From: Marta Rybczynska <[email protected]> Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated by the cve-check.
'fix-file-included' means that a fix file for the CVE has been located. 'version-not-in-range' means that the product version has been found outside of the vulnerable range. 'version-in-range' means that the product version has been found inside of the vulnerable range. Signed-off-by: Marta Rybczynska <[email protected]> Signed-off-by: Samantha Jalabert <[email protected]> Signed-off-by: Richard Purdie <[email protected]> (cherry picked from commit d25f1817752bc8a84c40dcbef75f7559801ce15e) Signed-off-by: Het Patel <[email protected]> --- meta/conf/cve-check-map.conf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index 17b0f15571..ac956379d1 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf @@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched" CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" # use when NVD DB does not mention correct version or does not mention any verion at all CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# use when a fix file has been included (set automatically) +CVE_CHECK_STATUSMAP[fix-file-included] = "Patched" +# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched" # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" # use when CVE is confirmed by upstream but fix is still not available CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" +# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched" # used for migration from old concept, do not use for new vulnerabilities CVE_CHECK_STATUSMAP[ignored] = "Ignored" @@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" # use when upstream acknowledged the vulnerability but does not plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" + +# use when it is impossible to conclude if the vulnerability is present or not +CVE_CHECK_STATUSMAP[unknown] = "Unknown"
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#231454): https://lists.openembedded.org/g/openembedded-core/message/231454 Mute This Topic: https://lists.openembedded.org/mt/117905839/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
