On Fri, 2023-05-05 at 11:36 +0000, Valek, Andrej wrote:
> On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> > On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
> > lists.openembedded.org wrote:
> > > CVE_CHECK_PATCHED - should contain additional CVEs which have
> > > been
> > > fixed and shouldn't be marked as vulnerable nor ignored.
> > >
> > > Signed-off-by: Andrej Valek <andrej.va...@siemens.com>
> > > ---
> > > meta/classes/cve-check.bbclass | 8 ++++++++
> > > 1 file changed, 8 insertions(+)
> > >
> > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > > check.bbclass
> > > index bd9e7e7445c..957ea0130dc 100644
> > > --- a/meta/classes/cve-check.bbclass
> > > +++ b/meta/classes/cve-check.bbclass
> > > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> > > #
> > > CVE_CHECK_IGNORE ?= ""
> > >
> > > +# Usually a CVE gets treated as patched when a patch with the name
> > > of the CVE
> > > +# gets applied. Basically this variable should not be used. But if
> > > there are
> > > +# other reasons to mark a CVE as patched it can be added to this
> > > list.
> > > +CVE_CHECK_PATCHED ?= ""
> >
> > We're not adding variables which are documented as "Basically this
> > variable should not be used.". If you shouldn't need/use it, we don't
> > need it.
> Ok, maybe I should change the description a little bit. Do you have
> some other preference?
> >
> > Can't you just use the ignore variable for the same end result?
> Nope. If I use an ignore list, the output in the SBOM will be set to
> "ignored", which is wrong, because it has been fixed. And that's the
> reason.
>
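Review bot: the comment the hunk adds above `CVE_CHECK_PATCHED ?= ""` documents the new variable as one that "Basically ... should not be used", which argues against introducing it at all; state the intended use instead, which the commit message gives as CVEs that have been fixed by some means other than a patch carrying the CVE name and that must therefore not be reported as vulnerable or as ignored, along the lines of `# CVEs fixed by means other than a patch named after the CVE, which should` / `# be reported as patched rather than ignored.` The hunk itself only declares the default while the diffstat counts 8 insertions, so the code that consumes the variable is not in the quoted part; the commit message should say how entries in this list are reported in the CVE report and SBOM, since the "patched" versus "ignored" status is the whole motivation for not reusing CVE_CHECK_IGNORE.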
I suspect "ignored" is a bad way to describe things. Ignore might mean the issue doesn't apply, has been fixed in some way or we really are ignoring it. What does the SBOM spec say about different field values? Should we be providing more reasoning than just adding to an ignore list?

I'm a bit worried we're not solving the real problem here by adding a new variable we tell people not to use.

Cheers,

Richard
View/Reply Online (#180915): https://lists.openembedded.org/g/openembedded-core/message/180915