diff mbox series

[meta-oe,scarthgap,2/5] minio: ignore irrelevant CVEs

Message ID 20251222202732.3363914-2-skandigraun@gmail.com
State New
Headers show
Series [meta-gnome,scarthgap,1/5] accountservice: ignore CVE-2023-3297 | expand

Commit Message

Gyorgy Sarvari Dec. 22, 2025, 8:27 p.m. UTC 
The minio umbrella covers multiple projects. The recipe itself builds
"minio client", which is a set of basic tools to query data from
"minio server" - like ls, mv, find...

The CVEs were files against minio server. Looking at the go mod list,
this recipe doesn't use minio server even as a build dependency - so ignore
the CVEs.

Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit df462075be855c60117af661dbce1836c652fc16)
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-extended/minio/minio_git.bb | 6 ++++++
 1 file changed, 6 insertions(+)
diff mbox series

Patch

diff --git a/meta-oe/recipes-extended/minio/minio_git.bb b/meta-oe/recipes-extended/minio/minio_git.bb
index f278a728fd..511dd4d869 100644
--- a/meta-oe/recipes-extended/minio/minio_git.bb
+++ b/meta-oe/recipes-extended/minio/minio_git.bb
@@ -164,3 +164,9 @@  do_install() {
     install -d ${D}/${sbindir}
     install ${S}/src/${GO_IMPORT}/mc ${D}/${sbindir}/mc
 }
+
+CVE_STATUS_GROUPS += "CVE_STATUS_WRONG_CPE"
+CVE_STATUS_WRONG_CPE[status] = "cpe-incorrect: The vulnerability is in minio server, not in minio client-tools"
+CVE_STATUS_WRONG_CPE = "CVE-2018-1000538 CVE-2020-11012 CVE-2021-21287 CVE-2021-21362 \
+                        CVE-2021-21390 CVE-2021-43858 CVE-2022-35919 CVE-2023-28433 \
+                        CVE-2023-28434 CVE-2024-36107"