| Message ID | 20230929170731.749414-1-jeffrey.pautler@ni.com |
|---|---|
| State | Under Review |
| Headers | show |
| Series | bolt: disable CVE checking for this recipe | expand |
Hi, On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote: > This bolt product does not currently have an entry in the CVE database. > However, the default cve-check logic that maps recipes to products in > the CVE database is incorrectly matching this package to a different > bolt product made by bolt-cms. As a result, CVE checking incorrectly > reports CVEs for that product for this package. > > Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> > --- > meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > index b6ad6337c..583cc6378 100644 > --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd" > > S = "${WORKDIR}/git" > > +CVE_CHECK_SKIP_RECIPE = "${PN}" I think this is wrong and dangerous for anyone who in the future tries to use cve checker for this recipe. Instead, set the CVE product with vendor correctly so that other products/vendors don't mix the results? Hopefully any new CVEs in the future will set the same vendor and product. Cheers, -Mikko > inherit cmake pkgconfig meson features_check > > FILES:${PN} += "${datadir}/dbus-1/* \ > -- > 2.34.1 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#105252): https://lists.openembedded.org/g/openembedded-devel/message/105252 > Mute This Topic: https://lists.openembedded.org/mt/101662068/7159507 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [mikko.rapeli@linaro.org] > -=-=-=-=-=-=-=-=-=-=-=- >
On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote: > Hi, > > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote: >> This bolt product does not currently have an entry in the CVE database. >> However, the default cve-check logic that maps recipes to products in >> the CVE database is incorrectly matching this package to a different >> bolt product made by bolt-cms. As a result, CVE checking incorrectly >> reports CVEs for that product for this package. >> >> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> >> --- >> meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++ >> 1 file changed, 2 insertions(+) >> >> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb >> index b6ad6337c..583cc6378 100644 >> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb >> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb >> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd" >> >> S = "${WORKDIR}/git" >> >> +CVE_CHECK_SKIP_RECIPE = "${PN}" > I think this is wrong and dangerous for anyone who in the future tries to use > cve checker for this recipe. Instead, set the CVE product with vendor correctly > so that other products/vendors don't mix the results? Hopefully any new CVEs > in the future will set the same vendor and product. Are you suggesting that he set the string to something like... `cpe:*:a:freedesktop:bolt:*` on the hopes that, if the Free Desktop folks open a CPE in the future, that it will match? > > Cheers, > > -Mikko > >> inherit cmake pkgconfig meson features_check >> >> FILES:${PN} += "${datadir}/dbus-1/* \ >> -- >> 2.34.1 >> >> >> > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#105303): https://lists.openembedded.org/g/openembedded-devel/message/105303 > Mute This Topic: https://lists.openembedded.org/mt/101662068/3616788 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [alex.stewart@ni.com] > -=-=-=-=-=-=-=-=-=-=-=- >
If we want to use a not yet Defined value then it would be good to inform upstream about the issue and also add a comment next to the definition so we can correct it in future On Mon, Oct 2, 2023 at 8:53 AM Alex Stewart <alex.stewart@ni.com> wrote: > > > On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote: > > Hi, > > > > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote: > >> This bolt product does not currently have an entry in the CVE database. > >> However, the default cve-check logic that maps recipes to products in > >> the CVE database is incorrectly matching this package to a different > >> bolt product made by bolt-cms. As a result, CVE checking incorrectly > >> reports CVEs for that product for this package. > >> > >> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> > >> --- > >> meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++ > >> 1 file changed, 2 insertions(+) > >> > >> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > >> index b6ad6337c..583cc6378 100644 > >> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > >> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > >> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd" > >> > >> S = "${WORKDIR}/git" > >> > >> +CVE_CHECK_SKIP_RECIPE = "${PN}" > > I think this is wrong and dangerous for anyone who in the future tries > to use > > cve checker for this recipe. Instead, set the CVE product with vendor > correctly > > so that other products/vendors don't mix the results? Hopefully any new > CVEs > > in the future will set the same vendor and product. > > Are you suggesting that he set the string to something like... > `cpe:*:a:freedesktop:bolt:*` > > on the hopes that, if the Free Desktop folks open a CPE in the future, > that it will match? > > > > > Cheers, > > > > -Mikko > > > >> inherit cmake pkgconfig meson features_check > >> > >> FILES:${PN} += "${datadir}/dbus-1/* \ > >> -- > >> 2.34.1 > >> > >> > >> > > > > > > > > -- > Alex Stewart > Software Engineer - NI Real-Time OS > NI (National Instruments) > > alex.stewart@ni.com > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#105305): > https://lists.openembedded.org/g/openembedded-devel/message/105305 > Mute This Topic: https://lists.openembedded.org/mt/101662068/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
On Mon, 2 Oct 2023, 17:53 Alex Stewart, <alex.stewart@ni.com> wrote: > > > On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote: > > Hi, > > > > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote: > >> This bolt product does not currently have an entry in the CVE database. > >> However, the default cve-check logic that maps recipes to products in > >> the CVE database is incorrectly matching this package to a different > >> bolt product made by bolt-cms. As a result, CVE checking incorrectly > >> reports CVEs for that product for this package. > >> > >> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> > >> --- > >> meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++ > >> 1 file changed, 2 insertions(+) > >> > >> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > >> index b6ad6337c..583cc6378 100644 > >> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > >> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > >> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd" > >> > >> S = "${WORKDIR}/git" > >> > >> +CVE_CHECK_SKIP_RECIPE = "${PN}" > > I think this is wrong and dangerous for anyone who in the future tries > to use > > cve checker for this recipe. Instead, set the CVE product with vendor > correctly > > so that other products/vendors don't mix the results? Hopefully any new > CVEs > > in the future will set the same vendor and product. > > Are you suggesting that he set the string to something like... > `cpe:*:a:freedesktop:bolt:*` > > on the hopes that, if the Free Desktop folks open a CPE in the future, > that it will match? > Or you can ignore CVEs that are badly assigned to this project. That works if there is a manageable number. Kind regards, Marta >
Hi, On Mon, Oct 02, 2023 at 11:53:42AM -0400, Alex Stewart wrote: > On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote: > > Hi, > > > > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote: > > > This bolt product does not currently have an entry in the CVE database. > > > However, the default cve-check logic that maps recipes to products in > > > the CVE database is incorrectly matching this package to a different > > > bolt product made by bolt-cms. As a result, CVE checking incorrectly > > > reports CVEs for that product for this package. > > > > > > Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> > > > --- > > > meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++ > > > 1 file changed, 2 insertions(+) > > > > > > diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > > > index b6ad6337c..583cc6378 100644 > > > --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > > > +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb > > > @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd" > > > S = "${WORKDIR}/git" > > > +CVE_CHECK_SKIP_RECIPE = "${PN}" > > I think this is wrong and dangerous for anyone who in the future tries to use > > cve checker for this recipe. Instead, set the CVE product with vendor correctly > > so that other products/vendors don't mix the results? Hopefully any new CVEs > > in the future will set the same vendor and product. > > Are you suggesting that he set the string to something like... > `cpe:*:a:freedesktop:bolt:*` > > on the hopes that, if the Free Desktop folks open a CPE in the future, that > it will match? Yes, if other Freedesktop projects have used these before. Cheers, -Mikko
diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb index b6ad6337c..583cc6378 100644 --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd" S = "${WORKDIR}/git" +CVE_CHECK_SKIP_RECIPE = "${PN}" + inherit cmake pkgconfig meson features_check FILES:${PN} += "${datadir}/dbus-1/* \
This bolt product does not currently have an entry in the CVE database. However, the default cve-check logic that maps recipes to products in the CVE database is incorrectly matching this package to a different bolt product made by bolt-cms. As a result, CVE checking incorrectly reports CVEs for that product for this package. Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com> --- meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++ 1 file changed, 2 insertions(+)