diff options
52 files changed, 97 insertions, 97 deletions
diff --git a/meta/classes/archiver.bbclass b/meta/classes/archiver.bbclass index e830900574..c19c770d11 100644 --- a/meta/classes/archiver.bbclass +++ b/meta/classes/archiver.bbclass @@ -63,7 +63,7 @@ ARCHIVER_WORKDIR = "${WORKDIR}/archiver-work/" # When producing a combined mirror directory, allow duplicates for the case # where multiple recipes use the same SRC_URI. ARCHIVER_COMBINED_MIRRORDIR = "${ARCHIVER_TOPDIR}/mirror" -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}/mirror" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}/mirror" do_dumpdata[dirs] = "${ARCHIVER_OUTDIR}" do_ar_recipe[dirs] = "${ARCHIVER_OUTDIR}" diff --git a/meta/classes/buildhistory.bbclass b/meta/classes/buildhistory.bbclass index 05f66d10b9..49797a6701 100644 --- a/meta/classes/buildhistory.bbclass +++ b/meta/classes/buildhistory.bbclass @@ -792,8 +792,8 @@ def buildhistory_get_sdkvars(d): sdkvars = "DISTRO DISTRO_VERSION SDK_NAME SDK_VERSION SDKMACHINE SDKIMAGE_FEATURES TOOLCHAIN_HOST_TASK TOOLCHAIN_TARGET_TASK BAD_RECOMMENDATIONS NO_RECOMMENDATIONS PACKAGE_EXCLUDE" if d.getVar('BB_CURRENTTASK') == 'populate_sdk_ext': # Extensible SDK uses some additional variables - sdkvars += " SDK_LOCAL_CONF_WHITELIST SDK_LOCAL_CONF_BLACKLIST SDK_INHERIT_BLACKLIST SDK_UPDATE_URL SDK_EXT_TYPE SDK_RECRDEP_TASKS SDK_INCLUDE_PKGDATA SDK_INCLUDE_TOOLCHAIN" - listvars = "SDKIMAGE_FEATURES BAD_RECOMMENDATIONS PACKAGE_EXCLUDE SDK_LOCAL_CONF_WHITELIST SDK_LOCAL_CONF_BLACKLIST SDK_INHERIT_BLACKLIST" + sdkvars += " ESDK_LOCALCONF_ALLOW ESDK_LOCALCONF_REMOVE ESDK_CLASS_INHERIT_DISABLE SDK_UPDATE_URL SDK_EXT_TYPE SDK_RECRDEP_TASKS SDK_INCLUDE_PKGDATA SDK_INCLUDE_TOOLCHAIN" + listvars = "SDKIMAGE_FEATURES BAD_RECOMMENDATIONS PACKAGE_EXCLUDE ESDK_LOCALCONF_ALLOW ESDK_LOCALCONF_REMOVE ESDK_CLASS_INHERIT_DISABLE" return outputvars(sdkvars, listvars, d) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 21d3da7974..2d69aeba4b 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -44,14 +44,14 @@ CVE_CHECK_CREATE_MANIFEST ??= "1" CVE_CHECK_REPORT_PATCHED ??= "1" # Whitelist for packages (PN) -CVE_CHECK_PN_WHITELIST ?= "" +CVE_CHECK_SKIP_RECIPE ?= "" # Whitelist for CVE. If a CVE is found, then it is considered patched. # The value is a string containing space separated CVE values: # -# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' +# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234' # -CVE_CHECK_WHITELIST ?= "" +CVE_CHECK_IGNORE ?= "" # Layers to be excluded CVE_CHECK_LAYER_EXCLUDELIST ??= "" @@ -178,11 +178,11 @@ def check_cves(d, patched_cves): pv = d.getVar("CVE_VERSION").split("+git")[0] # If the recipe has been whitelisted we return empty lists - if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): + if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split(): bb.note("Recipe has been whitelisted, skipping check") return ([], [], []) - cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() + cve_whitelist = d.getVar("CVE_CHECK_IGNORE").split() import sqlite3 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") diff --git a/meta/classes/insane.bbclass b/meta/classes/insane.bbclass index a28fcd4798..4fc3c06c64 100644 --- a/meta/classes/insane.bbclass +++ b/meta/classes/insane.bbclass @@ -48,7 +48,7 @@ enabled tests are listed here, the do_package_qa task will run under fakeroot." ALL_QA = "${WARN_QA} ${ERROR_QA}" -UNKNOWN_CONFIGURE_WHITELIST ?= "--enable-nls --disable-nls --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot --disable-static" +UNKNOWN_CONFIGURE_OPT_IGNORE ?= "--enable-nls --disable-nls --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot --disable-static" # This is a list of directories that are expected to be empty. QA_EMPTY_DIRS ?= " \ @@ -1270,7 +1270,7 @@ Rerun configure task after fixing this.""" options = set() for line in output.splitlines(): options |= set(line.partition(flag)[2].split()) - whitelist = set(d.getVar("UNKNOWN_CONFIGURE_WHITELIST").split()) + whitelist = set(d.getVar("UNKNOWN_CONFIGURE_OPT_IGNORE").split()) options -= whitelist if options: pn = d.getVar('PN') diff --git a/meta/classes/populate_sdk_ext.bbclass b/meta/classes/populate_sdk_ext.bbclass index a6f1506a39..9c9561c5c6 100644 --- a/meta/classes/populate_sdk_ext.bbclass +++ b/meta/classes/populate_sdk_ext.bbclass @@ -22,8 +22,8 @@ SDK_INCLUDE_BUILDTOOLS ?= '1' SDK_RECRDEP_TASKS ?= "" SDK_CUSTOM_TEMPLATECONF ?= "0" -SDK_LOCAL_CONF_WHITELIST ?= "" -SDK_LOCAL_CONF_BLACKLIST ?= "CONF_VERSION \ +ESDK_LOCALCONF_ALLOW ?= "" +ESDK_LOCALCONF_REMOVE ?= "CONF_VERSION \ BB_NUMBER_THREADS \ BB_NUMBER_PARSE_THREADS \ PARALLEL_MAKE \ @@ -34,7 +34,7 @@ SDK_LOCAL_CONF_BLACKLIST ?= "CONF_VERSION \ TMPDIR \ BB_SERVER_TIMEOUT \ " -SDK_INHERIT_BLACKLIST ?= "buildhistory icecc" +ESDK_CLASS_INHERIT_DISABLE ?= "buildhistory icecc" SDK_UPDATE_URL ?= "" SDK_TARGETS ?= "${PN}" @@ -294,8 +294,8 @@ python copy_buildsystem () { if derivative: shutil.copyfile(builddir + '/conf/local.conf', baseoutpath + '/conf/local.conf') else: - local_conf_whitelist = (d.getVar('SDK_LOCAL_CONF_WHITELIST') or '').split() - local_conf_blacklist = (d.getVar('SDK_LOCAL_CONF_BLACKLIST') or '').split() + local_conf_whitelist = (d.getVar('ESDK_LOCALCONF_ALLOW') or '').split() + local_conf_blacklist = (d.getVar('ESDK_LOCALCONF_REMOVE') or '').split() def handle_var(varname, origvalue, op, newlines): if varname in local_conf_blacklist or (origvalue.strip().startswith('/') and not varname in local_conf_whitelist): newlines.append('# Removed original setting of %s\n' % varname) @@ -338,7 +338,7 @@ python copy_buildsystem () { f.write('CONF_VERSION = "%s"\n\n' % d.getVar('CONF_VERSION', False)) # Some classes are not suitable for SDK, remove them from INHERIT - f.write('INHERIT:remove = "%s"\n' % d.getVar('SDK_INHERIT_BLACKLIST', False)) + f.write('INHERIT:remove = "%s"\n' % d.getVar('ESDK_CLASS_INHERIT_DISABLE', False)) # Bypass the default connectivity check if any f.write('CONNECTIVITY_CHECK_URIS = ""\n\n') diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index 86bf0395d2..787172b408 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass @@ -50,21 +50,21 @@ SSTATE_EXTRAPATH[vardepvalue] = "" SSTATE_EXTRAPATHWILDCARD[vardepvalue] = "" # For multilib rpm the allarch packagegroup files can overwrite (in theory they're identical) -SSTATE_DUPWHITELIST = "${DEPLOY_DIR}/licenses/" +SSTATE_ALLOW_OVERLAP_FILES = "${DEPLOY_DIR}/licenses/" # Avoid docbook/sgml catalog warnings for now -SSTATE_DUPWHITELIST += "${STAGING_ETCDIR_NATIVE}/sgml ${STAGING_DATADIR_NATIVE}/sgml" +SSTATE_ALLOW_OVERLAP_FILES += "${STAGING_ETCDIR_NATIVE}/sgml ${STAGING_DATADIR_NATIVE}/sgml" # sdk-provides-dummy-nativesdk and nativesdk-buildtools-perl-dummy overlap for different SDKMACHINE -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-nativesdk/" -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-nativesdk/" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/" # target-sdk-provides-dummy overlaps that allarch is disabled when multilib is used -SSTATE_DUPWHITELIST += "${COMPONENTS_DIR}/sdk-provides-dummy-target/ ${DEPLOY_DIR_RPM}/sdk_provides_dummy_target/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-target/" +SSTATE_ALLOW_OVERLAP_FILES += "${COMPONENTS_DIR}/sdk-provides-dummy-target/ ${DEPLOY_DIR_RPM}/sdk_provides_dummy_target/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-target/" # Archive the sources for many architectures in one deploy folder -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}" # ovmf/grub-efi/systemd-boot/intel-microcode multilib recipes can generate identical overlapping files -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/ovmf" -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/grub-efi" -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/systemd-boot" -SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/microcode" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/ovmf" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/grub-efi" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/systemd-boot" +SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/microcode" SSTATE_SCAN_FILES ?= "*.la *-config *_config postinst-*" SSTATE_SCAN_CMD ??= 'find ${SSTATE_BUILDDIR} \( -name "${@"\" -o -name \"".join(d.getVar("SSTATE_SCAN_FILES").split())}" \) -type f' @@ -260,7 +260,7 @@ def sstate_install(ss, d): shareddirs.append(dstdir) # Check the file list for conflicts against files which already exist - whitelist = (d.getVar("SSTATE_DUPWHITELIST") or "").split() + whitelist = (d.getVar("SSTATE_ALLOW_OVERLAP_FILES") or "").split() match = [] for f in sharedfiles: if os.path.exists(f) and not os.path.islink(f): @@ -296,7 +296,7 @@ def sstate_install(ss, d): "DISTRO_FEATURES on an existing build directory is not supported - you " \ "should really clean out tmp and rebuild (reusing sstate should be safe). " \ "It could be the overlapping files detected are harmless in which case " \ - "adding them to SSTATE_DUPWHITELIST may be the correct solution. It could " \ + "adding them to SSTATE_ALLOW_OVERLAP_FILES may be the correct solution. It could " \ "also be your build is including two different conflicting versions of " \ "things (e.g. bluez 4 and bluez 5 and the correct solution for that would " \ "be to resolve the conflict. If in doubt, please ask on the mailing list, " \ @@ -350,7 +350,7 @@ def sstate_install(ss, d): for lock in locks: bb.utils.unlockfile(lock) -sstate_install[vardepsexclude] += "SSTATE_DUPWHITELIST STATE_MANMACH SSTATE_MANFILEPREFIX" +sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES STATE_MANMACH SSTATE_MANFILEPREFIX" sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}" def sstate_installpkg(ss, d): diff --git a/meta/classes/staging.bbclass b/meta/classes/staging.bbclass index 574700260f..65499283da 100644 --- a/meta/classes/staging.bbclass +++ b/meta/classes/staging.bbclass @@ -24,7 +24,7 @@ SYSROOT_DIRS:append:class-cross = " ${SYSROOT_DIRS_NATIVE}" SYSROOT_DIRS:append:class-crosssdk = " ${SYSROOT_DIRS_NATIVE}" # These directories will not be staged in the sysroot -SYSROOT_DIRS_BLACKLIST = " \ +SYSROOT_DIRS_IGNORE = " \ ${mandir} \ ${docdir} \ ${infodir} \ @@ -65,7 +65,7 @@ sysroot_stage_dirs() { done # Remove directories we do not care about - for dir in ${SYSROOT_DIRS_BLACKLIST}; do + for dir in ${SYSROOT_DIRS_IGNORE}; do rm -rf "$to$dir" done } diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index e02a4d1fde..85b40207bf 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -19,7 +19,7 @@ # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006 # CVE is more than 20 years old with no resolution evident # broken links in CVE database references make resolution impractical -CVE_CHECK_WHITELIST += "CVE-2000-0006" +CVE_CHECK_IGNORE += "CVE-2000-0006" # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238 # The issue here is spoofing of domain names using characters from other character sets. @@ -28,26 +28,26 @@ CVE_CHECK_WHITELIST += "CVE-2000-0006" # there is unlikely ever to be a single fix to webkit or epiphany which addresses this # problem. Whitelisted as there isn't any mitigation or fix or way to progress this further # we can seem to take. -CVE_CHECK_WHITELIST += "CVE-2005-0238" +CVE_CHECK_IGNORE += "CVE-2005-0238" # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 # Upstream don't see it as a security issue, ftp servers shouldn't be passing # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar -CVE_CHECK_WHITELIST += "CVE-2010-4756" +CVE_CHECK_IGNORE += "CVE-2010-4756" # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511 # The encoding/xml package in go can potentially be used for security exploits if not used correctly # CVE applies to a netapp product as well as flagging a general issue. We don't ship anything # exposing this interface in an exploitable way -CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511" +CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" # db # Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with # supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed. -CVE_CHECK_WHITELIST += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ +CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \ CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \ CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \ CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ @@ -58,7 +58,7 @@ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" # groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803 # Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7 # so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10. -#CVE_CHECK_WHITELIST += "CVE-2000-0803" +#CVE_CHECK_IGNORE += "CVE-2000-0803" diff --git a/meta/lib/oeqa/selftest/cases/eSDK.py b/meta/lib/oeqa/selftest/cases/eSDK.py index d0c402ba8a..f7279b3230 100644 --- a/meta/lib/oeqa/selftest/cases/eSDK.py +++ b/meta/lib/oeqa/selftest/cases/eSDK.py @@ -63,7 +63,7 @@ class oeSDKExtSelfTest(OESelftestTestCase): cls.env_eSDK = oeSDKExtSelfTest.get_esdk_environment('', cls.tmpdir_eSDKQA) sstate_config=""" -SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS" +ESDK_LOCALCONF_ALLOW = "SSTATE_MIRRORS" SSTATE_MIRRORS = "file://.* file://%s/PATH" CORE_IMAGE_EXTRA_INSTALL = "perl" """ % sstate_dir @@ -91,7 +91,7 @@ CORE_IMAGE_EXTRA_INSTALL = "perl" # Configure eSDK to use sstate mirror from poky sstate_config=""" -SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS" +ESDK_LOCALCONF_ALLOW = "SSTATE_MIRRORS" SSTATE_MIRRORS = "file://.* file://%s/PATH" """ % bb_vars["SSTATE_DIR"] with open(os.path.join(cls.tmpdir_eSDKQA, 'conf', 'local.conf'), 'a+') as f: diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index 193a92cb94..ba0596c938 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc @@ -27,7 +27,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" # Applies only to RHEL -CVE_CHECK_WHITELIST += "CVE-2019-14865" +CVE_CHECK_IGNORE += "CVE-2019-14865" DEPENDS = "flex-native bison-native gettext-native" diff --git a/meta/recipes-connectivity/avahi/avahi_0.8.bb b/meta/recipes-connectivity/avahi/avahi_0.8.bb index cc143ac490..3e020e6780 100644 --- a/meta/recipes-connectivity/avahi/avahi_0.8.bb +++ b/meta/recipes-connectivity/avahi/avahi_0.8.bb @@ -33,7 +33,7 @@ SRC_URI[md5sum] = "229c6aa30674fc43c202b22c5f8c2be7" SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda" # Issue only affects Debian/SUSE, not us -CVE_CHECK_WHITELIST += "CVE-2021-26720" +CVE_CHECK_IGNORE += "CVE-2021-26720" DEPENDS = "expat libcap libdaemon glib-2.0" diff --git a/meta/recipes-connectivity/bind/bind_9.16.25.bb b/meta/recipes-connectivity/bind/bind_9.16.25.bb index 27a1683a5c..7c16376b58 100644 --- a/meta/recipes-connectivity/bind/bind_9.16.25.bb +++ b/meta/recipes-connectivity/bind/bind_9.16.25.bb @@ -28,7 +28,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>9.(16|20|24|28)(\.\d+)+(-P\d+)*)/" # Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore # so the issue doesn't affect us. -CVE_CHECK_WHITELIST += "CVE-2019-6470" +CVE_CHECK_IGNORE += "CVE-2019-6470" inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives diff --git a/meta/recipes-connectivity/bluez5/bluez5_5.63.bb b/meta/recipes-connectivity/bluez5/bluez5_5.63.bb index 34c4767d2b..a9ee29135d 100644 --- a/meta/recipes-connectivity/bluez5/bluez5_5.63.bb +++ b/meta/recipes-connectivity/bluez5/bluez5_5.63.bb @@ -3,7 +3,7 @@ require bluez5.inc SRC_URI[sha256sum] = "9349e11e8160bb3d720835d271250d8a7424d3690f5289e6db6fe07cc66c6d76" # These issues have kernel fixes rather than bluez fixes so exclude here -CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490" +CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490" # noinst programs in Makefile.tools that are conditional on READLINE # support diff --git a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb b/meta/recipes-connectivity/openssh/openssh_8.8p1.bb index ee86bb92ab..953c29dbf2 100644 --- a/meta/recipes-connectivity/openssh/openssh_8.8p1.bb +++ b/meta/recipes-connectivity/openssh/openssh_8.8p1.bb @@ -28,14 +28,14 @@ SRC_URI = "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${PV}.tar SRC_URI[sha256sum] = "4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9" # This CVE is specific to OpenSSH with the pam opie which we don't build/use here -CVE_CHECK_WHITELIST += "CVE-2007-2768" +CVE_CHECK_IGNORE += "CVE-2007-2768" # This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7 # and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded -CVE_CHECK_WHITELIST += "CVE-2014-9278" +CVE_CHECK_IGNORE += "CVE-2014-9278" # CVE only applies to some distributed RHEL binaries -CVE_CHECK_WHITELIST += "CVE-2008-3844" +CVE_CHECK_IGNORE += "CVE-2008-3844" PAM_SRC_URI = "file://sshd" diff --git a/meta/recipes-connectivity/openssl/openssl_3.0.1.bb b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb index d08d9b02dc..1128f6a737 100644 --- a/meta/recipes-connectivity/openssl/openssl_3.0.1.bb +++ b/meta/recipes-connectivity/openssl/openssl_3.0.1.bb @@ -255,4 +255,4 @@ CVE_VERSION_SUFFIX = "alphabetical" # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37 # Apache in meta-webserver is already recent enough -CVE_CHECK_WHITELIST += "CVE-2019-0190" +CVE_CHECK_IGNORE += "CVE-2019-0190" diff --git a/meta/recipes-core/coreutils/coreutils_9.0.bb b/meta/recipes-core/coreutils/coreutils_9.0.bb index 8b904fd56e..6a97c4d5cc 100644 --- a/meta/recipes-core/coreutils/coreutils_9.0.bb +++ b/meta/recipes-core/coreutils/coreutils_9.0.bb @@ -26,7 +26,7 @@ SRC_URI[sha256sum] = "ce30acdf4a41bc5bb30dd955e9eaa75fa216b4e3deb08889ed32433c7b # http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842 # runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue. -CVE_CHECK_WHITELIST += "CVE-2016-2781" +CVE_CHECK_IGNORE += "CVE-2016-2781" EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}" EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname" diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index b785b61154..6ea5b1efb5 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb @@ -1,20 +1,20 @@ require glibc.inc require glibc-version.inc -CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2021-27645" +CVE_CHECK_IGNORE += "CVE-2020-10029 CVE-2021-27645" # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024 # Upstream glibc maintainers dispute there is any issue and have no plans to address it further. # "this is being treated as a non-security bug and no real threat." -CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" +CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024" # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025 # Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow # easier access for another. "ASLR bypass itself is not a vulnerability." # Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853 -CVE_CHECK_WHITELIST += "CVE-2019-1010025" +CVE_CHECK_IGNORE += "CVE-2019-1010025" DEPENDS += "gperf-native bison-native make-native" diff --git a/meta/recipes-core/meta/target-sdk-provides-dummy.bb b/meta/recipes-core/meta/target-sdk-provides-dummy.bb index e3beeb796c..849407cca5 100644 --- a/meta/recipes-core/meta/target-sdk-provides-dummy.bb +++ b/meta/recipes-core/meta/target-sdk-provides-dummy.bb @@ -58,4 +58,4 @@ DUMMYPROVIDES = "\ require dummy-sdk-package.inc -SSTATE_DUPWHITELIST += "${PKGDATA_DIR}/${PN} ${PKGDATA_DIR}/runtime/${PN}" +SSTATE_ALLOW_OVERLAP_FILES += "${PKGDATA_DIR}/${PN} ${PKGDATA_DIR}/runtime/${PN}" diff --git a/meta/recipes-devtools/cmake/cmake.inc b/meta/recipes-devtools/cmake/cmake.inc index 9276db3c56..a8bd4311c4 100644 --- a/meta/recipes-devtools/cmake/cmake.inc +++ b/meta/recipes-devtools/cmake/cmake.inc @@ -27,4 +27,4 @@ UPSTREAM_CHECK_REGEX = "cmake-(?P<pver>\d+(\.\d+)+)\.tar" # This is specific to the npm package that installs cmake, so isn't # relevant to OpenEmbedded -CVE_CHECK_WHITELIST += "CVE-2016-10642" +CVE_CHECK_IGNORE += "CVE-2016-10642" diff --git a/meta/recipes-devtools/flex/flex_2.6.4.bb b/meta/recipes-devtools/flex/flex_2.6.4.bb index 95e2c087ee..c7cd965347 100644 --- a/meta/recipes-devtools/flex/flex_2.6.4.bb +++ b/meta/recipes-devtools/flex/flex_2.6.4.bb @@ -31,7 +31,7 @@ UPSTREAM_CHECK_REGEX = "flex-(?P<pver>\d+(\.\d+)+)\.tar" # Disputed - yes there is stack exhaustion but no bug and it is building the # parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address # https://github.com/westes/flex/issues/414 -CVE_CHECK_WHITELIST += "CVE-2019-6293" +CVE_CHECK_IGNORE += "CVE-2019-6293" inherit autotools gettext texinfo ptest diff --git a/meta/recipes-devtools/gcc/gcc-11.2.inc b/meta/recipes-devtools/gcc/gcc-11.2.inc index d892182fd5..2394c86e29 100644 --- a/meta/recipes-devtools/gcc/gcc-11.2.inc +++ b/meta/recipes-devtools/gcc/gcc-11.2.inc @@ -119,4 +119,4 @@ EXTRA_OECONF_PATHS = "\ " # Is a binutils 2.26 issue, not gcc -CVE_CHECK_WHITELIST += "CVE-2021-37322" +CVE_CHECK_IGNORE += "CVE-2021-37322" diff --git a/meta/recipes-devtools/gcc/gcc-target.inc b/meta/recipes-devtools/gcc/gcc-target.inc index 66f737c9dc..cc65e995c3 100644 --- a/meta/recipes-devtools/gcc/gcc-target.inc +++ b/meta/recipes-devtools/gcc/gcc-target.inc @@ -256,4 +256,4 @@ do_install:append () { # and builds track file dependencies (e.g. perl and its makedepends code). # For determinism we don't install this ever and rely on the copy from gcc-cross. # [YOCTO #7287] -SYSROOT_DIRS_BLACKLIST += "${libdir}/gcc" +SYSROOT_DIRS_IGNORE += "${libdir}/gcc" diff --git a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc index 836c51a3de..8e926e81e1 100644 --- a/meta/recipes-devtools/gdb/gdb-cross-canadian.inc +++ b/meta/recipes-devtools/gdb/gdb-cross-canadian.inc @@ -20,7 +20,7 @@ PACKAGECONFIG[python] = "--with-python=${WORKDIR}/python,--without-python,native PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline" PACKAGECONFIG[debuginfod] = "--with-debuginfod, --without-debuginfod, nativesdk-elfutils" -SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb" +SSTATE_ALLOW_OVERLAP_FILES += "${STAGING_DATADIR}/gdb" do_configure:prepend() { cat > ${WORKDIR}/python << EOF diff --git a/meta/recipes-devtools/go/go-1.17.7.inc b/meta/recipes-devtools/go/go-1.17.7.inc index e8c8c031ae..3832b65eae 100644 --- a/meta/recipes-devtools/go/go-1.17.7.inc +++ b/meta/recipes-devtools/go/go-1.17.7.inc @@ -22,4 +22,4 @@ SRC_URI[main.sha256sum] = "c108cd33b73b1911a02b697741df3dea43e01a5c4e08e409e8b3a # Upstream don't believe it is a signifiant real world issue and will only # fix in 1.17 onwards where we can drop this. # https://github.com/golang/go/issues/30999#issuecomment-910470358 -CVE_CHECK_WHITELIST += "CVE-2021-29923" +CVE_CHECK_IGNORE += "CVE-2021-29923" diff --git a/meta/recipes-devtools/jquery/jquery_3.6.0.bb b/meta/recipes-devtools/jquery/jquery_3.6.0.bb index 33b177d1d0..39ffd38114 100644 --- a/meta/recipes-devtools/jquery/jquery_3.6.0.bb +++ b/meta/recipes-devtools/jquery/jquery_3.6.0.bb @@ -22,7 +22,7 @@ UPSTREAM_CHECK_REGEX = "jquery-(?P<pver>\d+(\.\d+)+)\.js" # https://github.com/jquery/jquery/issues/3927 # There are ways jquery can expose security issues but any issues are in the apps exposing them # and there is little we can directly do -CVE_CHECK_WHITELIST += "CVE-2007-2379" +CVE_CHECK_IGNORE += "CVE-2007-2379" inherit allarch diff --git a/meta/recipes-devtools/libtool/libtool_2.4.6.bb b/meta/recipes-devtools/libtool/libtool_2.4.6.bb index fb40ce7317..44a4950574 100644 --- a/meta/recipes-devtools/libtool/libtool_2.4.6.bb +++ b/meta/recipes-devtools/libtool/libtool_2.4.6.bb @@ -7,7 +7,7 @@ RDEPENDS:${PN} += "bash" # # We want the results of libtool-cross preserved - don't stage anything ourselves. # -SYSROOT_DIRS_BLACKLIST += " \ +SYSROOT_DIRS_IGNORE += " \ ${bindir} \ ${datadir}/aclocal \ ${datadir}/libtool/build-aux \ diff --git a/meta/recipes-devtools/python/python3_3.10.2.bb b/meta/recipes-devtools/python/python3_3.10.2.bb index d07bb017ea..429839b622 100644 --- a/meta/recipes-devtools/python/python3_3.10.2.bb +++ b/meta/recipes-devtools/python/python3_3.10.2.bb @@ -49,12 +49,12 @@ UPSTREAM_CHECK_URI = "https://www.python.org/downloads/source/" CVE_PRODUCT = "python" # Upstream consider this expected behaviour -CVE_CHECK_WHITELIST += "CVE-2007-4559" +CVE_CHECK_IGNORE += "CVE-2007-4559" # This is not exploitable when glibc has CVE-2016-10739 fixed. -CVE_CHECK_WHITELIST += "CVE-2019-18348" +CVE_CHECK_IGNORE += "CVE-2019-18348" # This is windows only issue. -CVE_CHECK_WHITELIST += "CVE-2020-15523" +CVE_CHECK_IGNORE += "CVE-2020-15523" PYTHON_MAJMIN = "3.10" diff --git a/meta/recipes-devtools/qemu/qemu.inc b/meta/recipes-devtools/qemu/qemu.inc index 80b83be63f..94190b52f4 100644 --- a/meta/recipes-devtools/qemu/qemu.inc +++ b/meta/recipes-devtools/qemu/qemu.inc @@ -36,15 +36,15 @@ SRC_URI:append:class-target = " file://cross.patch" SRC_URI:append:class-nativesdk = " file://cross.patch" # Applies against virglrender < 0.6.0 and not qemu itself -CVE_CHECK_WHITELIST += "CVE-2017-5957" +CVE_CHECK_IGNORE += "CVE-2017-5957" # The VNC server can expose host files uder some circumstances. We don't # enable it by default. -CVE_CHECK_WHITELIST += "CVE-2007-0998" +CVE_CHECK_IGNORE += "CVE-2007-0998" # 'The issues identified by this CVE were determined to not constitute a vulnerability.' # https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11 -CVE_CHECK_WHITELIST += "CVE-2018-18438" +CVE_CHECK_IGNORE += "CVE-2018-18438" COMPATIBLE_HOST:mipsarchn32 = "null" COMPATIBLE_HOST:mipsarchn64 = "null" diff --git a/meta/recipes-devtools/rsync/rsync_3.2.3.bb b/meta/recipes-devtools/rsync/rsync_3.2.3.bb index 1cdf509004..b950e30b46 100644 --- a/meta/recipes-devtools/rsync/rsync_3.2.3.bb +++ b/meta/recipes-devtools/rsync/rsync_3.2.3.bb @@ -20,7 +20,7 @@ SRC_URI = "https://download.samba.org/pub/${BPN}/src/${BP}.tar.gz \ SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e" # -16548 required for v3.1.3pre1. Already in v3.1.3. -CVE_CHECK_WHITELIST += " CVE-2017-16548 " +CVE_CHECK_IGNORE += " CVE-2017-16548 " inherit autotools-brokensep diff --git a/meta/recipes-devtools/tcltk/tcl_8.6.11.bb b/meta/recipes-devtools/tcltk/tcl_8.6.11.bb index 7ead00d489..9f6b003ffb 100644 --- a/meta/recipes-devtools/tcltk/tcl_8.6.11.bb +++ b/meta/recipes-devtools/tcltk/tcl_8.6.11.bb @@ -31,7 +31,7 @@ SRC_URI:class-native = "${BASE_SRC_URI}" # Upstream don't believe this is an exploitable issue # https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7 -CVE_CHECK_WHITELIST += "CVE-2021-35331" +CVE_CHECK_IGNORE += "CVE-2021-35331" UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src" diff --git a/meta/recipes-extended/cpio/cpio_2.13.bb b/meta/recipes-extended/cpio/cpio_2.13.bb index b4dbff1157..e72a114de9 100644 --- a/meta/recipes-extended/cpio/cpio_2.13.bb +++ b/meta/recipes-extended/cpio/cpio_2.13.bb @@ -18,7 +18,7 @@ SRC_URI[sha256sum] = "e87470d9c984317f658567c03bfefb6b0c829ff17dbf6b0de48d71a4c8 inherit autotools gettext texinfo # Issue applies to use of cpio in SUSE/OBS, doesn't apply to us -CVE_CHECK_WHITELIST += "CVE-2010-4226" +CVE_CHECK_IGNORE += "CVE-2010-4226" EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}" diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc index 05c1e34a77..6f28dc30d0 100644 --- a/meta/recipes-extended/cups/cups.inc +++ b/meta/recipes-extended/cups/cups.inc @@ -21,11 +21,11 @@ UPSTREAM_CHECK_URI = "https://github.com/OpenPrinting/cups/releases" UPSTREAM_CHECK_REGEX = "cups-(?P<pver>(?!.+\d(b|rc)\d.+).+)-source.tar" # Issue only applies to MacOS -CVE_CHECK_WHITELIST += "CVE-2008-1033" +CVE_CHECK_IGNORE += "CVE-2008-1033" # Issue affects pdfdistiller plugin used with but not part of cups -CVE_CHECK_WHITELIST += "CVE-2009-0032" +CVE_CHECK_IGNORE += "CVE-2009-0032" # This is an Ubuntu only issue. -CVE_CHECK_WHITELIST += "CVE-2018-6553" +CVE_CHECK_IGNORE += "CVE-2018-6553" LEAD_SONAME = "libcupsdriver.so" @@ -117,4 +117,4 @@ cups_sysroot_preprocess () { # -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is # root:root, so this doesn't apply. -CVE_CHECK_WHITELIST += "CVE-2021-25317" +CVE_CHECK_IGNORE += "CVE-2021-25317" diff --git a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb index 5f0fa67aa7..c28e62f089 100644 --- a/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb +++ b/meta/recipes-extended/ghostscript/ghostscript_9.55.0.bb @@ -21,7 +21,7 @@ UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)\.tar" # As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources # however we use an external jpeg which doesn't have the issue. -CVE_CHECK_WHITELIST += "CVE-2013-6629" +CVE_CHECK_IGNORE += "CVE-2013-6629" def gs_verdir(v): return "".join(v.split(".")) diff --git a/meta/recipes-extended/iputils/iputils_20211215.bb b/meta/recipes-extended/iputils/iputils_20211215.bb index 29eec163b7..3ddce0be54 100644 --- a/meta/recipes-extended/iputils/iputils_20211215.bb +++ b/meta/recipes-extended/iputils/iputils_20211215.bb @@ -21,7 +21,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)" # Fixed in 2000-10-10, but the versioning of iputils # breaks the version order. -CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214" +CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214" PACKAGECONFIG ??= "libcap rarpd \ ${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ninfod', '', d)} \ diff --git a/meta/recipes-extended/logrotate/logrotate_3.19.0.bb b/meta/recipes-extended/logrotate/logrotate_3.19.0.bb index 929350dcfb..2a60d9b31f 100644 --- a/meta/recipes-extended/logrotate/logrotate_3.19.0.bb +++ b/meta/recipes-extended/logrotate/logrotate_3.19.0.bb @@ -18,7 +18,7 @@ SRC_URI = "https://github.com/${BPN}/${BPN}/releases/download/${PV}/${BP}.tar.xz SRC_URI[sha256sum] = "ddd5274d684c5c99ca724e8069329f343ebe376e07493d537d9effdc501214ba" # These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used -CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" +CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550" PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}" diff --git a/meta/recipes-extended/procps/procps_3.3.17.bb b/meta/recipes-extended/procps/procps_3.3.17.bb index 97f341488a..0f5575c9ab 100644 --- a/meta/recipes-extended/procps/procps_3.3.17.bb +++ b/meta/recipes-extended/procps/procps_3.3.17.bb @@ -75,7 +75,7 @@ python __anonymous() { # 'ps' isn't suitable for use as a security tool so whitelist this CVE. # https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3 -CVE_CHECK_WHITELIST += "CVE-2018-1121" +CVE_CHECK_IGNORE += "CVE-2018-1121" PROCPS_PACKAGES = "${PN}-lib \ ${PN}-ps \ diff --git a/meta/recipes-extended/shadow/shadow_4.11.1.bb b/meta/recipes-extended/shadow/shadow_4.11.1.bb index 2fbd81bf72..40b11345c9 100644 --- a/meta/recipes-extended/shadow/shadow_4.11.1.bb +++ b/meta/recipes-extended/shadow/shadow_4.11.1.bb @@ -8,4 +8,4 @@ BBCLASSEXTEND = "native nativesdk" # Severity is low and marked as closed and won't fix. # https://bugzilla.redhat.com/show_bug.cgi?id=884658 -CVE_CHECK_WHITELIST += "CVE-2013-4235" +CVE_CHECK_IGNORE += "CVE-2013-4235" diff --git a/meta/recipes-extended/unzip/unzip_6.0.bb b/meta/recipes-extended/unzip/unzip_6.0.bb index 0bc6abcd4b..4720fddf48 100644 --- a/meta/recipes-extended/unzip/unzip_6.0.bb +++ b/meta/recipes-extended/unzip/unzip_6.0.bb @@ -34,7 +34,7 @@ SRC_URI[md5sum] = "62b490407489521db863b523a7f86375" SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37" # Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source -CVE_CHECK_WHITELIST += "CVE-2008-0888" +CVE_CHECK_IGNORE += "CVE-2008-0888" # exclude version 5.5.2 which triggers a false positive UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz" diff --git a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb index e64494e54e..62ee70d244 100644 --- a/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb +++ b/meta/recipes-extended/xinetd/xinetd_2.3.15.4.bb @@ -18,7 +18,7 @@ SRCREV = "6a4af7786630ce48747d9687e2f18f45ea6684c4" S = "${WORKDIR}/git" # https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision -CVE_CHECK_WHITELIST += "CVE-2013-4342" +CVE_CHECK_IGNORE += "CVE-2013-4342" inherit autotools update-rc.d systemd pkgconfig diff --git a/meta/recipes-extended/zip/zip_3.0.bb b/meta/recipes-extended/zip/zip_3.0.bb index 18b5d8648e..3fea75125e 100644 --- a/meta/recipes-extended/zip/zip_3.0.bb +++ b/meta/recipes-extended/zip/zip_3.0.bb @@ -21,10 +21,10 @@ SRC_URI[md5sum] = "7b74551e63f8ee6aab6fbc86676c0d37" SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369" # Disputed and also Debian doesn't consider a vulnerability -CVE_CHECK_WHITELIST += "CVE-2018-13410" +CVE_CHECK_IGNORE += "CVE-2018-13410" # Not for zip but for smart contract implementation for it -CVE_CHECK_WHITELIST += "CVE-2018-13684" +CVE_CHECK_IGNORE += "CVE-2018-13684" # zip.inc sets CFLAGS, but what Makefile actually uses is # CFLAGS_NOOPT. It will also force -O3 optimization, overriding diff --git a/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb b/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb index 20cac71c55..fa3253b616 100644 --- a/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb +++ b/meta/recipes-gnome/libnotify/libnotify_0.7.9.bb @@ -35,4 +35,4 @@ RCONFLICTS:${PN} += "libnotify3" RREPLACES:${PN} += "libnotify3" # -7381 is specific to the NodeJS bindings -CVE_CHECK_WHITELIST += "CVE-2013-7381" +CVE_CHECK_IGNORE += "CVE-2013-7381" diff --git a/meta/recipes-gnome/librsvg/librsvg_2.52.5.bb b/meta/recipes-gnome/librsvg/librsvg_2.52.5.bb index f4b3773bf7..1279c663f7 100644 --- a/meta/recipes-gnome/librsvg/librsvg_2.52.5.bb +++ b/meta/recipes-gnome/librsvg/librsvg_2.52.5.bb @@ -51,7 +51,7 @@ do_compile:prepend() { } # Issue only on windows -CVE_CHECK_WHITELIST += "CVE-2018-1000041" +CVE_CHECK_IGNORE += "CVE-2018-1000041" CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders" diff --git a/meta/recipes-graphics/builder/builder_0.1.bb b/meta/recipes-graphics/builder/builder_0.1.bb index f448465f9a..39be3bd63f 100644 --- a/meta/recipes-graphics/builder/builder_0.1.bb +++ b/meta/recipes-graphics/builder/builder_0.1.bb @@ -30,4 +30,4 @@ do_install () { } # -4178 is an unrelated 'builder' -CVE_CHECK_WHITELIST = "CVE-2008-4178" +CVE_CHECK_IGNORE = "CVE-2008-4178" diff --git a/meta/recipes-graphics/xorg-font/font-util_1.3.2.bb b/meta/recipes-graphics/xorg-font/font-util_1.3.2.bb index 84e1d377a8..b3e832756b 100644 --- a/meta/recipes-graphics/xorg-font/font-util_1.3.2.bb +++ b/meta/recipes-graphics/xorg-font/font-util_1.3.2.bb @@ -19,4 +19,4 @@ BBCLASSEXTEND = "native" SRC_URI[md5sum] = "3d6adb76fdd072db8c8fae41b40855e8" SRC_URI[sha256sum] = "3ad880444123ac06a7238546fa38a2a6ad7f7e0cc3614de7e103863616522282" -SYSROOT_DIRS_BLACKLIST:remove = "${datadir}/fonts" +SYSROOT_DIRS_IGNORE:remove = "${datadir}/fonts" diff --git a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc index fad2962948..60bc8c76fa 100644 --- a/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc +++ b/meta/recipes-graphics/xorg-lib/xorg-lib-common.inc @@ -18,7 +18,7 @@ EXTRA_OECONF = "--disable-specs --without-groff --without-ps2pdf --without-fop" PACKAGECONFIG ??= "" PACKAGECONFIG[xmlto] = "--with-xmlto, --without-xmlto, xmlto-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native" -UNKNOWN_CONFIGURE_WHITELIST += "--enable-malloc0returnsnull --disable-malloc0returnsnull \ +UNKNOWN_CONFIGURE_OPT_IGNORE += "--enable-malloc0returnsnull --disable-malloc0returnsnull \ --disable-specs --without-groff --without-ps2pdf --without-fop \ --without-xmlto --with-xmlto \ " diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc index 5b7d0cd292..057a1ba6ad 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg.inc @@ -21,13 +21,13 @@ UPSTREAM_CHECK_REGEX = "xorg-server-(?P<pver>\d+(\.(?!99)\d+)+)\.tar" CVE_PRODUCT = "xorg-server x_server" # This is specific to Debian's xserver-wrapper.c -CVE_CHECK_WHITELIST += "CVE-2011-4613" +CVE_CHECK_IGNORE += "CVE-2011-4613" # As per upstream, exploiting this flaw is non-trivial and it requires exact # timing on the behalf of the attacker. Many graphical applications exit if their # connection to the X server is lost, so a typical desktop session is either # impossible or difficult to exploit. There is currently no upstream patch # available for this flaw. -CVE_CHECK_WHITELIST += "CVE-2020-25697" +CVE_CHECK_IGNORE += "CVE-2020-25697" S = "${WORKDIR}/${XORG_PN}-${PV}" diff --git a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb index 7791b0eecf..61e3d92e95 100644 --- a/meta/recipes-multimedia/libpng/libpng_1.6.37.bb +++ b/meta/recipes-multimedia/libpng/libpng_1.6.37.bb @@ -32,4 +32,4 @@ FILES:${PN}-tools = "${bindir}/png-fix-itxt ${bindir}/pngfix ${bindir}/pngcp" BBCLASSEXTEND = "native nativesdk" # CVE-2019-17371 is actually a memory leak in gif2png 2.x -CVE_CHECK_WHITELIST += "CVE-2019-17371" +CVE_CHECK_IGNORE += "CVE-2019-17371" diff --git a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb index eb3f983ba1..b8e703d084 100644 --- a/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb +++ b/meta/recipes-multimedia/libsndfile/libsndfile1_1.0.28.bb @@ -43,4 +43,4 @@ do_install:append() { # This can't be replicated and is just a memory leak. # https://github.com/erikd/libsndfile/issues/398 -CVE_CHECK_WHITELIST += "CVE-2018-13419" +CVE_CHECK_IGNORE += "CVE-2018-13419" diff --git a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb index 86b55ad284..6b933a409b 100644 --- a/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb +++ b/meta/recipes-multimedia/libtiff/tiff_4.3.0.bb @@ -20,7 +20,7 @@ UPSTREAM_CHECK_REGEX = "tiff-(?P<pver>\d+(\.\d+)+).tar" # Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 # and 4.3.0 doesn't have the issue -CVE_CHECK_WHITELIST += "CVE-2015-7313" +CVE_CHECK_IGNORE += "CVE-2015-7313" inherit autotools multilib_header diff --git a/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb b/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb index b9173d84d8..866f3932f6 100644 --- a/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb +++ b/meta/recipes-support/libgcrypt/libgcrypt_1.9.4.bb @@ -30,7 +30,7 @@ SRC_URI = "${GNUPG_MIRROR}/libgcrypt/libgcrypt-${PV}.tar.bz2 \ SRC_URI[sha256sum] = "ea849c83a72454e3ed4267697e8ca03390aee972ab421e7df69dfe42b65caaf7" # Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro. -CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438" +CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438" BINCONFIG = "${bindir}/libgcrypt-config" diff --git a/meta/recipes-support/lz4/lz4_1.9.3.bb b/meta/recipes-support/lz4/lz4_1.9.3.bb index abcf25f873..129a86b681 100644 --- a/meta/recipes-support/lz4/lz4_1.9.3.bb +++ b/meta/recipes-support/lz4/lz4_1.9.3.bb @@ -20,7 +20,7 @@ UPSTREAM_CHECK_GITTAGREGEX = "v(?P<pver>.*)" S = "${WORKDIR}/git" # Fixed in r118, which is larger than the current version. -CVE_CHECK_WHITELIST += "CVE-2014-4715" +CVE_CHECK_IGNORE += "CVE-2014-4715" EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" diff --git a/meta/recipes-support/sqlite/sqlite3_3.37.2.bb b/meta/recipes-support/sqlite/sqlite3_3.37.2.bb index 56364b4828..eb684e0d14 100644 --- a/meta/recipes-support/sqlite/sqlite3_3.37.2.bb +++ b/meta/recipes-support/sqlite/sqlite3_3.37.2.bb @@ -7,8 +7,8 @@ SRC_URI = "http://www.sqlite.org/2022/sqlite-autoconf-${SQLITE_PV}.tar.gz" SRC_URI[sha256sum] = "4089a8d9b467537b3f246f217b84cd76e00b1d1a971fe5aca1e30e230e46b2d8" # -19242 is only an issue in specific development branch commits -CVE_CHECK_WHITELIST += "CVE-2019-19242" +CVE_CHECK_IGNORE += "CVE-2019-19242" # This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA) -CVE_CHECK_WHITELIST += "CVE-2015-3717" +CVE_CHECK_IGNORE += "CVE-2015-3717" # Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f -CVE_CHECK_WHITELIST += "CVE-2021-36690" +CVE_CHECK_IGNORE += "CVE-2021-36690" |