| Message ID | 20251216090214.1404629-1-skandigraun@gmail.com |
|---|---|
| State | New |
| Series | [meta-oe] minio: ignore irrelevant CVEs |
diff --git a/meta-oe/recipes-extended/minio/minio_git.bb b/meta-oe/recipes-extended/minio/minio_git.bb index f278a728fd..511dd4d869 100644 --- a/meta-oe/recipes-extended/minio/minio_git.bb +++ b/meta-oe/recipes-extended/minio/minio_git.bb @@ -164,3 +164,9 @@ do_install() { install -d ${D}/${sbindir} install ${S}/src/${GO_IMPORT}/mc ${D}/${sbindir}/mc } + +CVE_STATUS_GROUPS += "CVE_STATUS_WRONG_CPE" +CVE_STATUS_WRONG_CPE[status] = "cpe-incorrect: The vulnerability is in minio server, not in minio client-tools" +CVE_STATUS_WRONG_CPE = "CVE-2018-1000538 CVE-2020-11012 CVE-2021-21287 CVE-2021-21362 \ + CVE-2021-21390 CVE-2021-43858 CVE-2022-35919 CVE-2023-28433 \ + CVE-2023-28434 CVE-2024-36107"
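Review bot: The static list in CVE_STATUS_WRONG_CPE will need a new entry for every future CVE filed against minio server, because the recipe will keep matching the server's CPE. If NVD has a separate product entry for the client tools, setting CVE_PRODUCT to it would stop the mismatch at the source. If it does not, a short comment above the CVE_STATUS_GROUPS line saying so, and noting that the go mod list check from the commit message should be repeated on each version bump, would keep the reason for the ignore verifiable from the recipe itself.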
The minio umbrella covers multiple projects. The recipe itself builds "minio client", which is a set of basic tools to query data from "minio server" - like ls, mv, find... The CVEs were filed against minio server. Looking at the go mod list, this recipe doesn't use minio server even as a build dependency - so ignore the CVEs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-extended/minio/minio_git.bb | 6 ++++++
 1 file changed, 6 insertions(+)