From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: dnagodra@cisco.com
Cc: Ross Burton <Ross.Burton@arm.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
"xe-linux-external(mailer list)" <xe-linux-external@cisco.com>
Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes
Date: Mon, 18 Mar 2024 08:31:02 +0200 [thread overview]
Message-ID: <Zfffphmj70A5muCG@nuoska> (raw)
In-Reply-To: <SN7PR11MB6971F0A6CDA076349AF6C9EFD4282@SN7PR11MB6971.namprd11.prod.outlook.com>
Hi,
On Fri, Mar 15, 2024 at 07:52:00PM +0000, Dhairya Nagodra via lists.openembedded.org wrote:
>
>
> >-----Original Message-----
> >From: Ross Burton <Ross.Burton@arm.com>
> >Sent: Friday, March 15, 2024 9:39 PM
> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
> ><dnagodra@cisco.com>
> >Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
> >list) <xe-linux-external@cisco.com>
> >Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
> >classes
> >
> >On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> ><dnagodra=cisco.com@lists.openembedded.org> wrote:
> >>
> >> From: Dhairya Nagodra <dnagodra@cisco.com>
> >>
> >> - There are times when excluding a package that inherits a particular
> >> class/classes may be desired.
> >> - This provides the framework for that via the variable:
> >> CVE_CHECK_CLASS_EXCLUDELIST
> >
> >What’s the use-case for this? Note that you can control whether cve-check
> >runs per-layer already, if that’s useful.
>
> Currently, the CVE report is generated for all packages associated with the build.
> However, not all of them might be getting used in the target device.
> The package associated with native, nativesdk, cross classes are examples of such.
> This patch would provide a way to exclude these packages in the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native",
> The report would not have the entries for these packages:
> gnupg-native, nasm-native, binutils-native (and so on)
>
> This is helpful when one wants to concentrate their CVE fixing efforts to the
> specific packages going into the target device.
CVE check generates report summaries for all images already. Doesn't that cover this
use case?
And many build tools end up talking to servers in the Internet so detecting
and fixing CVEs in them is also quite important.
Cheers,
-Mikko
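To make the two positions in this thread concrete, the block below is an added example, not the patch under discussion or any code from OE-core. It emulates what a CVE_CHECK_CLASS_EXCLUDELIST filter would do to a cve-check report, and, for Mikko's point, shows the alternative of trimming the same report to the packages in an image manifest. The recipe-to-class mapping, the package names, the CVE ids (zero-padded placeholders) and the report layout are all constructed here; the report shape only approximates cve-check's JSON output and the `inherits_class` helper stands in for BitBake's `bb.data.inherits_class`, which is not available outside a build.

```python
"""Emulate class-based and image-based filtering of a cve-check style report.

Everything below is constructed for illustration: the class mapping,
the report contents and the CVE ids are not real data.
"""

# Constructed stand-in for bb.data.inherits_class(cls, d): which classes
# each recipe inherits.
RECIPE_CLASSES = {
    "gnupg-native": ["native"],
    "nasm-native": ["native"],
    "binutils-cross-aarch64": ["cross"],
    "nativesdk-openssl": ["nativesdk"],
    "openssl": [],
    "busybox": [],
}

# Constructed report. The layout (a "package" list whose entries carry an
# "issue" list with "id" and "status") is an assumption modelled on
# cve-check's JSON output; the CVE ids are placeholders.
SAMPLE_REPORT = {
    "version": "1",
    "package": [
        {"name": "gnupg-native", "version": "0.0", "issue": [
            {"id": "CVE-0000-0001", "status": "Unpatched"}]},
        {"name": "nasm-native", "version": "0.0", "issue": [
            {"id": "CVE-0000-0004", "status": "Patched"}]},
        {"name": "binutils-cross-aarch64", "version": "0.0", "issue": [
            {"id": "CVE-0000-0005", "status": "Unpatched"}]},
        {"name": "nativesdk-openssl", "version": "0.0", "issue": [
            {"id": "CVE-0000-0002", "status": "Unpatched"}]},
        {"name": "openssl", "version": "0.0", "issue": [
            {"id": "CVE-0000-0002", "status": "Unpatched"},
            {"id": "CVE-0000-0003", "status": "Patched"}]},
        {"name": "busybox", "version": "0.0", "issue": []},
    ],
}


def inherits_class(recipe, cls):
    """Hypothetical replacement for bb.data.inherits_class in a build."""
    return cls in RECIPE_CLASSES.get(recipe, [])


def is_excluded(recipe, excludelist):
    """True if the recipe inherits any class named in the space-separated
    CVE_CHECK_CLASS_EXCLUDELIST value (empty value excludes nothing)."""
    return any(inherits_class(recipe, cls) for cls in excludelist.split())


def filter_by_class(report, excludelist):
    """Drop report entries for recipes inheriting an excluded class,
    i.e. the behaviour the patch proposes for the full-build report."""
    kept = [p for p in report["package"] if not is_excluded(p["name"], excludelist)]
    return {"version": report["version"], "package": kept}


def filter_by_manifest(report, manifest_packages):
    """Keep only packages that actually ship in an image, which is what a
    per-image summary gives you without any class exclusion."""
    kept = [p for p in report["package"] if p["name"] in manifest_packages]
    return {"version": report["version"], "package": kept}


def package_names(report):
    return [p["name"] for p in report["package"]]


def unpatched_summary(report):
    """Map each package with open findings to its unpatched CVE ids."""
    summary = {}
    for pkg in report["package"]:
        ids = [i["id"] for i in pkg["issue"] if i["status"] == "Unpatched"]
        if ids:
            summary[pkg["name"]] = ids
    return summary


if __name__ == "__main__":
    # Class-based exclusion: native tools drop out, cross/nativesdk stay
    # unless listed too.
    by_class = filter_by_class(SAMPLE_REPORT, "native")
    print("excluding native:", package_names(by_class))
    print("unpatched:", unpatched_summary(by_class))
    # Image-based view: only what the target actually ships.
    by_image = filter_by_manifest(SAMPLE_REPORT, {"openssl", "busybox"})
    print("image only:", unpatched_summary(by_image))
```

Note how the two filters disagree on `nativesdk-openssl` and `binutils-cross-aarch64`: a class excludelist only removes what you name, while an image manifest removes everything that does not ship, but also drops the build-host tools Mikko points out still talk to the network and still need their CVEs tracked. Keeping the unfiltered report and deriving views from it preserves both answers.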