[scarthgap] strace: add vendor to CVE_PRODUCT to exclude false positives

Message ID: 20250109102051.3685800-1-madmarri@cisco.com
State: Awaiting Upstream
Delegated to: Steve Sakoman
Series: [scarthgap] strace: add vendor to CVE_PRODUCT to exclude false positives

Commit Message

- To avoid false positives such as CVE-2000-0006, add the CVE_PRODUCT
value with the vendor.
- The CVE-2000-0006 has the vendor paul_kranenburg:strace.
- This change has been verified by running do_cve_check task for
strace package.

Signed-off-by: Madhu Marri <madmarri@cisco.com>
---
 meta/recipes-devtools/strace/strace_6.7.bb | 3 +++
 1 file changed, 3 insertions(+)

Comments

Steve Sakoman Jan. 10, 2025, 2:05 p.m. UTC | #1
Hi Madhu,

This patch should be submitted and merged to the master branch before
I can take it for the stable branches.

Thanks,

Steve

On Thu, Jan 9, 2025 at 2:21 AM Madhu Marri via lists.openembedded.org
<madmarri=cisco.com@lists.openembedded.org> wrote:
>
> - To avoid false positives such as CVE-2000-0006, add the CVE_PRODUCT
> value with the vendor.
> - The CVE-2000-0006 has the vendor paul_kranenburg:strace.
> - This change has been verified by running do_cve_check task for
> strace package.
>
> Signed-off-by: Madhu Marri <madmarri@cisco.com>
> ---
>  meta/recipes-devtools/strace/strace_6.7.bb | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/recipes-devtools/strace/strace_6.7.bb b/meta/recipes-devtools/strace/strace_6.7.bb
> index c8c83cdf7c..30ac31ee69 100644
> --- a/meta/recipes-devtools/strace/strace_6.7.bb
> +++ b/meta/recipes-devtools/strace/strace_6.7.bb
> @@ -54,3 +54,6 @@ RDEPENDS:${PN}-ptest:append:libc-glibc = "\
>  "
>
>  BBCLASSEXTEND = "native"
> +
> +# adding 'CVE_PRODUCT' to avoid false detection of CVEs
> +CVE_PRODUCT = "strace:strace"
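Review bot: The comment above the new CVE_PRODUCT line says only "to avoid false detection of CVEs" and does not record which entry the vendor prefix is meant to exclude. The commit message carries the useful detail (CVE-2000-0006 is filed under paul_kranenburg:strace); moving that into the comment, for example "# Restrict to vendor strace; CVE-2000-0006 is filed under paul_kranenburg:strace", would let a later reader see why the vendor part must stay when the recipe is upgraded.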
> --
> 2.44.1
>
Hi Steve,

Thanks for the review. I have submitted the patch for the master branch.

Regards
Madhu



Patch

diff --git a/meta/recipes-devtools/strace/strace_6.7.bb b/meta/recipes-devtools/strace/strace_6.7.bb
index c8c83cdf7c..30ac31ee69 100644
--- a/meta/recipes-devtools/strace/strace_6.7.bb
+++ b/meta/recipes-devtools/strace/strace_6.7.bb
@@ -54,3 +54,6 @@  RDEPENDS:${PN}-ptest:append:libc-glibc = "\
 "
 
 BBCLASSEXTEND = "native"
+
+# adding 'CVE_PRODUCT' to avoid false detection of CVEs
+CVE_PRODUCT = "strace:strace"
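Review bot: CVE_PRODUCT = "strace:strace" narrows matching to a single vendor, but the commit message only shows which vendor is being excluded (paul_kranenburg), not that "strace" is the vendor string under which entries for this recipe's upstream are filed. The commit message says do_cve_check was run; stating what the report showed before and after the change (CVE-2000-0006 no longer listed, entries under vendor strace still evaluated) would confirm the filter removes only the false positive and does not hide valid entries.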