diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2023-07-26 11:50:09 +0200 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2023-07-27 08:54:40 -0700 |
commit | 8af2f17a6fa8bf282c4c27054adbea1bf0873069 (patch) | |
tree | 22b6484379a0f3d3e2b89f958dda0fd45f2a1880 /meta-networking | |
parent | 4c201ede939610946847ccd4221320ed776224aa (diff) | |
download | meta-openembedded-8af2f17a6fa8bf282c4c27054adbea1bf0873069.tar.gz |
cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS
- Try to add convert and apply statuses for old CVEs
- Drop some obsolete ignores, while they are not relevant for current
version
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
Diffstat (limited to 'meta-networking')
11 files changed, 30 insertions, 61 deletions
diff --git a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb index 9a2bbab39f..35733c5307 100644 --- a/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb +++ b/meta-networking/recipes-connectivity/freeradius/freeradius_3.0.26.bb @@ -43,10 +43,8 @@ SRCREV = "d956f683d37ea40e7977cc5907361f3e6988a439" UPSTREAM_CHECK_GITTAGREGEX = "release_(?P<pver>\d+(\_\d+)+)" -CVE_CHECK_IGNORE = "\ - CVE-2002-0318 \ - CVE-2011-4966 \ -" +CVE_CHECK_STATUS[CVE-2002-0318] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." +CVE_CHECK_STATUS[CVE-2011-4966] = "fixed-version: The CPE in the NVD database doesn't reflect correctly the vulnerable versions." PARALLEL_MAKE = "" diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb index ce094d5afb..fff320afd8 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_2.28.3.bb @@ -57,10 +57,8 @@ BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "mbed_tls" -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 -CVE_CHECK_IGNORE += "CVE-2021-43666" -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c -CVE_CHECK_IGNORE += "CVE-2021-45451" +CVE_STATUS[CVE-2021-43666] = "backported-patch: Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310" +CVE_STATUS[CVE-2021-43666] = "backported-patch: Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c" # Strip host paths from autogenerated test files do_compile:append() { diff --git a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb index b8c9662de7..10fb7de8ca 100644 --- a/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb +++ b/meta-networking/recipes-connectivity/mbedtls/mbedtls_3.4.0.bb @@ -58,11 +58,6 @@ BBCLASSEXTEND = "native nativesdk" CVE_PRODUCT = "mbed_tls" -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/pull/5310 -CVE_CHECK_IGNORE += "CVE-2021-43666" -# Fix merged upstream https://github.com/Mbed-TLS/mbedtls/commit/9a4a9c66a48edfe9ece03c7e4a53310adf73a86c -CVE_CHECK_IGNORE += "CVE-2021-45451" - # Strip host paths from autogenerated test files do_compile:append() { sed -i 's+${S}/++g' ${B}/tests/*.c 2>/dev/null || : diff --git a/meta-networking/recipes-connectivity/openthread/wpantund_git.bb b/meta-networking/recipes-connectivity/openthread/wpantund_git.bb index a7fcc202a4..ebb3fc3c1c 100644 --- a/meta-networking/recipes-connectivity/openthread/wpantund_git.bb +++ b/meta-networking/recipes-connectivity/openthread/wpantund_git.bb @@ -22,11 +22,8 @@ S = "${WORKDIR}/git" inherit pkgconfig perlnative autotools -# CVE-2020-8916 has been fixed in commit -# 3f108441e23e033b936e85be5b6877dd0a1fbf1c which is included in the SRCREV -# CVE-2021-33889 has been fixed in commit -# a8f3f761f6753b567d1e5ad22cbe6b0ceb6f2649 which is included in the SRCREV # There has not been a wpantund release as of yet that includes these fixes. # That means cve-check can not match them. Once a new release comes we can -# remove the ignore statement. -CVE_CHECK_IGNORE = "CVE-2020-8916 CVE-2021-33889" +# remove the statement. +CVE_STATUS[CVE-2020-8916] = "backported-patch: fixed via 3f108441e23e033b936e85be5b6877dd0a1fbf1c" +CVE_STATUS[CVE-2021-33889] = "backported-patch: fixed via 3f108441e23e033b936e85be5b6877dd0a1fbf1c" diff --git a/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb b/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb index 66089edad5..3386b93b5e 100644 --- a/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb +++ b/meta-networking/recipes-connectivity/samba/samba_4.18.4.bb @@ -38,12 +38,7 @@ UPSTREAM_CHECK_REGEX = "samba\-(?P<pver>4\.18(\.\d+)+).tar.gz" inherit systemd waf-samba cpan-base perlnative update-rc.d perl-version pkgconfig -# CVE-2011-2411 is valnerble only on HP NonStop Servers. -CVE_CHECK_IGNORE += "CVE-2011-2411" -# Patch for CVE-2018-1050 is applied in version 4.5.15, 4.6.13, 4.7.5. -CVE_CHECK_IGNORE += "CVE-2018-1050" -# Patch for CVE-2018-1057 is applied in version 4.3.13, 4.4.16. -CVE_CHECK_IGNORE += "CVE-2018-1057" +CVE_STATUS[CVE-2011-2411] = "not-applicable-platform: vulnerable only on HP NonStop Servers" # remove default added RDEPENDS on perl RDEPENDS:${PN}:remove = "perl" diff --git a/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb b/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb index 46f1b70cb7..aff7954f50 100644 --- a/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb +++ b/meta-networking/recipes-protocols/mdns/mdns_1790.80.10.bb @@ -46,18 +46,16 @@ PACKAGECONFIG[tls] = ",tls=no,mbedtls" CVE_PRODUCT = "apple:mdnsresponder" -# CVE-2007-0613 is not applicable as it only affects Apple products -# i.e. ichat,mdnsresponder, instant message framework and MacOS. -# Also, https://www.exploit-db.com/exploits/3230 shows the part of code -# affected by CVE-2007-0613 which is not preset in upstream source code. -# Hence, CVE-2007-0613 does not affect other Yocto implementations and -# is not reported for other distros can be marked whitelisted. -# Links: -# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 -# https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 -# https://security-tracker.debian.org/tracker/CVE-2007-0613 -# https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 -CVE_CHECK_IGNORE += "CVE-2007-0613" +CVE_STATUS[CVE-2007-0613] = "not-applicable-platform: Issue affects Apple products \ +i.e. ichat,mdnsresponder, instant message framework and MacOS. Also, \ +https://www.exploit-db.com/exploits/3230 shows the part of code \ +affected by CVE-2007-0613 which is not preset in upstream source code. \ +Hence, CVE-2007-0613 does not affect other Yocto implementations and \ +is not reported for other distros can be marked whitelisted. \ +Links: https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613 \ +https://www.incibe-cert.es/en/early-warning/vulnerabilities/cve-2007-0613 \ +https://security-tracker.debian.org/tracker/CVE-2007-0613 \ +https://vulmon.com/vulnerabilitydetails?qid=CVE-2007-0613" PARALLEL_MAKE = "" diff --git a/meta-networking/recipes-protocols/openflow/openflow.inc b/meta-networking/recipes-protocols/openflow/openflow.inc index aaad0e00e1..7062d21462 100644 --- a/meta-networking/recipes-protocols/openflow/openflow.inc +++ b/meta-networking/recipes-protocols/openflow/openflow.inc @@ -13,10 +13,10 @@ LIC_FILES_CHKSUM = "file://COPYING;md5=e870c934e2c3d6ccf085fd7cf0a1e2e2" SRC_URI = "git://gitosis.stanford.edu/openflow.git;protocol=git;branch=master" -CVE_CHECK_IGNORE = "\ - CVE-2015-1611 \ - CVE-2015-1612 \ -" +CVE_STATUS[CVE-2015-1611] = "not-applicable-config: Not referred to our implementation of openflow" +CVE_STATUS[CVE-2015-1612] = "not-applicable-config: Not referred to our implementation of openflow" +CVE_STATUS[CVE-2018-1078] = "cpe-incorrect: This CVE is not for this product but cve-check assumes it is \ +because two CPE collides when checking the NVD database" DEPENDS = "virtual/libc" @@ -58,7 +58,3 @@ do_install:append() { } FILES:${PN} += "${nonarch_libdir}/tmpfiles.d" - -# This CVE is not for this product but cve-check assumes it is -# because two CPE collides when checking the NVD database -CVE_CHECK_IGNORE = "CVE-2018-1078" diff --git a/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb b/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb index 01e060e2f5..e41dd93f5d 100644 --- a/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb +++ b/meta-networking/recipes-support/dovecot/dovecot_2.3.20.bb @@ -71,5 +71,4 @@ FILES:${PN}-staticdev += "${libdir}/dovecot/*/*.a" FILES:${PN}-dev += "${libdir}/dovecot/libdovecot*.so" FILES:${PN}-dbg += "${libdir}/dovecot/*/.debug" -# CVE-2016-4983 affects only postinstall script on specific distribution -CVE_CHECK_IGNORE += "CVE-2016-4983" +CVE_STATUS[CVE-2016-4983] = "not-applicable-platform: Affects only postinstall script on specific distribution." diff --git a/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb b/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb index fba4611b99..e80ea4c149 100644 --- a/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb +++ b/meta-networking/recipes-support/ntp/ntp_4.2.8p17.bb @@ -26,12 +26,11 @@ SRC_URI = "http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-${PV}.tar.g SRC_URI[sha256sum] = "103dd272e6a66c5b8df07dce5e9a02555fcd6f1397bdfb782237328e89d3a866" -# CVE-2016-9312 is only for windows. -# CVE-2019-11331 is inherent to RFC 5905 and cannot be fixed without breaking compatibility -# The other CVEs are not correctly identified because cve-check -# is not able to check the version correctly (it only checks for 4.2.8 omitting p15 that makes the difference) -CVE_CHECK_IGNORE += "\ - CVE-2016-9312 \ +CVE_STATUS[CVE-2016-9312] = "not-applicable-platform: Issue only applies on Windows" +CVE_STATUS[CVE-2019-11331] = "upstream-wontfix: inherent to RFC 5905 and cannot be fixed without breaking compatibility" +CVE_STATUS_GROUPS += "CVE_STATUS_NTP" +CVE_STATUS_NTP[status] = "fixed-version: Yocto CVE check can not handle 'p' in ntp version" +CVE_STATUS_NTP = " \ CVE-2015-5146 \ CVE-2015-5300 \ CVE-2015-7975 \ @@ -51,7 +50,6 @@ CVE_CHECK_IGNORE += "\ CVE-2016-7433 \ CVE-2016-9310 \ CVE-2016-9311 \ - CVE-2019-11331 \ " diff --git a/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb b/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb index 76bce7db53..a5fc158749 100644 --- a/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb +++ b/meta-networking/recipes-support/openvpn/openvpn_2.6.3.bb @@ -16,8 +16,7 @@ UPSTREAM_CHECK_URI = "https://openvpn.net/community-downloads" SRC_URI[sha256sum] = "13b207a376d8880507c74ff78aabc3778a9da47c89f1e247dcee3c7237138ff6" -# CVE-2020-7224 and CVE-2020-27569 are for Aviatrix OpenVPN client, not for openvpn. -CVE_CHECK_IGNORE += "CVE-2020-7224 CVE-2020-27569" +CVE_STATUS[CVE-2020-27569] = "not-applicable-config: Applies only Aviatrix OpenVPN client, not openvpn" INITSCRIPT_PACKAGES = "${PN}" INITSCRIPT_NAME:${PN} = "openvpn" diff --git a/meta-networking/recipes-support/spice/spice_git.bb b/meta-networking/recipes-support/spice/spice_git.bb index b3e687476b..5732f509b1 100644 --- a/meta-networking/recipes-support/spice/spice_git.bb +++ b/meta-networking/recipes-support/spice/spice_git.bb @@ -30,11 +30,7 @@ SRC_URI = " \ S = "${WORKDIR}/git" -CVE_CHECK_IGNORE += "\ - CVE-2016-0749 \ - CVE-2016-2150 \ - CVE-2018-10893 \ -" +CVE_STATUS[CVE-2018-10893] = "fixed-version: patched already, caused by inaccurate CPE in the NVD database." inherit autotools gettext python3native python3-dir pkgconfig |