Hi Richard,

JFYI, it seems that keeping the same name, conf/cve-check-map.conf, also doesn't work. Logs are attached at the bottom. Maybe due to the 'meta' dir?

BTW, your new patch (bitbake.conf: Include cve-check-map earlier, before distro) should allow it to work.

> -----Original Message-----
> From: Richard Purdie <richard.pur...@linuxfoundation.org>
> Sent: Monday, August 12, 2024 3:46 PM
> To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <dnago...@cisco.com>; Marko, Peter <peter.ma...@siemens.com>; Marta Rybczynska <rybczyn...@gmail.com>; openembedded-c...@lists.openembedded.org
> Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
> Subject: Re: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>
> On Mon, 2024-08-12 at 10:08 +0000, Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) wrote:
>>
>> > -----Original Message-----
>> > From: Marko, Peter <peter.ma...@siemens.com>
>> > Sent: Wednesday, August 7, 2024 4:04 PM
>> > To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <dnago...@cisco.com>; Richard Purdie <richard.pur...@linuxfoundation.org>; Marta Rybczynska <rybczyn...@gmail.com>; openembedded-c...@lists.openembedded.org
>> > Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>> >
>> > > -----Original Message-----
>> > > From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco) <dnago...@cisco.com>
>> > > Sent: Wednesday, August 7, 2024 12:17
>> > > To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>; Richard Purdie <richard.pur...@linuxfoundation.org>; Marta Rybczynska <rybczyn...@gmail.com>; openembedded-core@lists.openembedded.org
>> > > Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> > > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>> > >
>> > > > -----Original Message-----
>> > > > From: Marko, Peter <peter.ma...@siemens.com>
>> > > > Sent: Wednesday, July 24, 2024 12:04 PM
>> > > > To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnago...@cisco.com>; openembedded-c...@lists.openembedded.org
>> > > > Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> > > > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>> > > >
>> > > > -----Original Message-----
>> > > > From: openembedded-c...@lists.openembedded.org <openembedded-c...@lists.openembedded.org> On Behalf Of Dhairya Nagodra via lists.openembedded.org
>> > > > Sent: Wednesday, July 24, 2024 6:45
>> > > > To: openembedded-core@lists.openembedded.org
>> > > > Cc: xe-linux-exter...@cisco.com; Dhairya Nagodra <dnago...@cisco.com>
>> > > > Subject: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to "Unpatched" status
>> > > >
>> > > > > - The 'upstream-wontfix' is to be used when the CVE is accepted by the
>> > > > >   upstream, but they are not planning to fix it.
>> > > > > - If the version used in Yocto is vulnerable, it should not have
>> > > > >   "Ignored" status. The package is still exploitable by the CVE.
>> > > > > - Also, when the status is exported out of the SDK, it would be
>> > > > >   incorrect to put it under the Ignored category.
>> > > >
>> > > > The purpose of this entry is to remove meaningless CVEs from reports so
>> > > > that users don't spend countless hours over and over again on analyzing
>> > > > "open" CVEs if they were already closed upstream.
>> > > > If you look at the comments of entries using this category (7 in oe-core
>> > > > scarthgap), these CVEs are more or less irrelevant.
>> > > >
>> > > > So this patch is, from my point of view, a step in the wrong direction.
>> > > > If you really need to show these due to your CVE handling process, you
>> > > > can easily override this variable assignment in your own layer.
>> > > >
>> > >
>> > > I tried this in my layer: created a .conf and included it in my distro.conf
>> > > file.
>> > > The issue is, it gets overwritten by cve-check-map.conf (as it is included
>> > > later).
>> >
>> > If you create meta-<your-layer>/conf/cve-check-map.conf it will be
>> > included instead of the one from oe-core/poky.
>> >
>>
>> I tried this approach, it included both of the files, and my config was
>> overwritten.
>>
>> # <path>/distro/openembedded-core/../my-layer/conf/distro/my-cve-check-map.conf
>> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
>> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
>> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
>> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
>> # <path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf
>
> For that to work you need to use the same path. Above you have:
>
> conf/distro/my-cve-check-map.conf
>
> but it would have to match:
>
> conf/cve-check-map.conf
>

# /<path>/distro/openembedded-core/../meta-mylayer/conf/cve-check-map.conf
# /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
# /<path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
# /<path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
# /<path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
# /<path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf

Regards,
Dhairya

> Cheers,
>
> Richard
>
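An added configuration example (not from this thread and not OE-core's own file) showing the two override placements discussed above and why the ordering of includes decides which one survives; it assumes the status-map variable is CVE_CHECK_STATUSMAP, the layer is named meta-mylayer as in the log above, and the distro config is mydistro.conf.

```bitbake
# meta-mylayer/conf/distro/mydistro.conf   (assumed layer and distro names)
#
# Override placed in the distro config. BitBake keeps the last assignment
# it parses, so as long as bitbake.conf pulls in conf/cve-check-map.conf
# AFTER the distro config (the ordering the thread describes), oe-core's
# own line re-sets this flag and the override below is silently lost.
# With cve-check-map.conf included before the distro config instead, the
# distro assignment is parsed last and wins.
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"

# meta-mylayer/conf/cve-check-map.conf   (same relative path as in oe-core)
#
# Shadowing oe-core's file only helps if this copy is the one resolved for
# the include and the oe-core copy is not parsed again afterwards; the log
# in the thread shows both files being included, which is why the override
# still lost. When this approach does apply, the file replaces the whole
# mapping, so every status keyword used by your recipes must be listed.
# Only two entries are shown here for illustration.
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"
CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
```

To see which file's assignment took effect, run `bitbake -e <recipe>` and look at the `# $CVE_CHECK_STATUSMAP` history block, which records each set together with the file and line it came from; the final value of `[upstream-wontfix]` should be `Unpatched` only when the override was parsed last.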