On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
wrote:
>
> On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
> wrote:
> >
> > The CVE database correctly reports CVEs for oracle_berkeley_db and
> > berkeley_db.  We use the oracle_berkeley_db source tree and therefore
> > should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkeley_db.
>
> Please hold off on taking this patch -- I need to do some more
> research.  I may have confused myself :-(

I did indeed confuse myself, so ignore this patch.

The CVE database is reporting CVEs for the Oracle db code base under
the name berkeley_db, so the original patch in question is indeed
correct and the CVEs are valid.

Our CVE reporting has been whitelisting db CVEs.  I'm going to remove
that from the tool and submit a patch to add the db CVEs to the
exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
since it seems unlikely that we will be moving to a version of db with
these issues fixed.

Steve

> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <st...@sakoman.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb 
> > b/meta/recipes-support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE = 
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
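Review bot: On the CVE_PRODUCT line, dropping berkeley_db stops the scanner from matching anything filed under that product name, yet the commit message neither lists the CVEs it considers false positives nor shows that they are fixed in 5.3.28. Keep both product names and handle any confirmed false positive as an individual per-CVE exclusion with its reason recorded, so that valid entries filed under berkeley_db are still reported for this recipe.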
> > --
> > 2.25.1