| Message ID | 20250301094303.10707-1-peter.marko@siemens.com |
|---|---|
| State | Rejected |
| Delegated to | Steve Sakoman |
| Series | [master,styhead,scarthgap,kirkstone] puzzles: set CVE product |
Hello,

On Sat, 1 Mar 2025 at 10:44, Peter Marko via lists.openembedded.org <peter.marko=siemens.com@lists.openembedded.org> wrote:
>
> From: Peter Marko <peter.marko@siemens.com>
>
> CVE reports now show 3 CVEs for this component.
> They are for "The Puzzles theme for WordPress" with cpe like
> "cpe:2.3:a:themerex:puzzles:*:*:*:*:*:wordpress:*:*".
>
> Setting vendor solves these false positives.
> Vendor is set per git path "git://git.tartarus.org/simon/puzzles.git".
> This may be the wrong value, but since we don't support negative regex, this
> is the best we can do now if we don't want to start marking all with
> cpe-incorrect status one by one.
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>

Thank you for taking care of the CVEs.

For this patch though, another patch was preferred:
https://lists.openembedded.org/g/openembedded-core/message/212280 (now in master-next, should be merged soon)
The rationale is: since there are no CVEs on "our" puzzles, we can't
predict what the CPE will be when that happens, so, in the meantime, we
explicitly ignore CVEs from the wordpress plugin.

Regards,

> ---
> meta/recipes-sato/puzzles/puzzles_git.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-sato/puzzles/puzzles_git.bb b/meta/recipes-sato/puzzles/puzzles_git.bb
> index 677a9e291e0..df2491ec850 100644
> --- a/meta/recipes-sato/puzzles/puzzles_git.bb
> +++ b/meta/recipes-sato/puzzles/puzzles_git.bb
> @@ -20,6 +20,8 @@ inherit cmake features_check pkgconfig
>
> DEPENDS += "gtk+3"
>
> +CVE_PRODUCT = "simon:puzzles"
> +
> do_install:append () {
> # net conflicts with Samba, so rename it
> mv ${D}${bindir}/net ${D}${bindir}/puzzles-net
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#212092): https://lists.openembedded.org/g/openembedded-core/message/212092
> Mute This Topic: https://lists.openembedded.org/mt/111449818/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-

--
Yoann Congal
Smile ECS - Tech expert
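As an added illustration (not cve-check's own code and not part of this thread), the following Python models the match a CVE_PRODUCT entry implies against CPE 2.3 records, using the themerex CPE quoted in the commit message; the second sample CPE is a constructed, hypothetical entry for the tartarus puzzles whose vendor string is assumed to differ from the guessed "simon".

```python
"""Added illustration (not cve-check's own code) of how a CVE_PRODUCT entry of
the form "product" or "vendor:product" selects CPE records."""
import re

# Constructed sample CPE records. The first is the one from the commit message;
# the second is a hypothetical entry for the tartarus puzzles (assumed vendor
# string, deliberately different from the guessed "simon").
SAMPLE_CPES = [
    "cpe:2.3:a:themerex:puzzles:*:*:*:*:*:wordpress:*:*",
    "cpe:2.3:a:simon_tatham:puzzles:20250301:*:*:*:*:*:*:*",  # hypothetical
]

CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into named components; a colon
    escaped as '\\:' inside a component is not a separator."""
    parts = re.split(r"(?<!\\):", cpe)
    if len(parts) != 13 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError("not a CPE 2.3 formatted string: %r" % cpe)
    return dict(zip(CPE23_FIELDS, parts[2:]))

def parse_cve_product(entry):
    """'vendor:product' -> (vendor, product); a bare 'product' -> ('*', product),
    meaning any vendor, which is how cve-check treats a vendor-less entry."""
    vendor, sep, product = entry.partition(":")
    return (vendor, product) if sep else ("*", vendor)

def cpe_matches(entry, cpe):
    """True when the CPE product equals the entry's product and the entry's
    vendor is either unset ('*') or equal to the CPE vendor."""
    vendor, product = parse_cve_product(entry)
    fields = parse_cpe23(cpe)
    return fields["product"] == product and vendor in ("*", fields["vendor"])

def matching_cpes(entry, cpes=SAMPLE_CPES):
    """All CPE records a CVE report would attribute to a recipe with this entry."""
    return [c for c in cpes if cpe_matches(entry, c)]

if __name__ == "__main__":
    # "puzzles" alone pulls in the WordPress theme (the false positive);
    # "simon:puzzles" drops it but also misses the hypothetical real entry.
    for entry in ("puzzles", "simon:puzzles", "simon_tatham:puzzles"):
        print("%-22s -> %s" % (entry, matching_cpes(entry)))
```

The run shows the trade-off the reply describes: a guessed vendor removes the three false positives only because it matches nothing, so it would equally hide a genuine CVE filed under a vendor string that differs from the guess.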
Sure, no problem.
Will the patch from Ross be backported to all three active branches to clean up those CVEs there, too?

Peter

> -----Original Message-----
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Thursday, March 6, 2025 11:31
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org; Steve Sakoman <steve@sakoman.com>
> Subject: Re: [OE-core][master][styhead][scarthgap][kirkstone][PATCH] puzzles: set CVE product
>
> Hello,
>
> Thank you for taking care of the CVEs.
>
> For this patch though, another patch was preferred:
> https://lists.openembedded.org/g/openembedded-core/message/212280 (now in master-next, should be merged soon)
> The rationale is: since there are no CVEs on "our" puzzles, we can't
> predict what the CPE will be when that happens, so, in the meantime, we
> explicitly ignore CVEs from the wordpress plugin.
>
> Regards,
>
> --
> Yoann Congal
> Smile ECS - Tech expert
Hi,

On Thu, 6 Mar 2025 at 13:22, Marko, Peter <Peter.Marko@siemens.com> wrote:
> Sure, no problem.
> Will the patch from Ross be backported to all three active branches to clean up those CVEs there, too?

We did not talk about that during review but the best way to be sure
of this will be to send a backport request for each active stable
branch.

> Peter

--
Yoann Congal
Smile ECS - Tech expert
I have sent backports of the patch from Ross, which ignores the individual CVEs.
But I still see my CVE_PRODUCT patch being maintained in the mathieu/master-next branch.
That should be dropped now.

Peter

> -----Original Message-----
> From: Yoann Congal <yoann.congal@smile.fr>
> Sent: Friday, March 7, 2025 10:55
> To: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Cc: Ross Burton <ross.burton@arm.com>; openembedded-core@lists.openembedded.org; Steve Sakoman <steve@sakoman.com>
> Subject: Re: [OE-core][master][styhead][scarthgap][kirkstone][PATCH] puzzles: set CVE product
>
> Hi,
>
> On Thu, 6 Mar 2025 at 13:22, Marko, Peter <Peter.Marko@siemens.com> wrote:
> > Sure, no problem.
> > Will the patch from Ross be backported to all three active branches to clean up those CVEs there, too?
>
> We did not talk about that during review but the best way to be sure
> of this will be to send a backport request for each active stable
> branch.
>
> > Peter
>
> --
> Yoann Congal
> Smile ECS - Tech expert
diff --git a/meta/recipes-sato/puzzles/puzzles_git.bb b/meta/recipes-sato/puzzles/puzzles_git.bb
index 677a9e291e0..df2491ec850 100644
--- a/meta/recipes-sato/puzzles/puzzles_git.bb
+++ b/meta/recipes-sato/puzzles/puzzles_git.bb
@@ -20,6 +20,8 @@ inherit cmake features_check pkgconfig
 
 DEPENDS += "gtk+3"
 
+CVE_PRODUCT = "simon:puzzles"
+
 do_install:append () {
 # net conflicts with Samba, so rename it
 mv ${D}${bindir}/net ${D}${bindir}/puzzles-net
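Review bot: the vendor in `+CVE_PRODUCT = "simon:puzzles"` is taken from the git path rather than from any CPE that NVD actually uses for this project, and the commit message itself says it may be wrong; a vendor string that matches nothing silences the three themerex WordPress-theme false positives, but it will just as silently drop any future genuine CVE filed under a different vendor, with nothing in the report to show that. The thread already points to the alternative of explicitly ignoring the three WordPress-theme CVEs via the patch in master-next, which keeps the product match open until a real CPE exists, so prefer that. If the vendor-qualified form is kept anyway, add a comment above the line stating where "simon" comes from and which false positives it is meant to exclude, so the next reviewer can re-check it once an actual CPE for this puzzles appears.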