On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via lists.openembedded.org wrote:
> > CVE_CHECK_PATCHED - should contain additional CVEs which have been
> > fixed and shouldn't be marked as vulnerable nor ignored.
> >
> > Signed-off-by: Andrej Valek <andrej.va...@siemens.com>
> > ---
> > meta/classes/cve-check.bbclass | 8 ++++++++
> > 1 file changed, 8 insertions(+)
> >
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > check.bbclass
> > index bd9e7e7445c..957ea0130dc 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> > #
> > CVE_CHECK_IGNORE ?= ""
> >
> > +# Usually a CVE gets treated as patched when a patch with the name
> > of the CVE
> > +# gets applied. Basically this variable should not be used. But if
> > there are
> > +# other reasons to mark a CVE as patched it can be added to this
> > list.
> > +CVE_CHECK_PATCHED ?= ""
>
> We're not adding variables which are documented as "Basically this
> variable should not be used.". If you shouldn't need/use it, we don't
> need it.

Ok, maybe I should change the description a little bit. Do you have some other preference?

>
> Can't you just use the ignore variable for the same end result?

Nope. If I use an ignore list, the output in the SBOM will be set to "ignored", which is wrong, because it has been fixed. And that's the reason.

>
> Cheers,
>
> Richard
>

Regards,
Andrej
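
Review bot: The comment added above CVE_CHECK_PATCHED says "Basically this variable should not be used", which gives no guidance on when setting it is appropriate and does not say how it differs from CVE_CHECK_IGNORE directly above it. Suggest replacing that sentence with the concrete case the variable is for: CVEs that are fixed by some means other than an applied patch named after the CVE, so that they are reported as patched rather than ignored. The diffstat lists 8 insertions but only the comment and the empty default are visible in this quote, so the code that reads CVE_CHECK_PATCHED cannot be checked here.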