mirrors/meta-openembedded
1
0
Fork 0
mirror of https://github.com/openembedded/meta-openembedded.git synced 2026-04-20 23:48:20 +00:00
Code Issues Projects Releases Wiki Activity

cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

Browse Source 
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
  version

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
This commit is contained in:
Andrej Valek
2023-07-26 11:50:09 +02:00
committed by Khem Raj
parent 4c201ede93
commit 8af2f17a6f
33 changed files with 60 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
meta-initramfs/recipes-devtools/dracut/dracut_056.bb
View File

@@ -68,5 +68,4 @@ RRECOMMENDS:${PN} = " \
coreutils \ coreutils \
" "
# CVE-2010-4176 affects only Fedora CVE_STATUS[CVE-2010-4176] = "not-applicable-platform: Applies only to Fedora"
CVE_CHECK_IGNORE += "CVE-2010-4176"

6
meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb
View File

@@ -43,10 +43,8 @@ SRCREV = "d956f683d37ea40e7977cc5907361f3e6988a439"
UPSTREAM_CHECK_GITTAGREGEX = "release_(?P<pver>\d+(\_\d+)+)" UPSTREAM_CHECK_GITTAGREGEX = "release_(?P<pver>\d+(\_\d+)+)"
CVE_CHECK_IGNORE = "\ CVE_CHECK_STATUS[CVE-2002-0318] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2002-0318 \ CVE_CHECK_STATUS[CVE-2011-4966] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2011-4966 \
"
PARALLEL_MAKE = "" PARALLEL_MAKE = ""

6
meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb
View File

@@ -57,10 +57,8 @@ BBCLASSEXTEND = "native nativesdk"
CVE_PRODUCT = "mbed_tls" CVE_PRODUCT = "mbed_tls"
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 CVE_STATUS[CVE-2021-43666] = "backported-patch: Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310"
CVE_CHECK_IGNORE += "CVE-2021-43666" CVE_STATUS[CVE-2021-43666] = "backported-patch: Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c"
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
CVE_CHECK_IGNORE += "CVE-2021-45451"
# Strip host paths from autogenerated test files # Strip host paths from autogenerated test files
do_compile:append() { do_compile:append() {

5
meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb
View File

@@ -58,11 +58,6 @@ BBCLASSEXTEND = "native nativesdk"
CVE_PRODUCT = "mbed_tls" CVE_PRODUCT = "mbed_tls"
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310
CVE_CHECK_IGNORE += "CVE-2021-43666"
# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c
CVE_CHECK_IGNORE += "CVE-2021-45451"
# Strip host paths from autogenerated test files # Strip host paths from autogenerated test files
do_compile:append() { do_compile:append() {
sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || :

9
meta-networking/recipes-connectivity/openthread/wpantund_git.bb
View File

@@ -22,11 +22,8 @@ S = "${WORKDIR}/git"
inherit pkgconfig perlnative autotools inherit pkgconfig perlnative autotools
# CVE-2020-8916 has been fixed in commit
# 3f108441e23e033b936e85be5b6877dd0a1fbf1c which is included in the SRCREV
# CVE-2021-33889 has been fixed in commit
# a8f3f761f6753b567d1e5ad22cbe6b0ceb6f2649 which is included in the SRCREV
# There has not been a wpantund release as of yet that includes these fixes. # There has not been a wpantund release as of yet that includes these fixes.
# That means cve-check can not match them. Once a new release comes we can # That means cve-check can not match them. Once a new release comes we can
# remove the ignore statement. # remove the statement.
CVE_CHECK_IGNORE = "CVE-2020-8916 CVE-2021-33889" CVE_STATUS[CVE-2020-8916] = "backported-patch: fixed via 3f108441e23e033b936e85be5b6877dd0a1fbf1c"
CVE_STATUS[CVE-2021-33889] = "backported-patch: fixed via 3f108441e23e033b936e85be5b6877dd0a1fbf1c"

7
meta-networking/recipes-connectivity/samba/samba_4.18.4.bb
View File

@@ -38,12 +38,7 @@ UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.18(\.\d+)+).tar.gz"
inherit systemd waf-samba cpan-base perlnative update-rc.d perl-version pkgconfig inherit systemd waf-samba cpan-base perlnative update-rc.d perl-version pkgconfig
# CVE-2011-2411 is valnerble only on HP NonStop Servers. CVE_STATUS[CVE-2011-2411] = "not-applicable-platform: vulnerable only on HP NonStop Servers"
CVE_CHECK_IGNORE += "CVE-2011-2411"
# Patch for CVE-2018-1050 is applied in version 4.5.15, 4.6.13, 4.7.5.
CVE_CHECK_IGNORE += "CVE-2018-1050"
# Patch for CVE-2018-1057 is applied in version 4.3.13, 4.4.16.
CVE_CHECK_IGNORE += "CVE-2018-1057"
# remove default added RDEPENDS on perl # remove default added RDEPENDS on perl
RDEPENDS:${PN}:remove = "perl" RDEPENDS:${PN}:remove = "perl"

22
meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb
View File

@@ -46,18 +46,16 @@ PACKAGECONFIG[tls] = ",tls=no,mbedtls"
CVE_PRODUCT = "apple:mdnsresponder" CVE_PRODUCT = "apple:mdnsresponder"
# CVE-2007-0613 is not applicable as it only affects Apple products CVE_STATUS[CVE-2007-0613] = "not-applicable-platform: Issue affects Apple products \
# i.e. ichat,mdnsresponder, instant message framework and MacOS. i.e. ichat,mdnsresponder, instant message framework and MacOS. Also, \
# Also, https://www.exploit-db.com/exploits/3230 shows the part of code https://www.exploit-db.com/exploits/3230 shows the part of code \
# affected by CVE-2007-0613 which is not preset in upstream source code. affected by CVE-2007-0613 which is not preset in upstream source code. \
# Hence, CVE-2007-0613 does not affect other Yocto implementations and Hence, CVE-2007-0613 does not affect other Yocto implementations and \
# is not reported for other distros can be marked whitelisted. is not reported for other distros can be marked whitelisted. \
# Links: Links: https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 \
# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 \
# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 https://security-tracker.debian.org/tracker/CVE-2007-0613 \
# https://security-tracker.debian.org/tracker/CVE-2007-0613 https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613"
# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613
CVE_CHECK_IGNORE += "CVE-2007-0613"
PARALLEL_MAKE = "" PARALLEL_MAKE = ""

12
meta-networking/recipes-protocols/openflow/openflow.inc
View File

@@ -13,10 +13,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2"
SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master" SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master"
CVE_CHECK_IGNORE = "\ CVE_STATUS[CVE-2015-1611] = "not-applicable-config: Not referred to our implementation of openflow"
CVE-2015-1611 \ CVE_STATUS[CVE-2015-1612] = "not-applicable-config: Not referred to our implementation of openflow"
CVE-2015-1612 \ CVE_STATUS[CVE-2018-1078] = "cpe-incorrect: This CVE is not for this product but cve-check assumes it is \
" because two CPE collides when checking the NVD database"
DEPENDS = "virtual/libc" DEPENDS = "virtual/libc"
@@ -58,7 +58,3 @@ do_install:append() {
} }
FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" FILES:${PN} += "${nonarch_libdir}/tmpfiles.d"
# This CVE is not for this product but cve-check assumes it is
# because two CPE collides when checking the NVD database
CVE_CHECK_IGNORE = "CVE-2018-1078"

3
meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb
View File

@@ -71,5 +71,4 @@ FILES:${PN}-staticdev += "${libdir}/dovecot/*/*.a"
FILES:${PN}-dev += "${libdir}/dovecot/libdovecot*.so" FILES:${PN}-dev += "${libdir}/dovecot/libdovecot*.so"
FILES:${PN}-dbg += "${libdir}/dovecot/*/.debug" FILES:${PN}-dbg += "${libdir}/dovecot/*/.debug"
# CVE-2016-4983 affects only postinstall script on specific distribution CVE_STATUS[CVE-2016-4983] = "not-applicable-platform: Affects only postinstall script on specific distribution."
CVE_CHECK_IGNORE += "CVE-2016-4983"

12
meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb
View File

@@ -26,12 +26,11 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g
SRC_URI[sha256sum] = "103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866" SRC_URI[sha256sum] = "103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866"
# CVE-2016-9312 is only for windows. CVE_STATUS[CVE-2016-9312] = "not-applicable-platform: Issue only applies on Windows"
# CVE-2019-11331 is inherent to RFC 5905 and cannot be fixed without breaking compatibility CVE_STATUS[CVE-2019-11331] = "upstream-wontfix: inherent to RFC 5905 and cannot be fixed without breaking compatibility"
# The other CVEs are not correctly identified because cve-check CVE_STATUS_GROUPS += "CVE_STATUS_NTP"
# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference) CVE_STATUS_NTP[status] = "fixed-version: Yocto CVE check can not handle 'p' in ntp version"
CVE_CHECK_IGNORE += "\ CVE_STATUS_NTP = " \
CVE-2016-9312 \
CVE-2015-5146 \ CVE-2015-5146 \
CVE-2015-5300 \ CVE-2015-5300 \
CVE-2015-7975 \ CVE-2015-7975 \
@@ -51,7 +50,6 @@ CVE_CHECK_IGNORE += "\
CVE-2016-7433 \ CVE-2016-7433 \
CVE-2016-9310 \ CVE-2016-9310 \
CVE-2016-9311 \ CVE-2016-9311 \
CVE-2019-11331 \
" "

3
meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb
View File

@@ -16,8 +16,7 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads"
SRC_URI[sha256sum] = "13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6" SRC_URI[sha256sum] = "13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6"
# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn"
CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569"
INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_PACKAGES = "${PN}"
INITSCRIPT_NAME:${PN} = "openvpn" INITSCRIPT_NAME:${PN} = "openvpn"

6
meta-networking/recipes-support/spice/spice_git.bb
View File

@@ -30,11 +30,7 @@ SRC_URI = " \
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2018-10893] = "fixed-version: patched already, caused by inaccurate CPE in the NVD database."
CVE-2016-0749 \
CVE-2016-2150 \
CVE-2018-10893 \
"
inherit autotools gettext python3native python3-dir pkgconfig inherit autotools gettext python3native python3-dir pkgconfig

7
meta-oe/dynamic-layers/meta-python/recipes-dbs/mongodb/mongodb_git.bb
View File

@@ -50,11 +50,8 @@ SRC_URI:append:toolchain-clang = "\
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2014-8180] = "not-applicable-config: Not affecting our configuration so it can be safely ignored."
CVE-2014-8180 \ CVE_STATUS[CVE-2017-2665] = "not-applicable-config: Not affecting our configuration so it can be safely ignored."
CVE-2017-18381 \
CVE-2017-2665 \
"
COMPATIBLE_HOST ?= '(x86_64|i.86|powerpc64|arm|aarch64).*-linux' COMPATIBLE_HOST ?= '(x86_64|i.86|powerpc64|arm|aarch64).*-linux'

4
meta-oe/recipes-connectivity/libtorrent/libtorrent_git.bb
View File

@@ -9,9 +9,7 @@ DEPENDS = "zlib libsigc++-2.0 openssl cppunit"
SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https" SRC_URI = "git://github.com/rakshasa/libtorrent;branch=master;protocol=https"
SRCREV = "e60f222241319aaae482789517ad00ae9344bd13" SRCREV = "e60f222241319aaae482789517ad00ae9344bd13"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2009-1760] = "backported-patch: patched in our product"
CVE-2009-1760 \
"
PV = "0.13.8+git${SRCPV}" PV = "0.13.8+git${SRCPV}"

8
meta-oe/recipes-core/emlog/emlog_git.bb
View File

@@ -25,11 +25,9 @@ do_install() {
RRECOMMENDS:${PN} += "kernel-module-emlog" RRECOMMENDS:${PN} += "kernel-module-emlog"
# The NVD database doesn't have a CPE for this product, CVE_STATUS_GROUPS += "CVE_STATUS_EMLOG"
# the name of this product is exactly the same as github.com/emlog/emlog CVE_STATUS_EMLOG[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."
# but it's not related in any way. The following CVEs are from that project CVE_STATUS_EMLOG = " \
# so they can be safely ignored
CVE_CHECK_IGNORE += "\
CVE-2019-16868 \ CVE-2019-16868 \
CVE-2019-17073 \ CVE-2019-17073 \
CVE-2021-44584 \ CVE-2021-44584 \

4
meta-oe/recipes-dbs/postgresql/postgresql_15.3.bb
View File

@@ -13,6 +13,4 @@ SRC_URI += "\
SRC_URI[sha256sum] = "ffc7d4891f00ffbf5c3f4eab7fbbced8460b8c0ee63c5a5167133b9e6599d932" SRC_URI[sha256sum] = "ffc7d4891f00ffbf5c3f4eab7fbbced8460b8c0ee63c5a5167133b9e6599d932"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2017-8806] = "not-applicable-config: Ddoesn't apply to out configuration of postgresql so we can safely ignore it."
CVE-2017-8806 \
"

2
meta-oe/recipes-devtools/flatbuffers/flatbuffers.bb
View File

@@ -15,8 +15,6 @@ RDEPENDS:${PN}-dev += "${PN}-compiler"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
CVE_CHECK_IGNORE += "CVE-2020-35864"
EXTRA_OECMAKE += " \ EXTRA_OECMAKE += " \
-DFLATBUFFERS_BUILD_TESTS=OFF \ -DFLATBUFFERS_BUILD_TESTS=OFF \
-DFLATBUFFERS_BUILD_SHAREDLIB=ON \ -DFLATBUFFERS_BUILD_SHAREDLIB=ON \

4
meta-oe/recipes-devtools/php/php_8.2.8.bb
View File

@@ -36,7 +36,9 @@ SRC_URI:append:class-target = " \
S = "${WORKDIR}/php-${PV}" S = "${WORKDIR}/php-${PV}"
SRC_URI[sha256sum] = "995ed4009c7917c962d31837a1a3658f36d4af4f357b673c97ffdbe6403f8517" SRC_URI[sha256sum] = "995ed4009c7917c962d31837a1a3658f36d4af4f357b673c97ffdbe6403f8517"
CVE_CHECK_IGNORE += "\ CVE_STATUS_GROUPS += "CVE_STATUS_PHP"
CVE_STATUS_PHP[status] = "fixed-version: The name of this product is exactly the same as github.com/emlog/emlog. CVE can be safely ignored."
CVE_STATUS_PHP = " \
CVE-2007-2728 \ CVE-2007-2728 \
CVE-2007-3205 \ CVE-2007-3205 \
CVE-2007-4596 \ CVE-2007-4596 \

4
meta-oe/recipes-devtools/uw-imap/uw-imap_2007f.bb
View File

@@ -22,9 +22,7 @@ SRC_URI[sha256sum] = "53e15a2b5c1bc80161d42e9f69792a3fa18332b7b771910131004eb520
S = "${WORKDIR}/imap-${PV}" S = "${WORKDIR}/imap-${PV}"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2005-0198] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2005-0198 \
"
PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}" PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'pam', d)}"
PACKAGECONFIG[pam] = ",,libpam" PACKAGECONFIG[pam] = ",,libpam"

4
meta-oe/recipes-extended/libimobiledevice/libplist_2.3.0.bb
View File

@@ -14,7 +14,9 @@ SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=mast
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
PR = "r1" PR = "r1"
CVE_CHECK_IGNORE += "\ CVE_STATUS_GROUPS += "CVE_STATUS_LIBLIST"
CVE_STATUS_LIBLIST[status] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE_STATUS_LIBLIST = " \
CVE-2017-5834 \ CVE-2017-5834 \
CVE-2017-5835 \ CVE-2017-5835 \
CVE-2017-5836 \ CVE-2017-5836 \

4
meta-oe/recipes-extended/libimobiledevice/libplist_git.bb
View File

@@ -15,7 +15,9 @@ SRC_URI = "git://github.com/libimobiledevice/libplist;protocol=https;branch=mast
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
CVE_CHECK_IGNORE += "\ CVE_STATUS_GROUPS += "CVE_STATUS_LIBLIST"
CVE_STATUS_LIBLIST[status] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE_STATUS_LIBLIST = " \
CVE-2017-5834 \ CVE-2017-5834 \
CVE-2017-5835 \ CVE-2017-5835 \
CVE-2017-5836 \ CVE-2017-5836 \

3
meta-oe/recipes-extended/libzip/libzip_1.10.0.bb
View File

@@ -23,7 +23,4 @@ SRC_URI = "https://libzip.org/download/libzip-${PV}.tar.xz"
SRC_URI[sha256sum] = "cd2a7ac9f1fb5bfa6218272d9929955dc7237515bba6e14b5ad0e1d1e2212b43" SRC_URI[sha256sum] = "cd2a7ac9f1fb5bfa6218272d9929955dc7237515bba6e14b5ad0e1d1e2212b43"
# Patch for CVE-2017-12858 is applied in version 1.2.0.
CVE_CHECK_IGNORE += "CVE-2017-12858"
BBCLASSEXTEND += "native" BBCLASSEXTEND += "native"

4
meta-oe/recipes-extended/sanlock/sanlock_3.8.5.bb
View File

@@ -21,9 +21,7 @@ SRCREV = "b820c63093c4ae85d7da4f719cf3026d7fca5d09"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2012-5638] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2012-5638 \
"
DEPENDS = "libaio util-linux" DEPENDS = "libaio util-linux"

4
meta-oe/recipes-extended/sblim-sfcb/sblim-sfcb_1.4.9.bb
View File

@@ -34,9 +34,7 @@ SRC_URI = "http://downloads.sourceforge.net/sblim/${BP}.tar.bz2 \
SRC_URI[md5sum] = "28021cdabc73690a94f4f9d57254ce30" SRC_URI[md5sum] = "28021cdabc73690a94f4f9d57254ce30"
SRC_URI[sha256sum] = "634a67b2f7ac3b386a79160eb44413d618e33e4e7fc74ae68b0240484af149dd" SRC_URI[sha256sum] = "634a67b2f7ac3b386a79160eb44413d618e33e4e7fc74ae68b0240484af149dd"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2012-3381] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2012-3381 \
"
inherit autotools inherit autotools
inherit systemd inherit systemd

4
meta-oe/recipes-graphics/graphviz/graphviz_8.1.0.bb
View File

@@ -29,10 +29,6 @@ SRC_URI:append:class-nativesdk = "\
" "
SRC_URI[sha256sum] = "d593695fdaa8a19297523b679ad13d3ef2027b0b7f14cc2bc23e77969ed81565" SRC_URI[sha256sum] = "d593695fdaa8a19297523b679ad13d3ef2027b0b7f14cc2bc23e77969ed81565"
CVE_CHECK_IGNORE += "\
CVE-2014-9157 \
"
PACKAGECONFIG ??= "librsvg" PACKAGECONFIG ??= "librsvg"
PACKAGECONFIG[librsvg] = "--with-librsvg,--without-librsvg,librsvg" PACKAGECONFIG[librsvg] = "--with-librsvg,--without-librsvg,librsvg"

4
meta-oe/recipes-graphics/jasper/jasper_2.0.33.bb
View File

@@ -6,9 +6,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=a80440d1d8f17d041c71c7271d6e06eb"
SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master" SRC_URI = "git://github.com/jasper-software/jasper.git;protocol=https;branch=master"
SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973" SRCREV = "fe00207dc10db1d7cc6f2757961c5c6bdfd10973"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2015-8751] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2015-8751 \
"
S = "${WORKDIR}/git" S = "${WORKDIR}/git"

3
meta-oe/recipes-graphics/libsdl/libsdl_1.2.15.bb
View File

@@ -81,5 +81,4 @@ do_configure:prepend() {
BBCLASSEXTEND = "native nativesdk" BBCLASSEXTEND = "native nativesdk"
#CVE-2019-14906 is a RHEL specific vulnerability. CVE_STATUS[CVE-2019-14906] = "not-applicable-platform: Applies on RHEL only"
CVE_CHECK_IGNORE += "CVE-2019-14906"

3
meta-oe/recipes-networking/cyrus-sasl/cyrus-sasl_2.1.28.bb
View File

@@ -95,6 +95,3 @@ FILES:${PN}-dbg += "${libdir}/sasl2/.debug"
FILES:${PN}-staticdev += "${libdir}/sasl2/*.a" FILES:${PN}-staticdev += "${libdir}/sasl2/*.a"
INSANE_SKIP:${PN} += "dev-so" INSANE_SKIP:${PN} += "dev-so"
# CVE-2020-8032 affects only openSUSE
CVE_CHECK_IGNORE += "CVE-2020-8032"

4
meta-oe/recipes-support/atop/atop_2.4.0.bb
View File

@@ -24,9 +24,7 @@ SRC_URI = "http://www.atoptool.nl/download/${BP}.tar.gz \
SRC_URI[md5sum] = "1077da884ed94f2bc3c81ac3ab970436" SRC_URI[md5sum] = "1077da884ed94f2bc3c81ac3ab970436"
SRC_URI[sha256sum] = "be1c010a77086b7d98376fce96514afcd73c3f20a8d1fe01520899ff69a73d69" SRC_URI[sha256sum] = "be1c010a77086b7d98376fce96514afcd73c3f20a8d1fe01520899ff69a73d69"
CVE_CHECK_IGNORE += "\ CVE_STATUS[CVE-2011-3618] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2011-3618 \
"
do_compile() { do_compile() {
oe_runmake all oe_runmake all

4
meta-oe/recipes-support/emacs/emacs_28.2.bb
View File

@@ -11,9 +11,7 @@ SRC_URI:append:class-target = " file://usemake-docfile-native.patch"
SRC_URI[sha256sum] = "ee21182233ef3232dc97b486af2d86e14042dbb65bbc535df562c3a858232488" SRC_URI[sha256sum] = "ee21182233ef3232dc97b486af2d86e14042dbb65bbc535df562c3a858232488"
CVE_CHECK_IGNORE = "\ CVE_CHECK_STATUS[CVE-2007-6109] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2007-6109 \
"
PACKAGECONFIG[gnutls] = "--with-gnutls=yes,--with-gnutls=no,gnutls" PACKAGECONFIG[gnutls] = "--with-gnutls=yes,--with-gnutls=no,gnutls"
PACKAGECONFIG[kerberos] = "--with-kerberos=yes,--with-kerberos=no,krb5" PACKAGECONFIG[kerberos] = "--with-kerberos=yes,--with-kerberos=no,krb5"

12
meta-oe/recipes-support/nss/nss_3.74.bb
View File

@@ -283,12 +283,8 @@ BBCLASSEXTEND = "native nativesdk"
CVE_PRODUCT += "network_security_services" CVE_PRODUCT += "network_security_services"
# CVE-2006-5201 affects only Sun Solaris CVE_STATUS_GROUPS += "CVE_STATUS_NSS"
CVE_CHECK_IGNORE += "CVE-2006-5201" CVE_STATUS_NSS[status] = "not-applicable-config: This only affect the legacy db (libnssdbm), only compiled with --enable-legacy-db"
CVE_STATUS_NSS = "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
# CVES CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698 only affect CVE_STATUS[CVE-2022-3479] = "not-applicable-config: vulnerability was introduced in 3.77 and fixed in 3.87"
# the legacy db (libnssdbm), only compiled with --enable-legacy-db.
CVE_CHECK_IGNORE += "CVE-2017-11695 CVE-2017-11696 CVE-2017-11697 CVE-2017-11698"
# vulnerability was introduced in 3.77 and fixed in 3.87
CVE_CHECK_IGNORE += "CVE-2022-3479"

3
meta-oe/recipes-support/openldap/openldap_2.5.13.bb
View File

@@ -233,6 +233,3 @@ python populate_packages:prepend () {
} }
BBCLASSEXTEND = "native" BBCLASSEXTEND = "native"
# CVE-2015-3276 has no target code.
CVE_CHECK_IGNORE += "CVE-2015-3276"

6
meta-oe/recipes-support/pidgin/pidgin_2.14.2.bb
View File

@@ -15,10 +15,8 @@ SRC_URI = "\
SRC_URI[sha256sum] = "19654ad276b149646371fbdac21bc7620742f2975f7399fed0ffc1a18fbaf603" SRC_URI[sha256sum] = "19654ad276b149646371fbdac21bc7620742f2975f7399fed0ffc1a18fbaf603"
CVE_CHECK_IGNORE += "\ CVE_CHECK_STATUS[CVE-2010-1624] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2010-1624 \ CVE_CHECK_STATUS[CVE-2011-3594] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions."
CVE-2011-3594 \
"
PACKAGECONFIG ??= "gnutls consoleui avahi dbus idn nss \ PACKAGECONFIG ??= "gnutls consoleui avahi dbus idn nss \
${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtk startup-notification', '', d)} \ ${@bb.utils.contains('DISTRO_FEATURES', 'x11', 'x11 gtk startup-notification', '', d)} \