete "else"
for all other reasons. That allows avoiding hard-coding all possible options.


>
>      import sqlite3
>      db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
> @@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched,
> ignored, cve_data):
>          else:
>              unpatched_cves.append(cve)
>              write_string += "CVE STATUS: Unpatched\n"
> +        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
> +        if reasoning:
> +            write_string += "CVE REASON: %s\n" % reasoning
>
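Review bot: the reasoning is looked up with d.getVarFlag("CVE_STATUS_REASONING", cve) for every CVE in the loop, independent of whether CVE_STATUS has an entry for it, so a leftover CVE_STATUS_REASONING whose CVE_STATUS line was removed prints a "CVE REASON:" line under an Unpatched entry; only emit the reason when d.getVarFlag("CVE_STATUS", cve) is set, or warn about the orphaned flag.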

Do we want adding new features to the (deprecated) text output?

Kind regards,
Marta

>
>



* Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19 13:09   ` Michael Opdenacker
@ 2023-05-19 13:19     ` Valek, Andrej
  2023-05-23 11:39       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-05-19 13:19 UTC (permalink / raw)
  To: openembedded-core, michael.opdenacker; +Cc: Marko, Peter

Hello Michael,

I wanted to use "CVE_STATUS_REASON", but it was advised here
https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So
I was thinking that it has to be correct.

Regards,
Andrej

On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
> 
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> > more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> > values "Ignored", "Not applicable" or "Patched". It allows adding
> > a status for each CVE.
> > - Optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added in the csv/json report as
> > a new "reason" entry.
> 
> 
> I'm not a native English speaker, but what about just 
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
> 
> "Reasoning" is a mental process if I understand correctly. See 
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm. 
> It seems to me that the term "reason" should be sufficient, as the 
> "reason" flag that you're using.
> 
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
> 
> Michael.
> 



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19 13:11   ` Marta Rybczynska
@ 2023-05-20  7:43     ` Valek, Andrej
  2023-05-22  7:57     ` Mikko Rapeli
  1 sibling, 0 replies; 73+ messages in thread
From: Valek, Andrej @ 2023-05-20  7:43 UTC (permalink / raw)
  To: rybczynska; +Cc: openembedded-core, mikko.rapeli, Marko, Peter


Hello Marta,

On Fri, 2023-05-19 at 15:11 +0200, Marta Rybczynska wrote:
Thank you for this work. I think we are going in a good direction. My comments in the text.

In general, I would like that we come with the fixed list of possible statuses and avoid adding new ones too frequently. Changing them will break my parsing and status scripts each time.


On Fri, May 19, 2023 at 8:24 AM Andrej Valek via lists.openembedded.org <andrej.valek=siemens.com@lists.openembedded.org> wrote:
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.


I'm missing a status to cover the situation when the NVD (or any other database) has an incorrect entry. We have quite many of those. This might be a temporary situation, but not always.

SPDX (the 3.0 draft) has some other possible reasons https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
What looks like interesting ideas are:
* "Can't fix" / "Will not fix"
* "Not applicable" (SPDX language: Ineffective) when the code is not used
* "Invalid match" (this is our NVD mismatch case)
* "Mitigated" measures taken so that it cannot be exploited
* "Workarounded"

I would say "Ignored", "Not applicable" or "Patched" are enough, because everything important is covered. Of course we can extend some keywords in the future, but we shouldn't confuse users.

There is still one big missing part: related to configuration options. It could be used with "Not applicable"/"Ineffective" code, but only in cases where it is not possible to activate the code. If the user can switch between vulnerable/not vulnerable versions by a packageconfig change or so, this is not covered.

Additional question: why CVE_STATUS_REASONING and not CVE_STATUS_REASON ? (reason variable is used nearly everywhere)

See explanation here: https://lists.openembedded.org/g/openembedded-core/message/181551 . Once we have a decision, I can change it.


diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..44462de7445 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""

-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
+# CVE_STATUS[CVE-1234-0002] = "Not applicable"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""

 # Layers to be excluded
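Review bot: the new comment block should say that status values are matched literally, because the check_cves hunk compares against the exact strings "Not applicable", "Ignored" and "Patched" (case and spacing matter, and anything else is a bb.error, not a silent no-op). It should also spell out what the deprecation does in practice: the anonymous python converts every CVE_CHECK_IGNORE entry to CVE_STATUS[cve] = "Ignored" with an empty reason and warns on each parse, which is the migration incentive the sentence "Keep CVE_CHECK_IGNORE until other layers migrate" only hints at.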
@@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""

+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
+        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        set_cves_statuses(d, d.getVar(cve_status_group) or "",
+                          d.getVarFlag(cve_status_group, "status"),
+                          d.getVarFlag(cve_status_group, "reason"))
+}
+
+def set_cves_statuses(d, cves, status, reason=""):
+    for cve in cves.split():
+        d.setVarFlag("CVE_STATUS", cve, status)
+        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
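Review bot: set_cves_statuses() writes CVE_STATUS_REASONING unconditionally, so a group without a "reason" flag stores None rather than "" (d.getVarFlag returns None), and a group without a "status" flag stores CVE_STATUS[cve] = None, which only surfaces later in check_cves as "Unsupported status None in CVE_STATUS[...]"; skip the reason when it is empty and bb.error right here when d.getVarFlag(cve_status_group, "status") is missing. A later group, or the CVE_CHECK_IGNORE fallback, also silently overwrites any CVE_STATUS flag the recipe already set for the same CVE, since the anonymous python runs after the recipe is parsed; at least warn when an existing status is replaced with a different value. Minor: cve_check_ignore is already fetched, so pass it instead of calling d.getVar("CVE_CHECK_IGNORE") a second time.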
@@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])

-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status in ["Not applicable", "Ignored"]:
+            cve_ignore.append(cve)
+        elif status not in ["Patched"]:
+            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))

I do not see this entry added into the "Patched" list.

Of course this code is not covering "Patched" ;). Check cve_check.py for how "Patched" is handled. The elif case is covering the typos.

IMO it would be better to handle Patched separately, and then a complete "else" for all other reasons. That allows avoiding hard-coding all possible options.


     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
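Review bot: "Patched" passes `elif status not in ["Patched"]` but is never recorded in this function, so check_cves() depends on cve_check.py having added it to patched_cves, which is handed in as a parameter; either add an explicit `elif status == "Patched": patched_cves.add(cve)` branch or leave a comment pointing at where that happens, and turn the remaining branch into a plain `else:` so each accepted value is named exactly once. The error message should also list the accepted values, so a typo such as "Ignore" is obvious from the log rather than only from the CVE staying in the unpatched report.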
@@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         else:
             unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
+        reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if reasoning:
+            write_string += "CVE REASON: %s\n" % reasoning
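Review bot: only cve_write_data_text() is touched, but the commit message promises the reason as a new "reason" entry in the csv/json report; those writers are not in the visible hunks, so confirm they carry the same field under the same name. The key emitted here is "CVE REASON" while the variable is CVE_STATUS_REASONING; pick one term so the parsing scripts Marta mentions do not have to special-case the text report.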


Do we want to add new features to the (deprecated) text output?

Is "reasoning/reason" deprecated? We're just adding a new entry.

Kind regards,
Marta


Regards,
Andrej


* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19 13:11   ` Marta Rybczynska
  2023-05-20  7:43     ` Valek, Andrej
@ 2023-05-22  7:57     ` Mikko Rapeli
  2023-05-23  8:41       ` Valek, Andrej
  1 sibling, 1 reply; 73+ messages in thread
From: Mikko Rapeli @ 2023-05-22  7:57 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: andrej.valek, openembedded-core, Peter Marko

Hi,

On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote:
> I'm missing a status to cover the situation when the NVD (or any other
> database) has an incorrect entry. We have quite many of those. This might
> be a temporary situation, but not always.
> 
> SPDX (the 3.0 draft) has some other possible reasons
> https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
> What looks like interesting ideas are:
> * "Can't fix" / "Will not fix"
> * "Not applicable" (SPDX language: Ineffective) when the code is not used
> * "Invalid match" (this is our NVD mismatch case)
> * "Mitigated" measures taken so that it cannot be exploited
> * "Workarounded"

To me the SPDX details don't seem very usable when actually maintaining
a linux distro for a long time. Anyone from major Linux distro
stable/security teams participating in the work?

So I'd rather compare to Debian security tracker CVE status data and ask
what our LTS and master branch maintainers and those in the community
who maintain yocto based SW stacks need. Do the maintainers want to read
SPDX output, for example? What common statuses do the maintainers want to
encode for each CVE?

Debian security tracker https://security-team.debian.org/security_tracker.html
shows states:

 * vulnerable: binary package with specified version in their distro
   version is vulnerable to the issue

 * fixed: binary package in their distro version has fixed the issue

 * undetermined: it is not yet clear if the issue affects Debian and
   their version of the packages

And "vulnerable" has sub states:

 * ignored: the issue does not impact Debian packages

 * postponed: no security patch updates will be provided, e.g. such a
   minor issue that update will happen for example via normal package
   version updates to next stable version

There are a lot of additional "standards" and sub states when looking at
CVE data in the tracker (info not public, no upstream fix available, not
supported configuration etc), but those major high level states are enough.
And then there are security relevant bugs without CVEs.

I've been happy with "Unpatched", "Patched" and "Ignored" states for
each CVE detected by cve-check.bbclass. There could be a few more sub
states to "Ignored", and the "Patched" state should better reflect reality,
which this patch set helps with. But I'm happy with that.

I'm not so happy with the SPDX states names and meanings.

Cheers,

-Mikko



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-22  7:57     ` Mikko Rapeli
@ 2023-05-23  8:41       ` Valek, Andrej
  2023-05-29  7:32         ` Valek, Andrej
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-05-23  8:41 UTC (permalink / raw)
  To: richard.purdie; +Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter

Hello Richard,

Could you please take a look at the latest revision and make a decision there?
There are still a bunch of unclear statements. So please make a final design and
we will try to implement it.

Thank you,
Andrej

On Mon, 2023-05-22 at 10:57 +0300, Mikko Rapeli wrote:
> Hi,
> 
> On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote:
> > I'm missing a status to cover the situation when the NVD (or any other
> > database) has an incorrect entry. We have quite many of those. This might
> > be a temporary situation, but not always.
> > 
> > SPDX (the 3.0 draft) has some other possible reasons
> > https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
> > What looks like interesting ideas are:
> > * "Can't fix" / "Will not fix"
> > * "Not applicable" (SPDX language: Ineffective) when the code is not used
> > * "Invalid match" (this is our NVD mismatch case)
> > * "Mitigated" measures taken so that it cannot be exploited
> > * "Workarounded"
> 
> To me the SPDX details don't seem very usable when actually maintaining
> a linux distro for a long time. Anyone from major Linux distro
> stable/security teams participating in the work?
> 
> So I'd rather compare to Debian security tracker CVE status data and ask
> what our LTS and master branch maintainers and those in the community
> who maintain yocto based SW stacks need. Do the maintainers want to read
> SPDX output, for example? What common statuses do the maintainers want to
> encode for each CVE?
> 
> Debian security tracker https://security-team.debian.org/security_tracker.html
> shows states:
> 
>  * vulnerable: binary package with specified version in their distro
>    version is vulnerable to the issue
> 
>  * fixed: binary package in their distro version has fixed the issue
> 
>  * undetermined: it is not yet clear if the issue affects Debian and
>    their version of the packages
> 
> And "vulnerable" has sub states:
> 
>  * ignored: the issue does not impact Debian packages
> 
>  * postponed: no security patch updates will be provided, e.g. such a
>    minor issue that update will happen for example via normal package
>    version updates to next stable version
> 
> There are a lot of additional "standards" and sub states when looking at
> CVE data in the tracker (info not public, no upstream fix available, not
> supported configuration etc), but those major high level states are enough.
> And then there are security relevant bugs without CVEs.
> 
> I've been happy with "Unpatched", "Patched" and "Ignored" states for
> each CVE detected by cve-check.bbclass. There could be a few more sub
> states to "Ignored", and the "Patched" state should better reflect reality,
> which this patch set helps with. But I'm happy with that.
> 
> I'm not so happy with the SPDX states names and meanings.
> 
> Cheers,
> 
> -Mikko



* RE: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19 13:19     ` Valek, Andrej
@ 2023-05-23 11:39       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  0 siblings, 0 replies; 73+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-05-23 11:39 UTC (permalink / raw)
  To: andrej.valek, openembedded-core, michael.opdenacker, richard.purdie
  Cc: Marko, Peter


Hello Richard and Andrej,

Recently, I have observed that the OpenEmbedded team is going beyond the "patched" status for CVEs. This change is required and helps to capture additional statuses.
We can identify and define the reason for a whitelisted CVE or a CVE that is not "patched".

Customers can get this reason and identify whether their product is vulnerable or not with a specific vulnerability.

VEX is the standard tool used by many customers to check the vulnerability of the product.
I suggest we adopt the VEX standard instead of "Ignored" or "Not applicable".
○ NOT AFFECTED – No remediation is required regarding this vulnerability. 
○ AFFECTED – Actions are recommended to remediate or address this vulnerability. 
○ FIXED – These product versions contain a fix for the vulnerability. 
○ UNDER INVESTIGATION – It is not yet known whether these product versions are affected by the vulnerability. An update will be provided in a later release.

The four main categories of the VEX standard cover all possible cases.
We can expand cve-check to validate the main VEX statuses, and we can use the sub-status information as a possible reason for reference.

Please find below reference information on how VEX and SBOM can work together:
https://www.rezilion.com/guides/vulnerability-exploitability-exchange-vex-a-guide/

More information on VEX standards and use cases:
https://www.cisa.gov/sites/default/files/publications/VEX_Use_Cases_Aprill2022.pdf

Thanks,
Sanjay

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Friday, May 19, 2023 6:49 PM
To: openembedded-core@lists.openembedded.org; michael.opdenacker@bootlin.com
Cc: Marko, Peter <Peter.Marko@siemens.com>
Subject: Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs

Hello Michael,

I wanted to use "CVE_STATUS_REASON", but it was advised here
https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard. So I was thinking that it has to be correct.

Regards,
Andrej

On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
> 
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING]
> > to be more flexible. CVE_STATUS should contain a flag for each CVE
> > with accepted values "Ignored", "Not applicable" or "Patched". It
> > allows adding a status for each CVE.
> > - Optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added in the csv/json report
> > as a new "reason" entry.
> 
> 
> I'm not a native English speaker, but what about just 
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
> 
> "Reasoning" is a mental process if I understand correctly. See 
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm.
> It seems to me that the term "reason" should be sufficient, as the 
> "reason" flag that you're using.
> 
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
> 
> Michael.
> 



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-23  8:41       ` Valek, Andrej
@ 2023-05-29  7:32         ` Valek, Andrej
  2023-05-30 10:12           ` Richard Purdie
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-05-29  7:32 UTC (permalink / raw)
  To: richard.purdie; +Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter

Hello again Richard,

Maybe this email was a little bit unclear..., so I will try to recap it here.
There are 2 open points, where some final decision has to be made.

- Could we rename CVE_STATUS_REASONING -> CVE_STATUS_REASON? The first idea
came from you.
- What is the final enum for CVE_STATUS? I would say "patched" and "ignored".
Afaik, the "not applicable" status also came from you. Should we keep it, or
remove it? Of course all others are just additions which could be
implemented later on request.

So please take a look at it and make a final decision.

Thank you,
Andrej

On Tue, 2023-05-23 at 10:41 +0200, Valek Andrej wrote:
> Hello Richard,
> 
> Could you please take a look at the latest revision and make a decision there?
> There are still a bunch of unclear statements. So please make a final design and
> we will try to implement it.
> 
> Thank you,
> Andrej
> 
> On Mon, 2023-05-22 at 10:57 +0300, Mikko Rapeli wrote:
> > Hi,
> > 
> > On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote:
> > > I'm missing a status to cover the situation when the NVD (or any other
> > > database) has an incorrect entry. We have quite many of those. This might
> > > be a temporary situation, but not always.
> > > 
> > > SPDX (the 3.0 draft) has some other possible reasons
> > > https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
> > > What looks like interesting ideas are:
> > > * "Can't fix" / "Will not fix"
> > > * "Not applicable" (SPDX language: Ineffective) when the code is not used
> > > * "Invalid match" (this is our NVD mismatch case)
> > > * "Mitigated" measures taken so that it cannot be exploited
> > > * "Workarounded"
> > 
> > To me the SPDX details don't seem very usable when actually maintaining
> > a linux distro for a long time. Anyone from major Linux distro
> > stable/security teams participating in the work?
> > 
> > So I'd rather compare to Debian security tracker CVE status data and ask
> > what our LTS and master branch maintainers and those in the community
> > who maintain yocto based SW stacks need. Do the maintainers want to read
> > SPDX output, for example? What common statuses do the maintainers want to
> > encode for each CVE?
> > 
> > Debian security tracker
> > https://security-team.debian.org/security_tracker.html
> > shows states:
> > 
> >  * vulnerable: binary package with specified version in their distro
> >    version is vulnerable to the issue
> > 
> >  * fixed: binary package in their distro version has fixed the issue
> > 
> >  * undetermined: it is not yet clear if the issue affects Debian and
> >    their version of the packages
> > 
> > And "vulnerable" has sub states:
> > 
> >  * ignored: the issue does not impact Debian packages
> > 
> >  * postponed: no security patch updates will be provided, e.g. such a
> >    minor issue that update will happen for example via normal package
> >    version updates to next stable version
> > 
> > There are a lot of additional "standards" and sub states when looking at
> > CVE data in the tracker (info not public, no upstream fix available, not
> > supported configuration etc), but those major high level states are enough.
> > And then there are security relevant bugs without CVEs.
> > 
> > I've been happy with "Unpatched", "Patched" and "Ignored" states for
> > each CVE detected by cve-check.bbclass. There could be a few more sub
> > states to "Ignored", and the "Patched" state should better reflect reality,
> > which this patch set helps with. But I'm happy with that.
> > 
> > I'm not so happy with the SPDX states names and meanings.
> > 
> > Cheers,
> > 
> > -Mikko
> 



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-29  7:32         ` Valek, Andrej
@ 2023-05-30 10:12           ` Richard Purdie
  2023-06-02 21:10             ` adrian.freihofer
  0 siblings, 1 reply; 73+ messages in thread
From: Richard Purdie @ 2023-05-30 10:12 UTC (permalink / raw)
  To: Valek, Andrej; +Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter

On Mon, 2023-05-29 at 07:32 +0000, Valek, Andrej wrote:
> Hello again Richard,
> 
> Maybe this email was a little bit unclear..., so I will try to recap it here.
> There are 2 open points, where some final decision has to be made.
> 
> - Could we rename CVE_STATUS_REASONING -> CVE_STATUS_REASON? The first idea
> came from you.
> - What is the final enum for CVE_STATUS? I would say "patched" and "ignored".
> Afaik, the "not applicable" status also came from you. Should we keep it, or
> remove it? Of course all others are just additions which could be
> implemented later on request.
> 
> So please take a look at it and make a final decision.

Whilst it is true that I get to make a final decision on whether to
merge a patch or not (for better or worse), what we need here is a
community consensus about what we need to do. Usually that is done with
a proposal which gets tweaked until there aren't strong objections to
it and a majority are in agreement.

If we do change, we need to get it right as we can't keep changing. We
also need to be mindful that the LTS releases are more closely coupled
in this area. That said, we need to get things right for master, then
work out how to work with the LTSes.

I think we're all in agreement we need to do something more than what
we currently have as it isn't scaling as we need.

FWIW I'm not sold on CVE_STATUS_REASON*, how about CVE_STATUS_DETAIL?

My original concern with "ignored" also remains. I'd really like to
encode more detail about why we think it can be ignored.

For example, this set of values would seem to match the common reasons
we see:

patched - we carry a patch meaning the CVE has been fixed

cpe-incorrect - the CPE entry versioning is incorrect and our version (and newer versions) are fixed. An update to the database is hopefully pending.

cpe-stable-backport - the CPE entry doesn't cover backports to stable series but patches are applied there (e.g. kernel LTS versions)

not-applicable-platform - the platform isn't applicable for us (e.g. windows or OS-X)

upstream-wontfix - the upstream maintainers don't believe the issue needs to be fixed

not-applicable-config - our configuration means the issue isn't enabled/present/applicable

other - CVE doesn't apply for some other reason

The reason for having these different categories is it means people can
group and act upon them differently. If you were building on windows,
you'd take a close look at the platform ones. If you were changing
kernels, you'd know cpe-stable-backport was potentially incorrect. If
you're changing PACKAGECONFIG, you'd take a closer look at
not-applicable-configuration.

I'm not 100% sure I have all the right categories but I'm trying to
articulate my own thoughts having written a number of the exclusions.
I'd be interested to understand if the above works for others. The
challenge is we all have different reasons and uses for the data.

Cheers,

Richard



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-05-30 10:12           ` Richard Purdie
@ 2023-06-02 21:10             ` adrian.freihofer
  2023-06-02 21:27               ` Richard Purdie
  0 siblings, 1 reply; 73+ messages in thread
From: adrian.freihofer @ 2023-06-02 21:10 UTC (permalink / raw)
  To: Richard Purdie, Valek, Andrej
  Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter, schitrod

Hi

I like the VEX proposal from Sanjay.

- It is a standard that can be supported by many tools and requested by
customers. One use case I see is where a vendor sells a product with an
SBOM. The customer can then match the open vulnerabilities to the
current state of the NIST database using a standard tool based on SBOM.
Aligning the categories to a standard would be helpful for this.
(Yocto's CVE check is great for Yocto, but cannot be used independently
of Yocto.)
- A minimum number of categories is defined. All details can be added
to the REASON variable.

Regards,
Adrian




* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-06-02 21:10             ` adrian.freihofer
@ 2023-06-02 21:27               ` Richard Purdie
  2023-06-04  9:59                 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  0 siblings, 1 reply; 73+ messages in thread
From: Richard Purdie @ 2023-06-02 21:27 UTC (permalink / raw)
  To: adrian.freihofer, Valek, Andrej
  Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter, schitrod

On Fri, 2023-06-02 at 23:10 +0200, adrian.freihofer@gmail.com wrote:
> I like the VEX proposal from Sanjay.
> 
> - It is a standard that can be supported by many tools and requested by
> customers. One use case I see is where a vendor sells a product with an
> SBOM. The customer can then match the open vulnerabilities to the
> current state of the NIST database using a standard tool based on SBOM.
> Aligning the categories to a standard would be helpful for this.
> (Yocto's CVE check is great for Yocto, but cannot be used independently
> of Yocto.)
> - A minimum number of categories is defined. All details can be added
> to the REASON variable.

I think you could map some of the status items I proposed to VEX
statuses but I'm not convinced it makes sense to go directly to that.

Anything we don't have a status for is effectively "under
investigation", anything we don't list is fixed or not affected and if
we know something is affected, a fix would likely follow very quickly.
The data set doesn't really fit what we're able to do or the workflows
we can follow, even if it is what some product customers would want to
know. Part of the issue is we're not the actual product here.

Cheers,

Richard



* RE: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
  2023-06-02 21:27               ` Richard Purdie
@ 2023-06-04  9:59                 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  2023-06-21  7:52                   ` Richard Purdie
  0 siblings, 1 reply; 73+ messages in thread
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-06-04  9:59 UTC (permalink / raw)
  To: Richard Purdie, adrian.freihofer, Valek, Andrej
  Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter

Hi Richard,

Thank you for the acknowledgement of my proposal.
Please consider my additional input for the VEX standard.

There are four main VEX standard statuses in total:
- Fixed
- Affected
- Not Affected
- Under Investigation

Out of the 4 standard statuses we can adopt Fixed and Not Affected for CVE fixing,
as these two statuses will never get changed for a specific package and CVE.

Regarding the CVE status of community and VEX standard, we can map like following:

Existing Status | VEX adoption
----------------|--------------
Patched         | Fixed
Ignore          | Not Affected
Not required    | Not Affected

The remaining two statuses, Affected and Under Investigation, would change with time as follows:
* Under Investigation:
- When any new CVE is reported against any package, then by default it would go with the "under investigation" status
- until we make the final status fixed/not affected/affected after our final investigation of the specific CVE.
* Affected:
- The affected status would be a temporary status until we find the actual fix for the CVE.
- Once we have a fix for the CVE, the status would be fixed/not affected, which we can input into our recipe.

Thanks,
Sanjay

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Richard Purdie
Sent: Saturday, June 3, 2023 2:57 AM
To: adrian.freihofer@gmail.com; Valek, Andrej <andrej.valek@siemens.com>
Cc: rybczynska@gmail.com; openembedded-core@lists.openembedded.org; mikko.rapeli@linaro.org; Marko, Peter <Peter.Marko@siemens.com>; Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) <schitrod@cisco.com>
Subject: Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

On Fri, 2023-06-02 at 23:10 +0200, adrian.freihofer@gmail.com wrote:
> I like the VEX proposal from Sanjay.
> 
> - It is a standard that can be supported by many tools and requested 
> by customers. One use case I see is where a vendor sells a product 
> with an SBOM. The customer can then match the open vulnerabilities to 
> the current state of the NIST database using a standard tool based on SBOM.
> Aligning the categories to a standard would be helpful for this.
> (Yocto's CVE check is great for Yocto, but cannot be used 
> independently of Yocto.)
> - A minimum number of categories is defined. All details can be added 
> to the REASON variable.

I think you could map some of the status items I proposed to VEX statuses but I'm not convinced it makes sense to go directly to that.

Anything we don't have a status for is effectively "under investigation", anything we don't list is fixed or not affected and if we know something is affected, a fix would likely follow very quickly.
The data set doesn't really fit what we're able to do or the workflows we can follow, even if it is what some product customers would want to know. Part of the issue is we're not the actual product here.

Cheers,

Richard


* [OE-core][PATCH v5 0/2] CVE-check handling
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
  2023-05-19  9:17   ` Mikko Rapeli
  2023-05-19 13:09   ` Michael Opdenacker
@ 2023-06-12 11:57   ` Andrej Valek
  2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (18 subsequent siblings)
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:57 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

After discussion in all parallel threads we proposed the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.

Please guide us on which direction we need to go to get further with acceptance of this patch series.
The CVE_CHECK_IGNORE variable is now deprecated in favor of the CVE_STATUS variable.
The variable contains the same values as before ("Ignored", "Patched"
and "Unpatched"). The previous implementation has been extended by two
additional optional variables, CVE_STATUS_DETAIL and CVE_STATUS_DESCRIPTION.

 meta/classes/cve-check.bbclass                | 89 ++++++++++++++++---
 meta/lib/oe/cve_check.py                      |  6 ++
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 ++++--
 .../logrotate/logrotate_3.21.0.bb             |  7 +-
 4 files changed, 109 insertions(+), 19 deletions(-)

-- 
2.40.1




* [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (2 preceding siblings ...)
  2023-06-12 11:57   ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
@ 2023-06-12 11:57   ` Andrej Valek
  2023-06-15 12:47     ` Richard Purdie
  2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
                     ` (17 subsequent siblings)
  21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:57 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_DETAIL] +
[CVE_STATUS_DESCRIPTION] to be more flexible. CVE_STATUS should
contain a flag for each CVE with accepted values "Ignored", "Patched"
or "Unpatched". It allows adding a status for each CVE.
- The optional CVE_STATUS_DETAIL flag variable may contain a detailed
status. Possible options for each status:
- Patched
 - fixed-version, backported-patch, cpe-stable-backport or other
- Unpatched
 - vulnerable-investigating or other
- Ignored
 - cpe-incorrect, not-applicable-platform, upstream-wontfix,
   not-applicable-config, not-affected or other
- The optional CVE_STATUS_DESCRIPTION flag variable may contain the reason
why the CVE status was used. Both optional values are added to the csv/json
report as new "detail" and "description" entries.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
CVE_STATUS[CVE-1234-0002] = "Ignored"
CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Ignored"
CVE_STATUS_WIN[detail] = "not-applicable-platform"
CVE_STATUS_WIN[description] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[detail] = "fixed-version"
CVE_STATUS_PATCHED[description] = "Fixed externally"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 89 +++++++++++++++++++++++++++++-----
 meta/lib/oe/cve_check.py       |  6 +++
 2 files changed, 83 insertions(+), 12 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..62676ba5bc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,16 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
+# CVE_STATUS[CVE-1234-0002] = "Ignored"
+# CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
+# CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
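Review bot: the header comment only documents the per-CVE CVE_STATUS / CVE_STATUS_DETAIL / CVE_STATUS_DESCRIPTION flags, but the same patch introduces CVE_STATUS_GROUPS with its [status], [detail] and [description] flags and that form is not mentioned anywhere in the class. Add the group form to this comment, and list the accepted detail keywords here rather than only in the commit message, since this comment is what recipe authors will actually read.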
@@ -88,6 +92,47 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+        set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        cve_group = d.getVar(cve_status_group)
+        if cve_group is not None:
+            set_cves_statuses(d, cve_group,
+                              d.getVarFlag(cve_status_group, "status"),
+                              d.getVarFlag(cve_status_group, "detail"),
+                              d.getVarFlag(cve_status_group, "description"))
+        else:
+            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
+def set_cves_statuses(d, cves, status, detail="", description=""):
+    for cve in cves.split():
+        d.setVarFlag("CVE_STATUS", cve, status)
+        d.setVarFlag("CVE_STATUS_DETAIL", cve, detail)
+        d.setVarFlag("CVE_STATUS_DESCRIPTION", cve, description)
+
+def get_cve_detail(d, cve, status):
+    detail = d.getVarFlag("CVE_STATUS_DETAIL", cve)
+    if detail is not None:
+        if status == "Patched":
+            if detail in ["fixed-version", "backported-patch", "cpe-stable-backport", "other"]:
+                return detail
+        elif status == "Unpatched":
+            if detail in ["vulnerable-investigating", "other"]:
+                return detail
+        else:
+            if detail in ["cpe-incorrect", "not-applicable-platform", "upstream-wontfix",
+                        "not-applicable-config", "not-affected", "other"]:
+                return detail
+        bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s"' % (detail, cve, status))
+    return ""
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
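Review bot: get_cve_detail() hard-codes the accepted keywords per status and its final else branch treats every status that is not "Patched" or "Unpatched" as "Ignored", so an invalid status value is silently validated against the Ignored keyword list. A single dict such as `{"Patched": [...], "Unpatched": [...], "Ignored": [...]}` with an explicit `status not in` check would keep the tables in one place and make the unsupported-status case visible here as well. Separately, set_cves_statuses() overwrites an existing CVE_STATUS flag without any notice, so a CVE that appears both in CVE_CHECK_IGNORE and in a CVE_STATUS_GROUPS group gets whichever entry is processed last; a bb.warn on overwrite would surface conflicting entries.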
@@ -282,7 +327,13 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Ignored":
+            cve_ignore.append(cve)
+        elif status not in ["Patched", "Unpatched"]:
+            bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
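Review bot: the bb.error() for an unsupported status does not abort the task, so a CVE with a misspelled or differently cased status (e.g. "ignored") is neither ignored nor patched and ends up reported as Unpatched. That is the safe direction, but it is easy to miss in a long build log; either use bb.fatal() here, since this is a recipe misconfiguration, or state in the header comment that such entries fall back to Unpatched. Note also that a status of "Unpatched" has no effect on the result beyond adding the detail/description lines to the report, which is worth documenting.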
@@ -441,20 +492,28 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         is_patched = cve in patched
         is_ignored = cve in ignored
 
+        status = "Unpatched"
         if (is_patched or is_ignored) and not report_all:
             continue
+        if is_ignored:
+            status = "Ignored"
+        elif is_patched:
+            status = "Patched"
+        else:
+            # default value of status is Unpatched
+            unpatched_cves.append(cve)
 
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if is_ignored:
-            write_string += "CVE STATUS: Ignored\n"
-        elif is_patched:
-            write_string += "CVE STATUS: Patched\n"
-        else:
-            unpatched_cves.append(cve)
-            write_string += "CVE STATUS: Unpatched\n"
+        write_string += "CVE STATUS: %s\n" % status
+        detail = get_cve_detail(d, cve, status)
+        if detail:
+            write_string += "CVE DETAIL: %s\n" % detail
+        description = d.getVarFlag("CVE_STATUS_DESCRIPTION", cve)
+        if description:
+            write_string += "CVE DESCRIPTION: %s\n" % description
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
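Review bot: get_cve_detail() is called once here and again in cve_write_data_json(), so an invalid detail keyword now produces the same bb.warn twice per CVE per recipe. Validate the detail once in check_cves() next to the existing status check and let the writers just read the flag, or have get_cve_detail() return the value without warning and do the warning in one place. Also, because the `continue` for patched/ignored CVEs stays ahead of the new lines, the "CVE DETAIL:" and "CVE DESCRIPTION:" lines for those entries only reach the text report when report_all is set.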
@@ -576,6 +635,12 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        detail = get_cve_detail(d, cve, status)
+        if detail:
+            cve_item["detail"] = detail
+        description = d.getVarFlag("CVE_STATUS_DESCRIPTION", cve)
+        if description:
+            cve_item["description"] = description
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
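Review bot: the JSON report gains two optional keys, "detail" and "description", but nothing else changes for consumers: the selftest in 2/2 has to probe with `"detail" in issue`, and there is no version bump or documented schema for the new keys. Either emit both keys always (empty string when unset) so the per-issue object has a fixed shape, or document them as optional in the cve-check documentation together with the accepted keyword list.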
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..f47dd9920e 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
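Review bot: the exact-string comparison `status == "Patched"` here is the third place this literal is spelled out (check_cves() and get_cve_detail() being the others), and this function runs before check_cves() validates the status, so a typo in a recipe's CVE_STATUS is not noticed here at all. A small helper in oe.cve_check that returns the validated status (or raises) and is used by all three call sites would keep them from drifting apart.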
-- 
2.40.1




* [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (3 preceding siblings ...)
  2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-12 11:57   ` Andrej Valek
  2023-06-12 12:01     ` Valek, Andrej
  2023-06-12 11:59   ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
                     ` (16 subsequent siblings)
  21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:57 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

All mentioned CVEs are related to the HSTS check feature, which is not
implemented in version 7.69.1.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..ea36c0bd3d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-2021-22926 CVE-2021-229
 # This CVE issue affects Windows only Hence whitelisting this CVE
 CVE_CHECK_WHITELIST += "CVE-2021-22897"
 
+# HSTS check feature is not implemented
+CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
+
 inherit autotools pkgconfig binconfig multilib_header
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls libidn proxy threaded-resolver verbose zlib"
-- 
2.39.2




* [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (4 preceding siblings ...)
  2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
@ 2023-06-12 11:59   ` Andrej Valek
  2023-06-20 14:15   ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
                     ` (15 subsequent siblings)
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-12 11:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

- After introducing the CVE_STATUS_DETAIL and CVE_STATUS_DESCRIPTION flag
variables, CVEs can carry more information for their assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 +++++++++++++++----
 .../logrotate/logrotate_3.21.0.bb             |  7 +++--
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "detail" : issue["detail"] if "detail" in issue else "",
+                    "description" : issue["description"] if "description" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+            detail = "not-applicable-platform"
+            description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
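Review bot: `issue["detail"] if "detail" in issue else ""` is `issue.get("detail", "")`, and the same applies to "description". More importantly, this hunk only extends the JSON checks; the text report ("CVE DETAIL:" / "CVE DESCRIPTION:" lines written by cve_write_data_text) gets no coverage, so a regression there would still pass the selftest.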
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..48497138be 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[detail] = "not-applicable-platform"
+CVE_STATUS_RECIPE[description] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
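Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` is a plain assignment, so a bbappend or distro configuration that also sets CVE_STATUS_GROUPS will clobber this entry or be clobbered by it depending on parse order; `CVE_STATUS_GROUPS += "..."` is the safer form in a recipe. A group name that says what the group is (e.g. one describing the reason) also reads better than the generic CVE_STATUS_RECIPE once a second group is added later.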
-- 
2.40.1




* Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551
  2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
@ 2023-06-12 12:01     ` Valek, Andrej
  0 siblings, 0 replies; 73+ messages in thread
From: Valek, Andrej @ 2023-06-12 12:01 UTC (permalink / raw)
  To: openembedded-core

This was sent by mistake, please ignore it.

Andrej

On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek wrote:
> All mentioned CVEs are related to the HSTS check feature, which is not
> implemented in version 7.69.1.
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
>  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-
> 2021-22926 CVE-2021-229
>  # This CVE issue affects Windows only Hence whitelisting this CVE
>  CVE_CHECK_WHITELIST += "CVE-2021-22897"
>  
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
>  inherit autotools pkgconfig binconfig multilib_header
>  
>  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls
> libidn proxy threaded-resolver verbose zlib"



* Re: [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs
  2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-15 12:47     ` Richard Purdie
  0 siblings, 0 replies; 73+ messages in thread
From: Richard Purdie @ 2023-06-15 12:47 UTC (permalink / raw)
  To: andrej.valek, openembedded-core; +Cc: Peter Marko

On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek via
lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_DETAIL] +
> [CVE_STATUS_DESCRIPTION] to be more flexible. CVE_STATUS should
> contain a flag for each CVE with accepted values "Ignored", "Patched"
> or "Unpatched". It allows adding a status for each CVE.
> - The optional CVE_STATUS_DETAIL flag variable may contain a detailed
> status. Possible options for each status:
> - Patched
>  - fixed-version, backported-patch, cpe-stable-backport or other
> - Unpatched
>  - vulnerable-investigating or other
> - Ignored
>  - cpe-incorrect, not-applicable-platform, upstream-wontfix,
>    not-applicable-config, not-affected or other
> - The optional CVE_STATUS_DESCRIPTION flag variable may contain the reason
> why the CVE status was used. Both optional values are added to the csv/json
> report as new "detail" and "description" entries.
> - Setting the same status and reason for multiple CVEs is possible
> via the CVE_STATUS_GROUPS variable.
> - All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" as a fallback.
> 
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
> CVE_STATUS[CVE-1234-0002] = "Ignored"
> CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
> CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
> 
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Ignored"
> CVE_STATUS_WIN[detail] = "not-applicable-platform"
> CVE_STATUS_WIN[description] = "Issue only applies on Windows"
> 
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_PATCHED[detail] = "fixed-version"
> CVE_STATUS_PATCHED[description] = "Fixed externally"
> 
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  meta/classes/cve-check.bbclass | 89 +++++++++++++++++++++++++++++-----
>  meta/lib/oe/cve_check.py       |  6 +++
>  2 files changed, 83 insertions(+), 12 deletions(-)

I'm afraid I really don't like this :(. Why?:

* we now have three different pieces of information, "status", "detail"
and "description" when we should only need two

* this needs a group mapping mechanism which is confusing above

* the information is spread over multiple differently named variables

* two pieces of the status information are connected in a hardcoded way

As a counter proposal, consider:

CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0003] = "fixed-version: Fixed externally"
CVE_STATUS[CVE-1234-0004] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

which conveys the same information with a slight bit of copy/paste but
not at a level I'd lose sleep over. To me it is a lot more readable.

Thoughts?

Cheers,

Richard
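
A stand-alone model of the encoding proposed in this reply, given here as an added example rather than code from the patch series or from OE-core. It parses CVE_STATUS values of the form "keyword: description", resolves the keyword through a CVE_CHECK_STATUSMAP-style table, folds in the deprecated CVE_CHECK_IGNORE list the way the fallback in the patch does, and returns the Patched/Unpatched/Ignored sets a report writer would consume. BitBake's datastore is replaced by plain dicts shaped like d.getVarFlags() output, the helper names (decode_status, classify, CveStatusError) are invented, and two choices are this example's own, not the patch's: the keyword is stripped and lower-cased before lookup, and an unmapped keyword raises instead of quietly landing in Unpatched.

```python
"""Model of the CVE_STATUS / CVE_CHECK_STATUSMAP encoding discussed above.

Added example for this thread; it is not code from OE-core or from the
patch series. BitBake's datastore is replaced by plain dicts that mimic
what d.getVarFlags() would return, and the helper names are invented.
"""
import warnings

# Keyword -> generic status, mirroring the CVE_CHECK_STATUSMAP flags
# proposed in the thread. A layer would extend this the way it would add
# another CVE_CHECK_STATUSMAP[...] flag.
STATUSMAP = {
    "patched": "Patched",
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored",
    "cpe-incorrect": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
    "not-applicable-config": "Ignored",
    "not-affected": "Ignored",
}


class CveStatusError(ValueError):
    """A CVE_STATUS value whose keyword has no CVE_CHECK_STATUSMAP entry."""


def decode_status(value, statusmap=STATUSMAP):
    """Split 'keyword: free text' into (generic_status, keyword, description).

    The keyword before the colon is mandatory; the description is optional.
    Whitespace around the keyword is dropped and it is lower-cased before
    the lookup (a normalisation chosen here, not something the patch does),
    and an unknown keyword raises instead of quietly becoming 'Unpatched'.
    """
    keyword, sep, description = value.partition(":")
    keyword = keyword.strip().lower()
    description = description.strip() if sep else ""
    if keyword not in statusmap:
        raise CveStatusError("unknown CVE_STATUS keyword %r in %r" % (keyword, value))
    return statusmap[keyword], keyword, description


def classify(cve_status, cve_check_ignore="", statusmap=STATUSMAP):
    """Fold one recipe's CVE_STATUS flags into the three report buckets.

    cve_status mimics d.getVarFlags("CVE_STATUS"); cve_check_ignore is the
    deprecated space-separated list, folded in with the bare 'ignored'
    keyword like the fallback in the patch. An explicit CVE_STATUS entry
    wins over the legacy list, so a migrated recipe keeps its rationale.
    Returns (buckets, details): buckets maps each generic status to a set
    of CVE ids, details maps each CVE id to its decoded status record.
    """
    merged = {cve: "ignored" for cve in cve_check_ignore.split()}
    if merged:
        warnings.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
    merged.update(cve_status)

    buckets = {"Patched": set(), "Unpatched": set(), "Ignored": set()}
    details = {}
    for cve, value in merged.items():
        status, keyword, description = decode_status(value, statusmap)
        buckets[status].add(cve)
        details[cve] = {"status": status, "detail": keyword,
                        "description": description}
    return buckets, details


# Constructed sample input using the placeholder ids from the thread, with
# the sloppy spellings a recipe author might actually write.
SAMPLE_STATUS = {
    "CVE-1234-0001": "not-applicable-platform: Issue only applies on Windows",
    "CVE-1234-0002": "Fixed-Version : Fixed externally",  # odd case and spacing
    "CVE-1234-0003": "vulnerable-investigating",          # keyword only
}
SAMPLE_IGNORE = "CVE-1234-0004 CVE-1234-0001"  # legacy list, one entry overlaps

if __name__ == "__main__":
    buckets, details = classify(SAMPLE_STATUS, SAMPLE_IGNORE)
    for cve in sorted(details):
        print(cve, details[cve])
```

Running it prints one decoded record per CVE; CVE-1234-0001 keeps the explicit not-applicable-platform entry and its description rather than the bare "ignored" from the legacy list, and a keyword typo such as "fixed-verion" stops classification with CveStatusError instead of producing an Unpatched entry nobody asked for.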




* [OE-core][PATCH v6 0/2] RFC: CVE-check handling
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (5 preceding siblings ...)
  2023-06-12 11:59   ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
@ 2023-06-20 14:15   ` Andrej Valek
  2023-06-20 14:15   ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (14 subsequent siblings)
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-20 14:15 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

After discussion in all parallel threads we proposed the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.

This patch series version is missing the commit for the CVE_CHECK_IGNORE to CVE_STATUS
conversion, as it is a large effort and the current implementation is still under
discussion. Once the concept is agreed, that commit will be added in the next
patchset version.

Documentation is not updated either while the current implementation is still under
discussion.

 meta/classes/cve-check.bbclass                | 86 ++++++++++++++++---
 meta/lib/oe/cve_check.py                      | 25 ++++++
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 ++++--
 .../logrotate/logrotate_3.21.0.bb             |  5 +-
 4 files changed, 122 insertions(+), 20 deletions(-)

-- 
2.41.0




* [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (6 preceding siblings ...)
  2023-06-20 14:15   ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
@ 2023-06-20 14:15   ` Andrej Valek
  2023-06-21  5:07     ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
  2023-06-21  7:55     ` [OE-core][PATCH " Luca Ceresoli
  2023-06-20 14:15   ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
                     ` (13 subsequent siblings)
  21 siblings, 2 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-20 14:15 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- a more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 86 +++++++++++++++++++++++++++++-----
 meta/lib/oe/cve_check.py       | 25 ++++++++++
 2 files changed, 98 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..6710c1d6bb 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,35 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
+# Possible options for CVE statuses
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_STATUSMAP[not-affected] = "Ignored"
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
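Review bot: the comment says the value carries "optional detail and description", but with this encoding the keyword before the colon is mandatory (it is the CVE_CHECK_STATUSMAP key) and only the free-text part is optional; say so, and state what happens when the keyword has no CVE_CHECK_STATUSMAP entry. The map also defines "patched", "unpatched" and "ignored" as bare keywords next to the more specific ones; if those exist only for the CVE_CHECK_IGNORE fallback and quick conversions, mark them as such, otherwise recipe authors will reach for them and the rationale the finer keywords were introduced for is lost again.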
@@ -88,6 +109,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+        for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+            d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        cve_group = d.getVar(cve_status_group)
+        if cve_group is not None:
+            for cve in cve_group.split():
+                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+        else:
+            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
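Review bot: the CVE_STATUS_GROUPS block is carried over from v5 unchanged, but the encoding it feeds has changed: the group's [status] flag is now copied verbatim into CVE_STATUS, so it must hold a "keyword: description" string, and the [detail]/[description] flags the comment still refers to no longer exist. Either drop the group mechanism (neither the commit message nor the header comment mentions it any more) or update the comment and flag name to the new format. Minor: `d.getVar("CVE_CHECK_IGNORE")` is read twice; reuse cve_check_ignore.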
@@ -260,7 +299,7 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from oe.cve_check import Version, convert_cve_version
+    from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
@@ -282,7 +321,12 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Ignored":
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
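Review bot: v5 raised bb.error() for an unsupported status here; with the status map that check is gone, so a misspelled keyword (say "fixed-verion") decodes to something that is neither "Ignored" nor "Patched" and the CVE is quietly reported as Unpatched with no diagnostic. Re-add an error for keywords missing from CVE_CHECK_STATUSMAP, either here or inside decode_cve_status(), since this loop is the one place every CVE_STATUS entry passes through.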
@@ -413,6 +457,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     CVE manifest if enabled.
     """
 
+    from oe.cve_check import decode_cve_status
+
     cve_file = d.getVar("CVE_CHECK_LOG")
     fdir_name  = d.getVar("FILE_DIRNAME")
     layer = fdir_name.split("/")[-3]
@@ -441,20 +487,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         is_patched = cve in patched
         is_ignored = cve in ignored
 
+        status = "Unpatched"
         if (is_patched or is_ignored) and not report_all:
             continue
+        if is_ignored:
+            status = "Ignored"
+        elif is_patched:
+            status = "Patched"
+        else:
+            # default value of status is Unpatched
+            unpatched_cves.append(cve)
 
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if is_ignored:
-            write_string += "CVE STATUS: Ignored\n"
-        elif is_patched:
-            write_string += "CVE STATUS: Patched\n"
-        else:
-            unpatched_cves.append(cve)
-            write_string += "CVE STATUS: Unpatched\n"
+        write_string += "CVE STATUS: %s\n" % status
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            write_string += "CVE DETAIL: %s\n" % detail
+        if description:
+            write_string += "CVE DESCRIPTION: %s\n" % description
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
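Review bot: the text report now carries two optional lines, `CVE DETAIL:` and `CVE DESCRIPTION:`, that are written only when CVE_STATUS supplies them, so a record in CVE_CHECK_LOG no longer has a fixed set of keys; anything that parses the log positionally will break, and the two new keys deserve a mention in the class header comment or the documentation update. Emitting them unconditionally with an empty value would keep the record shape stable for consumers.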
@@ -516,6 +569,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     Prepare CVE data for the JSON format, then write it.
     """
 
+    from oe.cve_check import decode_cve_status
+
     output = {"version":"1", "package": []}
     nvd_link = "https://nvd.nist.gov/vuln/detail/"
 
@@ -576,6 +631,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            cve_item["detail"] = detail
+        if description:
+            cve_item["description"] = description
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
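Review bot: `detail` and `description` are added as optional keys of the per-issue object while the top-level `"version": "1"` is unchanged; either bump the format version or state in the documentation that the keys are optional (the selftest in 2/2 already needs `if "detail" in issue` to cope). Always setting both keys, with an empty string when CVE_STATUS gives nothing, would spare every consumer that check.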
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
@@ -218,3 +225,21 @@ def convert_cve_version(version):
 
     return version + update
 
+def decode_cve_status(d, cve):
+    """
+    Convert CVE_STATUS into status, detail and description.
+    """
+    status = d.getVarFlag("CVE_STATUS", cve)
+    if status is None:
+        return ("", "", "")
+
+    status_split = status.split(':', 1)
+    detail = status_split[0]
+    description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+    if status_mapping is None:
+        bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+        status_mapping = "Unpatched"
+
+    return (status_mapping, detail, description)
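Review bot: the bb.warn for an unknown detail fires on every call, and `decode_cve_status` is now called from `get_patched_cves`, `check_cves`, `cve_write_data_text` and `cve_write_data_json`, so one misspelled detail in a CVE_STATUS entry produces the same warning three or four times per recipe. Validating CVE_STATUS once (for instance in the anonymous python of cve-check.bbclass) and keeping the callers silent would be cleaner, and a bb.error might be more appropriate than a warning since the fallback silently changes what the report says about the CVE.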
-- 
2.41.0




* [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling
From: Andrej Valek @ 2023-06-20 14:15 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 +++++++++++++++----
 .../logrotate/logrotate_3.21.0.bb             |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "detail" : issue["detail"] if "detail" in issue else "",
+                    "description" : issue["description"] if "description" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+            detail = "not-applicable-platform"
+            description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
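Review bot: `issue["detail"] if "detail" in issue else ""` (and the description line) can be written as `issue.get("detail", "")`. More importantly, the assertions that CVE-2011-1098 has an empty `detail` and `description` pin down that a CVE detected as patched through a patch file or the NVD version check carries no detail in the JSON report at all; if that is deliberate, a comment beside those two assertions would help the next reader, and if not, the writer should emit a detail for that case.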
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
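Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses plain assignment, so a distro include or bbappend that also sets CVE_STATUS_GROUPS for this recipe silently replaces the list (or is replaced by it); `+=` is the safer form here, and the generic name `CVE_STATUS_RECIPE` means a second group added in an include needs its own distinct name. The removed comment explaining why the three CVEs are ignored now lives only in the `[status]` description, which is fine since the report carries it.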
-- 
2.41.0




* RE: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
From: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco) @ 2023-06-21  5:07 UTC (permalink / raw)
  To: openembedded-core, Richard Purdie, adrian.freihofer
  Cc: Peter Marko, Andrej Valek

Dear Richard and Adrian,

I appreciate the efforts of Andrej and Peter; you have done a great job improving the CVE-specific security area.

As I mentioned the information and importance of VEX status for future use cases here:
https://patchwork.yoctoproject.org/project/oe-core/patch/20230519081850.82586-1-andrej.valek@siemens.com/#10797

I can see community members are also in favour of VEX:
https://patchwork.yoctoproject.org/project/oe-core/patch/20230519062420.37015-1-andrej.valek@siemens.com/#11120

We can start looking in that direction, because to adopt an initial VEX template we just require minor modifications to Andrej's development.

In the current implementation we have three main categories of status: "Patched", "Ignored" and "Unpatched".
On top of that we want to add comment information, which can be added in JSON format for further processing.

VEX has 4 main categories: Fixed, Not Affected, Affected and Under Investigation.
Richard has rightly mentioned that we don't require the Affected status, as those CVEs would be fixed in the near future once a fix is available in the source of the specific package.

We can map our existing statuses to VEX statuses as below.

Existing Status  | VEX adoption
-----------------+---------------------
Patched          | Fixed
Ignore           | Not Affected
Not required     | Not Affected
Unpatched        | Under Investigation

Fixed and Under Investigation don't require any sub-status, as their status is sufficient to explain their case.
To get more information on the possible sub-statuses of the Not Affected status, we can follow the reference document below.
https://www.cisa.gov/sites/default/files/publications/VEX_Status_Justification_Jun22.pdf : 2.0 Status Justifications Overview
This document covers all the possible cases which are already discussed or may come up in future development.

Thank you, Richard, for considering my request.
I would appreciate comments from you and the community on the adoption of VEX.

Thanks,
Sanjay Chitroda

-----Original Message-----
From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Andrej Valek via lists.openembedded.org
Sent: Tuesday, June 20, 2023 7:46 PM
To: openembedded-core@lists.openembedded.org
Cc: Andrej Valek <andrej.valek@siemens.com>; Peter Marko <peter.marko@siemens.com>
Subject: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about status which is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---




* Re: [PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
From: Siddharth @ 2023-06-21  6:48 UTC (permalink / raw)
  To: openembedded-core


Hi Sanjay,

I feel that the proposal by Andrej is a simpler one and makes me more inclined towards using it as compared to going to VEX status. I do agree that VEX is something which can be mapped, but at the end of the day it's always "the simpler the better" and easy to maintain. Definitely, as mentioned by Richard, there would be a bit of copy/paste going forward, but it will be easier to maintain and understand rather than leaving confusing trails at some points down the line. 2 statuses having one similar adoption can also add to confusion going forward.

The proposal by Andrej is in line with https://lists.openembedded.org/g/openembedded-core/message/182855 and is better suited to avoid confusion.

Cheers,
Siddharth



* Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
From: Richard Purdie @ 2023-06-21  7:52 UTC (permalink / raw)
  To: Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco), adrian.freihofer, Valek, Andrej
  Cc: rybczynska, openembedded-core, mikko.rapeli, Marko, Peter

On Sun, 2023-06-04 at 09:59 +0000, Sanjaykumar kantibhai Chitroda -X
(schitrod - E-INFO CHIPS INC at Cisco) wrote:
> Hi Richard,
> 
> Thank you for the acknowledgement of my proposal.
> Please consider my additional input for the VEX standard.
> 
> There are a total of four main VEX standard statuses:
> - Fixed
> - Affected
> - Not Affected
> - Under Investigation
> 
> Out of the 4 standard statuses we can adopt Fixed and Not Affected for CVE fixing,
> as these two statuses will never change for a specific package and CVE.
> 
> Regarding the CVE statuses of the community and the VEX standard, we can map them as follows:
> 
> Existing Status  | VEX adoption
> -----------------+---------------
> Patched          | Fixed
> Ignore           | Not Affected
> Not required     | Not Affected
> 
> The remaining two statuses, Affected and Under Investigation, would change with time as follows:
> * Under Investigation:
> - When any new CVE is reported against any package, by default it would get the "under investigation" status
> - until we set the final status (fixed/not affected/affected) after our final investigation of the specific CVE.
> * Affected:
> - The affected status would be a temporary status until we find the actual fix for the CVE.
> - Once we have a fix for the CVE, the status would become fixed/not affected, which we can input to our recipe.

Whilst I understand the desire to use VEX, I don't think we should
directly. It serves a very specific purpose and "loses" some
information by only having two states. Tying ourselves too closely to a
limiting standard like that can be problematic.

The v6 from Adrian can be mapped into this if that is what you need. I
think that is a good compromise as it doesn't lose the information
others may need.

Cheers,

Richard



* Re: [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs
From: Luca Ceresoli @ 2023-06-21  7:55 UTC (permalink / raw)
  To: Andrej Valek via lists.openembedded.org
  Cc: andrej.valek, openembedded-core, Peter Marko

Hello Andrej,

On Tue, 20 Jun 2023 16:15:56 +0200
"Andrej Valek via lists.openembedded.org"
<andrej.valek=siemens.com@lists.openembedded.org> wrote:
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

As you can see your sender address has been mangled, and as a result
the patch is rejected by the openembedded git server. This is not
your fault, but we need you to modify your git configuration to prevent
this from happening in the future. Have a look at the wiki for more
info and how to solve that:

https://www.openembedded.org/wiki/How_to_submit_a_patch_to_OpenEmbedded#Fixing_your_From_identity

I'm taking your patch for testing on the autobuilders fixing it
manually so you don't need to resend your patch this time.

Best regards,
Luca


-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* [OE-core][PATCH v7 0/3] CVE-check handling
From: Andrej Valek @ 2023-06-22  6:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

After discussion in all parallel threads we propose the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which may not be ideal but deals with the
conflicting responses we got.

Changes compared to version 6:
 - added conversion from CVE_CHECK_IGNORE to CVE_STATUS
 - added comments for all statuses
 - dropped "not-affected" status
  - conversion showed that it is not very useful
 - added "disputed" status

Documentation will be updated in a separate repository.

 meta/classes/cve-check.bbclass                |  99 ++++-
 .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
 meta/lib/oe/cve_check.py                      |  25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py     |  26 +-
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 .../logrotate/logrotate_3.21.0.bb             |   5 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               |  11 +-
 .../libpng/libpng_1.6.39.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |   9 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 -
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 46 files changed, 390 insertions(+), 374 deletions(-)

-- 
2.41.0




* [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs
From: Andrej Valek @ 2023-06-22  6:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

From: Andrej Valek <andrej.valek@siemens.com>

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about status which
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 99 +++++++++++++++++++++++++++++-----
 meta/lib/oe/cve_check.py       | 25 +++++++++
 2 files changed, 111 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..4eb6dff7de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,48 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
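Review bot: `CVE_CHECK_STATUSMAP[patched]` and `CVE_CHECK_STATUSMAP[unpatched]` are described as "used by this class internally", but nothing in this series sets them: `decode_cve_status` returns an empty detail for a CVE without a CVE_STATUS flag and the writers only emit `CVE DETAIL` when it is non-empty, so a CVE fixed by a patch file or the NVD version check never shows `patched` as its detail. Either drop the two entries and their comments or have the writers emit them. Typo in the `fixed-version` comment: "verion" should be "version".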
@@ -88,6 +122,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+        for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+            d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        cve_group = d.getVar(cve_status_group)
+        if cve_group is not None:
+            for cve in cve_group.split():
+                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+        else:
+            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
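Review bot: the CVE_CHECK_IGNORE fallback calls `d.setVarFlag("CVE_STATUS", cve, "ignored")` unconditionally, so a CVE that already has an explicit CVE_STATUS in the recipe (say `fixed-version`) is downgraded to `ignored` if it also appears in a CVE_CHECK_IGNORE left in a distro include; check `d.getVarFlag("CVE_STATUS", cve)` first and only set when it is unset. The loop also re-reads `d.getVar("CVE_CHECK_IGNORE")` although `cve_check_ignore` already holds the value. In the groups loop, a group variable without a `[status]` flag sets every listed CVE's flag to None; a bb.warn for a missing status would match the existing warning for an undefined group variable.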
@@ -260,7 +312,7 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from oe.cve_check import Version, convert_cve_version
+    from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
@@ -282,7 +334,12 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Ignored":
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
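Review bot: `cve_ignore` is built as a list but is only used for membership tests later (`is_ignored = cve in ignored`), and with CVE_STATUS now also holding the distro-wide entries converted from cve-extra-exclusions.inc it can be long, so a set is the better container. Worth stating in the variable documentation: a misspelled detail makes `decode_cve_status` fall back to Unpatched, so a typo in a migrated ignore entry fails closed and the CVE reappears in the report, which is the safe direction but will surprise people migrating from CVE_CHECK_IGNORE.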
@@ -413,6 +470,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     CVE manifest if enabled.
     """
 
+    from oe.cve_check import decode_cve_status
+
     cve_file = d.getVar("CVE_CHECK_LOG")
     fdir_name  = d.getVar("FILE_DIRNAME")
     layer = fdir_name.split("/")[-3]
@@ -441,20 +500,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         is_patched = cve in patched
         is_ignored = cve in ignored
 
+        status = "Unpatched"
         if (is_patched or is_ignored) and not report_all:
             continue
+        if is_ignored:
+            status = "Ignored"
+        elif is_patched:
+            status = "Patched"
+        else:
+            # default value of status is Unpatched
+            unpatched_cves.append(cve)
 
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if is_ignored:
-            write_string += "CVE STATUS: Ignored\n"
-        elif is_patched:
-            write_string += "CVE STATUS: Patched\n"
-        else:
-            unpatched_cves.append(cve)
-            write_string += "CVE STATUS: Unpatched\n"
+        write_string += "CVE STATUS: %s\n" % status
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            write_string += "CVE DETAIL: %s\n" % detail
+        if description:
+            write_string += "CVE DESCRIPTION: %s\n" % description
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -516,6 +582,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     Prepare CVE data for the JSON format, then write it.
     """
 
+    from oe.cve_check import decode_cve_status
+
     output = {"version":"1", "package": []}
     nvd_link = "https://nvd.nist.gov/vuln/detail/"
 
@@ -576,6 +644,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            cve_item["detail"] = detail
+        if description:
+            cve_item["description"] = description
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
@@ -218,3 +225,21 @@ def convert_cve_version(version):
 
     return version + update
 
+def decode_cve_status(d, cve):
+    """
+    Convert CVE_STATUS into status, detail and description.
+    """
+    status = d.getVarFlag("CVE_STATUS", cve)
+    if status is None:
+        return ("", "", "")
+
+    status_split = status.split(':', 1)
+    detail = status_split[0]
+    description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+    if status_mapping is None:
+        bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+        status_mapping = "Unpatched"
+
+    return (status_mapping, detail, description)
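Review bot: `detail = status_split[0]` is used as the STATUSMAP flag name without `.strip()`, so a value written as `" fixed-version: ..."` or `"fixed-version : ..."` misses the lookup and is reported Unpatched with a warning; stripping the detail the same way the description is stripped makes the format forgiving of the whitespace that multi-line assignments easily pick up. Style: only one blank line precedes the new `def decode_cve_status`, PEP 8 asks for two at module level.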
-- 
2.41.0



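The status decoding described in the commit message, modelled stand-alone so the fallback, the group expansion, the CVE_CHECK_IGNORE migration and the VEX mapping proposed earlier in the thread can be run and inspected without a BitBake datastore. This is an added example, not OE-core's code: the plain dicts stand in for BitBake variable flags, `migrate_ignore_list` deliberately does not overwrite an explicit status (a suggestion, not what the patch does), the VEX names are an assumed mapping of the thread's table, and all CVE entries are constructed.

```python
"""Model of CVE_STATUS / CVE_CHECK_STATUSMAP decoding (added example, not OE-core code)."""

# Mirrors the detail -> generic status table from the v7 cve-check.bbclass patch.
STATUSMAP = {
    "patched": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}

# Assumed VEX mapping of the generic statuses, following the table in the thread.
VEX_MAP = {"Patched": "fixed", "Ignored": "not_affected", "Unpatched": "under_investigation"}


def decode_cve_status(status_value, statusmap=STATUSMAP, warn=print):
    """Split "detail: description" and map the detail to a generic status.

    An unknown detail falls back to Unpatched (fail closed), as in the patch.
    The detail is stripped so stray whitespace does not defeat the lookup.
    """
    if status_value is None:
        return ("", "", "")
    detail, _, description = status_value.partition(":")
    detail = detail.strip()
    description = description.strip()
    generic = statusmap.get(detail)
    if generic is None:
        warn('Invalid detail "%s" in CVE_STATUS "%s", fallback to Unpatched' % (detail, status_value))
        generic = "Unpatched"
    return (generic, detail, description)


def expand_groups(cve_status, groups):
    """CVE_STATUS_GROUPS: every CVE in a group's space-separated list gets the
    group's status string; an explicit per-CVE entry wins over the group."""
    result = dict(cve_status)
    for cve_list, status in groups:
        for cve in cve_list.split():
            result.setdefault(cve, status)
    return result


def migrate_ignore_list(cve_status, cve_check_ignore):
    """Deprecated CVE_CHECK_IGNORE -> CVE_STATUS "ignored", without clobbering
    CVEs that already carry an explicit status (constructed behaviour)."""
    result = dict(cve_status)
    for cve in (cve_check_ignore or "").split():
        result.setdefault(cve, "ignored")
    return result


def classify(cve_status, vex=False):
    """Return {cve: (generic, detail, description[, vex_status])}."""
    out = {}
    for cve, value in cve_status.items():
        generic, detail, description = decode_cve_status(value)
        entry = (generic, detail, description)
        if vex:
            entry = entry + (VEX_MAP[generic],)
        out[cve] = entry
    return out


# Constructed sample recipe data (the CVE ids are placeholders, not real CVEs).
SAMPLE_STATUS = {
    "CVE-1234-0001": "not-applicable-platform: Issue only applies on Windows",
    "CVE-1234-0002": "fixed-version: Fixed externally",
    "CVE-1234-0003": "fixed-verison: typo in the detail name",
    "CVE-1234-0004": "vulnerable-investigating",
}
SAMPLE_GROUPS = [("CVE-1234-0005 CVE-1234-0006", "not-applicable-config: feature X disabled")]
SAMPLE_IGNORE = "CVE-1234-0007 CVE-1234-0001"


def demo():
    """Run migration, group expansion and classification over the sample."""
    status = migrate_ignore_list(SAMPLE_STATUS, SAMPLE_IGNORE)
    status = expand_groups(status, SAMPLE_GROUPS)
    return classify(status, vex=True)


if __name__ == "__main__":
    for cve, entry in sorted(demo().items()):
        print(cve, entry)
```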

* [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling
From: Andrej Valek @ 2023-06-22  6:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

From: Andrej Valek <andrej.valek@siemens.com>

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 +++++++++++++++----
 .../logrotate/logrotate_3.21.0.bb             |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "detail" : issue["detail"] if "detail" in issue else "",
+                    "description" : issue["description"] if "description" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+            detail = "not-applicable-platform"
+            description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
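Review bot: the reworked test only exercises the group form (`CVE_STATUS_GROUPS` plus `CVE_STATUS_RECIPE[status]` in the logrotate recipe below) and never a direct `CVE_STATUS[CVE-...]` flag, so a regression in the per-CVE path of `decode_cve_status` would go unnoticed; consider covering at least one direct entry as well. Style: the three identical assertion triplets for CVE-2011-1548, CVE-2011-1549 and CVE-2011-1550 could be a loop over the three IDs, `issue["detail"] if "detail" in issue else ""` reads better as `issue.get("detail", "")`, and `assertEqual(len(...), 0)` is clearer as `assertEqual(..., "")`.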
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
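Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses a plain assignment, whereas cve-extra-exclusions.inc in patch 3/3 appends with `+=`; since distro configuration is parsed before the recipe, the plain `=` discards any group name a distro layer has already registered that would apply to this recipe, and the recipe will be copied as a template. Suggest `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` here.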
-- 
2.41.0


* [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
From: Andrej Valek @ 2023-06-22  6:59 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

From: Andrej Valek <andrej.valek@siemens.com>

- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               |  11 +-
 .../libpng/libpng_1.6.39.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |   9 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 -
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 42 files changed, 255 insertions(+), 354 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 1c3cc36c61..a5dd7d3866 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -16,43 +16,42 @@
 #
 
 
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
+
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
 
 # db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 
 #
 # Kernel CVEs, e.g. linux-yocto*
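Review bot: the continuation-line descriptions for `CVE_STATUS[CVE-2010-4756]` and `CVE_STATUS_GO[status]` keep the line breaks of the old comments but drop the sentence boundaries, so the string that now lands in the report reads `...from within an ftp server Best discussion in ...` and `...if not used correctly CVE applies to ...`; add full stops between the joined sentences (and a closing one for the go entry), since these are user-visible descriptions rather than comments.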
@@ -65,74 +64,83 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020"
+
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+                           CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
 
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: This is specific to Ubuntu"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3016
-# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3819
-# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3887
-# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
 
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
 # Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
 # Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"
 
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
 
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
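Review bot: `CVE_STATUS_KERNEL_2010[status]` through `CVE_STATUS_KERNEL_2022[status]` are set to a bare `ignored` with no description, even though the surrounding comment gives the actual reason (CPE entries at NIST that make these issues appear for linux-yocto); since the description is now carried into the report, put that reason after the colon so readers of the JSON do not have to open this file. Minor: `Fixed in versions v5.10` for CVE-2020-27784 should be singular, and the continuation line of `CVE_STATUS_KERNEL_2018` is indented one column deeper than the other groups.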
@@ -140,7 +148,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -148,7 +156,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed in version v5.19"
https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -158,19 +166,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
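Review bot: this is the first hunk where both `cpe-stable-backport` (CVE-2022-2196) and `fixed-version` (CVE-2022-2308, CVE-2022-2327) are used, and the rule for choosing between them is not stated anywhere in the file; from the visible entries it appears to be `fixed-version` when the mainline fix release is not newer than the kernel shipped here and `cpe-stable-backport` when only a stable-branch backport covers it. A short comment at the top of the kernel section documenting that rule would keep future conversions consistent.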
@@ -179,19 +187,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "fixed-version: Fixed in version v5.17"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -200,7 +208,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -211,13 +219,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "fixed-version: Fixed in version v5.18"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -225,20 +233,20 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
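Review bot: unrelated to the change but visible in this hunk's context: `Introduced in version v2.60.30` for CVE-2022-3621 is not a kernel version and is presumably a typo; worth correcting while this entry is being converted.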
@@ -247,7 +255,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -256,12 +264,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -270,7 +278,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -279,13 +287,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -294,7 +302,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -303,12 +311,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -319,7 +327,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -328,7 +336,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -337,7 +345,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -346,7 +354,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -354,7 +362,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -362,7 +370,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -370,7 +378,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -378,15 +386,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -394,7 +402,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "fixed-version: Fixed in version v6.1"
 
 
 # 2023
@@ -404,14 +412,14 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -420,7 +428,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -429,28 +437,28 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
@@ -459,19 +467,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -480,7 +488,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -490,7 +498,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -498,7 +506,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -506,7 +514,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -514,7 +522,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -525,7 +533,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -535,7 +543,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
 # > in which a user can cause the alloc_memory_type error case to be reached.
 # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
 # We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "disputed: Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-28466
 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
@@ -543,127 +551,102 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
 # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
 # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.105, v6.1.20 and v6.2.7"
 
-# Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
+CVE_STATUS[CVE-2023-0459] = "cpe-stable-backport: Backported in 6.1.14"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0615
-# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-1380] = "cpe-stable-backport: Backported in 6.1.27"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+CVE_STATUS[CVE-2023-1611] = "cpe-stable-backport: Backported in 6.1.23"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-1855] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-1859] = "cpe-stable-backport: Backported in 6.1.25"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+CVE_STATUS[CVE-2023-1989] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1990
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS[CVE-2023-1990] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+CVE_STATUS[CVE-2023-1998] = "cpe-stable-backport: Backported in 6.1.16"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-2002] = "cpe-stable-backport: Backported in 6.1.27"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2156
-# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "cpe-stable-backport: Backported in 6.1.26"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
+CVE_STATUS[CVE-2023-2162] = "cpe-stable-backport: Backported in 6.1.11"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2194] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+CVE_STATUS[CVE-2023-2235] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
+CVE_STATUS[CVE-2023-28328] = "cpe-stable-backport: Backported in 6.1.2"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-2985] = "cpe-stable-backport: Backported in 6.1.16"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
+CVE_STATUS[CVE-2023-28866] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
+CVE_STATUS[CVE-2023-30456] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
+CVE_STATUS[CVE-2023-30772] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
+CVE_STATUS[CVE-2023-31436] = "cpe-stable-backport: Backported in 6.1.26"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
+CVE_STATUS[CVE-2023-32233] = "cpe-stable-backport: Backported in 6.1.28"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
+CVE_STATUS[CVE-2023-33203] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
+CVE_STATUS[CVE-2023-33288] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
+CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
 
 # Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in 6.1.30"
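Review bot: the CVE-2020-18974 entry near the end of this hunk is not a valid multi-line BitBake assignment: the lines `It is a fuzzing related buffer overflow. It is of low impact since most devices` and `wouldn't expose an assembler. The upstream is inactive and there is little to be` have no trailing `\`, unlike the two qemu entries just above them, so the quoted value ends at the first line and the remainder fails to parse; add the continuation backslashes. Two smaller points in the same hunk: CVE-2023-0615 becomes `cpe-stable-backport: Backported in 6.1` although 6.1 is a mainline release (the removed comment said "Fixed in 6.1 onwards"), so `fixed-version` is the accurate status there, and the entry under the linuxkernelcves link for CVE-2023-1999 still sets `CVE_STATUS[CVE-2023-1998]`, a mismatch carried over from the old line that should be resolved while the line is being touched. The cpe-incorrect text for CVE-2022-3563 and CVE-2022-3637 should also read "This issue does not affect the kernel, the patches listed on the CVE pages link to ..." rather than "This issue do not affect the kernel, patchs listed on CVE pages links to ...".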
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
 
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
 
 DEPENDS = "flex-native bison-native gettext-native"
 
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
 
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
 
diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb b/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 80164aad87..26a280c844 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
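Review bot: the two comment lines kept above the new CVE_STATUS line now repeat the reason carried by the status string ("Issue only affects dhcpd with recent bind versions ..."), so either drop the comment or shorten the status text; the other recipes in this patch fold the comment into the status string rather than keeping both.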
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0..31f325e590 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,8 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
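Review bot: this hunk changes which CVEs are covered, not only the syntax: the removed line excluded CVE-2020-12352 and CVE-2020-24490, but the added lines set a status for CVE-2022-3563 and CVE-2022-3637 instead, so the two 2020 CVEs lose their exclusion and will reappear in the report unless that is intended. The new text also contradicts the kernel recipe hunk earlier in this patch, where CVE-2022-3563 and CVE-2022-3637 are marked cpe-incorrect because the fixes live in bluez (`patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git`), whereas here they are described as having kernel fixes rather than bluez fixes; one of the two statements is wrong. Keep the original two ids here, e.g. `CVE_STATUS[CVE-2020-12352] = "cpe-incorrect: This issue has a kernel fix rather than a bluez fix"`, which also fixes the grammar of "This issues have".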
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index f5f3f32a97..e3557348e8 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -253,6 +253,5 @@ CVE_PRODUCT = "openssl:openssl"
 
 CVE_VERSION_SUFFIX = "alphabetical"
 
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
 SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
 
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+# 
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
 
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
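Review bot: the added `+# ` line leaves an empty comment between the savannah commit URL and the new CVE_STATUS line; drop it, since the reason it used to introduce now lives in the status string.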
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
 
 DEPENDS += "gperf-native bison-native"
 
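Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` is a plain assignment, which overrides any group list set elsewhere (a bbappend or distro configuration adding its own group) instead of adding to it; `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` is the safer form. Also, the disputed text dropped the quotation marks around the maintainers' words, so `this is being treated as a non-security bug and no real threat.` now reads as the recipe's own sentence starting lowercase after a full stop; quote it the way the CVE-2019-1010025 entry below does with 'ASLR bypass itself is not a vulnerability.'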
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 4f3b17093e..095ecf8602 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -26,10 +26,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 
 BINCONFIG = "${bindir}/xml2-config"
 
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
 PACKAGECONFIG ??= "python \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
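Review bot: the CVE-2016-3709 entry is deleted rather than converted, with no replacement status. If the intent is that version matching already reports it as fixed for 2.10.4, say so in the commit message; otherwise carry the information over as `CVE_STATUS[CVE-2016-3709] = "fixed-version: Fixed since 2.9.11 via https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f"` so the reasoning is not lost.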
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
 pkg_prerm:udev-hwdb () {
 	rm -f $D${sysconfdir}/udev/hwdb.bin
 }
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
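Review bot: the CVE-2022-4415 entry is removed outright instead of being converted like the other recipes in this patch; the dropped comment ("also fixed in 252.4 with 9b75a3d0") maps directly to `CVE_STATUS[CVE-2022-4415] = "cpe-stable-backport: Fixed in 252.4 with 9b75a3d0"`, or the commit message should explain why the entry is no longer needed for 253.3.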
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
 
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
 
 GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
 
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
 
 inherit autotools gettext texinfo ptest github-releases
 
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
 
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
 
 CVE_PRODUCT = "git-scm:git"
 
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
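Review bot: both git entries are deleted without a replacement status, and the commit message does not say why. CVE-2022-41953 ("This is specific to Git-for-Windows") maps directly to `CVE_STATUS[CVE-2022-41953] = "not-applicable-platform: This is specific to Git-for-Windows"`, and the CVE-2022-24975 reasoning about the manpage and `--mirror` fits `disputed:` or `upstream-wontfix:`; if these are meant to show up in the report again, state that explicitly.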
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
 
 inherit allarch
 
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
 
 BBCLASSEXTEND = "native nativesdk"
 
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.3.bb b/meta/recipes-devtools/python/python3_3.11.3.bb
index c7974849b6..59f93861dd 100644
--- a/meta/recipes-devtools/python/python3_3.11.3.bb
+++ b/meta/recipes-devtools/python/python3_3.11.3.bb
@@ -47,15 +47,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
 
 PYTHON_MAJMIN = "3.11"
 
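Review bot: the line `# The module will be removed in the future and flaws documented.` is left stranded. The first half of that comment (the mailcap sentence) was folded into the CVE-2015-20107 description, but this second line stays above as a fragment with no subject; fold it into the description as well or delete it.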
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6acda61425..480aa97c30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,21 +39,16 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
 
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
 
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
 
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
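Review bot: the typo "uder" (for "under") in the CVE-2007-0998 description is carried over from the old comment; now that this text ends up in the generated CVE report it is worth fixing in the same move. The kept bugzilla URL comments above CVE-2018-18438 and CVE-2023-0664 still read as references to the entries beneath them, so nothing to change there.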
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
 inherit autotools-brokensep
 
 PACKAGECONFIG ??= "acl attr \
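Review bot: CVE-2017-16548 loses its ignore entry with no replacement. The removed comment ("Already in v3.1.3") is exactly the `fixed-version` case defined in patch 1/3; if the entry is dropped because NVD now lists the fixed version correctly, say so in the commit message so the removal is not mistaken for an oversight.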
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 
 SRC_URI:class-native = "${BASE_SRC_URI}"
 
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
 
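Review bot: CVE-2021-35331 is removed without a CVE_STATUS entry, and the upstream ticket link goes with it. "Upstream don't believe this is an exploitable issue" is the definition patch 1/3 gives for `disputed`, so `CVE_STATUS[CVE-2021-35331] = "disputed: Upstream don't believe this is an exploitable issue"` with the core.tcl-lang.org URL kept as a comment preserves both the status and the evidence.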
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index e55fb70cb1..397bb5d87c 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 
 inherit autotools gettext texinfo ptest
 
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..ec4abeb936 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,14 +20,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
 
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
 
 LEAD_SONAME = "libcupsdriver.so"
 
@@ -115,7 +112,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
index f03ebf4478..4c0888e6a7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
@@ -18,8 +18,7 @@ DEPENDS = "tiff jpeg fontconfig cups libpng freetype zlib"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We use a system libjpeg-turbo which has this fix
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "not-applicable-config: We use a system libjpeg-turbo which has this fix"
 
 def gs_verdir(v):
     return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
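Review bot: both CVE_STATUS lines carry an identical description. Patch 1/3 of this series adds CVE_STATUS_GROUPS for exactly this case (a variable listing the CVE ids, with the shared "detail: description" in its `status` flag), so the repetition here, and the same pattern in the python3 Windows entries and the libgcrypt hunk, could use it instead of duplicating the text.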
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
 
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
 
 inherit autotools pkgconfig
 
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
 PROCPS_PACKAGES = "${PN}-lib \
                    ${PN}-ps \
                    ${PN}-sysctl"
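Review bot: CVE-2018-1121 is dropped together with the bugzilla reference that justified ignoring it. The old reason ("'ps' isn't suitable for use as a security tool") is an upstream position rather than a fix, so `upstream-wontfix` or `disputed` with the bugzilla URL kept as a comment preserves the rationale; silently removing the entry means the CVE resurfaces as unpatched.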
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
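Review bot: `fixed-version` is the wrong detail for CVE-2008-0888 by the definitions in patch 1/3. The description says a patch was applied to the 6.0 source; the status map reserves `fixed-version` for NVD listing a wrong or no version, while `backported-patch` is "use when this class does not detect backported patch". Suggest `CVE_STATUS[CVE-2008-0888] = "backported-patch: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"`; the generic status stays "Patched" either way.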
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 
 inherit autotools update-rc.d systemd pkgconfig
 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
 
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
 # -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
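Review bot: the comment `# -7381 is specific to the NodeJS bindings` now duplicates the CVE_STATUS description directly beneath it; drop the comment, as the other hunks in this patch do.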
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
index 1a5d8a6b04..1142afece1 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
@@ -51,8 +51,7 @@ do_compile:prepend() {
     sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
 
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
 	chown  builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
 
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b..be632dec2a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Backported in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Backported in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Backported in version v6.1"
 
 
 # 2023
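Review bot: "Backported in version v6.1" misdescribes these three entries. The kept comments say "Patched in kernel since v6.1", i.e. the fix is in the mainline release the recipe tracks, not a stable backport, so "Fixed in v6.1" fits the `fixed-version` detail; keep "Backported in version ..." for the stable-branch entries in the next hunk, which correctly use `cpe-stable-backport`. Also, the two context lines that begin with a bare `https://nvd.nist.gov/...` URL appear to have lost their leading `# ` in the archive rendering; worth confirming they are commented in the file, since an uncommented URL would not parse.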
@@ -26,11 +26,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf..562745e3eb 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
 
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..054b99586c 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -18,14 +18,7 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2022-1210] = "not-applicable-config: Issue is in jbig which we don't enable"
 
 inherit autotools multilib_header
 
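Review bot: CVE-2015-7313, CVE-2022-1622 and CVE-2022-1623 are removed without CVE_STATUS replacements. The v8 cover letter further down says the dropped tiff and lz4 ignores were reverted, so this hunk still reflects the earlier revision; in the reverted form they map cleanly: `fixed-version` for the 2022 pair (the comment says they affect only the range after 4.3.0 and before 4.4.0, and the recipe is 4.5.0) and `fixed-version` for CVE-2015-7313 (tested absent in 4.3.0), with the Debian tracker URL kept as a comment.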
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            "
 SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
 
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
 
 S = "${WORKDIR}/libxslt-${PV}"
 
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..db52d96033 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,9 +21,6 @@ S = "${WORKDIR}/git"
 
 inherit ptest
 
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
-
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
 do_install() {
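Review bot: CVE-2014-4715 is dropped without replacement, although the v8 cover letter states the lz4 ignore was reverted. "Fixed in r118, which is larger than the current version" is a version-ordering problem in the NVD data, i.e. the `fixed-version` case; suggest `CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."`.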
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..181187bbd9 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -5,10 +5,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
-
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
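Review bot: all three sqlite ignores go away with no CVE_STATUS entries, and the comments explaining them (including the sqlite.org commit and the sqlite-dev thread) are lost. Each has an obvious new detail: `cpe-incorrect` or `fixed-version` for CVE-2019-19242 (development-branch commits only), `not-applicable-platform` for CVE-2015-3717 (believed iOS specific), and `not-applicable-config` for CVE-2021-36690 (an experimental extension that is not built). If NVD now reports them fixed for 3.41.2, the commit message should say so.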
-- 
2.41.0


* [OE-core][PATCH v8 0/3] CVE-check handling
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (12 preceding siblings ...)
  2023-06-22  6:59   ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
@ 2023-06-22 12:00   ` Andrej Valek
  2023-06-22 12:00   ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (7 subsequent siblings)
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

After discussion in all parallel threads we proposed the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which may not be ideal but deals with the
conflicting responses we got.

Changes compared to version 7:
 - reverted dropped CVE ignores for lz4 and tiff

Documentation will be updated in a separate repository.

 meta/classes/cve-check.bbclass                |  99 ++++-
 .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
 meta/lib/oe/cve_check.py                      |  25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py     |  26 +-
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 .../logrotate/logrotate_3.21.0.bb             |   5 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               |  11 +-
 .../libpng/libpng_1.6.39.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 46 files changed, 392 insertions(+), 373 deletions(-)

-- 
2.41.0


* [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (13 preceding siblings ...)
  2023-06-22 12:00   ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
@ 2023-06-22 12:00   ` Andrej Valek
  2023-06-23 10:02     ` Ross Burton
  2023-06-22 12:00   ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
                     ` (6 subsequent siblings)
  21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

From: Andrej Valek <andrej.valek@siemens.com>

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 99 +++++++++++++++++++++++++++++-----
 meta/lib/oe/cve_check.py       | 25 +++++++++
 2 files changed, 111 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..4eb6dff7de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,48 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
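
Review bot: typo in the comment on the fixed-version entry, "verion" should be "version". Since CVE_CHECK_IGNORE is declared deprecated here, the comment should also say what happens to it (each listed CVE becomes CVE_STATUS[...] = "ignored" at parse time, per the anonymous python function added in the next hunk), so layer maintainers see the migration path without reading the class body.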
@@ -88,6 +122,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+        for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+            d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        cve_group = d.getVar(cve_status_group)
+        if cve_group is not None:
+            for cve in cve_group.split():
+                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+        else:
+            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
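
Review bot: the CVE_CHECK_IGNORE fallback in the anonymous python function overwrites any CVE_STATUS flag that already exists for the same CVE with a bare "ignored", discarding its detail and description; skip CVEs that already carry a CVE_STATUS flag, or warn about the conflict. For groups, `d.getVarFlag(cve_status_group, "status")` is None when the group variable has no [status] flag, and storing None as the CVE_STATUS flag makes decode_cve_status treat it as "no status" without any warning; emit a bb.warn for a group without a status flag. Minor: `d.getVar("CVE_CHECK_IGNORE")` is fetched a second time in the loop although cve_check_ignore already holds it.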
@@ -260,7 +312,7 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from oe.cve_check import Version, convert_cve_version
+    from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
@@ -282,7 +334,12 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Ignored":
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -413,6 +470,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     CVE manifest if enabled.
     """
 
+    from oe.cve_check import decode_cve_status
+
     cve_file = d.getVar("CVE_CHECK_LOG")
     fdir_name  = d.getVar("FILE_DIRNAME")
     layer = fdir_name.split("/")[-3]
@@ -441,20 +500,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         is_patched = cve in patched
         is_ignored = cve in ignored
 
+        status = "Unpatched"
         if (is_patched or is_ignored) and not report_all:
             continue
+        if is_ignored:
+            status = "Ignored"
+        elif is_patched:
+            status = "Patched"
+        else:
+            # default value of status is Unpatched
+            unpatched_cves.append(cve)
 
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if is_ignored:
-            write_string += "CVE STATUS: Ignored\n"
-        elif is_patched:
-            write_string += "CVE STATUS: Patched\n"
-        else:
-            unpatched_cves.append(cve)
-            write_string += "CVE STATUS: Unpatched\n"
+        write_string += "CVE STATUS: %s\n" % status
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            write_string += "CVE DETAIL: %s\n" % detail
+        if description:
+            write_string += "CVE DESCRIPTION: %s\n" % description
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -516,6 +582,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     Prepare CVE data for the JSON format, then write it.
     """
 
+    from oe.cve_check import decode_cve_status
+
     output = {"version":"1", "package": []}
     nvd_link = "https://nvd.nist.gov/vuln/detail/"
 
@@ -576,6 +644,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            cve_item["detail"] = detail
+        if description:
+            cve_item["description"] = description
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
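
Review bot: the JSON report gains two optional per-issue keys ("detail" and "description") but the top-level "version" stays "1"; either bump it or document in the class that consumers must treat these keys as optional, since they are only emitted when non-empty (the reworked selftest in patch 2/3 defaults them to "" for exactly that reason).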
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
@@ -218,3 +225,21 @@ def convert_cve_version(version):
 
     return version + update
 
+def decode_cve_status(d, cve):
+    """
+    Convert CVE_STATUS into status, detail and description.
+    """
+    status = d.getVarFlag("CVE_STATUS", cve)
+    if status is None:
+        return ("", "", "")
+
+    status_split = status.split(':', 1)
+    detail = status_split[0]
+    description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+    if status_mapping is None:
+        bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+        status_mapping = "Unpatched"
+
+    return (status_mapping, detail, description)
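
Review bot: decode_cve_status is called per CVE from get_patched_cves, check_cves, cve_write_data_text and cve_write_data_json, so one invalid detail keyword fires the bb.warn here several times for the same recipe; validate once at parse time (the anonymous python function in the class is the natural place) or cache the decoded result. Also strip `detail` before the CVE_CHECK_STATUSMAP lookup, otherwise `"upstream-wontfix : reason"` falls back to Unpatched with a warning. The Unpatched fallback for an unknown keyword is the right fail-safe default; worth stating that in the docstring so nobody later "fixes" it to Ignored.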
-- 
2.41.0

* [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek

From: Andrej Valek <andrej.valek@siemens.com>

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 +++++++++++++++----
 .../logrotate/logrotate_3.21.0.bb             |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "detail" : issue["detail"] if "detail" in issue else "",
+                    "description" : issue["description"] if "description" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+            detail = "not-applicable-platform"
+            description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
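
Review bot: `issue["detail"] if "detail" in issue else ""` reads more simply as `issue.get("detail", "")`, same for description. The new assertions pin down that CVE-2011-1098, which is patched via a patch file rather than CVE_STATUS, reports an empty detail and description; add a short comment saying this is intentional, because the "patched" STATUSMAP entry exists and a later reader may expect it to show up as the detail here.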
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
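
Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses `=`, which replaces in this recipe's datastore whatever the distro configuration appended (cve-extra-exclusions.inc in patch 3/3 uses `CVE_STATUS_GROUPS += ...`); use `+=` here as well so recipe-level and distro-level groups compose instead of the recipe silently dropping the distro ones.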
-- 
2.41.0

* [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
From: Andrej Valek @ 2023-06-22 12:00 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

From: Andrej Valek <andrej.valek@siemens.com>

- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               |  11 +-
 .../libpng/libpng_1.6.39.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 42 files changed, 257 insertions(+), 353 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 1c3cc36c61..a5dd7d3866 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -16,43 +16,42 @@
 #
 
 
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
+
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
 
 # db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 
 #
 # Kernel CVEs, e.g. linux-yocto*
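
Review bot: the joined CVE_STATUS_GO[status] text has no sentence separator between "...if not used correctly" and "CVE applies..."; add a period, since the description is emitted verbatim into the CVE DESCRIPTION field of the text and JSON reports. Note for future entries that decode_cve_status splits on the first ':' only, so URLs inside a description (the bugzilla link for CVE-2010-4756) are safe as long as the status keyword stays first, as it does here.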
@@ -65,74 +64,83 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020"
+
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+                           CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
 
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: This is specific to Ubuntu"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3016
-# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3819
-# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3887
-# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
 
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
 # Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
 # Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"
 
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
 
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
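
Review bot: "Fixed in versions v5.10" for CVE-2020-27784 should read "version" like the surrounding entries. That entry also lists a v5.4.73 backport in its comment yet is marked fixed-version, while entries later in this file with the same shape use cpe-stable-backport; both map to Patched, but the keyword is the documented rationale, so pick one rule and state it in the header comment of this block. Minor: the CVE_STATUS_KERNEL_2018 continuation line appears indented one column further than the 2010/2017 groups.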
@@ -140,7 +148,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -148,7 +156,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed in version v5.19"
https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -158,19 +166,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
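
Review bot: within this hunk CVE-2022-2196 is marked cpe-stable-backport while CVE-2022-2308, which likewise lists stable backports (v5.15.72, v5.19.14) above its mainline fix, is marked fixed-version; the criterion for choosing between the two keywords is not visible from the entries. Document it once (for example in the block header) so later contributors classify consistently.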
@@ -179,19 +187,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "fixed-version: Fixed in version v5.17"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -200,7 +208,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -211,13 +219,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "fixed-version: Fixed in version v5.18"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -225,20 +233,20 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
@@ -247,7 +255,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -256,12 +264,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -270,7 +278,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -279,13 +287,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -294,7 +302,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -303,12 +311,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -319,7 +327,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -328,7 +336,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -337,7 +345,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -346,7 +354,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -354,7 +362,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -362,7 +370,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -370,7 +378,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -378,15 +386,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -394,7 +402,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "fixed-version: Fixed in version v6.1"
 
 
 # 2023
@@ -404,14 +412,14 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -420,7 +428,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -429,28 +437,28 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
@@ -459,19 +467,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -480,7 +488,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -490,7 +498,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -498,7 +506,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -506,7 +514,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -514,7 +522,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -525,7 +533,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -535,7 +543,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
 # > in which a user can cause the alloc_memory_type error case to be reached.
 # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
 # We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "disputed: Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-28466
 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
@@ -543,127 +551,102 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
 # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
 # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.105, v6.1.20 and v6.2.7"
 
-# Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
+CVE_STATUS[CVE-2023-0459] = "cpe-stable-backport: Backported in 6.1.14"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0615
-# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-1380] = "cpe-stable-backport: Backported in 6.1.27"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+CVE_STATUS[CVE-2023-1611] = "cpe-stable-backport: Backported in 6.1.23"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-1855] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-1859] = "cpe-stable-backport: Backported in 6.1.25"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+CVE_STATUS[CVE-2023-1989] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1990
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS[CVE-2023-1990] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+CVE_STATUS[CVE-2023-1998] = "cpe-stable-backport: Backported in 6.1.16"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-2002] = "cpe-stable-backport: Backported in 6.1.27"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2156
-# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "cpe-stable-backport: Backported in 6.1.26"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
+CVE_STATUS[CVE-2023-2162] = "cpe-stable-backport: Backported in 6.1.11"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2194] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+CVE_STATUS[CVE-2023-2235] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
+CVE_STATUS[CVE-2023-28328] = "cpe-stable-backport: Backported in 6.1.2"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-2985] = "cpe-stable-backport: Backported in 6.1.16"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
+CVE_STATUS[CVE-2023-28866] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
+CVE_STATUS[CVE-2023-30456] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
+CVE_STATUS[CVE-2023-30772] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
+CVE_STATUS[CVE-2023-31436] = "cpe-stable-backport: Backported in 6.1.26"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
+CVE_STATUS[CVE-2023-32233] = "cpe-stable-backport: Backported in 6.1.28"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
+CVE_STATUS[CVE-2023-33203] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
+CVE_STATUS[CVE-2023-33288] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
+CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
 
 # Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in 6.1.30"
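Review bot: the new multi-line value for CVE_STATUS[CVE-2020-18974] is missing its line continuations: only `+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \` ends in a backslash, while `It is a fuzzing related buffer overflow. It is of low impact since most devices` and `wouldn't expose an assembler. The upstream is inactive and there is little to be` do not, so the quoted value is not continued across those lines and the assignment will not parse as intended (the CVE-2021-20255 and CVE-2019-12067 entries just above show the correct form). Also in this hunk: the two CVE-2022-3563/CVE-2022-3637 strings should read "This issue does not affect the kernel; the patches listed on the CVE pages link to ..."; the linuxkernelcves.com block at the end drops the `v` prefix used in every other status string ("Backported in 6.1.14" vs "Backported in versions v6.1.14"), and CVE-2023-0615, whose removed comment said "Fixed in 6.1 onwards", is a mainline fix, so `fixed-version` rather than `cpe-stable-backport` is the accurate status there; finally the reference URL for CVE-2023-1999 still sits above a status line for CVE-2023-1998, a pre-existing mismatch worth resolving while these lines are rewritten.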
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
 
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
 
 DEPENDS = "flex-native bison-native gettext-native"
 
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
 
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
 
diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb b/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 80164aad87..26a280c844 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
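Review bot: the two-line comment kept above the new CVE_STATUS[CVE-2019-6470] line repeats the explanation that is now inside the status string, leaving two copies to keep in sync; drop the comment (as the other recipes in this series do) so the status value is the single source of the rationale.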
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0..31f325e590 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,8 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
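Review bot: the replacement CVE IDs do not match the removed ones: the old line ignored CVE-2020-12352 and CVE-2020-24490, but the new lines set CVE_STATUS for CVE-2022-3563 and CVE-2022-3637, so the two 2020 CVEs lose their status and will reappear in the report, while the rationale given for the 2022 pair ("kernel fixes rather than bluez fixes") contradicts the kernel-side entry earlier in this same patch, which says the patches listed on those CVE pages link to bluez.git. Either keep the original IDs, e.g. `CVE_STATUS[CVE-2020-12352] = "cpe-incorrect: These issues have kernel fixes rather than bluez fixes"` and the same for CVE-2020-24490, or give the 2022 entries their own correct justification; in either case fix "This issues have" to "These issues have".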
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index f5f3f32a97..e3557348e8 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -253,6 +253,5 @@ CVE_PRODUCT = "openssl:openssl"
 
 CVE_VERSION_SUFFIX = "alphabetical"
 
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
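Review bot: the retained comment "# Apache in meta-webserver is already recent enough" is now orphaned from the sentence it continued, since the first half moved into the CVE_STATUS string. Either fold it into the string ("... Apache < 2.4.37; Apache in meta-webserver is already recent enough") or drop it.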
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
 SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
 
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+# 
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
 
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
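Review bot: the added line `+# ` is an empty comment with trailing whitespace; remove it and keep only the savannah commit link above the CVE_STATUS entry.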
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
 
 DEPENDS += "gperf-native bison-native"
 
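Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` uses plain assignment, so any group list set elsewhere (a bbappend, a distro layer) would be overwritten; `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` is the safer form for a recipe. In the status text, the quoted upstream statement lost its quotes and capital letter ("this is being treated as a non-security bug ...") when it was moved; keep it marked as a quotation as the CVE-2019-1010025 entry in the same hunk does.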
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 4f3b17093e..095ecf8602 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -26,10 +26,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 
 BINCONFIG = "${bindir}/xml2-config"
 
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
 PACKAGECONFIG ??= "python \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
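Review bot: the CVE-2016-3709 exclusion is removed without a replacement CVE_STATUS entry, while the removed comment says it was fixed in 2.9.11 with a linked commit. If the intent is that the version check in cve-check now handles it for 2.10.4, the commit message should say so; otherwise this is a `fixed-version:` entry, not a deletion.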
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
 pkg_prerm:udev-hwdb () {
 	rm -f $D${sysconfdir}/udev/hwdb.bin
 }
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
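Review bot: CVE-2022-4415 is dropped rather than converted, and the removed comment ("This was also fixed in 252.4 with 9b75a3d0") points to a `fixed-version:` or `cpe-stable-backport:` entry. Keep the entry unless the commit message explains why the check no longer reports it for 253.3.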
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
 
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
 
 GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
 
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
 
 inherit autotools gettext texinfo ptest github-releases
 
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
 
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
 
 CVE_PRODUCT = "git-scm:git"
 
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
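Review bot: both git exclusions are removed with no CVE_STATUS replacement. CVE-2022-41953 ("specific to Git-for-Windows") is a textbook `not-applicable-platform:` entry, and CVE-2022-24975 fits `upstream-wontfix:` or `disputed:`; without entries both will be reported as unpatched again.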
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
 
 inherit allarch
 
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
 
 BBCLASSEXTEND = "native nativesdk"
 
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.3.bb b/meta/recipes-devtools/python/python3_3.11.3.bb
index c7974849b6..59f93861dd 100644
--- a/meta/recipes-devtools/python/python3_3.11.3.bb
+++ b/meta/recipes-devtools/python/python3_3.11.3.bb
@@ -47,15 +47,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
 
 PYTHON_MAJMIN = "3.11"
 
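Review bot: the context line "# The module will be removed in the future and flaws documented." is now a dangling second half of the old two-line comment, since its first half became the CVE_STATUS[CVE-2015-20107] string. Fold it into the string or drop it so the comment does not read as applying to the four entries above it.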
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6acda61425..480aa97c30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,21 +39,16 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
 
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
 
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
 
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
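Review bot: the typo "uder" in the old comment was carried over into the CVE_STATUS[CVE-2007-0998] string; fix it to "under" while the text is being moved. The CVE-2023-0664 entry keeps its two reference links in the comment, which is the right pattern; the other entries in this hunk could keep their links the same way.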
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
 inherit autotools-brokensep
 
 PACKAGECONFIG ??= "acl attr \
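Review bot: CVE-2017-16548 is removed without replacement. The removed comment says the fix is already in v3.1.3, which is older than this recipe's 3.2.7, so relying on the version check is plausible, but the commit message should state that the entry was dropped deliberately rather than lost in the conversion.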
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 
 SRC_URI:class-native = "${BASE_SRC_URI}"
 
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
 
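Review bot: CVE-2021-35331 is dropped rather than converted, although the removed comment ("Upstream don't believe this is an exploitable issue", with the tcl-lang.org reference) is exactly the `upstream-wontfix:` or `disputed:` case the new statuses were added for. Keep it as a CVE_STATUS entry with the link in the description.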
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index e55fb70cb1..397bb5d87c 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 
 inherit autotools gettext texinfo ptest
 
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..ec4abeb936 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,14 +20,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
 
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
 
 LEAD_SONAME = "libcupsdriver.so"
 
@@ -115,7 +112,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
index f03ebf4478..4c0888e6a7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
@@ -18,8 +18,7 @@ DEPENDS = "tiff jpeg fontconfig cups libpng freetype zlib"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We use a system libjpeg-turbo which has this fix
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "not-applicable-config: We use a system libjpeg-turbo which has this fix"
 
 def gs_verdir(v):
     return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
 
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
 
 inherit autotools pkgconfig
 
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
 PROCPS_PACKAGES = "${PN}-lib \
                    ${PN}-ps \
                    ${PN}-sysctl"
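Review bot: CVE-2018-1121 loses its exclusion entirely; the removed comment ("'ps' isn't suitable for use as a security tool", with the Red Hat bugzilla reference) maps naturally to `upstream-wontfix:`. Without an entry the CVE will be reported again for 4.0.3.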
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
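Review bot: the retained bugzilla link now sits above two CVE_STATUS entries, so it is no longer clear that it documents CVE-2013-4235 only. Move the URL into that entry's description string, or keep the comment directly above the CVE-2013-4235 line.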
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 
 inherit autotools update-rc.d systemd pkgconfig
 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
 
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
 # -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
index 1a5d8a6b04..1142afece1 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
@@ -51,8 +51,7 @@ do_compile:prepend() {
     sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
 
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
 	chown  builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
 
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b..be632dec2a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Backported in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Backported in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Backported in version v6.1"
 
 
 # 2023
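Review bot: the three new entries say "fixed-version: Backported in version v6.1", but the comments above each say the fix is in mainline since v6.1, which is this recipe's base version, not a stable backport; "fixed-version: Fixed in v6.1" keeps them distinct from the `cpe-stable-backport:` entries in the next hunk. Separately, the two nvd.nist.gov context lines for CVE-2022-3566 and CVE-2022-3567 appear here without the leading "# "; please check that this is only a mail-formatting artefact and the file still parses.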
@@ -26,11 +26,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf..562745e3eb 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
 
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..c083acaa61 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -18,14 +18,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
+CVE_STATUS[CVE-2022-1210] = "not-applicable-config: Issue is in jbig which we don't enable"
 
 inherit autotools multilib_header
 
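Review bot: CVE-2022-1622 and CVE-2022-1623 are dropped with no CVE_STATUS entry. The removed comment bounds them to libtiff after 4.3.0 and before 4.4.0, so the version check may cover 4.5.0, but that reasoning belongs in the commit message; if the check still reports them, they need `fixed-version:` entries. The CVE-2015-7313 string also reads oddly ("and already 4.3.0 doesn't have the issue"); "and 4.3.0 already doesn't have the issue" is what the old comment said.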
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            "
 SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
 
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
 
 S = "${WORKDIR}/libxslt-${PV}"
 
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
 
 inherit ptest
 
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
 
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..181187bbd9 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -5,10 +5,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
-
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
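Review bot: all three sqlite3 exclusions are removed without replacement, and the removed comments give clear statuses for each: CVE-2015-3717 is iOS specific (`not-applicable-platform:`), CVE-2021-36690 is in an experimental extension that is not built (`not-applicable-config:`), and CVE-2019-19242 only affects development-branch commits (`not-applicable-config:` or `disputed:`). Converting them keeps the links and the reasoning in the recipe.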
-- 
2.41.0




* Re: [OE-core][PATCH v7 0/3] CVE-check handling
  2023-06-22  6:59   ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
@ 2023-06-22 12:42     ` Luca Ceresoli
  2023-06-22 13:50       ` Valek, Andrej
  0 siblings, 1 reply; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-22 12:42 UTC (permalink / raw)
  To: Andrej Valek via lists.openembedded.org; +Cc: andrej.valek, openembedded-core

Hello Andrej,

On Thu, 22 Jun 2023 08:59:02 +0200
"Andrej Valek via lists.openembedded.org"
<andrej.valek=siemens.com@lists.openembedded.org> wrote:

> After discussion in all parallel threads we proposed the following variant which
> covers both expressed requirements to have a very small number of different cve
> statuses and also a very large number of them at the same time.
> This is a compromise version which maybe is not ideal but deals with the
> conflicting responses we got.
> 
> Changes compared to version 6:
>  - added conversion from CVE_CHECK_IGNORE to CVE_STATUS
>  - added comments for all statuses
>  - dropped "not-affected" status
>   - conversion showed that it is not very useful
>  - added "disputed" status
> 
> Documentation will be updated in a separate repository.

This patchset generates a lot of warnings when run on the autobuilders.
Here are a few:

WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail cpe-incorrect for CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself", fallback to Unpatched
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-config for CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default.", fallback to Unpatched
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail disputed for CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability.", fallback to Unpatched
NOTE: recipe python3-calver-2022.6.26-r0: task do_create_runtime_spdx: Succeeded
WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-platform for CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows", fallback to Unpatched

WARNING: cpio-2.14-r0 do_create_spdx: Invalid detail not-applicable-platform for CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS", fallback to Unpatched

WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes", fallback to Unpatched
WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes", fallback to Unpatched

For a more complete list you can look at the build page:
https://swatbot.yoctoproject.org/collection/17294/

All/most of the warnings are about CVEs.

I haven't looked in detail at what the intended behavior of your
patch set is, however I'm removing it from my testing branch for the time
being.

Best regards,
Luca

-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* Re: [OE-core][PATCH v7 0/3] CVE-check handling
  2023-06-22 12:42     ` Luca Ceresoli
@ 2023-06-22 13:50       ` Valek, Andrej
  2023-06-22 13:55         ` Luca Ceresoli
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-06-22 13:50 UTC (permalink / raw)
  To: luca.ceresoli, andrej.valek=siemens.com; +Cc: openembedded-core

Hello Luca,

How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
didn't print any warning. Should I build an image?

Regards,
Andrej

On Thu, 2023-06-22 at 14:42 +0200, Luca Ceresoli wrote:
> Hello Andrej,
> 
> On Thu, 22 Jun 2023 08:59:02 +0200
> "Andrej Valek via lists.openembedded.org"
> <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> 
> > After discussion in all parallel threads we proposed the following variant
> > which covers both expressed requirements to have a very small number of
> > different cve statuses and also a very large number of them at the same time.
> > This is a compromise version which maybe is not ideal but deals with the
> > conflicting responses we got.
> > 
> > Changes compared to version 6:
> >  - added conversion from CVE_CHECK_IGNORE to CVE_STATUS
> >  - added comments for all statuses
> >  - dropped "not-affected" status
> >   - conversion showed that it is not very useful
> >  - added "disputed" status
> > 
> > Documentation will be updated in a separate repository.
> 
> This patchset generates a lot of warnings when run on the autobuilders.
> Here are a few:
> 
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender <
> 0.6.0 and not qemu itself", fallback to Unpatched
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-config
> for CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can
> expose host files uder some circumstances. We don't enable it by default.",
> fallback to Unpatched
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail disputed for
> CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were
> determined to not constitute a vulnerability.", fallback to Unpatched
> NOTE: recipe python3-calver-2022.6.26-r0: task do_create_runtime_spdx:
> Succeeded
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-platform
> for CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies
> on Windows", fallback to Unpatched
> 
> WARNING: cpio-2.14-r0 do_create_spdx: Invalid detail not-applicable-platform
> for CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use
> of cpio in SUSE/OBS", fallback to Unpatched
> 
> WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes
> rather than bluez fixes", fallback to Unpatched
> WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes
> rather than bluez fixes", fallback to Unpatched
> 
> For a more complete list you can look at the build page:
> https://swatbot.yoctoproject.org/collection/17294/
> 
> All/most of the warnings are about CVEs.
> 
> I haven't looked in detail at what is the intended behavior of your
> patch set, however I'm removing it from my testing branch for the time
> being.
> 
> Best regards,
> Luca
> 



* Re: [OE-core][PATCH v7 0/3] CVE-check handling
  2023-06-22 13:50       ` Valek, Andrej
@ 2023-06-22 13:55         ` Luca Ceresoli
  2023-06-22 13:59           ` Valek, Andrej
  0 siblings, 1 reply; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-22 13:55 UTC (permalink / raw)
  To: Andrej Valek via lists.openembedded.org; +Cc: andrej.valek, openembedded-core

Hello Andrej,

On Thu, 22 Jun 2023 13:50:32 +0000
"Andrej Valek via lists.openembedded.org"
<andrej.valek=siemens.com@lists.openembedded.org> wrote:

> Hello Luca,
> 
> How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
> didn't print any warning. Should I build an image?

I don't know how to reproduce _exactly_ the build environment of the
autobuilders, however the logs have some good hints (click the "stdio"
links in the page at the URL I provided). E.g. for the qemuarm64
builder it says:

Running '. ./oe-init-build-env; bitbake core-image-sato core-image-sato-sdk core-image-minimal core-image-minimal-dev core-image-sato:do_populate_sdk -k' ...
MACHINE = "qemuarm64"
DISTRO = "poky"
...and more settings you might want to put in your local.conf...

So you may try that.

Luca

-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* Re: [OE-core][PATCH v7 0/3] CVE-check handling
  2023-06-22 13:55         ` Luca Ceresoli
@ 2023-06-22 13:59           ` Valek, Andrej
  2023-06-22 14:07             ` Valek, Andrej
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-06-22 13:59 UTC (permalink / raw)
  To: luca.ceresoli; +Cc: openembedded-core

Hello Luca,

I wanted to check the logs, but it requires a login/password. Would it be
possible to send a link where it is not required? Maybe here
https://autobuilder.yoctoproject.org/typhoon/#/ ?

Regards,
Andrej

On Thu, 2023-06-22 at 15:55 +0200, Luca Ceresoli wrote:
> Hello Andrej,
> 
> On Thu, 22 Jun 2023 13:50:32 +0000
> "Andrej Valek via lists.openembedded.org"
> <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> 
> > Hello Luca,
> > 
> > How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
> > didn't print any warning. Should I build an image?
> 
> I don't know how to reproduce _exactly_ the build environment of the
> autobuilders, however the logs have some good hints (click the "stdio"
> links in the page at the URL I provided). E.g. for the qemuarm64
> builder it says:
> 
> Running '. ./oe-init-build-env; bitbake core-image-sato core-image-sato-sdk
> core-image-minimal core-image-minimal-dev core-image-sato:do_populate_sdk -k'
> ...
> MACHINE = "qemuarm64"
> DISTRO = "poky"
> ...and more settings you might want to put in your local.conf...
> 
> So you may try that.
> 
> Luca
> 



* Re: [OE-core][PATCH v7 0/3] CVE-check handling
  2023-06-22 13:59           ` Valek, Andrej
@ 2023-06-22 14:07             ` Valek, Andrej
  2023-06-22 16:24               ` Luca Ceresoli
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-06-22 14:07 UTC (permalink / raw)
  To: luca.ceresoli; +Cc: openembedded-core

OK,

Now I know what's the problem. SPDX are being created without inheriting the
cve-check class.

Regards,
Andrej

On Thu, 2023-06-22 at 15:59 +0200, Valek Andrej wrote:
> Hello Luca,
> 
> I wanted to check the logs, but it requires a login/password. Would it be
> possible to send a link where is not required? Maybe here
> https://autobuilder.yoctoproject.org/typhoon/#/ ?
> 
> Regards,
> Andrej
> 
> On Thu, 2023-06-22 at 15:55 +0200, Luca Ceresoli wrote:
> > Hello Andrej,
> > 
> > On Thu, 22 Jun 2023 13:50:32 +0000
> > "Andrej Valek via lists.openembedded.org"
> > <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> > 
> > > Hello Luca,
> > > 
> > > How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
> > > didn't print any warning. Should I build an image?
> > 
> > I don't know how to reproduce _exactly_ the build environment of the
> > autobuilders, however the logs have some good hints (click the "stdio"
> > links in the page at the URL I provided). E.g. for the qemuarm64
> > builder it says:
> > 
> > Running '. ./oe-init-build-env; bitbake core-image-sato core-image-sato-sdk
> > core-image-minimal core-image-minimal-dev core-image-sato:do_populate_sdk -
> > k'
> > ...
> > MACHINE = "qemuarm64"
> > DISTRO = "poky"
> > ...and more settings you might want to put in your local.conf...
> > 
> > So you may try that.
> > 
> > Luca
> > 
> 



* Re: [OE-core][PATCH v7 0/3] CVE-check handling
  2023-06-22 14:07             ` Valek, Andrej
@ 2023-06-22 16:24               ` Luca Ceresoli
  0 siblings, 0 replies; 73+ messages in thread
From: Luca Ceresoli @ 2023-06-22 16:24 UTC (permalink / raw)
  To: Andrej Valek via lists.openembedded.org; +Cc: andrej.valek, openembedded-core

Hello Andrej,

On Thu, 22 Jun 2023 14:07:41 +0000
"Andrej Valek via lists.openembedded.org"
<andrej.valek=siemens.com@lists.openembedded.org> wrote:

> OK,
> 
> Now I know what's the problem. SPDX are being created without inheriting the
> cve-check class.
> 
> Regards,
> Andrej
> 
> On Thu, 2023-06-22 at 15:59 +0200, Valek Andrej wrote:
> > Hello Luca,
> > 
> > I wanted to check the logs, but it requires a login/password. Would it be
> > possible to send a link where is not required? Maybe here
> > https://autobuilder.yoctoproject.org/typhoon/#/ ?

Ouch, sorry about that! Apparently you already found the root cause,
however here is the a-full build public link, in case it were still
useful:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/5505

Luca

-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com



* Re: [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
  2023-06-22 12:00   ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-23 10:02     ` Ross Burton
  2023-06-23 11:22       ` Valek, Andrej
  0 siblings, 1 reply; 73+ messages in thread
From: Ross Burton @ 2023-06-23 10:02 UTC (permalink / raw)
  To: andrej.valek; +Cc: openembedded-core, Peter Marko

On 22 Jun 2023, at 13:00, Andrej Valek via lists.openembedded.org <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
> The CVE_STATUS should contain information about the status, which
> is decoded in 3 items:
> - generic status: "Ignored", "Patched" or "Unpatched"
> - more detailed status enum
> - description: free text describing reason for status

I think this needs to be clearer about what the intended use of the keywords is.

Is the canonical data the CVE_STATUS[CVE-1234-5678] attribute, and the mapping from the status there via CVE_CHECK_STATUSMAP simply for backwards compatibility with the existing file format? Is this deprecating the status fields in those files or is it just a high-level summary? Either way, that should be made clear.

> +# Possible options for CVE statuses
> +
> +# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
> +CVE_CHECK_STATUSMAP[patched] = "Patched"
> +# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
> +CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
> +# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
> +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
> +# use when NVD DB does not mention correct version or does not mention any verion at all
> +CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

It bothers me that some of these status flags are working around the fact that the CPE is incorrect, when that CPE data can be fixed.  Instead of setting fixed-version, we can just mail NIST and fix the CPE.

> +# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
> +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> +# use when CVE is confirmed by upstream but fix is still not available
> +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> +
> +# used for migration from old concept, do not use for new vulnerabilities
> +CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> +# use when NVD DB wrongly indicates vulnerability which is actually for a different component
> +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
> +# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
> +CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> +# use when vulnerability depends on build or runtime configuration which is not used
> +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> +# use when vulnerability affects other platform (e.g. Windows or Debian)
> +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"

> +# use when upstream acknowledged the vulnerability but does not plan to fix it
> +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"

Is this any different to ‘disputed’?

Do we expect to add a lot more statuses to this table, or for users to add their own values? It feels like maybe this should be a dict in lib/oe/cve_check.py instead of exposed in the data store.

> +    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
> +    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> +        cve_group = d.getVar(cve_status_group)
> +        if cve_group is not None:
> +            for cve in cve_group.split():
> +                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
> +        else:
> +            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
> +}

CVE_STATUS_GROUPS isn’t documented in the class or the commit message.




* [OE-core][PATCH v9 0/3] CVE-check handling
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (16 preceding siblings ...)
  2023-06-22 12:00   ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
@ 2023-06-23 11:14   ` Andrej Valek
  2023-07-19 10:26     ` Valek, Andrej
  2023-06-23 11:14   ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (3 subsequent siblings)
  21 siblings, 1 reply; 73+ messages in thread
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek

After discussion in all parallel threads we proposed the following variant which
covers both expressed requirements to have a very small number of different cve
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.

Changes compared to version 8:
 - moved CVE_CHECK_STATUSMAP into a separate cve-check-map.conf file
  - this allows using it without inheriting the cve-check class, e.g. for SPDX

Documentation will be updated in a separate repository.

 meta/classes/cve-check.bbclass                |  81 +++-
 meta/conf/bitbake.conf                        |   1 +
 meta/conf/cve-check-map.conf                  |  28 ++
 .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
 meta/lib/oe/cve_check.py                      |  25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py     |  26 +-
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 .../logrotate/logrotate_3.21.0.bb             |   5 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               |  11 +-
 .../libpng/libpng_1.6.39.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 48 files changed, 403 insertions(+), 373 deletions(-)
 create mode 100644 meta/conf/cve-check-map.conf

-- 
2.41.0




* [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (17 preceding siblings ...)
  2023-06-23 11:14   ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
@ 2023-06-23 11:14   ` Andrej Valek
  2023-06-23 11:14   ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
                     ` (2 subsequent siblings)
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek, Peter Marko

From: Andrej Valek <andrej.valek@siemens.com>

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 81 ++++++++++++++++++++++++++++------
 meta/conf/bitbake.conf         |  1 +
 meta/conf/cve-check-map.conf   | 28 ++++++++++++
 meta/lib/oe/cve_check.py       | 25 +++++++++++
 4 files changed, 122 insertions(+), 13 deletions(-)
 create mode 100644 meta/conf/cve-check-map.conf

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..55e3baf1ed 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,28 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# Settings the same status and reason for multiple CVEs is possible
+# via CVE_STATUS_GROUPS variable.
+#
+# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+#
+# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003"
+# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows"
+# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004"
+# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
+#
+# All possible CVE statuses could be found in cve-check-map.conf
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
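Review bot: typo in the new comment block: `+# Settings the same status and reason for multiple CVEs is possible` should read `Setting`, and `Each of CVE has to be mentioned` reads better as `Each CVE has to be mentioned`. The closing comment says CVE_CHECK_IGNORE is deprecated but keeps `CVE_CHECK_IGNORE ?= ""`; stating here that entries are converted automatically to `CVE_STATUS[...] = "ignored"` (which the anonymous python below does) would tell layer maintainers what the deprecation warning means and what to migrate to.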
@@ -88,6 +104,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+    if cve_check_ignore:
+        bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+        for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+            d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+    # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+        cve_group = d.getVar(cve_status_group)
+        if cve_group is not None:
+            for cve in cve_group.split():
+                d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+        else:
+            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
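Review bot: `d.getVarFlag(cve_status_group, "status")` is None when a group listed in CVE_STATUS_GROUPS is defined but has no [status] flag; the inner loop then stores None as the CVE_STATUS flag of every member, decode_cve_status() later returns ("", "", "") for them, and the misconfiguration is silent. Suggest fetching the flag once before `for cve in cve_group.split():` and emitting a bb.warn, like the existing undefined-variable branch, when it is missing. Minor: the first loop re-reads `d.getVar("CVE_CHECK_IGNORE")` although `cve_check_ignore` already holds that value.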
@@ -260,7 +294,7 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from oe.cve_check import Version, convert_cve_version
+    from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
@@ -282,7 +316,12 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs and check validity
+    cve_ignore = []
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Ignored":
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
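Review bot: decode_cve_status() emits its 'Invalid detail ... fallback to Unpatched' warning on every call, and this loop is one of three call sites per CVE in this patch (cve_write_data_text() and cve_write_data_json() call it again), so a single typo in a CVE_STATUS detail keyword produces the same warning several times per recipe. Suggest validating all CVE_STATUS flags once, e.g. in the anonymous python that already processes CVE_STATUS_GROUPS, and keeping this loop a plain lookup.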
@@ -413,6 +452,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     CVE manifest if enabled.
     """
 
+    from oe.cve_check import decode_cve_status
+
     cve_file = d.getVar("CVE_CHECK_LOG")
     fdir_name  = d.getVar("FILE_DIRNAME")
     layer = fdir_name.split("/")[-3]
@@ -441,20 +482,27 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         is_patched = cve in patched
         is_ignored = cve in ignored
 
+        status = "Unpatched"
         if (is_patched or is_ignored) and not report_all:
             continue
+        if is_ignored:
+            status = "Ignored"
+        elif is_patched:
+            status = "Patched"
+        else:
+            # default value of status is Unpatched
+            unpatched_cves.append(cve)
 
         write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if is_ignored:
-            write_string += "CVE STATUS: Ignored\n"
-        elif is_patched:
-            write_string += "CVE STATUS: Patched\n"
-        else:
-            unpatched_cves.append(cve)
-            write_string += "CVE STATUS: Unpatched\n"
+        write_string += "CVE STATUS: %s\n" % status
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            write_string += "CVE DETAIL: %s\n" % detail
+        if description:
+            write_string += "CVE DESCRIPTION: %s\n" % description
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
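Review bot: the comment `# default value of status is Unpatched` on the else branch restates the `status = "Unpatched"` assignment a few lines above; keeping one of the two avoids drift. Also note that with report_all set, CVEs the class detected itself (NVD version check or CVE patch file) carry no CVE_STATUS flag, so they are written as `CVE STATUS: Patched` with no CVE DETAIL line, even though cve-check-map.conf documents a `patched` detail as used internally by the class; either set that flag when the class detects the fix or reword the map comment.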
@@ -516,6 +564,8 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     Prepare CVE data for the JSON format, then write it.
     """
 
+    from oe.cve_check import decode_cve_status
+
     output = {"version":"1", "package": []}
     nvd_link = "https://nvd.nist.gov/vuln/detail/"
 
@@ -576,6 +626,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        _, detail, description = decode_cve_status(d, cve)
+        if detail:
+            cve_item["detail"] = detail
+        if description:
+            cve_item["description"] = description
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
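Review bot: two new optional keys, `detail` and `description`, are added to every issue entry while `output = {"version":"1", "package": []}` is unchanged, so consumers validating the JSON report against format version 1 will see unexpected keys. Suggest either bumping the version or documenting in the commit message that the keys are optional additions to format 1.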
diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 9625a6fef4..30c813457e 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -831,6 +831,7 @@ include conf/distro/defaultsetup.conf
 include conf/documentation.conf
 include conf/licenses.conf
 require conf/sanity.conf
+require conf/cve-check-map.conf
 
 ##################################################################
 # Weak variables (usually to retain backwards compatibility)
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
new file mode 100644
index 0000000000..17b0f15571
--- /dev/null
+++ b/meta/conf/cve-check-map.conf
@@ -0,0 +1,28 @@
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
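Review bot: the map was moved out of the class so it can be used without inheriting cve-check (per the cover letter), but the comments still say `used by this class internally` and `use when this class does not detect backported patch`; reword to `cve-check`. The `patched` and `unpatched` entries are described as set internally, yet nothing in this series writes those values into CVE_STATUS; either document them as reserved or drop them. Typo: `verion` in the fixed-version comment.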
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a..5bf3caac47 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,13 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
@@ -218,3 +225,21 @@ def convert_cve_version(version):
 
     return version + update
 
+def decode_cve_status(d, cve):
+    """
+    Convert CVE_STATUS into status, detail and description.
+    """
+    status = d.getVarFlag("CVE_STATUS", cve)
+    if status is None:
+        return ("", "", "")
+
+    status_split = status.split(':', 1)
+    detail = status_split[0]
+    description = status_split[1].strip() if (len(status_split) > 1) else ""
+
+    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+    if status_mapping is None:
+        bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+        status_mapping = "Unpatched"
+
+    return (status_mapping, detail, description)
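Review bot: `detail = status_split[0]` is not stripped, so a value written as `" fixed-version: ..."` or `"fixed-version : ..."` (whitespace before or after the detail) fails the CVE_CHECK_STATUSMAP lookup and is downgraded to Unpatched; use `detail = status_split[0].strip()`, mirroring the `.strip()` already applied to the description. The fallback direction itself is right (a misparse makes the CVE visible rather than hiding it), but the docstring should state the expected `"<detail>: <description>"` format and that the description is optional, since callers will rely on that contract.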
-- 
2.41.0


* [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (18 preceding siblings ...)
  2023-06-23 11:14   ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
@ 2023-06-23 11:14   ` Andrej Valek
  2023-06-23 11:14   ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
  2023-07-20  7:19   ` [OE-core][PATCH] " Andrej Valek
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek

From: Andrej Valek <andrej.valek@siemens.com>

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 26 +++++++++++++++----
 .../logrotate/logrotate_3.21.0.bb             |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "detail" : issue["detail"] if "detail" in issue else "",
+                    "description" : issue["description"] if "description" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+            detail = "not-applicable-platform"
+            description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
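Review bot: The test exercises detail and description only for the Ignored entries; the Patched CVE-2011-1098 is asserted to have an empty detail and description (the patch-file case), so the new CVE_STATUS path that yields Patched together with a detail (for example fixed-version) is not covered. Adding one `CVE_STATUS[...] = "fixed-version: ..."` entry to the test's logrotate configuration and asserting its status, detail and description would cover decode_cve_status end to end. Minor: `issue["detail"] if "detail" in issue else ""` reads more simply as `issue.get("detail", "")`.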
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
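Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` is a plain assignment, whereas the distro include in patch 3/3 appends with `CVE_STATUS_GROUPS += "CVE_STATUS_GO"` and similar; in BitBake a later `=` replaces the accumulated value, so for this recipe every group registered by the distro include is dropped from CVE_STATUS_GROUPS. Use `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` here, particularly because the logrotate recipe is the example other recipes will copy, or document that recipe-local groups must always append.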
-- 
2.41.0


* [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (19 preceding siblings ...)
  2023-06-23 11:14   ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
@ 2023-06-23 11:14   ` Andrej Valek
  2023-07-20  7:19   ` [OE-core][PATCH] " Andrej Valek
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-06-23 11:14 UTC (permalink / raw)
  To: openembedded-core; +Cc: luca.ceresoli, Andrej Valek, Peter Marko

From: Andrej Valek <andrej.valek@siemens.com>

- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               |  11 +-
 .../libpng/libpng_1.6.39.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 42 files changed, 257 insertions(+), 353 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 1c3cc36c61..a5dd7d3866 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -16,43 +16,42 @@
 #
 
 
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old with no resolution evident. Broken links in CVE database references make resolution impractical."
+
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
 
 # db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 
 #
 # Kernel CVEs, e.g. linux-yocto*
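Review bot: The CVE_STATUS_DB[status] description at the end of the hunk says "this CVE is unlikely to ever be fixed" although the group covers some thirty CVEs; the removed comment read "these CVEs", so keep the plural, since the same description is attached to every member of the group. The go group description also ends without punctuation and the glibc one joins three sentences across continuation lines without separators; as these strings now appear verbatim in the generated report's description field, add the full stops.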
@@ -65,74 +64,83 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020"
+
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+                           CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
 
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: This is specific to Ubuntu"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3016
-# Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3819
-# Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3887
-# Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
 
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
 # Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
 # Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "fixed-version: Fixed in versions v5.10"
 
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2021"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
 
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2022"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
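Review bot: The kernel year groups (CVE_STATUS_KERNEL_2010 through CVE_STATUS_KERNEL_2022) all carry the bare detail `ignored`, yet the comment above them explains that these are CPE entries at NIST that do not apply to the kernel as shipped; `cpe-incorrect`, which CVE_CHECK_STATUSMAP defines for exactly "NVD DB wrongly indicates vulnerability", would carry that reason into the report instead of discarding it. Two smaller points: the CVE_STATUS_KERNEL_2018 continuation line is indented one space more than the other groups, and CVE_STATUS[CVE-2020-27784] reads "Fixed in versions v5.10" where the singular "version" is meant.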
@@ -140,7 +148,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -148,7 +156,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "fixed-version: Fixed in version v5.19"
https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -158,19 +166,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.233, v5.10.170, v5.15.96 and v6.1.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
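Review bot: CVE-2022-2196 is marked `cpe-stable-backport` while CVE-2022-2308 and CVE-2022-2327 in the same hunk, which also list "Backported in version" lines, are marked `fixed-version`; the rule for choosing one detail over the other is not stated, so either document it in the file header comment or apply one rule consistently (for example fixed-version whenever a mainline fix version is known, cpe-stable-backport only when the CPE match is against a stable branch that carries the backport). Both details must also be present in CVE_CHECK_STATUSMAP, otherwise decode_cve_status warns and reports the CVE as Unpatched.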
@@ -179,19 +187,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "fixed-version: Fixed in version v5.17"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -200,7 +208,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
@@ -211,13 +219,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "fixed-version: Fixed in version v5.18"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -225,20 +233,20 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
@@ -247,7 +255,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -256,12 +264,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
@@ -270,7 +278,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -279,13 +287,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -294,7 +302,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -303,12 +311,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
@@ -319,7 +327,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -328,7 +336,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -337,7 +345,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
@@ -346,7 +354,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
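Review bot: the rule for choosing between fixed-version and cpe-stable-backport is not applied consistently here. CVE-2022-4382, whose comment lists only stable backports (v5.4.230, v5.10.165, v5.15.90, v6.1.8), becomes "cpe-stable-backport: Backported in versions ...", while CVE-2022-3640, CVE-2022-3646 and CVE-2022-3649 in the hunks just above, with the same shape of comment (mainline fix plus a list of stable backports), become "fixed-version: Fixed in version v6.1". Pick one criterion and state it in the commit message, for example fixed-version when the recipe's kernel version is at or past the mainline fix and cpe-stable-backport when the fix reached the recipe's kernel only through a stable point release that NVD's CPE range does not account for; otherwise the same data ends up with different labels and the status text stops being useful as a reason.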
@@ -354,7 +362,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -362,7 +370,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -370,7 +378,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -378,15 +386,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "fixed-version: Fixed in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "fixed-version: Fixed in version v6.1"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
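Review bot: the CVE-2022-42895 hunk also reorders the three "Backported in version" comment lines (v5.4.224 moved above v5.10.154 and v5.15.78), which is unrelated to the CVE_CHECK_IGNORE to CVE_STATUS conversion and makes the real change harder to spot. Either leave the comment order alone or say in the commit message that backport lists are being sorted ascending as part of this series, so the churn is expected.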
@@ -394,7 +402,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "fixed-version: Fixed in version v6.1"
 
 
 # 2023
@@ -404,14 +412,14 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -420,7 +428,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -429,28 +437,28 @@ CVE_CHECK_IGNORE += "CVE-2023-0394"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
-# Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version v5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
+# Backported in version v6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
 # Patched in kernel v6.2 b12fece4c64857e5fab4290bf01b2e0317a88456
-# Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
-# Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
-# Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+# Backported in version v5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
+# Backported in version v5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
+# Backported in version v6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
-# Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
-# Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+# Backported in version v5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
+# Backported in version v6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
@@ -459,19 +467,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1074"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
-# Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
-# Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+# Backported in version v5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
+# Backported in version v6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
-# Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
-# Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+# Backported in version v5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
+# Backported in version v6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -480,7 +488,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -490,7 +498,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -498,7 +506,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -506,7 +514,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -514,7 +522,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -525,7 +533,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
@@ -535,7 +543,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1829"
 # > in which a user can cause the alloc_memory_type error case to be reached.
 # See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
 # We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
+CVE_STATUS[CVE-2023-23005] = "disputed: Disputed by third parties because there are no realistic cases in which a user can cause the alloc_memory_type error case to be reached."
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-28466
 # Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
@@ -543,127 +551,102 @@ CVE_CHECK_IGNORE += "CVE-2023-23005"
 # Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
 # Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
 # Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.105, v6.1.20 and v6.2.7"
 
-# Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
+CVE_STATUS[CVE-2023-0459] = "cpe-stable-backport: Backported in 6.1.14"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0615
-# Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "cpe-stable-backport: Backported in 6.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
+CVE_STATUS[CVE-2023-1380] = "cpe-stable-backport: Backported in 6.1.27"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+CVE_STATUS[CVE-2023-1611] = "cpe-stable-backport: Backported in 6.1.23"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+CVE_STATUS[CVE-2023-1855] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+CVE_STATUS[CVE-2023-1859] = "cpe-stable-backport: Backported in 6.1.25"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+CVE_STATUS[CVE-2023-1989] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1990
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS[CVE-2023-1990] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+CVE_STATUS[CVE-2023-1998] = "cpe-stable-backport: Backported in 6.1.16"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+CVE_STATUS[CVE-2023-2002] = "cpe-stable-backport: Backported in 6.1.27"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2156
-# Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
+CVE_STATUS[CVE-2023-2156] = "cpe-stable-backport: Backported in 6.1.26"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
+CVE_STATUS[CVE-2023-2162] = "cpe-stable-backport: Backported in 6.1.11"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2194] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+CVE_STATUS[CVE-2023-2235] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
+CVE_STATUS[CVE-2023-28328] = "cpe-stable-backport: Backported in 6.1.2"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+CVE_STATUS[CVE-2023-2985] = "cpe-stable-backport: Backported in 6.1.16"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
+CVE_STATUS[CVE-2023-28866] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
+CVE_STATUS[CVE-2023-30456] = "cpe-stable-backport: Backported in 6.1.21"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
+CVE_STATUS[CVE-2023-30772] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
+CVE_STATUS[CVE-2023-31436] = "cpe-stable-backport: Backported in 6.1.26"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
+CVE_STATUS[CVE-2023-32233] = "cpe-stable-backport: Backported in 6.1.28"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
+CVE_STATUS[CVE-2023-33203] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
+CVE_STATUS[CVE-2023-33288] = "cpe-stable-backport: Backported in 6.1.22"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
+CVE_STATUS[CVE-2023-34256] = "cpe-stable-backport: Backported in 6.1.29"
 
 # Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in 6.1.30"
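Review bot: the CVE_STATUS[CVE-2020-18974] value is missing the backslash continuations on its second and third lines ("It is a fuzzing related buffer overflow. ..." and "wouldn't expose an assembler. ..."), unlike the CVE-2021-20255 and CVE-2019-12067 entries right above it, so BitBake will not read this as a single quoted string; append " \" to both lines. Three smaller points in the same hunk: CVE-2023-0615 is set to "cpe-stable-backport: Backported in 6.1", but 6.1 is a mainline release, so this should be "fixed-version: Fixed in version v6.1" as in the 2022 entries; the comment URL for CVE-2023-1999 still sits above CVE_STATUS[CVE-2023-1998], so one of the two IDs is wrong and this conversion is the moment to settle which; and the CVE-2022-3563 / CVE-2022-3637 text should read "This issue does not affect the kernel; the patches listed on the CVE pages link to https://git.kernel.org/pub/scm/bluetooth/bluez.git".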
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
 
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
 
 DEPENDS = "flex-native bison-native gettext-native"
 
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
 
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
 
diff --git a/meta/recipes-connectivity/bind/bind_9.18.15.bb b/meta/recipes-connectivity/bind/bind_9.18.15.bb
index 80164aad87..26a280c844 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.15.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.15.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
index 2208b730b0..31f325e590 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.66.bb
@@ -2,8 +2,8 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "39fea64b590c9492984a0c27a89fc203e1cdc74866086efb8f4698677ab2b574"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
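Review bot: this hunk changes which CVEs are covered, not just the syntax. The removed line ignored CVE-2020-12352 and CVE-2020-24490, but the two CVE_STATUS lines added in its place are for CVE-2022-3563 and CVE-2022-3637, so the 2020 IDs lose their status and will reappear as unpatched in the cve-check report, while the 2022 IDs get a reason ("kernel fixes rather than bluez fixes") that contradicts the kernel hunk earlier in this patch, which marks the same two CVEs cpe-incorrect because their fixes live in the bluez git tree. Restore CVE_STATUS[CVE-2020-12352] and CVE_STATUS[CVE-2020-24490] with the original reason, and either drop the 2022 entries here or decide which component they actually belong to before labelling both sides cpe-incorrect. Also "This issues have" should be "These issues have".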
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index f5f3f32a97..e3557348e8 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -253,6 +253,5 @@ CVE_PRODUCT = "openssl:openssl"
 
 CVE_VERSION_SUFFIX = "alphabetical"
 
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
 SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
 
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+# 
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
 
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
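Review bot: the added "+# " line leaves an empty comment between the upstream commit URL and the CVE_STATUS entry. Drop it, or keep the original sentence about runcon as the comment, rather than leaving a dangling "#".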
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
 
 DEPENDS += "gperf-native bison-native"
 
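Review bot: CVE_STATUS_GROUPS with CVE_STATUS_RECIPE[status] is the only use of the group form in this patch; the commit message should say that cve-check.bbclass supports it, and a more specific group name than CVE_STATUS_RECIPE would avoid a collision if another .inc pulled into the same recipe sets the same variable. The quotation marks around "this is being treated as a non-security bug and no real threat" were dropped, so a maintainer's quote now reads as the recipe's own assessment; keep them quoted, as the CVE-2019-1010025 entry does with 'ASLR bypass itself is not a vulnerability.'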
diff --git a/meta/recipes-core/libxml/libxml2_2.10.4.bb b/meta/recipes-core/libxml/libxml2_2.10.4.bb
index 4f3b17093e..095ecf8602 100644
--- a/meta/recipes-core/libxml/libxml2_2.10.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.10.4.bb
@@ -26,10 +26,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 
 BINCONFIG = "${bindir}/xml2-config"
 
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
 PACKAGECONFIG ??= "python \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
 pkg_prerm:udev-hwdb () {
 	rm -f $D${sysconfdir}/udev/hwdb.bin
 }
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
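Review bot: removing the CVE-2022-4415 ignore without a replacement CVE_STATUS entry is a behaviour change, not a syntax conversion: if the NVD data for systemd 253.3 still lists it, the CVE comes back as unpatched. Either note in the commit message that the NVD range now excludes 253.3, or keep the information as CVE_STATUS[CVE-2022-4415] = "cpe-stable-backport: Fixed in 252.4 with 9b75a3d0".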
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
 
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
 
 GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
 
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
 
 inherit autotools gettext texinfo ptest github-releases
 
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
 
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
 
 CVE_PRODUCT = "git-scm:git"
 
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
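Review bot: both git suppressions disappear with no CVE_STATUS equivalent, and unlike the systemd and rsync removals the dropped comments do not say the issues are fixed in this version. CVE-2022-41953 ("specific to Git-for-Windows") maps directly onto `not-applicable-platform`, and the CVE-2022-24975 rationale (a manpage omission, docs not built for most users) is a `disputed` or `upstream-wontfix` entry. Unless NVD has since retired these from the git CPE, 2.39.3 will start reporting them as Unpatched after this patch; either carry them over as `CVE_STATUS[...]` entries or explain the removal in the commit message.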
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
 
 inherit allarch
 
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
 
 BBCLASSEXTEND = "native nativesdk"
 
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.3.bb b/meta/recipes-devtools/python/python3_3.11.3.bb
index c7974849b6..59f93861dd 100644
--- a/meta/recipes-devtools/python/python3_3.11.3.bb
+++ b/meta/recipes-devtools/python/python3_3.11.3.bb
@@ -47,15 +47,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
 
 PYTHON_MAJMIN = "3.11"
 
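Review bot: the comment `# The module will be removed in the future and flaws documented.` is now orphaned. It was the second half of the two-line CVE-2015-20107 comment, whose first half moved into the `upstream-wontfix` description; left standing between the CVE-2022-26488 and CVE-2015-20107 entries it reads as a note on the wrong CVE. Fold it into the description (`"upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way. The module will be removed in the future and flaws documented"`) or drop it.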
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 6acda61425..480aa97c30 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -39,21 +39,16 @@ SRC_URI[sha256sum] = "bb60f0341531181d6cc3969dd19a013d0427a87f918193970d9adb9113
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
 
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
 
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
 
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
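Review bot: the typo "uder" (for "under") in the CVE-2007-0998 comment is carried verbatim into the new `not-applicable-config` description; since the line is being rewritten anyway, fix it here. Separately, the `# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11` line above CVE-2018-18438 is the only evidence on record for the `disputed` status; keep it in the description so it cannot be separated from the entry in a later cleanup.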
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
 inherit autotools-brokensep
 
 PACKAGECONFIG ??= "acl attr \
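Review bot: removing the CVE-2017-16548 ignore without replacement is justified by the dropped comment (fix present since 3.1.3, recipe is 3.2.7) only if the NVD range now excludes 3.2.7. Confirm with a cve-check run on this recipe before and after the series, and list it in the commit message as a stale entry dropped on purpose rather than leaving that to be inferred from the diff.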
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 
 SRC_URI:class-native = "${BASE_SRC_URI}"
 
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
 
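Review bot: the CVE-2021-35331 entry is deleted outright, yet its rationale ("Upstream don't believe this is an exploitable issue", with the core.tcl-lang.org ticket) is exactly what the new `disputed` keyword exists for. Nothing in the hunk suggests the CVE is fixed in 8.6.13, so after this change it will be reported as Unpatched again. Convert it: `CVE_STATUS[CVE-2021-35331] = "disputed: Upstream don't believe this is an exploitable issue, see https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7"`.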
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index e55fb70cb1..397bb5d87c 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 
 inherit autotools gettext texinfo ptest
 
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index d77758fd3f..ec4abeb936 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -20,14 +20,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
 
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
 
 LEAD_SONAME = "libcupsdriver.so"
 
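Review bot: the CVE-2022-26691 description keeps the old "the cve-check class still reports it" wording, which described a symptom of the ignore mechanism rather than a reason; with `fixed-version` the useful content is the fixed version and, if known, why the NVD range misses it, so something like `"fixed-version: Fixed in 2.4.2"` is enough. Moving CVE-2021-25317 up from the bottom of the file into this block is a good consolidation, but worth one line in the commit message since the diff makes it look like an unrelated add plus remove.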
@@ -115,7 +112,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
index f03ebf4478..4c0888e6a7 100644
--- a/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.01.1.bb
@@ -18,8 +18,7 @@ DEPENDS = "tiff jpeg fontconfig cups libpng freetype zlib"
 UPSTREAM_CHECK_URI = "https://github.com/ArtifexSoftware/ghostpdl-downloads/releases"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We use a system libjpeg-turbo which has this fix
-CVE_CHECK_IGNORE += "CVE-2013-6629"
+CVE_STATUS[CVE-2013-6629] = "not-applicable-config: We use a system libjpeg-turbo which has this fix"
 
 def gs_verdir(v):
     return "".join(v.split("."))
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
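Review bot: two entries with identical descriptions are the case the `CVE_STATUS_GROUPS` mechanism in this series (the loop that sets `CVE_STATUS` flags from a group variable's `status` flag) was added for. Something like `CVE_STATUS_GROUPS += "CVE_STATUS_IPUTILS_DATES"`, `CVE_STATUS_IPUTILS_DATES = "CVE-2000-1213 CVE-2000-1214"` and `CVE_STATUS_IPUTILS_DATES[status] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."` (variable name hypothetical) would avoid the duplication and would exercise the new mechanism in-tree, which nothing in the visible part of this migration does.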
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
 
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
 
 inherit autotools pkgconfig
 
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
 PROCPS_PACKAGES = "${PN}-lib \
                    ${PN}-ps \
                    ${PN}-sysctl"
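Review bot: the CVE-2018-1121 suppression goes away with nothing replacing it, although the removed comment (ps not being a security tool, Red Hat bug 1575473 comment 3) is a textbook `disputed` or `upstream-wontfix` case, not a fixed issue. Keep it as `CVE_STATUS[CVE-2018-1121] = "disputed: ps isn't suitable for use as a security tool, https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3"`; the bugzilla link is the only justification on record and should travel with the status.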
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
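Review bot: the `# https://bugzilla.redhat.com/show_bug.cgi?id=884658` comment now floats above both entries while the `upstream-wontfix` description for CVE-2013-4235 no longer mentions it; put the URL into that description so the justification stays attached to the CVE it belongs to. "Severity is low" also reads as the reporter's assessment rather than upstream's; for `upstream-wontfix` the description should say that upstream closed it as won't fix.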
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
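Review bot: `fixed-version` is the wrong keyword for CVE-2008-0888. The description says a patch from Red Hat bugzilla is applied to the 6.0 source, i.e. the recipe carries a fix that upstream 6.0 does not contain, which is precisely the `backported-patch` status this series defines ("use when this class does not detect backported patch"); `fixed-version` claims the version itself is clean, which is not what the text says. If the patch file name contains the CVE id the class already detects it and no entry is needed at all; otherwise use `CVE_STATUS[CVE-2008-0888] = "backported-patch: ..."`.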
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 
 inherit autotools update-rc.d systemd pkgconfig
 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
 
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
 # -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
index 1a5d8a6b04..1142afece1 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.0.bb
@@ -51,8 +51,7 @@ do_compile:prepend() {
     sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
 
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
 	chown  builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
 
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
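Review bot: `upstream-wontfix` for CVE-2020-25697 is not supported by its own description, which ends with "There is currently no upstream patch available for this flaw", i.e. no fix yet, not a refusal to fix. Under the mapping in this series that is `vulnerable-investigating` (confirmed upstream, fix still not available), which keeps the CVE in the Unpatched part of the report, whereas `upstream-wontfix` maps to Ignored and the entry silently disappears. If the intent is to suppress it because exploitation is impractical, say so explicitly in the description and base the keyword on what upstream actually decided. The CVE-2011-4613 `not-applicable-platform` entry is fine and matches the "e.g. Windows or Debian" guidance.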
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 4cc151901b..be632dec2a 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,17 +1,17 @@
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Backported in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Backported in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Backported in version v6.1"
 
 
 # 2023
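Review bot: the description "Backported in version v6.1" contradicts the comments kept directly above each entry, which say "Patched in kernel since v6.1" with the mainline commit hash; a fix that landed in the 6.1 release is not a backport, and the "Backported" wording belongs to the `cpe-stable-backport` entries in the next hunk. Carrying the hash over, e.g. `"fixed-version: Fixed in v6.1 with 16ce101db85db694a91380aa4c89b25530871d33"`, makes each line self-describing and distinguishes these from the stable-branch backports.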
@@ -26,11 +26,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3567"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
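Review bot: the CVE-2022-38457 and CVE-2022-40133 entries introduce "v6.1.7" as the backport version while the retained comment lines record only the linuxkernelcves and lore references, unlike CVE-2023-1075 below where the comment carries the 6.1.11 backport commit (37c0cdf7e4919e5f76381ac60817b67bcbdacb50). Add the stable commit ids for the two 6.1.7 backports so the status can be checked against the tree without consulting external trackers.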
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
index a6c229f5cf..562745e3eb 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.39.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
 
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
index ca4a3eff91..c083acaa61 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.0.bb
@@ -18,14 +18,8 @@ SRC_URI[sha256sum] = "c7a1d9296649233979fa3eacffef3fa024d73d05d589cb622727b5b08c
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
-# These issues only affect libtiff post-4.3.0 but before 4.4.0,
-# caused by 3079627e and fixed by b4e79bfa.
-CVE_CHECK_IGNORE += "CVE-2022-1622 CVE-2022-1623"
-# Issue is in jbig which we don't enable
-CVE_CHECK_IGNORE += "CVE-2022-1210"
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
+CVE_STATUS[CVE-2022-1210] = "not-applicable-config: Issue is in jbig which we don't enable"
 
 inherit autotools multilib_header
 
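Review bot: CVE-2022-1622 and CVE-2022-1623 are dropped here without a replacement; the removed comment says they only affect versions after 4.3.0 and before 4.4.0 (introduced by 3079627e, fixed by b4e79bfa), so for 4.5.0 this is a stale entry only if NVD's range agrees, and the commit message should say so. The CVE-2015-7313 description's "and already 4.3.0 doesn't have the issue" is awkward; "and 4.3.0 already does not have the issue" reads cleanly.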
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            "
 SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
 
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 
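Review bot: same point as for iputils: two entries sharing one description are what `CVE_STATUS_GROUPS` is for, and "CVE is disputed and not affecting crypto libraries for any distro" is exactly the one-line status a group would carry. Dropping the "whitelisted" term from the old comment in the reworded description is the right call.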
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
 
 S = "${WORKDIR}/libxslt-${PV}"
 
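Review bot: the new description keeps only half of the original justification. The removed comment gave two independent reasons (libxml2 in this tree is 2.9.14, i.e. already fixed, and libxslt is not linked statically against it); `not-applicable-config` with "Static linking to libxml2 is not enabled" records only the second. Keeping both ("libxml2 is 2.9.14 which has the fix, and we do not link statically") means the entry still explains itself if someone later enables static linking or bumps libxml2.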
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
 
 inherit ptest
 
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
 
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
diff --git a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
index b09e8e7f55..181187bbd9 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.41.2.bb
@@ -5,10 +5,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "e98c100dd1da4e30fa460761dab7c0b91a50b785e167f8c57acc46514fae9499"
-
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
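Review bot: three suppressions are deleted from sqlite3 with no CVE_STATUS entries, and each removed comment maps cleanly onto a new keyword: CVE-2019-19242 ("only an issue in specific development branch commits") is `cpe-incorrect` or `fixed-version`, CVE-2015-3717 ("believed to be iOS specific") is `not-applicable-platform`, and CVE-2021-36690 ("experimental extension we don't have/use", fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f) is `not-applicable-config`. Nothing in the hunk says NVD no longer matches 3.41.2 for these, so the recipe will regress to reporting them; carry them over and keep the sqlite-dev and sqlite.org links in the descriptions.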
-- 
2.41.0




* Re: [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
  2023-06-23 10:02     ` Ross Burton
@ 2023-06-23 11:22       ` Valek, Andrej
  0 siblings, 0 replies; 73+ messages in thread
From: Valek, Andrej @ 2023-06-23 11:22 UTC (permalink / raw)
  To: Ross.Burton; +Cc: openembedded-core, Marko, Peter

On Fri, 2023-06-23 at 10:02 +0000, Ross Burton wrote:
> On 22 Jun 2023, at 13:00, Andrej Valek via lists.openembedded.org
> <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
> > The CVE_STATUS should contain information about the status which
> > is decoded in 3 items:
> > - generic status: "Ignored", "Patched" or "Unpatched"
> > - more detailed status enum
> > - description: free text describing reason for status
> 
> I think this needs to be clearer about what the intended use of the keywords
> are.
> 
> Is the canonical data the CVE_STATUS[CVE-1234-5678] attribute, and the mapping
> from the status there via CVE_CHECK_STATUSMAP simply for backwards
> compatibility with the existing file format? Is this deprecating the status
> fields in those files or is it just a high-level summary? Either way, that
> should be made clear.
> 
Yes, it's for backward compatibility, and for extending the existing "Ignored",
"Patched" statuses with reasons.

> > +# Possible options for CVE statuses
> > +
> > +# used by this class internally when fix is detected (NVD DB version check
> > or CVE patch file)
> > +CVE_CHECK_STATUSMAP[patched] = "Patched"
> > +# use when this class does not detect backported patch (e.g. vendor kernel
> > repo with cherry-picked CVE patch)
> > +CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
> > +# use when NVD DB does not mention patched versions of stable/LTS branches
> > which have upstream CVE backports
> > +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
> > +# use when NVD DB does not mention correct version or does not mention any
> > verion at all
> > +CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
> 
> It bothers me that some of these status flags are working around the fact that
> the CPE is incorrect, when that CPE data can be fixed.  Instead of setting
> fixed-version, we can just mail NIST and fix the CPE.
> 
Yes, but while you're sending it, the current status has to be covered. And you
don't know whether the CPE will be fixed or not.
> > +# used internally by this class if CVE vulnerability is detected which is
> > not marked as fixed or ignored
> > +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> > +# use when CVE is confirmed by upstream but fix is still not available
> > +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> > +
> > +# used for migration from old concept, do not use for new vulnerabilities
> > +CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> > +# use when NVD DB wrongly indicates vulnerability which is actually for a
> > different component
> > +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
> > +# use when upstream does not accept the report as a vulnerability (e.g.
> > works as designed)
> > +CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> > +# use when vulnerability depends on build or runtime configuration which is
> > not used
> > +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> > +# use when vulnerability affects other platform (e.g. Windows or Debian)
> > +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
> 
> > +# use when upstream acknowledged the vulnerability but does not plan to fix
> > it
> > +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
> 
> Is this any different to ‘disputed’?
> 
Of course. In the "upstream-wontfix" status, we know that it won't be fixed.
But for "disputed" you don't know whether it's a bug or not.

> Do we expect to add a lot more statuses to this table, or for users to add
> their own values? It feels like maybe this should be a dict in
> lib/oe/cve_check.py instead of exposed in the data store.
> 
Exactly, now I moved it to a separate file, where users could extend it with their own
statuses. The current version is just a "basement" of supported ones.

> > +    # Process CVE_STATUS_GROUPS to set multiple statuses and optional
> > detail or description at once
> > +    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> > +        cve_group = d.getVar(cve_status_group)
> > +        if cve_group is not None:
> > +            for cve in cve_group.split():
> > +                d.setVarFlag("CVE_STATUS", cve,
> > d.getVarFlag(cve_status_group, "status"))
> > +        else:
> > +            bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" %
> > cve_status_group)
> > +}
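Review bot: `d.getVarFlag(cve_status_group, "status")` returns None when the group variable exists but has no `status` flag, and the inner loop then stores None as the `CVE_STATUS` flag for every CVE in the group, a silent misconfiguration of the same kind the `else` branch already warns about. Check the flag before the inner loop and `bb.warn` (or `bb.fatal`) when it is missing. The loop also overwrites any per-CVE `CVE_STATUS[...]` set in the recipe; if that precedence (group wins over the individual entry) is intended, document it next to `CVE_STATUS_GROUPS`.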
> 
> CVE_STATUS_GROUPS isn’t documented in the class or the commit message.
> 
Added a description directly into class.
> 

Regards,
Andrej



* Re: [OE-core][PATCH v9 0/3] CVE-check handling
  2023-06-23 11:14   ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
@ 2023-07-19 10:26     ` Valek, Andrej
  2023-07-19 10:54       ` Richard Purdie
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-07-19 10:26 UTC (permalink / raw)
  To: openembedded-core; +Cc: richard.purdie

Hello,

I would like to ask: what's the status here?

Regards,
Andrej

On Fri, 2023-06-23 at 13:14 +0200, Andrej Valek wrote:
> After discussion in all parallel threads we proposed the following variant which
> covers both expressed requirements, to have a very small number of different CVE
> statuses and also a very large number of them at the same time.
> This is a compromise version which maybe is not ideal but deals with the
> conflicting responses we got.
> 
> Changes compared to version 8:
>  - moved CVE_CHECK_STATUSMAP into a separate cve-check-map.conf file
>   - this will allow using it without inheriting the cve-check class, like for
> SPDX
> 
> Documentation will be updated in a separate repository.
> 
>  meta/classes/cve-check.bbclass                |  81 +++-
>  meta/conf/bitbake.conf                        |   1 +
>  meta/conf/cve-check-map.conf                  |  28 ++
>  .../distro/include/cve-extra-exclusions.inc   | 371 +++++++++---------
>  meta/lib/oe/cve_check.py                      |  25 ++
>  meta/lib/oeqa/selftest/cases/cve_check.py     |  26 +-
>  meta/recipes-bsp/grub/grub2.inc               |   6 +-
>  meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
>  .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
>  .../bluez5/bluez5_5.66.bb                     |   4 +-
>  .../openssh/openssh_9.3p1.bb                  |   9 +-
>  .../openssl/openssl_3.1.1.bb                  |   3 +-
>  meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
>  meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
>  meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
>  meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
>  meta/recipes-devtools/cmake/cmake.inc         |   4 +-
>  meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
>  meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
>  meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
>  meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
>  meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
>  .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
>  meta/recipes-devtools/qemu/qemu.inc           |  13 +-
>  meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
>  meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
>  meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
>  meta/recipes-extended/cups/cups.inc           |  17 +-
>  .../ghostscript/ghostscript_10.01.1.bb        |   3 +-
>  .../iputils/iputils_20221126.bb               |   5 +-
>  .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
>  .../logrotate/logrotate_3.21.0.bb             |   5 +-
>  meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
>  meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
>  meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
>  .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
>  meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
>  .../libnotify/libnotify_0.8.2.bb              |   2 +-
>  meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
>  meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
>  .../xorg-xserver/xserver-xorg.inc             |  19 +-
>  .../linux/cve-exclusion_6.1.inc               |  11 +-
>  .../libpng/libpng_1.6.39.bb                   |   3 +-
>  meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
>  .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
>  .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
>  meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 +-
>  meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
>  48 files changed, 403 insertions(+), 373 deletions(-)
>  create mode 100644 meta/conf/cve-check-map.conf
> 



* Re: [OE-core][PATCH v9 0/3] CVE-check handling
  2023-07-19 10:26     ` Valek, Andrej
@ 2023-07-19 10:54       ` Richard Purdie
  2023-07-19 11:16         ` Ross Burton
  0 siblings, 1 reply; 73+ messages in thread
From: Richard Purdie @ 2023-07-19 10:54 UTC (permalink / raw)
  To: Valek, Andrej, openembedded-core

On Wed, 2023-07-19 at 10:26 +0000, Valek, Andrej wrote:
> Hello,
> 
> I would like to ask, what's the status here?

I've asked for some people to help review it and I'm waiting on their
feedback. FWIW they did promise "this morning" yesterday so they have
around 6 minutes!

Cheers,

Richard





* Re: [OE-core][PATCH v9 0/3] CVE-check handling
  2023-07-19 10:54       ` Richard Purdie
@ 2023-07-19 11:16         ` Ross Burton
  2023-07-19 12:03           ` Valek, Andrej
  0 siblings, 1 reply; 73+ messages in thread
From: Ross Burton @ 2023-07-19 11:16 UTC (permalink / raw)
  To: Richard Purdie; +Cc: Valek, Andrej, openembedded-core

On 19 Jul 2023, at 11:54, Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> 
> On Wed, 2023-07-19 at 10:26 +0000, Valek, Andrej wrote:
>> Hello,
>> 
>> I would like to ask, what's the status here?
> 
> I've asked for some people to help review it and I'm waiting on their
> feedback. FWIW they did promise "this morning" yesterday so they have
> around 6 minutes!

I suspect I was that person :). I have no major objections to the patch now.

Cheers,
Ross


* Re: [OE-core][PATCH v9 0/3] CVE-check handling
  2023-07-19 11:16         ` Ross Burton
@ 2023-07-19 12:03           ` Valek, Andrej
  2023-07-20 16:41             ` Marta Rybczynska
  0 siblings, 1 reply; 73+ messages in thread
From: Valek, Andrej @ 2023-07-19 12:03 UTC (permalink / raw)
  To: richard.purdie, Ross.Burton; +Cc: openembedded-core

Even better.

So I will make one more rebase, just for "[OE-core][PATCH v9 3/3] cve_check:
convert CVE_CHECK_IGNORE to CVE_STATUS"

Regards,
Andrej

On Wed, 2023-07-19 at 11:16 +0000, Ross Burton wrote:
> On 19 Jul 2023, at 11:54, Richard Purdie <richard.purdie@linuxfoundation.org>
> wrote:
> > 
> > On Wed, 2023-07-19 at 10:26 +0000, Valek, Andrej wrote:
> > > Hello,
> > > 
> > > I would like to ask, what's the status here?
> > 
> > I've asked for some people to help review it and I'm waiting on their
> > feedback. FWIW they did promise "this morning" yesterday so they have
> > around 6 minutes!
> 
> I suspect I was that person :). I have no major objections to the patch now.
> 
> Cheers,
> Ross



* [OE-core][PATCH] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
  2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
                     ` (20 preceding siblings ...)
  2023-06-23 11:14   ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
@ 2023-07-20  7:19   ` Andrej Valek
  21 siblings, 0 replies; 73+ messages in thread
From: Andrej Valek @ 2023-07-20  7:19 UTC (permalink / raw)
  To: openembedded-core; +Cc: Andrej Valek, Peter Marko

- Try to add, convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Reviewed-by: Peter Marko <peter.marko@siemens.com>
---
 .../distro/include/cve-extra-exclusions.inc   | 149 ++++----
 meta/recipes-bsp/grub/grub2.inc               |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.16.bb |   2 +-
 .../bluez5/bluez5_5.68.bb                     |   4 +-
 .../openssh/openssh_9.3p1.bb                  |   9 +-
 .../openssl/openssl_3.1.1.bb                  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb         |  17 +-
 meta/recipes-core/libxml/libxml2_2.11.4.bb    |   4 -
 meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
 meta/recipes-devtools/cmake/cmake.inc         |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb      |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc        |   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb       |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.4.bb |  16 +-
 meta/recipes-devtools/qemu/qemu.inc           |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb     |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb       |   3 +-
 meta/recipes-extended/cups/cups.inc           |  17 +-
 .../iputils/iputils_20221126.bb               |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb                |   3 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb      |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb                 |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb          |   7 +-
 .../libnotify/libnotify_0.8.2.bb              |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.1.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc             |  19 +-
 .../linux/cve-exclusion_6.1.inc               | 361 ++++++++----------
 .../libpng/libpng_1.6.40.bb                   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |   4 +-
 .../libgcrypt/libgcrypt_1.10.2.bb             |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb         |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.42.0.bb |   6 -
 41 files changed, 310 insertions(+), 421 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ae63e2c63..61fb08dbeb 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,44 +15,43 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
 
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \
+with no resolution evident. Broken links in CVE database references make resolution impractical."
 
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to the user
-# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing of domain names using characters from other character sets. \
+There has been much discussion amongst the epiphany and webkit developers and \
+whilst there are improvements about how domains are handled and displayed to the user \
+there is unlikely ever to be a single fix to webkit or epiphany which addresses this \
+problem. There isn't any mitigation or fix or way to progress this further."
+
+# glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756
+CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \
+Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \
+Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \
+Upstream don't see it as a security issue, ftp servers shouldn't be passing \
+this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar."
+
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29509
+# go https://nvd.nist.gov/vuln/detail/CVE-2020-29511
+CVE_STATUS_GROUPS += "CVE_STATUS_GO"
+CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS_GO[status] = "not-applicable-config: \
+The encoding/xml package in go can potentially be used for security exploits if not used correctly \
+CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \
+exposing this interface in an exploitable way"
 
 # db
-# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
-# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_STATUS_GROUPS += "CVE_STATUS_DB"
+CVE_STATUS_DB = "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
 CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
 CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
 CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
-
+CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \
+replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed."
 
 #
 # Kernel CVEs, e.g. linux-yocto*
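Review bot: the descriptions assembled from backslash-continued lines lose their sentence boundaries once BitBake joins them; in the CVE_STATUS[CVE-2010-4756] value the lines "from within an ftp server \", "Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \" and "Upstream don't see it as a security issue" run together with no punctuation, and the CVE_STATUS_GO[status] text ends without a period after "in an exploitable way". Terminate each continued line with a period or semicolon so the text reads as intended in the generated report.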
@@ -65,50 +64,64 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981"
 # issues to be visible. If anyone wishes to clean up CPE entries with NIST for these, we'd
 # welcome than and then entries can likely be removed from here.
 #
+
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_2010 CVE_STATUS_KERNEL_2017 CVE_STATUS_KERNEL_2018 CVE_STATUS_KERNEL_2020 \
+                      CVE_STATUS_KERNEL_2021 CVE_STATUS_KERNEL_2022"
+
 # 1999-2010
-CVE_CHECK_IGNORE += "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
-                     CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010 = "CVE-1999-0524 CVE-1999-0656 CVE-2006-2932 CVE-2007-2764 CVE-2007-4998 CVE-2008-2544 \
+                          CVE-2008-4609 CVE-2010-0298 CVE-2010-4563"
+CVE_STATUS_KERNEL_2010[status] = "ignored"
+
 # 2011-2017
-CVE_CHECK_IGNORE += "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
-                     CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017 = "CVE-2011-0640 CVE-2014-2648 CVE-2014-8171 CVE-2016-0774 CVE-2016-3695 CVE-2016-3699 \
+                          CVE-2017-1000255 CVE-2017-1000377 CVE-2017-5897 CVE-2017-6264"
+CVE_STATUS_KERNEL_2017[status] = "ignored"
+
 # 2018
-CVE_CHECK_IGNORE += "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
-                     CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018 = "CVE-2018-1000026 CVE-2018-10840 CVE-2018-10876 CVE-2018-10882 CVE-2018-10901 CVE-2018-10902 \
+                           CVE-2018-14625 CVE-2018-16880 CVE-2018-16884 CVE-2018-5873"
+CVE_STATUS_KERNEL_2018[status] = "ignored"
+
 # 2020
-CVE_CHECK_IGNORE += "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020 = "CVE-2020-10732 CVE-2020-10742 CVE-2020-16119 CVE-2020-1749 CVE-2020-25672 CVE-2020-27820 CVE-2020-35501 CVE-2020-8834"
+CVE_STATUS_KERNEL_2020[status] = "ignored"
+
 # 2021
-CVE_CHECK_IGNORE += "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
-                     CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021 = "CVE-2021-20194 CVE-2021-20226 CVE-2021-20265 CVE-2021-3564 CVE-2021-3743 CVE-2021-3847 CVE-2021-4002 \
+                          CVE-2021-4090 CVE-2021-4095 CVE-2021-4197 CVE-2021-4202 CVE-2021-44879 CVE-2021-45402"
+CVE_STATUS_KERNEL_2021[status] = "ignored"
+
 # 2022
-CVE_CHECK_IGNORE += "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
-                     CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
-                     CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
-                     CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
-                     CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
-                     CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
-                     CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022 = "CVE-2022-0185 CVE-2022-0264 CVE-2022-0286 CVE-2022-0330 CVE-2022-0382 CVE-2022-0433 CVE-2022-0435 \
+                          CVE-2022-0492 CVE-2022-0494 CVE-2022-0500 CVE-2022-0516 CVE-2022-0617 CVE-2022-0742 CVE-2022-0854 \
+                          CVE-2022-0995 CVE-2022-0998 CVE-2022-1011 CVE-2022-1015 CVE-2022-1048 CVE-2022-1055 CVE-2022-1195 \
+                          CVE-2022-1353 CVE-2022-24122 CVE-2022-24448 CVE-2022-24958 CVE-2022-24959 CVE-2022-25258 CVE-2022-25265 \
+                          CVE-2022-25375 CVE-2022-26490 CVE-2022-26878 CVE-2022-26966 CVE-2022-27223 CVE-2022-27666 CVE-2022-27950 \
+                          CVE-2022-28356 CVE-2022-28388 CVE-2022-28389 CVE-2022-28390 CVE-2022-28796 CVE-2022-28893 CVE-2022-29156 \
+                          CVE-2022-29582 CVE-2022-29968"
+CVE_STATUS_KERNEL_2022[status] = "ignored"
 
 
-# Wrong CPE in NVD database
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3563
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3637
-# Those issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git
-CVE_CHECK_IGNORE += "CVE-2022-3563 CVE-2022-3637"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20255
-# There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html
-# qemu maintainers say the patch is incorrect and should not be applied
-# Ignore from OE's perspectivee as the issue is of low impact, at worst sitting in an infinite loop rather than exploitable
-CVE_CHECK_IGNORE += "CVE-2021-20255"
-
-# qemu:qemu-native:qemu-system-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-12067
-# There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can
-# still be reproduced or where exactly any bug is.
-# Ignore from OE's perspective as we'll pick up any fix when upstream accepts one.
-CVE_CHECK_IGNORE += "CVE-2019-12067"
-
-# nasm:nasm-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-18974
-# It is a fuzzing related buffer overflow. It is of low impact since most devices
-# wouldn't expose an assembler. The upstream is inactive and there is little to be
-# done about the bug, ignore from an OE perspective.
-CVE_CHECK_IGNORE += "CVE-2020-18974"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issue do not affect the kernel, patchs listed on CVE pages links to https://git.kernel.org/pub/scm/bluetooth/bluez.git"
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255
+CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \
+There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \
+qemu maintainers say the patch is incorrect and should not be applied \
+The issue is of low impact, at worst sitting in an infinite loop rather than exploitable."
+
+# qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067
+CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \
+There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \
+still be reproduced or where exactly any bug is. \
+We'll pick up any fix when upstream accepts one."
+
+# nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974
+CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \
+It is a fuzzing related buffer overflow. It is of low impact since most devices
+wouldn't expose an assembler. The upstream is inactive and there is little to be
+done about the bug, ignore from an OE perspective."
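Review bot: the CVE_STATUS[CVE-2020-18974] value is not parseable as written: the first line ends with a continuation backslash, but "It is a fuzzing related buffer overflow. It is of low impact since most devices" and "wouldn't expose an assembler. The upstream is inactive and there is little to be" have none, so the quoted string is left unterminated and BitBake will reject the remaining lines. Add the trailing "\" to both. While here, the grammar carried over into the two cpe-incorrect entries ("This issue do not affect the kernel, patchs listed on CVE pages links to") now appears twice verbatim for CVE-2022-3563 and CVE-2022-3637; a CVE_STATUS_GROUPS entry like the CVE_STATUS_GO one above would avoid the duplication. The "ignore from an OE perspective" tail in the nasm text is also redundant now that the status itself says upstream-wontfix.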
diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc
index 58b215d79c..41839698dc 100644
--- a/meta/recipes-bsp/grub/grub2.inc
+++ b/meta/recipes-bsp/grub/grub2.inc
@@ -46,10 +46,8 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \
 
 SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
 
-# Applies only to RHEL
-CVE_CHECK_IGNORE += "CVE-2019-14865"
-# Applies only to SUSE
-CVE_CHECK_IGNORE += "CVE-2021-46705"
+CVE_STATUS[CVE-2019-14865] = "not-applicable-platform: applies only to RHEL"
+CVE_STATUS[CVE-2021-46705] = "not-applicable-platform: Applies only to SUSE"
 
 DEPENDS = "flex-native bison-native gettext-native"
 
diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb
index 1764997c41..d1c6f7f54a 100644
--- a/meta/recipes-connectivity/avahi/avahi_0.8.bb
+++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb
@@ -32,8 +32,7 @@ GITHUB_BASE_URI = "https://github.com/lathiat/avahi/releases/"
 SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7"
 SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
 
-# Issue only affects Debian/SUSE, not us
-CVE_CHECK_IGNORE += "CVE-2021-26720"
+CVE_STATUS[CVE-2021-26720] = "not-applicable-platform: Issue only affects Debian/SUSE"
 
 DEPENDS = "expat libcap libdaemon glib-2.0 glib-2.0-native"
 
diff --git a/meta/recipes-connectivity/bind/bind_9.18.16.bb b/meta/recipes-connectivity/bind/bind_9.18.16.bb
index 1b1649566a..d9b62bb8b0 100644
--- a/meta/recipes-connectivity/bind/bind_9.18.16.bb
+++ b/meta/recipes-connectivity/bind/bind_9.18.16.bb
@@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"
 
 # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
 # so the issue doesn't affect us.
-CVE_CHECK_IGNORE += "CVE-2019-6470"
+CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
 
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
 
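Review bot: the two-line comment kept above the new entry now repeats the justification embedded in the CVE_STATUS[CVE-2019-6470] value, unlike the other recipes in this patch where the comment was folded into the status text; drop the comment so there is a single place to maintain the wording.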
diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
index 921f739fb8..f8405ed091 100644
--- a/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
+++ b/meta/recipes-connectivity/bluez5/bluez5_5.68.bb
@@ -2,8 +2,8 @@ require bluez5.inc
 
 SRC_URI[sha256sum] = "fc505e6445cb579a55cacee6821fe70d633921522043d322b696de0a175ff933"
 
-# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
+CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
+CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes rather than bluez fixes"
 
 # noinst programs in Makefile.tools that are conditional on READLINE
 # support
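Review bot: the replacement changes which CVEs are covered: the removed line ignored CVE-2020-12352 and CVE-2020-24490, but the added lines set a status for CVE-2022-3563 and CVE-2022-3637 instead, so the two 2020 issues ("kernel fixes rather than bluez fixes") will reappear in the bluez5 report, while the two 2022 IDs are already marked cpe-incorrect in cve-extra-exclusions.inc earlier in this patch. If the 2020 pair is intended, the entries should read CVE_STATUS[CVE-2020-12352] and CVE_STATUS[CVE-2020-24490]; either way "This issues have" should be "These issues have".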
diff --git a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
index 42ce814523..3edc123b9a 100644
--- a/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
+++ b/meta/recipes-connectivity/openssh/openssh_9.3p1.bb
@@ -28,15 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar
            "
 SRC_URI[sha256sum] = "e9baba7701a76a51f3d85a62c383a3c9dcd97fa900b859bc7db114c1868af8a8"
 
-# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_IGNORE += "CVE-2007-2768"
+CVE_STATUS[CVE-2007-2768] = "not-applicable-config: This CVE is specific to OpenSSH with the pam opie which we don't build/use here."
 
 # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2014-9278"
+CVE_STATUS[CVE-2014-9278] = "not-applicable-platform: This CVE is specific to OpenSSH server, as used in Fedora and \
+Red Hat Enterprise Linux 7 and when running in a Kerberos environment"
 
-# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_IGNORE += "CVE-2008-3844"
+CVE_STATUS[CVE-2008-3844] = "not-applicable-platform: Only applies to some distributed RHEL binaries."
 
 PAM_SRC_URI = "file://sshd"
 
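Review bot: the comment kept above CVE_STATUS[CVE-2014-9278] repeats the same two sentences the status value now carries, so it should be dropped as was done for the other two entries in this hunk; that description also lacks a final period, unlike its neighbours.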
diff --git a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
index 432ab4032b..c2a7173c84 100644
--- a/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
+++ b/meta/recipes-connectivity/openssl/openssl_3.1.1.bb
@@ -255,6 +255,5 @@ CVE_PRODUCT = "openssl:openssl"
 
 CVE_VERSION_SUFFIX = "alphabetical"
 
-# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
-CVE_CHECK_IGNORE += "CVE-2019-0190"
+CVE_STATUS[CVE-2019-0190] = "not-applicable-config: Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37"
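Review bot: the surviving comment "# Apache in meta-webserver is already recent enough" is the actual justification, but it now sits detached above the entry while the status text only restates the affected version combination; fold it into the not-applicable-config description so the report shows the reasoning.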
diff --git a/meta/recipes-core/coreutils/coreutils_9.3.bb b/meta/recipes-core/coreutils/coreutils_9.3.bb
index 25da988f50..ba38169f05 100644
--- a/meta/recipes-core/coreutils/coreutils_9.3.bb
+++ b/meta/recipes-core/coreutils/coreutils_9.3.bb
@@ -23,8 +23,8 @@ SRC_URI = "${GNU_MIRROR}/coreutils/${BP}.tar.xz \
 SRC_URI[sha256sum] = "adbcfcfe899235b71e8768dcf07cd532520b7f54f9a8064843f8d199a904bbaa"
 
 # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
-# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_IGNORE += "CVE-2016-2781"
+# 
+CVE_STATUS[CVE-2016-2781] = "disputed: runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue."
 
 EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
 EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
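Review bot: the added "# " line is an empty comment with trailing whitespace left over from moving the justification into the CVE_STATUS value; remove it and keep only the commit URL comment above the entry.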
diff --git a/meta/recipes-core/glibc/glibc_2.37.bb b/meta/recipes-core/glibc/glibc_2.37.bb
index 3387441cad..851aa612b1 100644
--- a/meta/recipes-core/glibc/glibc_2.37.bb
+++ b/meta/recipes-core/glibc/glibc_2.37.bb
@@ -4,18 +4,19 @@ require glibc-version.inc
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
-# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
-# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_STATUS_RECIPE[status] = "disputed: \
+Upstream glibc maintainers dispute there is any issue and have no plans to address it further. \
+this is being treated as a non-security bug and no real threat."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
-# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
-# easier access for another. "ASLR bypass itself is not a vulnerability."
 # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_IGNORE += "CVE-2019-1010025"
+CVE_STATUS[CVE-2019-1010025] = "disputed: \
+Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow \
+easier access for another. 'ASLR bypass itself is not a vulnerability.'"
 
-# This is integrated into the 2.37 branch as of 07b9521fc6
-CVE_CHECK_IGNORE += "CVE-2023-25139"
+CVE_STATUS[CVE-2023-25139] = "cpe-stable-backport: This is integrated into the 2.37 branch as of 07b9521fc6"
 
 DEPENDS += "gperf-native bison-native"
 
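Review bot: CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" assigns with "=" rather than "+=", so within the glibc recipe it replaces the groups that cve-extra-exclusions.inc appends earlier in this patch (CVE_STATUS_GO, CVE_STATUS_DB, CVE_STATUS_KERNEL_*); use "+=" as the include does so recipe-level and distro-level groups compose. The disputed description also drops the quotation marks around "this is being treated as a non-security bug and no real threat." while the CVE-2019-1010025 entry keeps its quote in single quotes; be consistent, and capitalise "this" if the quotes go.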
diff --git a/meta/recipes-core/libxml/libxml2_2.11.4.bb b/meta/recipes-core/libxml/libxml2_2.11.4.bb
index 713d0baf6c..cbf20504f8 100644
--- a/meta/recipes-core/libxml/libxml2_2.11.4.bb
+++ b/meta/recipes-core/libxml/libxml2_2.11.4.bb
@@ -23,10 +23,6 @@ SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be47223
 
 BINCONFIG = "${bindir}/xml2-config"
 
-# Fixed since 2.9.11 via
-# https://gitlab.gnome.org/GNOME/libxml2/-/commit/c1ba6f54d32b707ca6d91cb3257ce9de82876b6f
-CVE_CHECK_IGNORE += "CVE-2016-3709"
-
 PACKAGECONFIG ??= "python \
     ${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} \
 "
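Review bot: the CVE-2016-3709 ignore is removed with no replacement status and the commit message only says some obsolete ignores were dropped; since the removed comment gives the fix as landing in 2.9.11 and this recipe is 2.11.4, the assumption must be that the NVD version range now excludes it, which should be stated in the commit message (listing the dropped IDs) so a later regression in the report can be traced.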
diff --git a/meta/recipes-core/systemd/systemd_253.3.bb b/meta/recipes-core/systemd/systemd_253.3.bb
index 87fbf6f785..cf0e17ff00 100644
--- a/meta/recipes-core/systemd/systemd_253.3.bb
+++ b/meta/recipes-core/systemd/systemd_253.3.bb
@@ -834,6 +834,3 @@ pkg_postinst:udev-hwdb () {
 pkg_prerm:udev-hwdb () {
 	rm -f $D${sysconfdir}/udev/hwdb.bin
 }
-
-# This was also fixed in 252.4 with 9b75a3d0
-CVE_CHECK_IGNORE += "CVE-2022-4415"
diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc
index 7788a5c45a..f57a77c7bb 100644
--- a/meta/recipes-devtools/cmake/cmake.inc
+++ b/meta/recipes-devtools/cmake/cmake.inc
@@ -23,6 +23,4 @@ SRC_URI[sha256sum] = "313b6880c291bd4fe31c0aa51d6e62659282a521e695f30d5cc0d25abb
 
 UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# This is specific to the npm package that installs cmake, so isn't
-# relevant to OpenEmbedded
-CVE_CHECK_IGNORE += "CVE-2016-10642"
+CVE_STATUS[CVE-2016-10642] = "cpe-incorrect: This is specific to the npm package that installs cmake, so isn't relevant to OpenEmbedded"
diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb
index 15cf6f5cca..1ac88d65ef 100644
--- a/meta/recipes-devtools/flex/flex_2.6.4.bb
+++ b/meta/recipes-devtools/flex/flex_2.6.4.bb
@@ -26,10 +26,10 @@ SRC_URI[sha256sum] = "e87aae032bf07c26f85ac0ed3250998c37621d95f8bd748b31f15b33c4
 
 GITHUB_BASE_URI = "https://github.com/westes/flex/releases"
 
-# Disputed - yes there is stack exhaustion but no bug and it is building the
-# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
 # https://github.com/westes/flex/issues/414
-CVE_CHECK_IGNORE += "CVE-2019-6293"
+CVE_STATUS[CVE-2019-6293] = "upstream-wontfix: \
+there is stack exhaustion but no bug and it is building the \
+parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address this."
 
 inherit autotools gettext texinfo ptest github-releases
 
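Review bot: the removed comment opened with "Disputed", yet the new status is upstream-wontfix rather than disputed, which the same patch uses for the analogous coreutils and glibc cases; if the point is that upstream rejects the bug as a non-issue, disputed matches the original wording better. The text also starts mid-sentence ("there is stack exhaustion ...") because "yes" was trimmed; capitalise it.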
diff --git a/meta/recipes-devtools/gcc/gcc-13.1.inc b/meta/recipes-devtools/gcc/gcc-13.1.inc
index 4da703db52..e94753eed0 100644
--- a/meta/recipes-devtools/gcc/gcc-13.1.inc
+++ b/meta/recipes-devtools/gcc/gcc-13.1.inc
@@ -111,5 +111,4 @@ EXTRA_OECONF_PATHS = "\
     --with-build-sysroot=${STAGING_DIR_TARGET} \
 "
 
-# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_IGNORE += "CVE-2021-37322"
+CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
diff --git a/meta/recipes-devtools/git/git_2.39.3.bb b/meta/recipes-devtools/git/git_2.39.3.bb
index 54a863acd2..3393550c85 100644
--- a/meta/recipes-devtools/git/git_2.39.3.bb
+++ b/meta/recipes-devtools/git/git_2.39.3.bb
@@ -27,13 +27,6 @@ LIC_FILES_CHKSUM = "\
 
 CVE_PRODUCT = "git-scm:git"
 
-# This is about a manpage not mentioning --mirror may "leak" information
-# in mirrored git repos. Most OE users wouldn't build the docs and
-# we don't see this as a major issue for our general users/usecases.
-CVE_CHECK_IGNORE += "CVE-2022-24975"
-# This is specific to Git-for-Windows
-CVE_CHECK_IGNORE += "CVE-2022-41953"
-
 PACKAGECONFIG ??= "expat curl"
 PACKAGECONFIG[cvsserver] = ""
 PACKAGECONFIG[svn] = ""
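Review bot: both git ignores are dropped without a replacement, and the second ("This is specific to Git-for-Windows", CVE-2022-41953) is a platform exclusion rather than a version-dependent one, so unless the database no longer lists git 2.39.3 it will reappear in the report; a not-applicable-platform status, as this patch uses for the Windows-only Python CVEs, would preserve it. CVE-2022-24975 (the --mirror manpage issue) likewise looks like upstream-wontfix material rather than something made obsolete by 2.39.3.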
diff --git a/meta/recipes-devtools/jquery/jquery_3.6.3.bb b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
index 93f87f730d..db4745ad7a 100644
--- a/meta/recipes-devtools/jquery/jquery_3.6.3.bb
+++ b/meta/recipes-devtools/jquery/jquery_3.6.3.bb
@@ -20,9 +20,8 @@ SRC_URI[map.sha256sum] = "156b740931ade6c1a98d99713eeb186f93847ffc56057e973becab
 UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js"
 
 # https://github.com/jquery/jquery/issues/3927
-# There are ways jquery can expose security issues but any issues are in the apps exposing them
-# and there is little we can directly do
-CVE_CHECK_IGNORE += "CVE-2007-2379"
+CVE_STATUS[CVE-2007-2379] = "upstream-wontfix: There are ways jquery can expose security issues but any issues \
+are in the apps exposing them and there is little we can directly do."
 
 inherit allarch
 
diff --git a/meta/recipes-devtools/ninja/ninja_1.11.1.bb b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
index 83d2f01263..8e297ec4d4 100644
--- a/meta/recipes-devtools/ninja/ninja_1.11.1.bb
+++ b/meta/recipes-devtools/ninja/ninja_1.11.1.bb
@@ -30,5 +30,4 @@ do_install() {
 
 BBCLASSEXTEND = "native nativesdk"
 
-# This is a different Ninja
-CVE_CHECK_IGNORE += "CVE-2021-4336"
+CVE_STATUS[CVE-2021-4336] = "cpe-incorrect: This is a different Ninja"
diff --git a/meta/recipes-devtools/python/python3_3.11.4.bb b/meta/recipes-devtools/python/python3_3.11.4.bb
index 7a277facf7..b3534ad678 100644
--- a/meta/recipes-devtools/python/python3_3.11.4.bb
+++ b/meta/recipes-devtools/python/python3_3.11.4.bb
@@ -47,17 +47,13 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/"
 
 CVE_PRODUCT = "python"
 
-# Upstream consider this expected behaviour
-CVE_CHECK_IGNORE += "CVE-2007-4559"
-# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_IGNORE += "CVE-2019-18348"
-# These are specific to Microsoft Windows
-CVE_CHECK_IGNORE += "CVE-2020-15523 CVE-2022-26488"
-# The mailcap module is insecure by design, so this can't be fixed in a meaningful way.
+CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
+CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
+CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
+CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
 # The module will be removed in the future and flaws documented.
-CVE_CHECK_IGNORE += "CVE-2015-20107"
-# Not an issue, in fact expected behaviour
-CVE_CHECK_IGNORE += "CVE-2023-36632"
+CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
+# CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour"
 
 PYTHON_MAJMIN = "3.11"
 
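Review bot: `# CVE_STATUS[CVE-2023-36632] = ...` is commented out, which silently changes behaviour: the old `CVE_CHECK_IGNORE += "CVE-2023-36632"` did exclude it and the new file does not, so it will reappear in reports. Either uncomment the line or explain the drop in the commit message. Also the leftover `# The module will be removed in the future and flaws documented.` comment now sits between the two Windows entries and the CVE-2015-20107 status it belongs to; move it directly above `CVE_STATUS[CVE-2015-20107]` or fold it into that status string.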
diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc
index 16581db69d..64bade86aa 100644
--- a/meta/recipes-devtools/qemu/qemu.inc
+++ b/meta/recipes-devtools/qemu/qemu.inc
@@ -38,21 +38,16 @@ SRC_URI[sha256sum] = "ecf4d32cbef9d397bfc8cc50e4d1e92a1b30253bf32e8ee73c7a8dcf9a
 SRC_URI:append:class-target = " file://cross.patch"
 SRC_URI:append:class-nativesdk = " file://cross.patch"
 
-# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_IGNORE += "CVE-2017-5957"
+CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"
 
-# The VNC server can expose host files uder some circumstances. We don't
-# enable it by default.
-CVE_CHECK_IGNORE += "CVE-2007-0998"
+CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can expose host files uder some circumstances. We don't enable it by default."
 
-# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
 # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_IGNORE += "CVE-2018-18438"
+CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were determined to not constitute a vulnerability."
 
 # As per https://nvd.nist.gov/vuln/detail/CVE-2023-0664
 # https://bugzilla.redhat.com/show_bug.cgi?id=2167423
-# this bug related to windows specific.
-CVE_CHECK_IGNORE += "CVE-2023-0664"
+CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies on Windows"
 
 COMPATIBLE_HOST:mipsarchn32 = "null"
 COMPATIBLE_HOST:mipsarchn64 = "null"
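Review bot: the typo `uder` from the old comment is carried into the new CVE_STATUS[CVE-2007-0998] string ("expose host files uder some circumstances"); since this text now lands in the generated cve-check reports, fix it to `under` while moving it.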
diff --git a/meta/recipes-devtools/rsync/rsync_3.2.7.bb b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
index 19574bcb1c..130581a785 100644
--- a/meta/recipes-devtools/rsync/rsync_3.2.7.bb
+++ b/meta/recipes-devtools/rsync/rsync_3.2.7.bb
@@ -18,9 +18,6 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \
            "
 SRC_URI[sha256sum] = "4e7d9d3f6ed10878c58c5fb724a67dacf4b6aac7340b13e488fb2dc41346f2bb"
 
-# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_IGNORE += " CVE-2017-16548 "
-
 inherit autotools-brokensep
 
 PACKAGECONFIG ??= "acl attr \
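Review bot: the CVE-2017-16548 ignore is removed with no replacement entry. Given the old comment says it was already fixed in v3.1.3 and the recipe is at 3.2.7, this is presumably because cve-check no longer reports it for this version, but that should be stated in the commit message so a reviewer can tell an intentional drop from an accidental one.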
diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
index 982f370edb..91fc81352e 100644
--- a/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
+++ b/meta/recipes-devtools/tcltk/tcl_8.6.13.bb
@@ -29,10 +29,6 @@ SRC_URI[sha256sum] = "c61f0d6699e2bc7691f119b41963aaa8dc980f23532c4e937739832a5f
 
 SRC_URI:class-native = "${BASE_SRC_URI}"
 
-# Upstream don't believe this is an exploitable issue
-# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_IGNORE += "CVE-2021-35331"
-
 UPSTREAM_CHECK_URI = "https://www.tcl.tk/software/tcltk/download.html"
 UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
 
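Review bot: CVE-2021-35331 loses its exclusion entirely instead of being converted, so it will be reported as open again. The removed reasoning (upstream do not consider it exploitable, with the core.tcl-lang.org ticket as reference) maps directly onto the new mechanism, e.g. `CVE_STATUS[CVE-2021-35331] = "upstream-wontfix: Upstream don't believe this is an exploitable issue, see https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7"`.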
diff --git a/meta/recipes-extended/cpio/cpio_2.14.bb b/meta/recipes-extended/cpio/cpio_2.14.bb
index 45eb9de8e0..560038d2a6 100644
--- a/meta/recipes-extended/cpio/cpio_2.14.bb
+++ b/meta/recipes-extended/cpio/cpio_2.14.bb
@@ -16,8 +16,7 @@ SRC_URI[sha256sum] = "145a340fd9d55f0b84779a44a12d5f79d77c99663967f8cfa168d7905c
 
 inherit autotools gettext texinfo ptest
 
-# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_IGNORE += "CVE-2010-4226"
+CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use of cpio in SUSE/OBS"
 
 EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
 
diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index da320b1085..36feaddcf8 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -19,14 +19,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/v${PV}/cups-${PV}-source.tar.gz \
 
 GITHUB_BASE_URI = "https://github.com/OpenPrinting/cups/releases"
 
-# Issue only applies to MacOS
-CVE_CHECK_IGNORE += "CVE-2008-1033"
-# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_IGNORE += "CVE-2009-0032"
-# This is an Ubuntu only issue.
-CVE_CHECK_IGNORE += "CVE-2018-6553"
-# This is fixed in 2.4.2 but the cve-check class still reports it
-CVE_CHECK_IGNORE += "CVE-2022-26691"
+CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacOS"
+CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
+CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
+CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
+CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."
 
 LEAD_SONAME = "libcupsdriver.so"
 
@@ -114,7 +111,3 @@ SYSROOT_PREPROCESS_FUNCS += "cups_sysroot_preprocess"
 cups_sysroot_preprocess () {
 	sed -i ${SYSROOT_DESTDIR}${bindir_crossscripts}/cups-config -e 's:cups_datadir=.*:cups_datadir=${datadir}/cups:' -e 's:cups_serverbin=.*:cups_serverbin=${libexecdir}/cups:'
 }
-
-# -25317 concerns /var/log/cups having lp ownership.  Our /var/log/cups is
-# root:root, so this doesn't apply.
-CVE_CHECK_IGNORE += "CVE-2021-25317"
diff --git a/meta/recipes-extended/iputils/iputils_20221126.bb b/meta/recipes-extended/iputils/iputils_20221126.bb
index cd5fe9bd3e..7d94271a64 100644
--- a/meta/recipes-extended/iputils/iputils_20221126.bb
+++ b/meta/recipes-extended/iputils/iputils_20221126.bb
@@ -17,9 +17,8 @@ S = "${WORKDIR}/git"
 
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"
 
-# Fixed in 2000-10-10, but the versioning of iputils
-# breaks the version order.
-CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
+CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
+CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 
 PACKAGECONFIG ??= "libcap"
 PACKAGECONFIG[libcap] = "-DUSE_CAP=true, -DUSE_CAP=false -DNO_SETCAP_OR_SUID=true, libcap libcap-native"
diff --git a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
index f55e0b0ed1..d466905426 100644
--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.3.bb
@@ -14,8 +14,7 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "6474e98851d9f6f33871957ddee9714fdcd9d8a5ee9abb5a98d63ea2e60e12f3"
 
-# Was fixed in 1.3.3rc1 so not present in 1.3.3
-CVE_CHECK_IGNORE += "CVE-2021-46828"
+CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
 
 inherit autotools pkgconfig
 
diff --git a/meta/recipes-extended/procps/procps_4.0.3.bb b/meta/recipes-extended/procps/procps_4.0.3.bb
index cc3420df4e..dc0e957bda 100644
--- a/meta/recipes-extended/procps/procps_4.0.3.bb
+++ b/meta/recipes-extended/procps/procps_4.0.3.bb
@@ -72,10 +72,6 @@ python __anonymous() {
         d.setVarFlag('ALTERNATIVE_LINK_NAME', prog, '%s/%s' % (d.getVar('base_sbindir'), prog))
 }
 
-# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
-# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_IGNORE += "CVE-2018-1121"
-
 PROCPS_PACKAGES = "${PN}-lib \
                    ${PN}-ps \
                    ${PN}-sysctl"
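Review bot: CVE-2018-1121 is dropped without a CVE_STATUS entry, so the exclusion is lost; the removed comment ('ps' is not suitable as a security tool, with the Red Hat bug as reference) is exactly the kind of reasoning the new flag is meant to hold. Suggest `CVE_STATUS[CVE-2018-1121] = "upstream-wontfix: 'ps' isn't suitable for use as a security tool"` with the bugzilla URL comment kept above it, unless the removal is intentional and explained in the commit message.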
diff --git a/meta/recipes-extended/shadow/shadow_4.13.bb b/meta/recipes-extended/shadow/shadow_4.13.bb
index d1a3fd5593..4e55446312 100644
--- a/meta/recipes-extended/shadow/shadow_4.13.bb
+++ b/meta/recipes-extended/shadow/shadow_4.13.bb
@@ -6,9 +6,6 @@ BUILD_LDFLAGS:append:class-target = " ${@bb.utils.contains('DISTRO_FEATURES', 'p
 
 BBCLASSEXTEND = "native nativesdk"
 
-# Severity is low and marked as closed and won't fix.
 # https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_IGNORE += "CVE-2013-4235"
-
-# This is an issue for a different shadow
-CVE_CHECK_IGNORE += "CVE-2016-15024"
+CVE_STATUS[CVE-2013-4235] = "upstream-wontfix: Severity is low and marked as closed and won't fix."
+CVE_STATUS[CVE-2016-15024] = "cpe-incorrect: This is an issue for a different shadow"
diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb
index 3051e9b5bc..a53663d086 100644
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@@ -39,8 +39,7 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "62b490407489521db863b523a7f86375"
 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
 
-# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_IGNORE += "CVE-2008-0888"
+CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
 
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
index c390fcf33c..72eb1ae067 100644
--- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
+++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb
@@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4"
 S = "${WORKDIR}/git"
 
 # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_IGNORE += "CVE-2013-4342"
+CVE_STATUS[CVE-2013-4342] = "fixed-version: Fixed directly in git tree revision"
 
 inherit autotools update-rc.d systemd pkgconfig
 
diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb
index 82153131b4..3425e8eb7b 100644
--- a/meta/recipes-extended/zip/zip_3.0.bb
+++ b/meta/recipes-extended/zip/zip_3.0.bb
@@ -26,11 +26,8 @@ UPSTREAM_VERSION_UNKNOWN = "1"
 SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37"
 SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
 
-# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_IGNORE += "CVE-2018-13410"
-
-# Not for zip but for smart contract implementation for it
-CVE_CHECK_IGNORE += "CVE-2018-13684"
+CVE_STATUS[CVE-2018-13410] = "disputed: Disputed and also Debian doesn't consider a vulnerability"
+CVE_STATUS[CVE-2018-13684] = "cpe-incorrect: Not for zip but for smart contract implementation for it"
 
 # zip.inc sets CFLAGS, but what Makefile actually uses is
 # CFLAGS_NOOPT.  It will also force -O3 optimization, overriding
diff --git a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
index 08e9899d00..6888c33d14 100644
--- a/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
+++ b/meta/recipes-gnome/libnotify/libnotify_0.8.2.bb
@@ -33,4 +33,4 @@ RCONFLICTS:${PN} += "libnotify3"
 RREPLACES:${PN} += "libnotify3"
 
 # -7381 is specific to the NodeJS bindings
-CVE_CHECK_IGNORE += "CVE-2013-7381"
+CVE_STATUS[CVE-2013-7381] = "cpe-incorrect: The issue is specific to the NodeJS bindings"
diff --git a/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb b/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
index 5649ed7d17..edd7ad38fd 100644
--- a/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
+++ b/meta/recipes-gnome/librsvg/librsvg_2.56.1.bb
@@ -50,8 +50,7 @@ do_compile:prepend() {
     sed -ie 's,"linker": ".*","linker": "${RUST_TARGET_CC}",g' ${RUST_TARGETS_DIR}/${RUST_HOST_SYS}.json
 }
 
-# Issue only on windows
-CVE_CHECK_IGNORE += "CVE-2018-1000041"
+CVE_STATUS[CVE-2018-1000041] = "not-applicable-platform: Issue only applies on Windows"
 
 CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
 
diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb
index 39be3bd63f..1700015ded 100644
--- a/meta/recipes-graphics/builder/builder_0.1.bb
+++ b/meta/recipes-graphics/builder/builder_0.1.bb
@@ -29,5 +29,4 @@ do_install () {
 	chown  builder.builder ${D}${sysconfdir}/mini_x/session.d/builder_session.sh
 }
 
-# -4178 is an unrelated 'builder'
-CVE_CHECK_IGNORE = "CVE-2008-4178"
+CVE_STATUS[CVE-2008-4178] = "cpe-incorrect: This CVE is for an unrelated builder"
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
index ecb164ddf7..085fcaf87a 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc
@@ -20,16 +20,15 @@ SRC_URI = "${XORG_MIRROR}/individual/xserver/${XORG_PN}-${PV}.tar.xz"
 UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar"
 
 CVE_PRODUCT = "xorg-server x_server"
-# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_IGNORE += "CVE-2011-4613"
-# As per upstream, exploiting this flaw is non-trivial and it requires exact
-# timing on the behalf of the attacker. Many graphical applications exit if their
-# connection to the X server is lost, so a typical desktop session is either
-# impossible or difficult to exploit. There is currently no upstream patch
-# available for this flaw.
-CVE_CHECK_IGNORE += "CVE-2020-25697"
-# This is specific to XQuartz, which is the macOS X server port
-CVE_CHECK_IGNORE += "CVE-2022-3553"
+
+CVE_STATUS[CVE-2011-4613] = "not-applicable-platform: This is specific to Debian's xserver-wrapper.c"
+CVE_STATUS[CVE-2020-25697] = "upstream-wontfix: \
+As per upstream, exploiting this flaw is non-trivial and it requires exact \
+timing on the behalf of the attacker. Many graphical applications exit if their \
+connection to the X server is lost, so a typical desktop session is either \
+impossible or difficult to exploit. There is currently no upstream patch \
+available for this flaw."
+CVE_STATUS[CVE-2022-3553] = "cpe-incorrect: This is specific to XQuartz, which is the macOS X server port"
 
 S = "${WORKDIR}/${XORG_PN}-${PV}"
 
diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
index 6a0bd19447..2eb4836c35 100644
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
@@ -1,26 +1,24 @@
-# This is specific to Ubuntu
-CVE_CHECK_IGNORE += "CVE-2018-6559"
+CVE_STATUS[CVE-2018-6559] = "not-applicable-platform: Issue only affects Ubuntu"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3016
 # Fixed with 5.6
-CVE_CHECK_IGNORE += "CVE-2019-3016"
+CVE_STATUS[CVE-2019-3016] = "fixed-version: Fixed in version v5.6"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3819
 # Fixed with 5.1
-CVE_CHECK_IGNORE += "CVE-2019-3819"
+CVE_STATUS[CVE-2019-3819] = "fixed-version: Fixed in version v5.1"
 
 # https://www.linuxkernelcves.com/cves/CVE-2019-3887
 # Fixed with 5.2
-CVE_CHECK_IGNORE += "CVE-2019-3887"
+CVE_STATUS[CVE-2019-3887] = "fixed-version: Fixed in version v5.2"
 
-# This is specific to aufs, which is not in linux-yocto
-CVE_CHECK_IGNORE += "CVE-2020-11935"
+CVE_STATUS[CVE-2020-11935] = "not-applicable-config: Issue only affects aufs, which is not in linux-yocto"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2020-27784
 # Introduced in version v4.1 b26394bd567e5ebe57ec4dee7fe6cd14023c96e9
 # Patched in kernel since v5.10	e8d5f92b8d30bb4ade76494490c3c065e12411b1
 # Backported in version v5.4.73	e9e791f5c39ab30e374a3b1a9c25ca7ff24988f3
-CVE_CHECK_IGNORE += "CVE-2020-27784"
+CVE_STATUS[CVE-2020-27784] = "cpe-stable-backport: Backported in version v5.4.73"
 
 
 # 2021
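Review bot: CVE_STATUS[CVE-2020-27784] uses `cpe-stable-backport: Backported in version v5.4.73`, but the comments directly above say the fix has been in mainline since v5.10, and this file covers the 6.1 kernel; the 5.4 backport is irrelevant for 6.1 and the entry should be `fixed-version: Fixed in version v5.10`, consistent with the other mainline-fixed entries in this hunk. The same rule applies throughout this file: anything patched in mainline at or below v6.1 is `fixed-version` for this recipe, and `cpe-stable-backport` only fits when the fix landed in a 6.1.y stable release.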
@@ -28,19 +26,19 @@ CVE_CHECK_IGNORE += "CVE-2020-27784"
 # https://nvd.nist.gov/vuln/detail/CVE-2021-3669
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 20401d1058f3f841f35a594ac2fc1293710e55b9
-CVE_CHECK_IGNORE += "CVE-2021-3669"
+CVE_STATUS[CVE-2021-3669] = "fixed-version: Fixed in version v5.15"
https://nvd.nist.gov/vuln/detail/CVE-2021-3759
 # Introduced in version v4.5 a9bb7e620efdfd29b6d1c238041173e411670996
 # Patched in kernel since v5.15 18319498fdd4cdf8c1c2c48cd432863b1f915d6f
 # Backported in version v5.4.224 bad83d55134e647a739ebef2082541963f2cbc92
 # Backported in version v5.10.154 836686e1a01d7e2fda6a5a18252243ff30a6e196
-CVE_CHECK_IGNORE += "CVE-2021-3759"
+CVE_STATUS[CVE-2021-3759] = "cpe-stable-backport: Backported in versions v5.4.224 and v6.1.11"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2021-4218
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.8 32927393dc1ccd60fb2bdc05b9e8e88753761469
-CVE_CHECK_IGNORE += "CVE-2021-4218"
+CVE_STATUS[CVE-2021-4218] = "fixed-version: Fixed in version v5.8"
 
 
 # 2022
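Review bot: CVE_STATUS[CVE-2021-3759] says `Backported in versions v5.4.224 and v6.1.11`, but the comments above list backports in v5.4.224 and v5.10.154 and a mainline fix in v5.15; v6.1.11 appears nowhere in the context. Either correct the list to match the comments or, since mainline v5.15 predates the 6.1 kernel this file is for, use `fixed-version: Fixed in version v5.15` like CVE-2021-3669 just above it.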
@@ -48,7 +46,7 @@ CVE_CHECK_IGNORE += "CVE-2021-4218"
 # https://nvd.nist.gov/vuln/detail/CVE-2022-0480
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.15 0f12156dff2862ac54235fc72703f18770769042
-CVE_CHECK_IGNORE += "CVE-2022-0480"
+CVE_STATUS[CVE-2022-0480] = "fixed-version: Fixed in version v5.15"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1184
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -56,7 +54,7 @@ CVE_CHECK_IGNORE += "CVE-2022-0480"
 # Backported in version v5.4.198 17034d45ec443fb0e3c0e7297f9cd10f70446064
 # Backported in version v5.10.121 da2f05919238c7bdc6e28c79539f55c8355408bb
 # Backported in version v5.15.46 ca17db384762be0ec38373a12460081d22a8b42d
-CVE_CHECK_IGNORE += "CVE-2022-1184"
+CVE_STATUS[CVE-2022-1184] = "cpe-stable-backport: Backported in versions v5.4.198, v5.10.121 and v5.15.46"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-1462
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -64,7 +62,7 @@ CVE_CHECK_IGNORE += "CVE-2022-1184"
 # Backported in version v5.4.208 f7785092cb7f022f59ebdaa181651f7c877df132
 # Backported in version v5.10.134 08afa87f58d83dfe040572ed591b47e8cb9e225c
 # Backported in version v5.15.58 b2d1e4cd558cffec6bfe318f5d74e6cffc374d29
-CVE_CHECK_IGNORE += "CVE-2022-1462"
+CVE_STATUS[CVE-2022-1462] = "cpe-stable-backport: Backported in versions v5.4.208, v5.10.134 and v5.15.58"
https://nvd.nist.gov/vuln/detail/CVE-2022-2196
 # Introduced in version v5.8 5c911beff20aa8639e7a1f28988736c13e03ed54
@@ -74,19 +72,19 @@ CVE_CHECK_IGNORE += "CVE-2022-1462"
 # Backported in version v5.10.170 1b0cafaae8884726c597caded50af185ffc13349
 # Backported in version v5.15.96 6b539a7dbb49250f92515c2ba60aea239efc9e35
 # Backported in version v6.1.14 63fada296062e91ad9f871970d4e7f19e21a6a15
-CVE_CHECK_IGNORE += "CVE-2022-2196"
+CVE_STATUS[CVE-2022-2196] = "cpe-stable-backport: Backported in versions v5.4.1233, v5.10.170, v5.15.46 and v6.1.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2308
 # Introduced in version v5.15 c8a6153b6c59d95c0e091f053f6f180952ade91e
 # Patched in kernel since v6.0 46f8a29272e51b6df7393d58fc5cb8967397ef2b
 # Backported in version v5.15.72 dc248ddf41eab4566e95b1ee2433c8a5134ad94a
 # Backported in version v5.19.14 38d854c4a11c3bbf6a96ea46f14b282670c784ac
-CVE_CHECK_IGNORE += "CVE-2022-2308"
+CVE_STATUS[CVE-2022-2308] = "cpe-stable-backport: Backported in versions v5.15.72 and v5.19.14"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2327
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v5.10.125 df3f3bb5059d20ef094d6b2f0256c4bf4127a859
-CVE_CHECK_IGNORE += "CVE-2022-2327"
+CVE_STATUS[CVE-2022-2327] = "fixed-version: Fixed in version v5.10.125"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2663
 # Introduced in version v2.6.20 869f37d8e48f3911eb70f38a994feaa8f8380008
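Review bot: the version list in CVE_STATUS[CVE-2022-2196] does not match the comments above it: `v5.4.1233` is not a real stable release (typo) and `v5.15.46` should be `v5.15.96` per the `Backported in version v5.15.96` line. These strings are copied into reports, so please correct them to the values in the comments.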
@@ -95,19 +93,19 @@ CVE_CHECK_IGNORE += "CVE-2022-2327"
 # Backported in version v5.10.143 e12ce30fe593dd438c5b392290ad7316befc11ca
 # Backported in version v5.15.68 451c9ce1e2fc9b9e40303bef8e5a0dca1a923cc4
 # Backported in version v5.19.9 6cf0609154b2ce8d3ae160e7506ab316400a8d3d
-CVE_CHECK_IGNORE += "CVE-2022-2663"
+CVE_STATUS[CVE-2022-2663] = "cpe-stable-backport: Backported in versions v5.4.213, v5.10.143, v5.15.68 and v5.19.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-2785
 # Introduced in version v5.18 b1d18a7574d0df5eb4117c14742baf8bc2b9bb74
 # Patched in kernel since v6.0 86f44fcec22ce2979507742bc53db8400e454f46
 # Backported in version v5.19.4 b429d0b9a7a0f3dddb1f782b72629e6353f292fd
-CVE_CHECK_IGNORE += "CVE-2022-2785"
+CVE_STATUS[CVE-2022-2785] = "cpe-stable-backport: Backported in version v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3176
 # Introduced in version v5.1 221c5eb2338232f7340386de1c43decc32682e58
 # Patched in kernel since v5.17 791f3465c4afde02d7f16cf7424ca87070b69396
 # Backported in version v5.15.65 e9d7ca0c4640cbebe6840ee3bac66a25a9bacaf5
-CVE_CHECK_IGNORE += "CVE-2022-3176"
+CVE_STATUS[CVE-2022-3176] = "cpe-stable-backport: Backported in version v5.15.65"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3424
 # Introduced in version v2.6.33 55484c45dbeca2eec7642932ec3f60f8a2d4bdbf
@@ -116,7 +114,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3176"
 # Backported in version v5.10.163 0f67ed565f20ea2fdd98e3b0b0169d9e580bb83c
 # Backported in version v5.15.86 d5c8f9003a289ee2a9b564d109e021fc4d05d106
 # Backported in version v6.1.2 4e947fc71bec7c7da791f8562d5da233b235ba5e
-CVE_CHECK_IGNORE += "CVE-2022-3424"
+CVE_STATUS[CVE-2022-3424] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.86 and v 6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3435
 # Introduced in version v5.18 6bf92d70e690b7ff12b24f4bfff5e5434d019b82
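Review bot: `v 6.1.2` in CVE_STATUS[CVE-2022-3424] has a stray space; it should be `v6.1.2` to match the `Backported in version v6.1.2` comment and the formatting of the other entries.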
@@ -127,18 +125,18 @@ CVE_CHECK_IGNORE += "CVE-2022-3424"
 # Backported in version v5.4.226 cc3cd130ecfb8b0ae52e235e487bae3f16a24a32
 # Backported in version v5.10.158 0b5394229ebae09afc07aabccb5ffd705ffd250e
 # Backported in version v5.15.82 25174d91e4a32a24204060d283bd5fa6d0ddf133
-CVE_CHECK_IGNORE += "CVE-2022-3435"
+CVE_STATUS[CVE-2022-3435] = "cpe-stable-backport: Backported in versions v5.4.226, v5.10.158 and v5.15.82"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3523
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 16ce101db85db694a91380aa4c89b25530871d33
-CVE_CHECK_IGNORE += "CVE-2022-3523"
+CVE_STATUS[CVE-2022-3523] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3526
 # Introduced in version v5.13 427f0c8c194b22edcafef1b0a42995ddc5c2227d
 # Patched in kernel since v5.18 e16b859872b87650bb55b12cca5a5fcdc49c1442
 # Backported in version v5.15.35 8f79ce226ad2e9b2ec598de2b9560863b7549d1b
-CVE_CHECK_IGNORE += "CVE-2022-3526"
+CVE_STATUS[CVE-2022-3526] = "cpe-stable-backport: Backported in version v5.15.35"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3534
 # Introduced in version v5.10 919d2b1dbb074d438027135ba644411931179a59
@@ -146,30 +144,30 @@ CVE_CHECK_IGNORE += "CVE-2022-3526"
 # Backported in version v5.10.163 c61650b869e0b6fb0c0a28ed42d928eea969afc8
 # Backported in version v5.15.86 a733bf10198eb5bb927890940de8ab457491ed3b
 # Backported in version v6.1.2 fbe08093fb2334549859829ef81d42570812597d
-CVE_CHECK_IGNORE += "CVE-2022-3534"
+CVE_STATUS[CVE-2022-3534] = "cpe-stable-backport: Backported in versions v5.10.163, v5.15.86 and v6.1.2"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3564
 # Introduced in version v3.6 4b51dae96731c9d82f5634e75ac7ffd3b9c1b060
 # Patched in kernel since v6.1 3aff8aaca4e36dc8b17eaa011684881a80238966
 # Backported in version v5.10.154 cb1c012099ef5904cd468bdb8d6fcdfdd9bcb569
 # Backported in version v5.15.78 8278a87bb1eeea94350d675ef961ee5a03341fde
-CVE_CHECK_IGNORE += "CVE-2022-3564"
+CVE_STATUS[CVE-2022-3564] = "cpe-stable-backport: Backported in versions v5.10.154 and v5.15.78"
https://nvd.nist.gov/vuln/detail/CVE-2022-3566
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 f49cd2f4d6170d27a2c61f1fecb03d8a70c91f57
-CVE_CHECK_IGNORE += "CVE-2022-3566"
+CVE_STATUS[CVE-2022-3566] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3567
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 364f997b5cfe1db0d63a390fe7c801fa2b3115f6
-CVE_CHECK_IGNORE += "CVE-2022-3567"
+CVE_STATUS[CVE-2022-3567] = "fixed-version: Fixed in version v6.1"
https://nvd.nist.gov/vuln/detail/CVE-2022-3619
 # Introduced in version v5.12 4d7ea8ee90e42fc75995f6fb24032d3233314528
 # Patched in kernel since v6.1 7c9524d929648935bac2bbb4c20437df8f9c3f42
 # Backported in version v5.15.78 aa16cac06b752e5f609c106735bd7838f444784c
-CVE_CHECK_IGNORE += "CVE-2022-3619"
+CVE_STATUS[CVE-2022-3619] = "cpe-stable-backport: Backported in version v5.15.78"
https://nvd.nist.gov/vuln/detail/CVE-2022-3621
 # Introduced in version v2.60.30 05fe58fdc10df9ebea04c0eaed57adc47af5c184
@@ -178,7 +176,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3619"
 # Backported in version v5.10.148 3f840480e31495ce674db4a69912882b5ac083f2
 # Backported in version v5.15.74 1e512c65b4adcdbdf7aead052f2162b079cc7f55
 # Backported in version v5.19.16 caf2c6b580433b3d3e413a3d54b8414a94725dcd
-CVE_CHECK_IGNORE += "CVE-2022-3621"
+CVE_STATUS[CVE-2022-3621] = "cpe-stable-backport: Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3623
 # Introduced in version v5.1 5480280d3f2d11d47f9be59d49b20a8d7d1b33e8
@@ -187,12 +185,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3621"
 # Backported in version v5.10.159 fccee93eb20d72f5390432ecea7f8c16af88c850
 # Backported in version v5.15.78 3a44ae4afaa5318baed3c6e2959f24454e0ae4ff
 # Backported in version v5.19.17 86a913d55c89dd13ba070a87f61a493563e94b54
-CVE_CHECK_IGNORE += "CVE-2022-3623"
+CVE_STATUS[CVE-2022-3623] = "cpe-stable-backport: Backported in versions v5.4.228, v5.10.159, v5.15.78 and v 5.19.17"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3624
 # Introduced in version v6.0 d5410ac7b0baeca91cf73ff5241d35998ecc8c9e
 # Patched in kernel since v6.0 4f5d33f4f798b1c6d92b613f0087f639d9836971
-CVE_CHECK_IGNORE += "CVE-2022-3624"
+CVE_STATUS[CVE-2022-3624] = "fixed-version: Fixed in version v6.0"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3625
 # Introduced in version v4.19 45f05def5c44c806f094709f1c9b03dcecdd54f0
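Review bot: `v 5.19.17` in CVE_STATUS[CVE-2022-3623] has a stray space; it should be `v5.19.17` to match the comment above it.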
@@ -201,7 +199,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3624"
 # Backported in version v5.10.138 0e28678a770df7989108327cfe86f835d8760c33
 # Backported in version v5.15.63 c4d09fd1e18bac11c2f7cf736048112568687301
 # Backported in version v5.19.4 26bef5616255066268c0e40e1da10cc9b78b82e9
-CVE_CHECK_IGNORE += "CVE-2022-3625"
+CVE_STATUS[CVE-2022-3625] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3629
 # Introduced in version v3.9 d021c344051af91f42c5ba9fdedc176740cbd238
@@ -210,13 +208,13 @@ CVE_CHECK_IGNORE += "CVE-2022-3625"
 # Backported in version v5.10.138 38ddccbda5e8b762c8ee06670bb1f64f1be5ee50
 # Backported in version v5.15.63 e4c0428f8a6fc8c218d7fd72bddd163f05b29795
 # Backported in version v5.19.4 8ff5db3c1b3d6797eda5cd326dcd31b9cd1c5f72
-CVE_CHECK_IGNORE += "CVE-2022-3629"
+CVE_STATUS[CVE-2022-3629] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3630
 # Introduced in version v5.19 85e4ea1049c70fb99de5c6057e835d151fb647da
 # Patched in kernel since v6.0 fb24771faf72a2fd62b3b6287af3c610c3ec9cf1
 # Backported in version v5.19.4 7a369dc87b66acc85d0cffcf39984344a203e20b
-CVE_CHECK_IGNORE += "CVE-2022-3630"
+CVE_STATUS[CVE-2022-3630] = "cpe-stable-backport: Backported in version v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3633
 # Introduced in version v5.4 9d71dd0c70099914fcd063135da3c580865e924c
@@ -225,7 +223,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3630"
 # Backported in version v5.10.138 a220ff343396bae8d3b6abee72ab51f1f34b3027
 # Backported in version v5.15.63 98dc8fb08299ab49e0b9c08daedadd2f4de1a2f2
 # Backported in version v5.19.4 a0278dbeaaf7ca60346c62a9add65ae7d62564de
-CVE_CHECK_IGNORE += "CVE-2022-3633"
+CVE_STATUS[CVE-2022-3633] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3635
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -234,12 +232,12 @@ CVE_CHECK_IGNORE += "CVE-2022-3633"
 # Backported in version v5.10.138 a0ae122e9aeccbff75014c4d36d11a9d32e7fb5e
 # Backported in version v5.15.63 a5d7ce086fe942c5ab422fd2c034968a152be4c4
 # Backported in version v5.19.4 af412b252550f9ac36d9add7b013c2a2c3463835
-CVE_CHECK_IGNORE += "CVE-2022-3635"
+CVE_STATUS[CVE-2022-3635] = "cpe-stable-backport: Backported in versions v5.4.211, v5.10.138, v5.15.63 and v5.19.4"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3636
 # Introduced in version v5.19 33fc42de33278b2b3ec6f3390512987bc29a62b7
 # Patched in kernel since v5.19 17a5f6a78dc7b8db385de346092d7d9f9dc24df6
-CVE_CHECK_IGNORE += "CVE-2022-3636"
+CVE_STATUS[CVE-2022-3636] = "cpe-stable-backport: Backported in version v5.19"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3640
 # Introduced in version v5.19 d0be8347c623e0ac4202a1d4e0373882821f56b0
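Review bot: CVE_STATUS[CVE-2022-3636] is tagged `cpe-stable-backport: Backported in version v5.19`, but the comments say the bug was both introduced and patched in v5.19, so no released kernel carried it and nothing was backported. `fixed-version: Fixed in version v5.19` describes this correctly.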
@@ -250,7 +248,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3636"
 # Backported in version v5.4.224 c1f594dddd9ffd747c39f49cc5b67a9b7677d2ab
 # Backported in version v5.10.154 d9ec6e2fbd4a565b2345d4852f586b7ae3ab41fd
 # Backported in version v5.15.78 a3a7b2ac64de232edb67279e804932cb42f0b52a
-CVE_CHECK_IGNORE += "CVE-2022-3640"
+CVE_STATUS[CVE-2022-3640] = "cpe-stable-backport: Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3646
 # Introduced in version v2.6.30 9ff05123e3bfbb1d2b68ba1d9bf1f7d1dffc1453
@@ -259,7 +257,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3640"
 # Backported in version v5.10.148 aad4c997857f1d4b6c1e296c07e4729d3f8058ee
 # Backported in version v5.15.74 44b1ee304bac03f1b879be5afe920e3a844e40fc
 # Backported in version v5.19.16 4755fcd844240857b525f6e8d8b65ee140fe9570
-CVE_CHECK_IGNORE += "CVE-2022-3646"
+CVE_STATUS[CVE-2022-3646] = "cpe-stable-backport: Backported in versions v5.4.218, v5.10.148, v5.15.74 and v5.19.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-3649
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -268,7 +266,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3646"
 # Backported in version v5.10.148 21ee3cffed8fbabb669435facfd576ba18ac8652
 # Backported in version v5.15.74 cb602c2b654e26763226d8bd27a702f79cff4006
 # Backported in version v5.19.16 394b2571e9a74ddaed55aa9c4d0f5772f81c21e4
-CVE_CHECK_IGNORE += "CVE-2022-3649"
+CVE_STATUS[CVE-2022-3649] = "cpe-stable-backport: Backported in versions v5.4.220, v5.10.148, v5.15.74 and v5.19.16"
https://nvd.nist.gov/vuln/detail/CVE-2022-4382
 # Introduced in version v5.3 e5d82a7360d124ae1a38c2a5eac92ba49b125191
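Review bot: the trailing context of this hunk looks whitespace-damaged: `https://nvd.nist.gov/vuln/detail/CVE-2022-4382` appears without the leading `# ` and without the blank line that separates entries everywhere else in this file, so the patch as posted is unlikely to apply cleanly at this point. Please check whether the mail client mangled it and resend the hunk if so.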
@@ -277,7 +275,7 @@ CVE_CHECK_IGNORE += "CVE-2022-3649"
 # Backported in version v5.10.165 856e4b5e53f21edbd15d275dde62228dd94fb2b4
 # Backported in version v5.15.90 a2e075f40122d8daf587db126c562a67abd69cf9
 # Backported in version v6.1.8 616fd34d017000ecf9097368b13d8a266f4920b3
-CVE_CHECK_IGNORE += "CVE-2022-4382"
+CVE_STATUS[CVE-2022-4382] = "cpe-stable-backport: Backported in versions v5.4.230, v5.10.165, v5.15.90 and v6.1.8"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-26365
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -285,7 +283,7 @@ CVE_CHECK_IGNORE += "CVE-2022-4382"
 # Backported in version v5.4.204 42112e8f94617d83943f8f3b8de2b66041905506
 # Backported in version v5.10.129 cfea428030be836d79a7690968232bb7fa4410f1
 # Backported in version v5.15.53 7ed65a4ad8fa9f40bc3979b32c54243d6a684ec9
-CVE_CHECK_IGNORE += "CVE-2022-26365"
+CVE_STATUS[CVE-2022-26365] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33740
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -293,7 +291,7 @@ CVE_CHECK_IGNORE += "CVE-2022-26365"
 # Backported in version v5.4.204 04945b5beb73019145ac17a2565526afa7293c14
 # Backported in version v5.10.129 728d68bfe68d92eae1407b8a9edc7817d6227404
 # Backported in version v5.15.53 5dd0993c36832d33820238fc8dc741ba801b7961
-CVE_CHECK_IGNORE += "CVE-2022-33740"
+CVE_STATUS[CVE-2022-33740] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33741
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -301,7 +299,7 @@ CVE_CHECK_IGNORE += "CVE-2022-33740"
 # Backported in version v5.4.204 ede57be88a5fff42cd00e6bcd071503194d398dd
 # Backported in version v5.10.129 4923217af5742a796821272ee03f8d6de15c0cca
 # Backported in version v5.15.53 ed3cfc690675d852c3416aedb271e0e7d179bf49
-CVE_CHECK_IGNORE += "CVE-2022-33741"
+CVE_STATUS[CVE-2022-33741] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-33742
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -309,15 +307,15 @@ CVE_CHECK_IGNORE += "CVE-2022-33741"
 # Backported in version v5.4.204 60ac50daad36ef3fe9d70d89cfe3b95d381db997
 # Backported in version v5.10.129 cbbd2d2531539212ff090aecbea9877c996e6ce6
 # Backported in version v5.15.53 6d0a9127279a4533815202e30ad1b3a39f560ba3
-CVE_CHECK_IGNORE += "CVE-2022-33742"
+CVE_STATUS[CVE-2022-33742] = "cpe-stable-backport: Backported in versions v5.4.204, v5.10.129 and v5.15.53"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42895
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.1 b1a2cd50c0357f243b7435a732b4e62ba3157a2e
-# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
-# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
 # Backported in version v5.4.224 6949400ec9feca7f88c0f6ca5cb5fdbcef419c89
-CVE_CHECK_IGNORE += "CVE-2022-42895"
+# Backported in version v5.10.154 26ca2ac091b49281d73df86111d16e5a76e43bd7
+# Backported in version v5.15.78 3e4697ffdfbb38a2755012c4e571546c89ab6422
+CVE_STATUS[CVE-2022-42895] = "cpe-stable-backport: Backported in versions v5.4.224, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-42896
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
@@ -325,7 +323,7 @@ CVE_CHECK_IGNORE += "CVE-2022-42895"
 # Backported in version v5.4.226 0d87bb6070361e5d1d9cb391ba7ee73413bc109b
 # Backported in version v5.10.154 6b6f94fb9a74dd2891f11de4e638c6202bc89476
 # Backported in version v5.15.78 81035e1201e26d57d9733ac59140a3e29befbc5a
-CVE_CHECK_IGNORE += "CVE-2022-42896"
+CVE_STATUS[CVE-2022-42896] = "cpe-stable-backport: Backported in versions v5.4.226, v5.10.154 and v5.15.78"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2022-38457
 # https://nvd.nist.gov/vuln/detail/CVE-2022-40133
@@ -337,10 +335,11 @@ CVE_CHECK_IGNORE += "CVE-2022-42896"
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-38457
 #  * https://www.linuxkernelcves.com/cves/CVE-2022-40133
 #  * https://lore.kernel.org/all/CAODzB9q3OBD0k6W2bcWrSZo2jC3EvV0PrLyWmO07rxR4nQgkJA@mail.gmail.com/T/
-CVE_CHECK_IGNORE += "CVE-2022-38457 CVE-2022-40133"
+CVE_STATUS[CVE-2022-38457] = "cpe-stable-backport: Backported in version v6.1.7"
+CVE_STATUS[CVE-2022-40133] = "cpe-stable-backport: Backported in version v6.1.7"
 
 # Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2022-48425"
+CVE_STATUS[CVE-2022-48425] = "cpe-stable-backport: Backported in version v6.1.33"
 
 # 2023
 
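Review bot: the new status for CVE-2022-38457 and CVE-2022-40133 claims `Backported in version v6.1.7`, but the visible comment block only lists reference URLs and has no "Backported in version ... <commit>" line like the neighbouring entries. Add the stable commit ids, since with CVE_STATUS this text becomes the recorded justification rather than a free-form comment and should be checkable.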
@@ -349,14 +348,14 @@ CVE_CHECK_IGNORE += "CVE-2022-48425"
 # Backported in version v5.10.164 550efeff989b041f3746118c0ddd863c39ddc1aa
 # Backported in version v5.15.89 a8acfe2c6fb99f9375a9325807a179cd8c32e6e3
 # Backported in version v6.1.7 76ef74d4a379faa451003621a84e3498044e7aa3
-CVE_CHECK_IGNORE += "CVE-2023-0179"
+CVE_STATUS[CVE-2023-0179] = "cpe-stable-backport: Backported in versions v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0266
 # Introduced in version v2.6.12 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2
 # Patched in kernel since v6.2 56b88b50565cd8b946a2d00b0c83927b7ebb055e
 # Backported in version v5.15.88 26350c21bc5e97a805af878e092eb8125843fe2c
 # Backported in version v6.1.6 d6ad4bd1d896ae1daffd7628cd50f124280fb8b1
-CVE_CHECK_IGNORE += "CVE-2023-0266"
+CVE_STATUS[CVE-2023-0266] = "cpe-stable-backport: Backported in versions v5.15.88 and v6.1.6"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0394
 # Introduced in version 2.6.12 357b40a18b04c699da1d45608436e9b76b50e251
@@ -365,14 +364,14 @@ CVE_CHECK_IGNORE += "CVE-2023-0266"
 # Backported in version v5.10.164 6c9e2c11c33c35563d34d12b343d43b5c12200b5
 # Backported in version v5.15.89 456e3794e08a0b59b259da666e31d0884b376bcf
 # Backported in version v6.1.7 0afa5f0736584411771299074bbeca8c1f9706d4
-CVE_CHECK_IGNORE += "CVE-2023-0394"
+CVE_STATUS[CVE-2023-0394] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.164, v5.15.89 and v6.1.7"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0386
 # Introduced in 5.11 459c7c565ac36ba09ffbf24231147f408fde4203
 # Patched in kernel v6.2 4f11ada10d0ad3fd53e2bd67806351de63a4f9c3
-# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
 # Backported in version 5.15.91 e91308e63710574c4b6a0cadda3e042a3699666e
-CVE_CHECK_IGNORE += "CVE-2023-0386"
+# Backported in version 6.1.9 42fea1c35254c49cce07c600d026cbc00c6d3c81
+CVE_STATUS[CVE-2023-0386] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-0461
 # Introduced in version v4.13 734942cc4ea6478eed125af258da1bdbb4afe578
@@ -381,7 +380,7 @@ CVE_CHECK_IGNORE += "CVE-2023-0386"
 # Backported in version v5.10.163 f8ed0a93b5d576bbaf01639ad816473bdfd1dcb0
 # Backported in version v5.15.88 dadd0dcaa67d27f550131de95c8e182643d2c9d6
 # Backported in version v6.1.5 7d242f4a0c8319821548c7176c09a6e0e71f223c
-CVE_CHECK_IGNORE += "CVE-2023-0461"
+CVE_STATUS[CVE-2023-0461] = "cpe-stable-backport: Backported in versions v5.4.229, v5.10.163, v5.15.88 and v6.1.5"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1073
 # Introduced in v3.16 1b15d2e5b8077670b1e6a33250a0d9577efff4a5
@@ -389,20 +388,20 @@ CVE_CHECK_IGNORE += "CVE-2023-0461"
 # Backported in version 5.10.166 5dc3469a1170dd1344d262a332b26994214eeb58
 # Backported in version 5.15.91 2b49568254365c9c247beb0eabbaa15d0e279d64
 # Backported in version 6.1.9 cdcdc0531a51659527fea4b4d064af343452062d
-CVE_CHECK_IGNORE += "CVE-2023-1073"
+CVE_STATUS[CVE-2023-1073] = "cpe-stable-backport: Backported in versions v5.10.166, v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1074
 # Patched in kernel v6.2 458e279f861d3f61796894cd158b780765a1569f
 # Backported in version 5.15.91 3391bd42351be0beb14f438c7556912b9f96cb32
 # Backported in version 6.1.9 9f08bb650078dca24a13fea1c375358ed6292df3
-CVE_CHECK_IGNORE += "CVE-2023-1074"
+CVE_STATUS[CVE-2023-1074] = "cpe-stable-backport: Backported in versions v5.15.91 andv6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1075
 # Introduced in v4.20 a42055e8d2c30d4decfc13ce943d09c7b9dad221
 # Patched in kernel v6.2 ffe2a22562444720b05bdfeb999c03e810d84cbb
 # Backported in version 6.1.11 37c0cdf7e4919e5f76381ac60817b67bcbdacb50
 # 5.15 still has issue, include/net/tls.h:is_tx_ready() would need patch
-CVE_CHECK_IGNORE += "CVE-2023-1075"
+CVE_STATUS[CVE-2023-1075] = "cpe-stable-backport: Backported in version v6.1.11"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1076
 # Patched in kernel v6.3 a096ccca6e503a5c575717ff8a36ace27510ab0a
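Review bot: missing space in the CVE-2023-1074 status: `v5.15.91 andv6.1.9` should read `v5.15.91 and v6.1.9`.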
@@ -411,19 +410,19 @@ CVE_CHECK_IGNORE += "CVE-2023-1075"
 # Backported in version v5.15.99 67f9f02928a34aad0a2c11dab5eea269f5ecf427
 # Backported in version v6.1.16 b4ada752eaf1341f47bfa3d8ada377eca75a8d44
 # Backported in version v6.2.3 4aa4b4b3b3e9551c4de2bf2987247c28805fb8f6
-CVE_CHECK_IGNORE += "CVE-2023-1076"
+CVE_STATUS[CVE-2023-1076] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1077
 # Patched in kernel 6.3rc1 7c4a5b89a0b5a57a64b601775b296abf77a9fe97
 # Backported in version 5.15.99 2c36c390a74981d03f04f01fe7ee9c3ac3ea11f7
 # Backported in version 6.1.16 6b4fcc4e8a3016e85766c161daf0732fca16c3a3
-CVE_CHECK_IGNORE += "CVE-2023-1077"
+CVE_STATUS[CVE-2023-1077] = "cpe-stable-backport: Backported in versions v5.15.99 and v6.1.16"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1078
 # Patched in kernel 6.2 f753a68980cf4b59a80fe677619da2b1804f526d
 # Backported in version 5.15.94 528e3f3a4b53df36dafd10cdf6b8c0fe2aa1c4ba
 # Backported in version 6.1.12 1d52bbfd469af69fbcae88c67f160ce1b968e7f3
-CVE_CHECK_IGNORE += "CVE-2023-1078"
+CVE_STATUS[CVE-2023-1078] = "cpe-stable-backport: Backported in versions v5.15.94 and v6.1.12"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1079
 # Patched in kernel since v6.3-rc1 4ab3a086d10eeec1424f2e8a968827a6336203df
@@ -432,7 +431,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1078"
 # Backported in version v5.15.99 3959316f8ceb17866646abc6be4a332655407138
 # Backported in version v6.1.16 ee907829b36949c452c6f89485cb2a58e97c048e
 # Backported in version v6.2.3 b08bcfb4c97d7bd41b362cff44b2c537ce9e8540
-CVE_CHECK_IGNORE += "CVE-2023-1079"
+CVE_STATUS[CVE-2023-1079] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1118
 # Introduced in version v2.6.36 9ea53b74df9c4681f5bb2da6b2e10e37d87ea6d6
@@ -442,7 +441,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1079"
 # Backported in version v5.15.99 29962c478e8b2e6a6154d8d84b8806dbe36f9c28
 # Backported in version v6.1.16 029c1410e345ce579db5c007276340d072aac54a
 # Backported in version v6.2.3 182ea492aae5b64067277e60a4ea5995c4628555
-CVE_CHECK_IGNORE += "CVE-2023-1118"
+CVE_STATUS[CVE-2023-1118] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.99, v6.1.16 and v6.2.3"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1281
 # Introduced in version v4.14 9b0d4446b56904b59ae3809913b0ac760fa941a6
@@ -450,7 +449,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1118"
 # Backported in version v5.10.169 eb8e9d8572d1d9df17272783ad8a84843ce559d4
 # Backported in version v5.15.95 becf55394f6acb60dd60634a1c797e73c747f9da
 # Backported in version v6.1.13 bd662ba56187b5ef8a62a3511371cd38299a507f
-CVE_CHECK_IGNORE += "CVE-2023-1281"
+CVE_STATUS[CVE-2023-1281] = "cpe-stable-backport: Backported in versions v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1513
 # Patched in kernel since v6.2 2c10b61421a28e95a46ab489fd56c0f442ff6952
@@ -458,7 +457,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1281"
 # Backported in version v5.10.169 6416c2108ba54d569e4c98d3b62ac78cb12e7107
 # Backported in version v5.15.95 35351e3060d67eed8af1575d74b71347a87425d8
 # Backported in version v6.1.13 747ca7c8a0c7bce004709143d1cd6596b79b1deb
-CVE_CHECK_IGNORE += "CVE-2023-1513"
+CVE_STATUS[CVE-2023-1513] = "cpe-stable-backport: Backported in versions v5.4.232, v5.10.169, v5.15.95 and v6.1.13"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1652
 # Patched in kernel since v6.2 e6cf91b7b47ff82b624bdfe2fdcde32bb52e71dd
@@ -466,7 +465,7 @@ CVE_CHECK_IGNORE += "CVE-2023-1513"
 # Backported in version v6.1.9 32d5eb95f8f0e362e37c393310b13b9e95404560
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1652
 # Ref: Debian kernel-sec team: https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/retired/CVE-2023-1652
-CVE_CHECK_IGNORE += "CVE-2023-1652"
+CVE_STATUS[CVE-2023-1652] = "cpe-stable-backport: Backported in versions v5.15.91 and v6.1.9"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-1829
 # Patched in kernel since v6.3-rc1 8c710f75256bb3cf05ac7b1672c82b92c43f3d28
@@ -477,178 +476,130 @@ CVE_CHECK_IGNORE += "CVE-2023-1652"
 # Backported in version v6.2.5 372ae77cf11d11fb118cbe2d37def9dd5f826abd
 # Ref: https://www.linuxkernelcves.com/cves/CVE-2023-1829
 # Ref: Debian kernel-sec team : https://salsa.debian.org/kernel-team/kernel-sec/-/blob/1fa77554d4721da54e2df06fa1908a83ba6b1045/active/CVE-2023-1829
-CVE_CHECK_IGNORE += "CVE-2023-1829"
+CVE_STATUS[CVE-2023-1829] = "cpe-stable-backport: Backported in versions v5.4.235, v5.10.173, v5.15.100, v6.1.18 and v6.2.5"
+
+# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
+# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
+# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
+# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
+# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
+# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
+CVE_STATUS[CVE-2023-28466] = "cpe-stable-backport: Backported in versions v5.15.05, v6.1.20 and v6.2.7"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-0459
-# Fixed in 6.1.14 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0459"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-0615
 # Fixed in 6.1 onwards
-CVE_CHECK_IGNORE += "CVE-2023-0615"
+CVE_STATUS[CVE-2023-0615] = "fixed-version: Fixed in version v6.1 onwards"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-1380
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-1380"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-1611
-# Fixed in 6.1.23
-CVE_CHECK_IGNORE += "CVE-2023-1611"
+# https://www.linuxkernelcves.com/cves/CVE-2023-28328
+# Fixed with 6.1.2
+CVE_STATUS[CVE-2023-28328] = "fixed-version: Fixed in version v6.1.2"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-1855
-# Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1855"
+# https://www.linuxkernelcves.com/cves/CVE-2023-2162
+# Fixed in 6.1.11
+CVE_STATUS[CVE-2023-2162] = "fixed-version: Fixed in version v6.1.11"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-1859
-# Fixed in 6.1.25
-CVE_CHECK_IGNORE += "CVE-2023-1859"
+# https://www.linuxkernelcves.com/cves/CVE-2023-0459
+# Fixed in 6.1.14 onwards
+CVE_STATUS[CVE-2023-0459] = "fixed-version: Fixed in version v6.1.14"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-1989
-# Fixed in 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-1989"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1999
+# https://www.linuxkernelcves.com/cves/CVE-2023-2985
+# Fixed in 6.1.16
+CVE_STATUS[CVE-2023-1998] = "fixed-version: Fixed in version v6.1.16"
+CVE_STATUS[CVE-2023-2985] = "fixed-version: Fixed in version v6.1.16"
 
+# https://www.linuxkernelcves.com/cves/CVE-2023-1855
 # https://www.linuxkernelcves.com/cves/CVE-2023-1990
+# https://www.linuxkernelcves.com/cves/CVE-2023-2235
+# https://www.linuxkernelcves.com/cves/CVE-2023-30456
 # Fixed in 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-1990"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6121"
+CVE_STATUS_KERNEL_6121 = "CVE-2023-1855 CVE-2023-1990 CVE-2023-2235 CVE-2023-30456"
+CVE_STATUS_KERNEL_6121[status] =  "fixed-version: Fixed in version v6.1.21"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-1999
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-1998"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1989
+# https://www.linuxkernelcves.com/cves/CVE-2023-2194
+# https://www.linuxkernelcves.com/cves/CVE-2023-28866
+# https://www.linuxkernelcves.com/cves/CVE-2023-30772
+# https://www.linuxkernelcves.com/cves/CVE-2023-33203
+# https://www.linuxkernelcves.com/cves/CVE-2023-33288
+# Fixed with 6.1.22
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6122"
+CVE_STATUS_KERNEL_6122 = "CVE-2023-2194 CVE-2023-1989 CVE-2023-28866 CVE-2023-30772 CVE-2023-33203 CVE-2023-33288"
+CVE_STATUS_KERNEL_6122[status] =  "fixed-version: Fixed in version v6.1.22"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-2002
-# Fixed in 6.1.27
-CVE_CHECK_IGNORE += "CVE-2023-2002"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1611
+# Fixed in 6.1.23
+CVE_STATUS[CVE-2023-1611] = "fixed-version: Fixed in version v6.1.23"
 
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-2124"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1859
+# Fixed in 6.1.25
+CVE_STATUS[CVE-2023-1859] = "fixed-version: Fixed in version v6.1.25"
 
 # https://www.linuxkernelcves.com/cves/CVE-2023-2156
+# https://www.linuxkernelcves.com/cves/CVE-2023-31436
 # Fixed in 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-2156"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-2162
-# Fixed in 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-2162"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-2194
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-2194"
+CVE_STATUS[CVE-2023-2156] = "fixed-version: Fixed in version v6.1.26"
+CVE_STATUS[CVE-2023-31436] = "fixed-version: Fixed in version v6.1.26"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-2235
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-2235"
+# https://www.linuxkernelcves.com/cves/CVE-2023-1380
+# https://www.linuxkernelcves.com/cves/CVE-2023-2002
+# Fixed in 6.1.27
+CVE_STATUS[CVE-2023-1380] = "fixed-version: Fixed in version v6.1.27"
+CVE_STATUS[CVE-2023-2002] = "fixed-version: Fixed in version v6.1.27"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-2985
-# Fixed in 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-2985"
+# https://www.linuxkernelcves.com/cves/CVE-2023-32233
+# Fixed with 6.1.28
+CVE_STATUS[CVE-2023-32233] = "fixed-version: Fixed in version v6.1.28"
 
-# Backported to 6.1.30
-CVE_CHECK_IGNORE += "CVE-2023-3090"
+# https://www.linuxkernelcves.com/cves/CVE-2023-34256
+# Fixed in 6.1.29
+CVE_STATUS[CVE-2023-34256] = "fixed-version: Fixed in version v6.1.29"
 
-# Backported to 6.1.35
-CVE_CHECK_IGNORE += "CVE-2023-3117"
 
-# Backported to 6.1.30 as 9a342d4
-CVE_CHECK_IGNORE += "CVE-2023-3141"
+# Backported to 6.1.9
+CVE_STATUS[CVE-2023-3358] = "cpe-stable-backport: Backported in version v6.1.9"
 
 # Backported to 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-3161"
-
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-3212"
-
-# Only in 6.2.0 to 6.2.14, and 6.3.0 to 6.3.1
-CVE_CHECK_IGNORE += "CVE-2023-3312"
+CVE_STATUS[CVE-2023-3359] = "cpe-stable-backport: Backported in version v6.1.11"
+CVE_STATUS[CVE-2023-3161] = "cpe-stable-backport: Backported in version v6.1.11"
 
 # Backported to 6.1.16
-CVE_CHECK_IGNORE += "CVE-2023-3220"
+CVE_STATUS[CVE-2023-3220] = "cpe-stable-backport: Backported in version v6.1.16"
 
 # Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-3268"
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6128"
+CVE_STATUS_KERNEL_6128 = "CVE-2023-3268 CVE-2023-35823 CVE-2023-35824 CVE-2023-35826 CVE-2023-35828 CVE-2023-35829"
+CVE_STATUS_KERNEL_6122[status] = "cpe-stable-backport: Backported in version v6.1.28"
 
-# Backported to 6.1.9
-CVE_CHECK_IGNORE += "CVE-2023-3358"
+# Backported to 6.1.30
+# Backported to 6.1.30 as 9a342d4
+CVE_STATUS[CVE-2023-3090] = "cpe-stable-backport: Backported in version v6.1.30"
+CVE_STATUS[CVE-2023-3141] = "cpe-stable-backport: Backported in version v6.1.30 as 9a342d4"
 
-# Backported to 6.1.11
-CVE_CHECK_IGNORE += "CVE-2023-3359"
+# Backported to 6.1.33
+CVE_STATUS_GROUPS += "CVE_STATUS_KERNEL_6133"
+CVE_STATUS_KERNEL_6133 = "CVE-2023-2124 CVE-2023-3212 CVE-2023-35788"
+CVE_STATUS_KERNEL_6133[status] = "cpe-stable-backport: Backported in version v6.1.33"
+
+# Backported to 6.1.35
+CVE_STATUS[CVE-2023-3117] = "cpe-stable-backport: Backported in version v6.1.35"
+CVE_STATUS[CVE-2023-3390] = "cpe-stable-backport: Backported in version v6.1.35"
 
 # Backported to 6.1.36
-CVE_CHECK_IGNORE += "CVE-2023-3389"
+CVE_STATUS[CVE-2023-3389] = "cpe-stable-backport: Backported in version v6.1.36"
+
+# Only in 6.2.0 to 6.2.14, and 6.3.0 to 6.3.1
+CVE_STATUS[CVE-2023-3312] = "not-applicable-config: Only in versions v6.2.0 to v6.2.4 and v6.3.0 to v6.3.1"
 
-# Backported to 6.1.35
-CVE_CHECK_IGNORE += "CVE-2023-3390"
 
 # https://nvd.nist.gov/vuln/detail/CVE-2023-23005
 # Introduced in version v6.1 7b88bda3761b95856cf97822efe8281c8100067b
 # Patched in kernel since v6.2 4a625ceee8a0ab0273534cb6b432ce6b331db5ee
 # But, the CVE is disputed:
-# > NOTE: this is disputed by third parties because there are no realistic cases
-# > in which a user can cause the alloc_memory_type error case to be reached.
-# See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2
-# We can safely ignore it.
-CVE_CHECK_IGNORE += "CVE-2023-23005"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-28328
-# Fixed with 6.1.2
-CVE_CHECK_IGNORE += "CVE-2023-28328"
-
-# Only in 6.3-rc
-CVE_CHECK_IGNORE += "CVE-2023-28464"
-
-# https://nvd.nist.gov/vuln/detail/CVE-2023-28466
-# Introduced in version v4.13 3c4d7559159bfe1e3b94df3a657b2cda3a34e218
-# Patched in kernel since v6.3-rc2 49c47cc21b5b7a3d8deb18fc57b0aa2ab1286962
-# Backported in version v5.15.105 0b54d75aa43a1edebc8a3770901f5c3557ee0daa
-# Backported in version v6.1.20 14c17c673e1bba08032d245d5fb025d1cbfee123
-# Backported in version v6.2.7 5231fa057bb0e52095591b303cf95ebd17bc62ce
-CVE_CHECK_IGNORE += "CVE-2023-28466"
+CVE_STATUS[CVE-2023-23005] = "disputed: There are no realistic cases \
+in which a user can cause the alloc_memory_type error case to be reached. \
+See: https://bugzilla.suse.com/show_bug.cgi?id=1208844#c2"
 
-# https://www.linuxkernelcves.com/cves/CVE-2023-28866
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-28866"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-30456
-# Fixed with 6.1.21
-CVE_CHECK_IGNORE += "CVE-2023-30456"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-30772
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-30772"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-31436
-# Fixed with 6.1.26
-CVE_CHECK_IGNORE += "CVE-2023-31436"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-32233
-# Fixed with 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-32233"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-33203
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33203"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-33288
-# Fixed with 6.1.22
-CVE_CHECK_IGNORE += "CVE-2023-33288"
-
-# https://www.linuxkernelcves.com/cves/CVE-2023-34256
-# Fixed in 6.1.29
-CVE_CHECK_IGNORE += "CVE-2023-34256"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35823"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35824"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35826"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35828"
-
-# Backported to 6.1.28
-CVE_CHECK_IGNORE += "CVE-2023-35829"
-
-# Backported to 6.1.33
-CVE_CHECK_IGNORE += "CVE-2023-35788"
+CVE_STATUS[CVE-2023-28464] = "not-applicable-config: Only in 6.3-rc"
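Review bot: the 6.1.28 group is mis-wired: `CVE_STATUS_KERNEL_6128 = "CVE-2023-3268 CVE-2023-35823 CVE-2023-35824 CVE-2023-35826 CVE-2023-35828 CVE-2023-35829"` is followed by `CVE_STATUS_KERNEL_6122[status] = "cpe-stable-backport: Backported in version v6.1.28"`, so the new group never gets a status (those six CVEs will be reported again) and the 6.1.22 group defined earlier in this hunk has its reason silently overwritten with v6.1.28; the flag must be `CVE_STATUS_KERNEL_6128[status]`. Smaller problems in the same hunk: the CVE-2023-28466 status says `v5.15.05` where the comment above it says v5.15.105; the link reads CVE-2023-1999 but the status is set for CVE-2023-1998 (the mismatch predates this patch, but it should be resolved now that the ID is load-bearing); the CVE-2023-3312 comment says 6.2.0 to 6.2.14 while its status says v6.2.0 to v6.2.4; and `not-applicable-config` is the wrong category for CVE-2023-3312 and CVE-2023-28464, which are about the affected version range rather than a build configuration (`cpe-incorrect`, as used for libpng later in this patch, or `fixed-version` fits better).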
diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.40.bb b/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
index 0ef4b82d1c..293bf2858d 100644
--- a/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
+++ b/meta/recipes-multimedia/libpng/libpng_1.6.40.bb
@@ -32,5 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp"
 
 BBCLASSEXTEND = "native nativesdk"
 
-# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_IGNORE += "CVE-2019-17371"
+CVE_STATUS[CVE-2019-17371] = "cpe-incorrect: A memory leak in gif2png 2.x"
diff --git a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
index 5af3f84265..6171a538e5 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.5.1.bb
@@ -15,9 +15,7 @@ SRC_URI[sha256sum] = "d7f38b6788e4a8f5da7940c5ac9424f494d8a79eba53d555f4a507167d
 # exclude betas
 UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar"
 
-# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
-# and 4.3.0 doesn't have the issue
-CVE_CHECK_IGNORE += "CVE-2015-7313"
+CVE_STATUS[CVE-2015-7313] = "fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue"
 
 inherit autotools multilib_header
 
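Review bot: the reason text `and already 4.3.0 doesn't have the issue` is awkward now that it is the recorded status rather than a comment; suggest `fixed-version: Not reproducible with the check from https://security-tracker.debian.org/tracker/CVE-2015-7313; 4.3.0 and later are not affected`.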
diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
index 58f07a116d..524b06ca22 100644
--- a/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
+++ b/meta/recipes-support/libgcrypt/libgcrypt_1.10.2.bb
@@ -29,8 +29,8 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \
            "
 SRC_URI[sha256sum] = "3b9c02a004b68c256add99701de00b383accccf37177e0d6c58289664cce0c03"
 
-# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
+CVE_STATUS[CVE-2018-12433] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
+CVE_STATUS[CVE-2018-12438] = "disputed: CVE is disputed and not affecting crypto libraries for any distro."
 
 BINCONFIG = "${bindir}/libgcrypt-config"
 
diff --git a/meta/recipes-support/libxslt/libxslt_1.1.38.bb b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
index bf35a94b7f..ed5b15badd 100644
--- a/meta/recipes-support/libxslt/libxslt_1.1.38.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.38.bb
@@ -19,9 +19,7 @@ SRC_URI[sha256sum] = "1f32450425819a09acaff2ab7a5a7f8a2ec7956e505d7beeb45e843d0e
 
 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"
 
-# We have libxml2 2.9.14 and we don't link statically with it anyway
-# so this isn't an issue.
-CVE_CHECK_IGNORE += "CVE-2022-29824"
+CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
 
 S = "${WORKDIR}/libxslt-${PV}"
 
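Review bot: the new description drops half of the original justification. The removed comment tied the decision both to the libxml2 version in use (2.9.14) and to the absence of static linking; `not-applicable-config: Static linking to libxml2 is not enabled.` keeps only the linking argument. Keep the version fact in the status text so the reasoning survives a future libxml2 downgrade or a static-linking change, for example `not-applicable-config: libxml2 is 2.9.14 and libxslt is not linked statically against it.`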
diff --git a/meta/recipes-support/lz4/lz4_1.9.4.bb b/meta/recipes-support/lz4/lz4_1.9.4.bb
index d2a25fd5b0..51a854d44a 100644
--- a/meta/recipes-support/lz4/lz4_1.9.4.bb
+++ b/meta/recipes-support/lz4/lz4_1.9.4.bb
@@ -21,8 +21,7 @@ S = "${WORKDIR}/git"
 
 inherit ptest
 
-# Fixed in r118, which is larger than the current version.
-CVE_CHECK_IGNORE += "CVE-2014-4715"
+CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version."
 
 EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
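Review bot: `Fixed in r118, which is larger than the current version.` reads as though the fix is in a release newer than 1.9.4, which would make `fixed-version` the wrong category. If r118 is an older release under the previous numbering scheme, say that plainly in the status text, e.g. `fixed-version: Fixed in r118, which predates the current version.`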
diff --git a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
index f60aca63d2..8783f620f4 100644
--- a/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
+++ b/meta/recipes-support/sqlite/sqlite3_3.42.0.bb
@@ -6,9 +6,3 @@ LIC_FILES_CHKSUM = "file://sqlite3.h;endline=11;md5=786d3dc581eff03f4fd9e4a77ed0
 SRC_URI = "http://www.sqlite.org/2023/sqlite-autoconf-${SQLITE_PV}.tar.gz"
 SRC_URI[sha256sum] = "7abcfd161c6e2742ca5c6c0895d1f853c940f203304a0b49da4e1eca5d088ca6"
 
-# -19242 is only an issue in specific development branch commits
-CVE_CHECK_IGNORE += "CVE-2019-19242"
-# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_IGNORE += "CVE-2015-3717"
-# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_IGNORE += "CVE-2021-36690"
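Review bot: this hunk removes the ignores for CVE-2019-19242, CVE-2015-3717 and CVE-2021-36690 without adding CVE_STATUS replacements, so unless they were moved to a file not shown in this patch (sqlite3.inc, for instance) all three will be reported as vulnerable again. If dropping them is intentional the commit message should say so; otherwise carry the original reasons over, e.g. `CVE_STATUS[CVE-2021-36690] = "not-applicable-config: Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f"` and `cpe-incorrect` for the development-branch-only CVE-2019-19242.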
-- 
2.41.0
* Re: [OE-core][PATCH v9 0/3] CVE-check handling
  2023-07-19 12:03           ` Valek, Andrej
@ 2023-07-20 16:41             ` Marta Rybczynska
  0 siblings, 0 replies; 73+ messages in thread
From: Marta Rybczynska @ 2023-07-20 16:41 UTC (permalink / raw)
  To: andrej.valek; +Cc: richard.purdie, Ross.Burton, openembedded-core

On Wed, Jul 19, 2023 at 2:03 PM Andrej Valek via lists.openembedded.org
<andrej.valek=siemens.com@lists.openembedded.org> wrote:

> Even better,
>
> So I will make one more rebase, just for "[OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS"
>
This version looks best of all I've seen. Let's get it in in this
version. I'll have a patchset to fix a few issues after we get multiple
fetchers in. I *think* I will be able to use it with multi-fetchers.

Kind regards,
Marta

Thread overview: 73+ messages
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36   ` Valek, Andrej
2023-05-05 11:59     ` Richard Purdie
2023-05-08  8:57       ` adrian.freihofer
2023-05-09  9:02         ` Ross Burton
2023-05-09  9:16           ` Richard Purdie
2023-05-09  9:32           ` Mikko Rapeli
2023-05-09 21:37             ` Douglas Royds
2023-05-10  6:56               ` Mikko Rapeli
2023-05-09  8:19 ` Michael Opdenacker
2023-05-17  5:41 ` [OE-core][PATCH v2] " Andrej Valek
2023-05-17 11:08   ` Mikko Rapeli
2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19  6:56   ` Mikko Rapeli
2023-05-19  7:44   ` Michael Opdenacker
2023-05-19 13:11   ` Marta Rybczynska
2023-05-20  7:43     ` Valek, Andrej
2023-05-22  7:57     ` Mikko Rapeli
2023-05-23  8:41       ` Valek, Andrej
2023-05-29  7:32         ` Valek, Andrej
2023-05-30 10:12           ` Richard Purdie
2023-06-02 21:10             ` adrian.freihofer
2023-06-02 21:27               ` Richard Purdie
2023-06-04  9:59                 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  7:52                   ` Richard Purdie
2023-05-19  6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19  9:17   ` Mikko Rapeli
2023-05-19 13:09   ` Michael Opdenacker
2023-05-19 13:19     ` Valek, Andrej
2023-05-23 11:39       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57   ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47     ` Richard Purdie
2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01     ` Valek, Andrej
2023-06-12 11:59   ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21  5:07     ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  6:48       ` [PATCH " Siddharth
2023-06-21  7:55     ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15   ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42     ` Luca Ceresoli
2023-06-22 13:50       ` Valek, Andrej
2023-06-22 13:55         ` Luca Ceresoli
2023-06-22 13:59           ` Valek, Andrej
2023-06-22 14:07             ` Valek, Andrej
2023-06-22 16:24               ` Luca Ceresoli
2023-06-22  6:59   ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02     ` Ross Burton
2023-06-23 11:22       ` Valek, Andrej
2023-06-22 12:00   ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26     ` Valek, Andrej
2023-07-19 10:54       ` Richard Purdie
2023-07-19 11:16         ` Ross Burton
2023-07-19 12:03           ` Valek, Andrej
2023-07-20 16:41             ` Marta Rybczynska
2023-06-23 11:14   ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20  7:19   ` [OE-core][PATCH] " Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek