Hi Steve,

When do you plan to add these db CVEs in the 
'meta/conf/distro/include/cve-extra-exclusions.inc' file?


Thanks,

Best Regards,

Ranjitsinh Rathod
Technical Leader | KPIT Technologies Ltd.
Cellphone: +91-84606 92403
__________________________________________
KPIT<http://www.kpit.com/> | Follow us on LinkedIn<http://www.kpit.com/linkedin>


________________________________
From: openembedded-core@lists.openembedded.org 
<openembedded-core@lists.openembedded.org> on behalf of Steve Sakoman via 
lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
Sent: Wednesday, September 15, 2021 12:38 AM
To: Steve Sakoman <st...@sakoman.com>
Cc: Patches and discussions about the oe-core layer 
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core] [PATCH] [master] [dunfell] [hardknott] Revert "db: 
update CVE_PRODUCT"

On Tue, Sep 14, 2021 at 8:41 AM Steve Sakoman via
lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
wrote:
>
> On Tue, Sep 14, 2021 at 8:04 AM Steve Sakoman via
> lists.openembedded.org <steve=sakoman....@lists.openembedded.org>
> wrote:
> >
> > The CVE database correctly reports CVEs for oracle_berkeley_db and
> > berkeley_db.  We use the oracle_berkeley_db source tree and therefore
> > should only check for oracle_berkeley_db CVEs. Otherwise the scanner
> > falsely reports CVEs that are fixed in oracle_berkeley_db
>
> Please hold off on taking this patch -- I need to do some more
> research.  I may have confused myself :-(

I did indeed confuse myself, so ignore this patch.

The CVE database is reporting CVEs for the Oracle db code base under
the name berkeley_db, so the original patch in question is indeed
correct and the CVEs are valid.

Our CVE reporting has been whitelisting db CVEs.  I'm going to remove
that from the tool and submit a patch to add the db CVEs to the
exclusion list in meta/conf/distro/include/cve-extra-exclusions.inc
since it seems unlikely that we will be moving to a version of db with
these issues fixed.

Steve

> > This reverts commit ad799b109716ccd2f44dcf7a6a4cfcbd622ea661.
> >
> > Signed-off-by: Steve Sakoman <st...@sakoman.com>
> > ---
> >  meta/recipes-support/db/db_5.3.28.bb | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/db/db_5.3.28.bb 
> > b/meta/recipes-support/db/db_5.3.28.bb
> > index d5b788a3d7..5e9305ab06 100644
> > --- a/meta/recipes-support/db/db_5.3.28.bb
> > +++ b/meta/recipes-support/db/db_5.3.28.bb
> > @@ -15,7 +15,7 @@ HOMEPAGE = 
> > "https://www.oracle.com/database/technologies/related/berkeleydb.html
> >  LICENSE = "Sleepycat"
> >  RCONFLICTS:${PN} = "db3"
> >
> > -CVE_PRODUCT = "oracle_berkeley_db berkeley_db"
> > +CVE_PRODUCT = "oracle_berkeley_db"
> >  CVE_VERSION = "11.2.${PV}"
> >
> >  PR = "r1"
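Review bot: dropping `berkeley_db` from CVE_PRODUCT suppresses real findings rather than false positives: the follow-up in this thread confirms that the CVE database files the Oracle db code base's CVEs under the berkeley_db name, so the commit message's premise that these are duplicates already fixed in oracle_berkeley_db does not hold, and the revert should be dropped (as the author concludes below). For issues that are known not to be fixed in db 5.3.28, the thread's own alternative of listing the specific ids in meta/conf/distro/include/cve-extra-exclusions.inc is preferable, since each excluded CVE stays visible and reviewable instead of a whole product name disappearing from the scan.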
> > --
> > 2.25.1
> >
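To make concrete why the revert hides valid CVEs while the exclusion list only silences reviewed ones, here is a small model of cve-check's product-name matching and exclusion handling. This is an added illustration, not oe-core code or anything from this thread: the CVE records and ids are constructed placeholders, the CVE_PRODUCT and CVE_VERSION values come from the patch above, and the `CVE_CHECK_WHITELIST += "..."` line form is assumed to be the one the exclusion .inc used at the time.

```python
"""Model of how OE-core's cve-check matches NVD product names to a recipe.
Added illustration, not oe-core code; CVE records/ids are constructed
placeholders, CVE_PRODUCT values are the ones from the patch above."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class CveRecord:
    cve_id: str     # constructed placeholder, not a real id
    product: str    # NVD CPE product name
    fixed_in: str   # first fixed version, "" if unfixed in this release line

# Constructed sample: NVD files CVEs for the Oracle code base under "berkeley_db".
NVD_SAMPLE = (
    CveRecord("CVE-0000-0001", "berkeley_db", ""),
    CveRecord("CVE-0000-0002", "berkeley_db", ""),
    CveRecord("CVE-0000-0003", "oracle_berkeley_db", "11.2.5.3.28"),
)

def _ver(s):
    return tuple(int(p) for p in s.split("."))   # simplified dotted compare

def report_cves(cve_products, cve_version, records, ignored=frozenset()):
    """Ids cve-check would flag: product listed in CVE_PRODUCT, recipe version
    below the fix (or no fix at all), and id not on the exclusion list."""
    products = set(cve_products)
    flagged = set()
    for rec in records:
        if rec.product not in products or rec.cve_id in ignored:
            continue
        if not rec.fixed_in or _ver(cve_version) < _ver(rec.fixed_in):
            flagged.add(rec.cve_id)
    return flagged

def parse_exclusions(inc_text):
    """Collect ids from 'CVE_CHECK_WHITELIST += "..."' lines (assumed form of
    the exclusion .inc at the time of this thread; one assignment per line)."""
    ids = set()
    for m in re.finditer(r'^CVE_CHECK_WHITELIST\s*\+=\s*"([^"]*)"', inc_text, re.M):
        ids.update(m.group(1).split())
    return frozenset(ids)

# Constructed fragment in the style of cve-extra-exclusions.inc.
EXCLUSIONS_INC = '''
# db: placeholder id, reviewed and accepted as not fixable in db 5.3.28
CVE_CHECK_WHITELIST += "CVE-0000-0001"
'''
DB_PRODUCTS = {"oracle_berkeley_db", "berkeley_db"}   # CVE_PRODUCT before the revert
DB_VERSION = "11.2.5.3.28"                            # CVE_VERSION = "11.2.${PV}"
```

With both product names the two unfixed berkeley_db ids are reported and the fixed oracle_berkeley_db one is not; with only oracle_berkeley_db nothing is reported at all, whereas the exclusion list removes exactly the one id that was reviewed.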
View/Reply Online (#159023): 
https://lists.openembedded.org/g/openembedded-core/message/159023