
[meta-java] jsch,xerces-j: fix CVE_STATUS

Message ID 20240224113942.11482-1-peter.marko@siemens.com
State Accepted
Commit c41adcb6cbfcfa04bf4fa689a3dfcad0afe6b86a
Delegated to: Tim Orling

Commit Message

Peter Marko Feb. 24, 2024, 11:39 a.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Last commit tried to convert CVE_CHECK_IGNORE to CVE_STATUS,
however it was done in wrong way and caused the CVEs
to be reported as open again.

This fixes CVE_STATUS syntax.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 recipes-core/jcraft/jsch_0.1.40.bb       | 3 +--
 recipes-core/xerces-j/xerces-j_2.11.0.bb | 2 +-
 2 files changed, 2 insertions(+), 3 deletions(-)
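The syntax difference this commit fixes, as an added example that is not part of the patch or of cve-check.bbclass itself: a constructed toy datastore that keeps variable values and varflags apart, plus a decode routine modelled on the class's `decode_cve_status()` and its default `CVE_CHECK_STATUSMAP`, showing why the `+=` form never produced a status while the varflag form does (the `Datastore` class and `demo()` are illustrative and assumed, not BitBake's own API).

```python
# Added example, not from the patch or cve-check.bbclass: models why
# `CVE_STATUS += "CVE-2016-5725"` left the CVE open and the varflag form clears it.

# Default mapping from cve-check.bbclass (CVE_CHECK_STATUSMAP[detail] = ...).
STATUSMAP = {
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}


class Datastore:  # constructed stand-in for BitBake's data store
    def __init__(self):
        self.values, self.flags = {}, {}
    def append_var(self, name, text):          # models `VAR += "text"`
        self.values[name] = (self.values.get(name, "") + " " + text).strip()
    def set_var_flag(self, name, flag, text):  # models `VAR[flag] = "text"`
        self.flags.setdefault(name, {})[flag] = text
        return self                            # chaining convenience only
    def get_var_flag(self, name, flag):        # what cve-check actually reads
        return self.flags.get(name, {}).get(flag)


def decode_cve_status(d, cve):
    """Return (mapped status, detail, reason) the way cve-check.bbclass does."""
    status = d.get_var_flag("CVE_STATUS", cve)
    if not status:
        return ("", "", "")  # no flag for this CVE: the class reports it as open
    detail, _, reason = status.partition(":")
    detail, reason = detail.strip(), reason.strip()
    mapped = STATUSMAP.get(detail)
    if mapped is None:       # unknown detail: the class warns and falls back to Unpatched
        return ("Unpatched", detail, reason)
    return (mapped, detail, reason)


def demo():  # old (broken) form beside the fixed form from this commit
    before, after = Datastore(), Datastore()
    before.append_var("CVE_STATUS", "CVE-2016-5725")  # value changes, no flag is set
    after.set_var_flag("CVE_STATUS", "CVE-2016-5725",
                       "not-applicable-platform: Issue only applies on Windows")
    return (decode_cve_status(before, "CVE-2016-5725"),
            decode_cve_status(after, "CVE-2016-5725"))
```

A misspelled detail (for example `not-applicable:` instead of `not-applicable-platform:`) is the other way this silently fails: it falls back to Unpatched rather than Ignored.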

Comments

Tim Orling Feb. 26, 2024, 11:20 p.m. UTC | #1
On Sat, Feb 24, 2024 at 3:40 AM Peter Marko via lists.openembedded.org
<peter.marko=siemens.com@lists.openembedded.org> wrote:

> From: Peter Marko <peter.marko@siemens.com>
>
> Last commit tried to convert CVE_CHECK_IGNORE to CVE_STATUS,
> however it was done in wrong way and caused the CVEs
> to be reported as open again.
>
> This fixes CVE_STATUS syntax.
>
Merged. Thank you. (Especially thank you for fixing MY mistakes)

NOTE: both jsch and xerces-j have newer CVEs, so if you have time to
investigate upgrades to fix them, it would be appreciated:
https://nvd.nist.gov/vuln/detail/CVE-2022-23437
https://nvd.nist.gov/vuln/detail/CVE-2023-48795


> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  recipes-core/jcraft/jsch_0.1.40.bb       | 3 +--
>  recipes-core/xerces-j/xerces-j_2.11.0.bb | 2 +-
>  2 files changed, 2 insertions(+), 3 deletions(-)
>
> diff --git a/recipes-core/jcraft/jsch_0.1.40.bb b/recipes-core/jcraft/
> jsch_0.1.40.bb
> index 8ef5c85..aeb04b4 100644
> --- a/recipes-core/jcraft/jsch_0.1.40.bb
> +++ b/recipes-core/jcraft/jsch_0.1.40.bb
> @@ -25,8 +25,7 @@ do_compile() {
>  SRC_URI[md5sum] = "b59cec19a487e95aed68378976b4b566"
>  SRC_URI[sha256sum] =
> "ca9d2ae08fd7a8983fb00d04f0f0c216a985218a5eb364ff9bee73870f28e097"
>
> -# Ignore the CVE because it only affects Windows platforms
> -CVE_STATUS += "CVE-2016-5725"
> +CVE_STATUS[CVE-2016-5725] = "not-applicable-platform: Issue only applies
> on Windows"
>
>  BBCLASSEXTEND = "native"
>
> diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb
> b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> index c7a54ab..45d3c43 100644
> --- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
> +++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
> @@ -18,7 +18,7 @@ SRC_URI = "
> http://archive.apache.org/dist/xerces/j/source/Xerces-J-src.${PV}.tar
>  # Already fixed with updates and closed.
>  # https://access.redhat.com/security/cve/CVE-2018-2799
>  # https://bugzilla.redhat.com/show_bug.cgi?id=1567542
> -CVE_STATUS += "CVE-2018-2799"
> +CVE_STATUS[CVE-2018-2799] = "not-applicable-platform: Issue only applies
> on some Oracle Java SE and Red Hat Enterprise Linux versions"
>
>  S = "${WORKDIR}/xerces-2_11_0"
>
> --
> 2.30.2

Patch

diff --git a/recipes-core/jcraft/jsch_0.1.40.bb b/recipes-core/jcraft/jsch_0.1.40.bb
index 8ef5c85..aeb04b4 100644
--- a/recipes-core/jcraft/jsch_0.1.40.bb
+++ b/recipes-core/jcraft/jsch_0.1.40.bb
@@ -25,8 +25,7 @@  do_compile() {
 SRC_URI[md5sum] = "b59cec19a487e95aed68378976b4b566"
 SRC_URI[sha256sum] = "ca9d2ae08fd7a8983fb00d04f0f0c216a985218a5eb364ff9bee73870f28e097"
 
-# Ignore the CVE because it only affects Windows platforms
-CVE_STATUS += "CVE-2016-5725"
+CVE_STATUS[CVE-2016-5725] = "not-applicable-platform: Issue only applies on Windows"
 
 BBCLASSEXTEND = "native"
 
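Review bot: the `+` line is the correct form and the `-` line explains the regression: cve-check.bbclass reads CVE_STATUS through its varflags, one flag per CVE id in the shape `CVE_STATUS[<id>] = "<detail>: <reason>"`, so `CVE_STATUS += "CVE-2016-5725"` only appended to the variable's value and was never consulted, which is why the CVE came back as open. Dropping the `# Ignore the CVE because it only affects Windows platforms` comment is fine since the justification now travels in the reason text after the colon, and `not-applicable-platform` is one of the details in the class's default CVE_CHECK_STATUSMAP, so it maps to Ignored instead of hitting the invalid-detail fallback to Unpatched.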
diff --git a/recipes-core/xerces-j/xerces-j_2.11.0.bb b/recipes-core/xerces-j/xerces-j_2.11.0.bb
index c7a54ab..45d3c43 100644
--- a/recipes-core/xerces-j/xerces-j_2.11.0.bb
+++ b/recipes-core/xerces-j/xerces-j_2.11.0.bb
@@ -18,7 +18,7 @@  SRC_URI = "http://archive.apache.org/dist/xerces/j/source/Xerces-J-src.${PV}.tar
 # Already fixed with updates and closed.
 # https://access.redhat.com/security/cve/CVE-2018-2799
 # https://bugzilla.redhat.com/show_bug.cgi?id=1567542
-CVE_STATUS += "CVE-2018-2799"
+CVE_STATUS[CVE-2018-2799] = "not-applicable-platform: Issue only applies on some Oracle Java SE and Red Hat Enterprise Linux versions"
 
 S = "${WORKDIR}/xerces-2_11_0"
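Review bot: the reason in the `+` line and the context comment kept above it give two different justifications: `# Already fixed with updates and closed.` says the issue is resolved, while the detail `not-applicable-platform` with `Issue only applies on some Oracle Java SE and Red Hat Enterprise Linux versions` says it never applied to this recipe. The syntax fix itself is right, but the two should agree: if the CVE is fixed in the packaged xerces-j version, a Patched-mapped detail such as `fixed-version:` naming that version describes it better; if it genuinely does not apply, the comment should stop claiming a fix. The `+` line is what cve-check acts on, so its reason text is the one that needs to be authoritative.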