- The 'upstream-wontfix' is to be used when the CVE is accepted by the
  upstream, but they are not planning to fix it.
- If the version used in Yocto is vulnerable, it should not have
  "Ignored" status. The package is still exploitable by the CVE.
- Also, when the status is exported out of the SDK, it would be
  incorrect to put it under Ignored category.

Signed-off-by: Dhairya Nagodra <dnago...@cisco.com>
---
 meta/conf/cve-check-map.conf | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index b9df41a6f3..7ff53f5601 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -15,6 +15,8 @@ CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
 CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
 # use when CVE fix is not compatible to the current version and cannot be 
backported.
 CVE_CHECK_STATUSMAP[cannot-backport] = "Unpatched"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"
 
 # used for migration from old concept, do not use for new vulnerabilities
 CVE_CHECK_STATUSMAP[ignored] = "Ignored"
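Review bot: This hunk changes the reported status of every recipe that already uses `upstream-wontfix` in CVE_STATUS (their CVEs move from the "Ignored" to the "Unpatched" section of the generated reports), and the commit message should say so explicitly as a behaviour change rather than only giving the rationale. Since the comment line is moved verbatim, consider also extending it to make the new semantics unambiguous to recipe authors, e.g. `# use when upstream acknowledged the vulnerability but does not plan to fix it; the package remains vulnerable, so it is reported as Unpatched`.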
@@ -26,5 +28,3 @@ CVE_CHECK_STATUSMAP[disputed] = "Ignored"
 CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
 # use when vulnerability affects other platform (e.g. Windows or Debian)
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
-# use when upstream acknowledged the vulnerability but does not plan to fix it
-CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
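Review bot: After this removal the "Ignored" block holds only entries where the code is not actually affected (`disputed`, `not-applicable-config`, `not-applicable-platform`) plus the legacy `ignored`, which is exactly the distinction the commit message draws; it would be worth capturing that in the file with a one-line section comment, similar to the one above `ignored`, stating that "Ignored" is reserved for statuses where the built package is not exploitable. That way the next contributor does not re-add a wontfix-style status here for the same reason this one was originally placed in this block.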
View/Reply Online (#202425): 
https://lists.openembedded.org/g/openembedded-core/message/202425