Hi Richard,

JFYI, it seems that keeping the same name, conf/cve-check-map.conf, also doesn't 
work. Logs are attached at the bottom.
Maybe due to the 'meta' dir?

BTW, your new patch (bitbake.conf: Include cve-check-map earlier, before 
distro) should allow it to work.


>-----Original Message-----
>From: Richard Purdie <richard.pur...@linuxfoundation.org>
>Sent: Monday, August 12, 2024 3:46 PM
>To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco)
><dnago...@cisco.com>; Marko, Peter <peter.ma...@siemens.com>; Marta
>Rybczynska <rybczyn...@gmail.com>; openembedded-
>c...@lists.openembedded.org
>Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>Subject: Re: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to
>"Unpatched" status
>
>On Mon, 2024-08-12 at 10:08 +0000, Dhairya Nagodra -X (dnagodra - E
>INFOCHIPS LIMITED at Cisco) wrote:
>>
>>
>> > -----Original Message-----
>> > From: Marko, Peter <peter.ma...@siemens.com>
>> > Sent: Wednesday, August 7, 2024 4:04 PM
>> > To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco)
>> > <dnago...@cisco.com>; Richard Purdie
>> > <richard.pur...@linuxfoundation.org>;
>> > Marta Rybczynska <rybczyn...@gmail.com>; openembedded-
>> > c...@lists.openembedded.org
>> > Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> > Subject: RE: [OE-core] [PATCH] cve-check-map: Move
>> > 'upstream-wontfix' to "Unpatched" status
>> >
>> >
>> >
>> > > -----Original Message-----
>> > > From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco)
>> > > <dnago...@cisco.com>
>> > > Sent: Wednesday, August 7, 2024 12:17
>> > > To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>;
>> > > Richard Purdie <richard.pur...@linuxfoundation.org>; Marta
>> > > Rybczynska <rybczyn...@gmail.com>;
>> > > openembedded-core@lists.openembedded.org
>> > > Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> > > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix'
>> > > to "Unpatched" status
>> > >
>> > >
>> > >
>> > > > -----Original Message-----
>> > > > From: Marko, Peter <peter.ma...@siemens.com>
>> > > > Sent: Wednesday, July 24, 2024 12:04 PM
>> > > > To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
>> > > > <dnago...@cisco.com>; openembedded-c...@lists.openembedded.org
>> > > > Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> > > > Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix'
>> > > > to "Unpatched" status
>> > > >
>> > > > -----Original Message-----
>> > > > From: openembedded-c...@lists.openembedded.org
>> > > > <openembedded-c...@lists.openembedded.org> On Behalf Of Dhairya Nagodra via
>> > > > lists.openembedded.org
>> > > > Sent: Wednesday, July 24, 2024 6:45
>> > > > To: openembedded-core@lists.openembedded.org
>> > > > Cc: xe-linux-exter...@cisco.com; Dhairya Nagodra
>> > > > <dnago...@cisco.com>
>> > > > Subject: [OE-core] [PATCH] cve-check-map: Move
>> > > > 'upstream-wontfix' to "Unpatched" status
>> > > >
>> > > > > - The 'upstream-wontfix' is to be used when the CVE is accepted by the
>> > > > >   upstream, but they are not planning to fix it.
>> > > > > - If the version used in Yocto is vulnerable, it should not have
>> > > > >   "Ignored" status. The package is still exploitable by the CVE.
>> > > > > - Also, when the status is exported out of the SDK, it would be
>> > > > >   incorrect to put it under Ignored category.
>> > > >
>> > > > The purpose of this entry is to remove meaningless CVEs from
>> > > > reports so that users don't spend countless hours over and over
>> > > > again on analyzing "open" CVEs if they were already closed upstream.
>> > > > If you look at comments of entries using this category (7 in
>> > > > oe-core scarthgap) these CVEs are more or less irrelevant.
>> > > >
>> > > > So this patch is from my point of view a step in the wrong direction.
>> > > > If you really need to show these due to your CVE handling
>> > > > process, you can easily override this variable assignment in your own
>> > > > layer.
>> > > >
>> > >
>> > >
>> > > I tried this in my layer, created a .conf and included it in my distro.conf
>> > > file.
>> > > The issue is, it gets overwritten by cve-check-map.conf (as it is
>> > > included later).
>> >
>> > If you create meta-<your-layer>/conf/cve-check-map.conf it will be
>> > included instead of the one from oe-core/poky.
>> >
>>
>> I tried this approach; it included both of the files, and my config was
>> overwritten.
>>
>> #   <path>/distro/openembedded-core/../my-layer/conf/distro/my-cve-check-map.conf
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
>> #     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
>> #   <path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf
>
>
>For that to work you need to use the same path. Above you have:
>
>conf/distro/my-cve-check-map.conf
>
>but it would have to match:
>
>conf/cve-check-map.conf
>


#   /<path>/distro/openembedded-core/../meta-mylayer/conf/cve-check-map.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf


Regards,
Dhairya

>Cheers,
>
>Richard
>
>
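An added example (not code from this thread, oe-core or BitBake): it reads an include history like the one pasted above and reports which copy of cve-check-map.conf BitBake parsed last, because for a plain `=` assignment the last file parsed wins, so an earlier layer copy is silently shadowed. The log sample is constructed from the mail's listing and keeps its `<path>` placeholder; the `/openembedded-core/meta/conf/` marker used to recognise the oe-core copy is an assumption.

```python
import re
from collections import namedtuple

# Constructed sample mirroring the include history pasted in the mail above
# (trimmed; "<path>" is the mail's own placeholder).
SAMPLE_LOG = """\
#   /<path>/distro/openembedded-core/../meta-mylayer/conf/cve-check-map.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
#     /<path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
#   /<path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf
"""

# One history line: '#', indentation, the file, optionally ' includes:'.
INCLUDE_LINE = re.compile(r"^#\s+(\S+)(?:\s+includes:)?\s*$")

def parse_include_order(log):
    """Files in the order BitBake parsed them, '#' and indentation dropped."""
    return [m.group(1) for m in map(INCLUDE_LINE.match, log.splitlines()) if m]

Verdict = namedtuple("Verdict", "copies winner layer_shadowed")

def check_cve_map_override(log, basename="cve-check-map.conf",
                           core="/openembedded-core/meta/conf/"):
    """Find every copy of `basename` in the history and say which one wins.

    BitBake keeps the value of the last plain '=' assignment it parses, so
    the copy that appears last is the one whose CVE_CHECK_STATUSMAP entries
    take effect. `core` (assumed marker) identifies the oe-core copy.
    """
    copies = [f for f in parse_include_order(log) if f.endswith("/" + basename)]
    if not copies:
        return Verdict([], None, False)
    winner = copies[-1]
    layer_copies = [f for f in copies if core not in f]
    shadowed = bool(layer_copies) and core in winner
    return Verdict(copies, winner, shadowed)

if __name__ == "__main__":
    v = check_cve_map_override(SAMPLE_LOG)
    for f in v.copies:
        print(("winner   " if f == v.winner else "shadowed ") + f)
    if v.layer_shadowed:
        print("layer copy parsed before oe-core's: its assignments are overridden")
```

Feed it the output of `bitbake -e` for a real build to see the full include history rather than the trimmed sample.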

View/Reply Online (#203220): https://lists.openembedded.org/g/openembedded-core/message/203220