Message ID | 20250226150720.143127-1-colinmca242@gmail.com
---|---
State | New
Series | cve-check-map: Add accept-risk tag
On Wed, Feb 26, 2025 at 8:07 AM Colin McAllister via lists.openembedded.org <colinmca242=gmail.com@lists.openembedded.org> wrote:
>
> Adds tag for downstream users of Poky to accept risk for CVEs.
>
> Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
> ---
> Upcoming cybersecurity regulations allow for CVEs to be accepted on a
> risk basis. This tag will allow consumers of Poky to mark CVEs as

s/Poky/end users/

> ignored with this tag, which will help when feeding cve-check output
> into compliance documentation.
>
> This is not intended to be used upstream and the comment tries to
> indicate that. If I need to be more explicit in my comment, I'm happy to
> send up a v2 patch.
>
> meta/conf/cve-check-map.conf | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
> index ac956379d1..ef3aabe641 100644
> --- a/meta/conf/cve-check-map.conf
> +++ b/meta/conf/cve-check-map.conf
> @@ -32,6 +32,8 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" > CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" > # use when upstream acknowledged the vulnerability but does not plan to fix it > CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" > +# for poky consumers to use when adding justification for why they don't plan to fix it Maybe better as something like: "for end users to use when adding justification for why the do not plan to fix a vulnerability (e.g. in local.conf or similar)" > +CVE_CHECK_STATUSMAP[accept-risk] = "Ignored" > > # use when it is impossible to conclude if the vulnerability is present or not > CVE_CHECK_STATUSMAP[unknown] = "Unknown" > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#211961): https://lists.openembedded.org/g/openembedded-core/message/211961 > Mute This Topic: https://lists.openembedded.org/mt/111397328/3616693 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [JPEWhacker@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- >
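Review bot: The comment on the new `+# for poky consumers to use when adding justification for why they don't plan to fix it` line breaks the `# use when ...` phrasing every other entry in this file follows, and "poky consumers" names the wrong audience for a file under meta/conf in openembedded-core, which any downstream distro consumes, not only Poky; "it" also has no antecedent, where the neighbouring comments say "the vulnerability". Suggest keeping the house style and saying where the tag is meant to be set, along the lines of `# use when a downstream accepts the risk of a vulnerability it does not plan to fix (set in local.conf or a distro config, with a justification)`. That wording would also carry the "not intended to be used upstream" intent from the cover letter into the file itself, since right now that intent lives only in the commit message and is invisible to anyone reading cve-check-map.conf.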
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index ac956379d1..ef3aabe641 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf @@ -32,6 +32,8 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" # use when upstream acknowledged the vulnerability but does not plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" +# for poky consumers to use when adding justification for why they don't plan to fix it +CVE_CHECK_STATUSMAP[accept-risk] = "Ignored" # use when it is impossible to conclude if the vulnerability is present or not CVE_CHECK_STATUSMAP[unknown] = "Unknown"
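Review bot: Mapping `accept-risk` to "Ignored" puts a vulnerability that is known to be present into the same bucket as not-applicable-config, not-applicable-platform and upstream-wontfix, so at the "Ignored"/"Unpatched" level of the cve-check output a risk-accepted CVE is indistinguishable from one that does not apply. Given the stated goal of feeding the output into compliance documentation, the comment on the `+CVE_CHECK_STATUSMAP[accept-risk] = "Ignored"` line should say that the justification text following the status key is what a compliance consumer will pick up, and that an `accept-risk` entry without one defeats the purpose. Consider also whether the new entry belongs under its own comment rather than directly after the not-applicable/wontfix group, so readers of the file do not treat "accepted" and "not applicable" as equivalent.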
Adds tag for downstream users of Poky to accept risk for CVEs.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
Upcoming cybersecurity regulations allow for CVEs to be accepted on a
risk basis. This tag will allow consumers of Poky to mark CVEs as
ignored with this tag, which will help when feeding cve-check output
into compliance documentation.

This is not intended to be used upstream and the comment tries to
indicate that. If I need to be more explicit in my comment, I'm happy to
send up a v2 patch.

 meta/conf/cve-check-map.conf | 2 ++
 1 file changed, 2 insertions(+)
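The cover letter's point is that an `accept-risk` entry is useful only when something downstream of cve-check pulls the accepted CVEs and their justifications out of the report; because the new key maps to "Ignored", they vanish from the "Unpatched" count and can only be recovered from the per-issue status key. The script below is an added example (not part of this patch, nor of OE-core's cve-check). It assumes the cve-summary.json layout that cve-check writes (a "package" list whose entries carry an "issue" list with "id", "status", "detail" for the CVE_STATUS key and "description" for the justification text); that layout is an assumption here, and the embedded summary and its CVE-0000-* identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Triage a cve-check JSON summary so risk-accepted CVEs can be reported.

Added example, not code from the patch or from OE-core. Assumed layout of
cve-summary.json: {"package": [{"name": ..., "issue": [{"id": ...,
"status": "Ignored"|"Unpatched"|..., "detail": <CVE_STATUS key>,
"description": <justification, present only when one was given>}]}]}.
"""
import json

# Subset of meta/conf/cve-check-map.conf as it reads with the patch applied;
# only the keys visible in the hunk are reproduced here.
STATUSMAP = {
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
    "accept-risk": "Ignored",
    "unknown": "Unknown",
}

# Constructed sample input. The CVE identifiers are placeholders, not real CVEs.
SAMPLE_SUMMARY = json.dumps({
    "version": "1",
    "package": [
        {
            "name": "libexample",
            "layer": "meta",
            "version": "1.0",
            "issue": [
                {"id": "CVE-0000-0001", "status": "Ignored",
                 "detail": "accept-risk",
                 "description": "Reachable only through the admin CLI, "
                                "which is not shipped on production images"},
                {"id": "CVE-0000-0002", "status": "Ignored",
                 "detail": "accept-risk"},
                {"id": "CVE-0000-0003", "status": "Unpatched",
                 "detail": "unpatched"},
            ],
        },
        {
            "name": "toolfoo",
            "layer": "meta",
            "version": "2.3",
            "issue": [
                {"id": "CVE-0000-0004", "status": "Ignored",
                 "detail": "not-applicable-config",
                 "description": "Affected module is not built (PACKAGECONFIG)"},
            ],
        },
    ],
})


def iter_issues(summary_text):
    """Yield (package name, issue dict) for every issue in the summary."""
    data = json.loads(summary_text)
    for pkg in data.get("package", []):
        for issue in pkg.get("issue", []):
            yield pkg.get("name", "?"), issue


def triage(summary_text):
    """Split issues into the lists a compliance consumer needs.

    accepted:     accept-risk entries with a justification (pkg, cve, text)
    unjustified:  accept-risk entries with no justification (pkg, cve)
    unpatched:    issues still reported as Unpatched (pkg, cve)
    inconsistent: detail key whose mapped status disagrees with "status"
    """
    report = {"accepted": [], "unjustified": [], "unpatched": [], "inconsistent": []}
    for name, issue in iter_issues(summary_text):
        cve = issue["id"]
        status = issue.get("status")
        detail = issue.get("detail")
        justification = (issue.get("description") or "").strip()
        # A mismatch means the summary was produced with a different status map.
        if detail in STATUSMAP and STATUSMAP[detail] != status:
            report["inconsistent"].append((name, cve, detail, status))
        if detail == "accept-risk":
            # Select on the key, not on "Ignored": the mapped status alone
            # cannot tell an accepted risk from a not-applicable entry.
            if justification:
                report["accepted"].append((name, cve, justification))
            else:
                report["unjustified"].append((name, cve))
        elif status == "Unpatched":
            report["unpatched"].append((name, cve))
    return report


def format_report(report):
    """Render the triage result as plain lines suitable for a compliance annex."""
    lines = ["Accepted risks:"]
    lines += [f"  {pkg} {cve}: {why}" for pkg, cve, why in report["accepted"]]
    lines.append("Accepted without justification (fix before sign-off):")
    lines += [f"  {pkg} {cve}" for pkg, cve in report["unjustified"]]
    lines.append("Still unpatched:")
    lines += [f"  {pkg} {cve}" for pkg, cve in report["unpatched"]]
    if report["inconsistent"]:
        lines.append("Status map mismatches:")
        lines += [f"  {pkg} {cve}: {key} -> {st}" for pkg, cve, key, st in report["inconsistent"]]
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(triage(SAMPLE_SUMMARY))))
```

Point the script at the real `cve-summary.json` from `tmp/log/cve/` instead of `SAMPLE_SUMMARY` to use it on a build; the "unjustified" list is the check worth gating a release on, since an `accept-risk` entry with no text behind it is exactly the case that later looks like an unexplained gap in the documentation.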