[OE-core] [master] [PATCH] strace: add vendor to CVE_PRODUCT to exclude false positives

[OE-core] [master] [PATCH] strace: add vendor to CVE_PRODUCT to exclude false positives

[Madhu Marri]

- To avoid false positives such as CVE-2000-0006, add the CVE_PRODUCT
value with the vendor.
- The CVE-2000-0006 has the vendor paul_kranenburg:strace.
- This change has been verified by running do_cve_check task for
strace package.

Signed-off-by: Madhu Marri <madmarri@cisco.com>
---
 meta/recipes-devtools/strace/strace_6.12.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/strace/strace_6.12.bb b/meta/recipes-devtools/strace/strace_6.12.bb
index c16e5dc478..0cbaead216 100644
--- a/meta/recipes-devtools/strace/strace_6.12.bb
+++ b/meta/recipes-devtools/strace/strace_6.12.bb
@@ -53,3 +53,6 @@ do_install_ptest() {
 RDEPENDS:${PN}-ptest += "make coreutils grep gawk sed locale-base-en-us"
 
 BBCLASSEXTEND = "native"
+
+# adding 'CVE_PRODUCT' to avoid false detection of CVEs
+CVE_PRODUCT = "strace:strace"
-- 
2.44.1

Re: [OE-core] [master] [PATCH] strace: add vendor to CVE_PRODUCT to exclude false positives

[Ross Burton]

On 15 Jan 2025, at 15:29, Madhu Marri via lists.openembedded.org <madmarri=cisco.com@lists.openembedded.org> wrote:
> 
> - To avoid false positives such as CVE-2000-0006, add the CVE_PRODUCT
> value with the vendor.

But CVE-2000-0006 is specific to this strace, not another strace.

Quoting from the original reference (https://web.archive.org/web/20030710214947/http://www.securityfocus.com/archive/1/39831):

“””
When you see snippet from strace, that says:

open("/etc/passwd", O_RDONLY) = 3

Do you trust it? You should not.
“””

You may disagree with the premise of the CVE and mark it as not an issue, but it _is_ a strace CVE.

Ross