[OE-core] [scarthgap] [PATCH v1 3/4] cve-check-map: add new statuses - Het Patel -X (hetpat

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" <hetpat@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [OE-core] [scarthgap] [PATCH v1 3/4] cve-check-map: add new statuses
Date: Tue, 17 Mar 2026 22:39:05 -0700	[thread overview]
Message-ID: <20260318053906.26606-4-hetpat@cisco.com> (raw)
In-Reply-To: <20260318053906.26606-1-hetpat@cisco.com>

From: Marta Rybczynska <rybczynska@gmail.com>

Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated
by the cve-check.

'fix-file-included' means that a fix file for the CVE has been located.

'version-not-in-range' means that the product version has been found outside of
the vulnerable range.

'version-in-range' means that the product version has been found inside of the
vulnerable range.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit d25f1817752bc8a84c40dcbef75f7559801ce15e)
Signed-off-by: Het Patel <hetpat@cisco.com>
---
 meta/conf/cve-check-map.conf | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index 17b0f15571..ac956379d1 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
 CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
 # use when NVD DB does not mention correct version or does not mention any verion at all
 CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+# use when a fix file has been included (set automatically)
+CVE_CHECK_STATUSMAP[fix-file-included] = "Patched"
+# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically)
+CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched"
 
 # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
 CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
 # use when CVE is confirmed by upstream but fix is still not available
 CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically)
+CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched"
 
 # used for migration from old concept, do not use for new vulnerabilities
 CVE_CHECK_STATUSMAP[ignored] = "Ignored"
@@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
+# use when it is impossible to conclude if the vulnerability is present or not
+CVE_CHECK_STATUSMAP[unknown] = "Unknown"

next prev parent reply	other threads:[~2026-03-18  5:39 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-18  5:39 [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect CVE assessments and runtime warnings - cover letter Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18  5:39 ` [OE-core] [scarthgap] [PATCH v1 1/4] cve-check: encode affected product/vendor in CVE_STATUS Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18  7:31   ` Marko, Peter (FT D EU SK BFS1)
2026-03-18 12:54     ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18  5:39 ` [OE-core] [scarthgap] [PATCH v1 2/4] cve-check: annotate CVEs during analysis Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18  7:38   ` Marko, Peter (FT D EU SK BFS1)
2026-03-18 12:55     ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18  5:39 ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-03-18  5:39 ` [OE-core] [scarthgap] [PATCH v1 4/4] cve-check: fix debug message Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18 11:07 ` [OE-core] [scarthgap] [PATCH v1 0/4] cve-check: fix incorrect CVE assessments and runtime warnings - cover letter Yoann Congal
2026-03-18 12:57   ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-18 13:10     ` Yoann Congal
2026-03-18 13:15       ` Yoann Congal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:17b0f1557 dfblob:ac956379d )
 OR (
bs:"[OE-core] [scarthgap] [PATCH v1 3/4] cve-check-map: add new statuses" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260318053906.26606-4-hetpat@cisco.com \
    --to=hetpat@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=vchavda@cisco.com \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox