On Mon, 2 Oct 2023, 17:53 Alex Stewart, <alex.stew...@ni.com> wrote:

>
>
> On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote:
> > Hi,
> >
> > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
> >> This bolt product does not currently have an entry in the CVE database.
> >> However, the default cve-check logic that maps recipes to products in
> >> the CVE database is incorrectly matching this package to a different
> >> bolt product made by bolt-cms. As a result, CVE checking incorrectly
> >> reports CVEs for that product for this package.
> >>
> >> Signed-off-by: Jeffrey Pautler <jeffrey.paut...@ni.com>
> >> ---
> >>   meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
> >>   1 file changed, 2 insertions(+)
> >>
> >> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> index b6ad6337c..583cc6378 100644
> >> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
> >>
> >>   S = "${WORKDIR}/git"
> >>
> >> +CVE_CHECK_SKIP_RECIPE = "${PN}"
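Review bot: `CVE_CHECK_SKIP_RECIPE = "${PN}"` disables cve-check for this recipe entirely, so any future CVE correctly filed against freedesktop's bolt would also go unreported; since the commit message describes a product-name collision with bolt-cms rather than a broken checker, a vendor-qualified `CVE_PRODUCT` entry (or ignoring the specific mis-attributed CVE ids) would keep the check active. A comment above the added line explaining the bolt-cms mix-up would also help, as the reasoning currently lives only in the commit message.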
> > I think this is wrong and dangerous for anyone who in the future tries to use
> > cve checker for this recipe. Instead, set the CVE product with vendor correctly
> > so that other products/vendors don't mix the results? Hopefully any new CVEs
> > in the future will set the same vendor and product.
>
> Are you suggesting that he set the string to something like...
> `cpe:*:a:freedesktop:bolt:*`
>
> on the hopes that, if the Free Desktop folks open a CPE in the future,
> that it will match?
>

Or you can ignore CVEs that are badly assigned to this project. That works
if there is a manageable number.

Kind regards,
Marta
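
As an added illustration (not code from the thread or from OE-core's cve-check.bbclass), a small Python model of how a CVE_PRODUCT entry with and without a vendor prefix selects CVE records, and how ignoring specific ids compares; the records and CVE ids are constructed placeholders, and the freedesktop vendor string follows Alex's guess rather than a real CPE entry.

```python
# Added example: models CVE_PRODUCT "vendor:product" vs bare "product" matching.
# Not the real cve-check implementation; vendor wildcard is modelled as "*".
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str


# Constructed sample records: placeholder ids stand in for the bolt-cms CVEs that
# cve-check wrongly reported against meta-oe's bolt recipe, plus one hypothetical
# future entry filed under the freedesktop vendor.
SAMPLE_RECORDS = [
    CveRecord("CVE-YYYY-00001", "bolt-cms", "bolt"),
    CveRecord("CVE-YYYY-00002", "bolt-cms", "bolt"),
    CveRecord("CVE-YYYY-00003", "freedesktop", "bolt"),  # hypothetical
]


def parse_cve_product(entry: str) -> tuple:
    """Split one CVE_PRODUCT entry into (vendor, product); a bare product means any vendor."""
    if ":" in entry:
        vendor, product = entry.split(":", 1)
        return vendor, product
    return "*", entry


def matching_cves(cve_product: str, records, ignored=()) -> list:
    """Return CVE ids that apply to a recipe, honouring CVE_PRODUCT and an ignore list."""
    hits = []
    for entry in cve_product.split():
        vendor, product = parse_cve_product(entry)
        for rec in records:
            if rec.product != product:
                continue
            if vendor != "*" and rec.vendor != vendor:
                continue
            if rec.cve_id in ignored or rec.cve_id in hits:
                continue
            hits.append(rec.cve_id)
    return hits


if __name__ == "__main__":
    # Bare product name: bolt-cms records leak in.
    print(matching_cves("bolt", SAMPLE_RECORDS))
    # Vendor-qualified product: only the freedesktop entry remains.
    print(matching_cves("freedesktop:bolt", SAMPLE_RECORDS))
```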
