[OE-core] [PATCH] cve-check: allow filtering out patched issues

Burton, Ross ross.burton at intel.com
Thu Feb 14 21:06:45 UTC 2019


Also, be aware that cve-check-tool is notorious for unreliable reports
and shouldn't be relied upon: the false negative rate is huge (and not
something that can be fixed in cve-check-tool either).

Ross

On Thu, 14 Feb 2019 at 21:03, Burton, Ross <ross.burton at intel.com> wrote:
>
> The report explicitly lists would-be-vulnerable-but-patched issues and
> marks them as such, so why can't you just ignore them in the report?
>
> Ross
>
> On Thu, 14 Feb 2019 at 19:18, Dan Dedrick <dan.dedrick at gmail.com> wrote:
> >
> > It can be useful to filter out patched issues since they are no longer
> > vulnerable. This makes it easier to sift through what CVEs still might
> > need to be fixed.
> >
> > Signed-off-by: Dan Dedrick <ddedrick at lexmark.com>
> > ---
> >  meta/classes/cve-check.bbclass | 3 +++
> >  1 file changed, 3 insertions(+)
> >
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> > index 743bc08a4f..a486d686ae 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
> >  CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
> >  CVE_CHECK_COPY_FILES ??= "1"
> >  CVE_CHECK_CREATE_MANIFEST ??= "1"
> > +CVE_CHECK_EXCLUDE_PATCHED ??= "0"
> >
> >  # Whitelist for packages (PN)
> >  CVE_CHECK_PN_WHITELIST = "\
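Review bot: the new `CVE_CHECK_EXCLUDE_PATCHED ??= "0"` line has no comment saying what it controls or which values it accepts, while the whitelist block just below it is introduced by one; add a short comment above the assignment, for example `# Set to "1" to drop CVEs that are already patched from the generated report`, so users do not have to read do_cve_check to discover that only the literal "1" enables it.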
> > @@ -54,6 +55,8 @@ python do_cve_check () {
> >      if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
> >          patched_cves = get_patches_cves(d)
> >          patched, unpatched = check_cves(d, patched_cves)
> > +        if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1":
> > +            patched = []
> >          if patched or unpatched:
> >              cve_data = get_cve_info(d, patched + unpatched)
> >              cve_write_data(d, patched, unpatched, cve_data)
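Review bot: the filter at `if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1":` only matches the literal string "1", so a value like "true" or "yes" silently leaves the report unchanged; parsing the value with `oe.types.boolean` (or at least documenting that only "1" is honoured) would avoid that surprise. Separately, replacing `patched` with an empty list before `get_cve_info` and `cve_write_data` discards the patched set for every consumer rather than just the report, so it might be cleaner to pass the flag through to `cve_write_data` and skip the already-marked patched entries there.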
> > --
> > 2.20.1
> >
> > --
> > _______________________________________________
> > Openembedded-core mailing list
> > Openembedded-core at lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-core

