From: Marta Rybczynska <rybczynska@gmail.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@syslinbit.com>,
Samantha Jalabert <samantha.jalabert@syslinbit.com>
Subject: [OE-core][PATCH v3 4/5] cve-check-map: add new statuses
Date: Wed, 24 Jul 2024 17:25:29 +0200 [thread overview]
Message-ID: <20240724152530.25856-4-marta.rybczynska@syslinbit.com> (raw)
In-Reply-To: <20240724152530.25856-1-marta.rybczynska@syslinbit.com>
Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated
by the cve-check.
'fix-file-included' means that a fix file for the CVE has been located.
'version-not-in-range' means that the product version has been found outside of
the vulnerable range.
'version-in-range' means that the product version has been found inside of the
vulnerable range.
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
---
meta/conf/cve-check-map.conf | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index 17b0f15571..ac956379d1 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
# use when NVD DB does not mention correct version or does not mention any verion at all
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+# use when a fix file has been included (set automatically)
+CVE_CHECK_STATUSMAP[fix-file-included] = "Patched"
+# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically)
+CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched"
# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
# use when CVE is confirmed by upstream but fix is still not available
CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically)
+CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched"
# used for migration from old concept, do not use for new vulnerabilities
CVE_CHECK_STATUSMAP[ignored] = "Ignored"
@@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
# use when upstream acknowledged the vulnerability but does not plan to fix it
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
+# use when it is impossible to conclude if the vulnerability is present or not
+CVE_CHECK_STATUSMAP[unknown] = "Unknown"
--
2.43.0
next prev parent reply other threads:[~2024-07-24 15:26 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 15:25 [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 2/5] cve_check: Update selftest with new status detail Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 3/5] vex.bbclass: add a new class Marta Rybczynska
2024-07-26 12:09 ` Ross Burton
2024-07-26 12:12 ` Ross Burton
2024-07-26 12:23 ` Marta Rybczynska
2024-07-26 12:22 ` Marta Rybczynska
2024-07-24 15:25 ` Marta Rybczynska [this message]
2024-07-24 15:25 ` [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice Marta Rybczynska
2024-07-26 12:23 ` Ross Burton
2024-07-26 12:28 ` Marta Rybczynska
2024-08-01 13:47 ` Richard Purdie
2024-08-01 13:58 ` Marta Rybczynska
2024-08-01 14:08 ` Richard Purdie
2024-08-06 13:16 ` Marta Rybczynska
2024-08-06 13:30 ` Richard Purdie
2024-07-24 15:41 ` Patchtest results for [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis patchtest
2024-07-25 14:29 ` Richard Purdie
[not found] ` <399979010dfd02323f49cbd25b95f606@syslinbit.com>
2024-07-25 15:27 ` Richard Purdie
2024-07-26 13:02 ` Marta Rybczynska
2024-08-01 14:25 ` Richard Purdie
2024-08-02 12:50 ` Marta Rybczynska
2024-08-02 13:00 ` Richard Purdie
2024-08-01 13:44 ` Richard Purdie
2024-08-01 14:14 ` Marko, Peter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240724152530.25856-4-marta.rybczynska@syslinbit.com \
--to=rybczynska@gmail.com \
--cc=marta.rybczynska@syslinbit.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=samantha.jalabert@syslinbit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox