From 9e38c37a62c181d340af68db6b10f27840d17ffc Mon Sep 17 00:00:00 2001 From: Peter Marko Date: Sat, 3 Jan 2026 09:48:32 +0100 Subject: [PATCH] sassc: ignore CVE-2022-43357 This CVE is fixed in current libsass recipe version. So wrapper around it will also not show this problem. It's usual usecase is to be statically linked with libsass which is probably the reason why this is listed as vulnerable component. [1] links [2] as issue tracker which points to [3] as fix. [4] as base repository for the recipe is not involved and files from [3] are not present in this repository. [1] https://nvd.nist.gov/vuln/detail/CVE-2022-43357 [2] https://github.com/sass/libsass/issues/3177 [3] https://github.com/sass/libsass/pull/3184 [4] https://github.com/sass/sassc/ Signed-off-by: Peter Marko Signed-off-by: Khem Raj (cherry picked from commit 576b84263bac4dda26d84d116a9e7628a126f866) Adapted to Kirkstone (CVE_STATUS -> CVE_CHECK_IGNORE) Kirkstone has also the fixed libsass version (3.6.6), the CVE can be considered fixed. Signed-off-by: Gyorgy Sarvari --- meta-oe/recipes-support/sass/sassc_git.bb | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta-oe/recipes-support/sass/sassc_git.bb b/meta-oe/recipes-support/sass/sassc_git.bb index 9bb8c76e87..12e201a3d7 100644 --- a/meta-oe/recipes-support/sass/sassc_git.bb +++ b/meta-oe/recipes-support/sass/sassc_git.bb @@ -11,4 +11,7 @@ SRCREV = "66f0ef37e7f0ad3a65d2f481eff09d09408f42d0" S = "${WORKDIR}/git" PV = "3.6.2" +# cpe-incorrect: this is CVE for libsass, not sassc wrapper +CVE_CHECK_IGNORE = "CVE-2022-43357" + BBCLASSEXTEND = "native"