
[v2] cve-check-map: Add accept-risk tag

Message ID 20250226171002.143338-1-colinmca242@gmail.com
State New

Commit Message

Colin Pinnell McAllister Feb. 26, 2025, 5:10 p.m. UTC
Adds a tag for end users to accept risk for CVEs.

Signed-off-by: Colin Pinnell McAllister <colinmca242@gmail.com>
---
Upcoming cybersecurity regulations allow for CVEs to be accepted on a
risk basis. This tag will allow end users to mark CVEs as ignored with
this tag, which will help when feeding cve-check output into compliance
documentation.

This is not intended to be used upstream and the comment tries to
indicate that. If I need to be even more explicit in my comment,
I'm happy to send up a v3 patch :)

V2 Changes:
* Updated wording in comment and commit message

 meta/conf/cve-check-map.conf | 2 ++
 1 file changed, 2 insertions(+)
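The cover letter motivates the new status key by the need to feed cve-check output into compliance documentation. The following is an added example, not part of this patch or of poky, showing what that consumer side can look like: it reads a cve-check JSON report, separates CVEs that still need fixing from those an end user has marked `accept-risk`, and flags `accept-risk` entries that carry no justification text, which is exactly the record a risk-acceptance process needs. In current poky an end user would produce such entries with a line of the form `CVE_STATUS[CVE-YYYY-NNNN] = "accept-risk: <justification>"` in a bbappend or distro configuration. The report structure (a top-level `package` list whose entries carry an `issue` list with `id`, `status`, `detail` and `description` fields) is an assumption about the cve-check JSON format and should be checked against the cve-check.bbclass version in use; the report embedded below is constructed for this example.

```python
"""
Added example (not part of the patch or of poky): split a cve-check JSON
report into "must fix" and "risk accepted" lists for compliance paperwork.

Assumptions (verify against your cve-check.bbclass version):
  * the report is the JSON written by cve-check, with a top-level "package"
    list whose entries carry an "issue" list;
  * each issue has "id" and "status" ("Patched", "Unpatched", "Ignored",
    "Unknown") and, when a CVE_STATUS entry set it, "detail" (the status
    key such as "accept-risk") and "description" (the justification text).
"""
import json

# Constructed sample report for this example; not real cve-check output.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {
            "name": "examplelib",
            "layer": "meta-example",
            "version": "1.2.3",
            "products": [{"product": "examplelib", "cvesInRecord": "Yes"}],
            "issue": [
                {"id": "CVE-2024-0001", "status": "Unpatched", "scorev3": "7.5"},
                {"id": "CVE-2024-0002", "status": "Ignored",
                 "detail": "accept-risk",
                 "description": "affected code path only reachable in debug "
                                "builds; accepted by product security board"},
                {"id": "CVE-2024-0003", "status": "Ignored",
                 "detail": "upstream-wontfix",
                 "description": "upstream declined to fix"},
                # accept-risk with no justification: a compliance gap to flag
                {"id": "CVE-2024-0004", "status": "Ignored",
                 "detail": "accept-risk"},
                {"id": "CVE-2024-0005", "status": "Patched",
                 "detail": "cpe-stable-backport"},
            ],
        }
    ],
})


def iter_issues(report):
    """Yield (package name, version, issue dict) for every issue in the report."""
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            yield pkg.get("name", "?"), pkg.get("version", "?"), issue


def triage(report_json):
    """Bucket CVEs by what a compliance reviewer needs to see.

    Returns a dict with:
      unpatched               - open CVEs that still need a fix
      accepted                - accept-risk entries with a justification
      accepted_without_reason - accept-risk entries lacking any justification
      other_ignored           - CVEs ignored for a reason other than accept-risk
    """
    report = json.loads(report_json)
    out = {"unpatched": [], "accepted": [],
           "accepted_without_reason": [], "other_ignored": []}
    for name, version, issue in iter_issues(report):
        row = {
            "package": name,
            "version": version,
            "id": issue["id"],
            "detail": issue.get("detail", ""),
            "reason": issue.get("description", "").strip(),
        }
        status = issue.get("status")
        if status == "Unpatched":
            out["unpatched"].append(row)
        elif status == "Ignored":
            if row["detail"] == "accept-risk":
                key = "accepted" if row["reason"] else "accepted_without_reason"
                out[key].append(row)
            else:
                out["other_ignored"].append(row)
    return out


def render_risk_register(triaged):
    """Render accepted risks as a tab-separated table for a compliance document."""
    lines = ["CVE\tPackage\tJustification"]
    for row in triaged["accepted"]:
        lines.append(f'{row["id"]}\t{row["package"]} {row["version"]}\t{row["reason"]}')
    return "\n".join(lines)


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print(render_risk_register(result))
    for row in result["accepted_without_reason"]:
        print(f'WARNING: {row["id"]} is marked accept-risk without a justification')
    for row in result["unpatched"]:
        print(f'OPEN: {row["id"]} in {row["package"]} still needs a fix')
```

The separation matters because, once `accept-risk` maps to `Ignored`, the CVE vanishes from the "unpatched" view of the report; the only thing that distinguishes a formally accepted risk from a silently suppressed one is the justification text, so a consumer should treat an `accept-risk` entry without one as an error rather than as a pass.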

Patch

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..07895f3778 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -32,6 +32,8 @@  CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+# for end users to add justification why they won't fix it
+CVE_CHECK_STATUSMAP[accept-risk] = "Ignored"
 
 # use when it is impossible to conclude if the vulnerability is present or not
 CVE_CHECK_STATUSMAP[unknown] = "Unknown"
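Review bot: the comment added above `CVE_CHECK_STATUSMAP[accept-risk]` does not carry the "not intended to be used upstream" restriction the cover letter says it is meant to convey, and it breaks the "# use when ..." form of the neighbouring entries. Suggest rewording so both the scope and the form match, e.g. `# use only in end-user product/distro configuration when the risk has been formally accepted; not for upstream layers`. The comment also speaks of adding a justification, but this line only maps a status key to "Ignored"; state where the justification text is expected to be recorded so users do not assume the key on its own documents the decision.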