cve-check: remove redundant readline CVE whitelisting

Message ID	20190716124643.22183-1-ross.burton@intel.com
State	Accepted
Commit	07bb8b25e172aa5c8ae96b6e8eb4ac901b835219
Headers	show Delivered-To: patch@linaro.org Received-SPF: pass (google.com: best guess record for domain of openembedded-core-bounces@lists.openembedded.org designates 140.211.169.62 as permitted sender) client-ip=140.211.169.62; From: Ross Burton <ross.burton@intel.com> To: openembedded-core@lists.openembedded.org Date: Tue, 16 Jul 2019 13:46:43 +0100 Message-Id: <20190716124643.22183-1-ross.burton@intel.com> MIME-Version: 1.0 Subject: [OE-core] [PATCH] cve-check: remove redundant readline CVE whitelisting Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: openembedded-core-bounces@lists.openembedded.org Errors-To: openembedded-core-bounces@lists.openembedded.org
Series	cve-check: remove redundant readline CVE whitelisting \| expand cve-check: remove redundant readline CVE whitelisting

Message ID

20190716124643.22183-1-ross.burton@intel.com

State

Accepted

Commit

07bb8b25e172aa5c8ae96b6e8eb4ac901b835219

Headers

Received-SPF: pass (google.com: best guess record for domain of
	openembedded-core-bounces@lists.openembedded.org designates
	140.211.169.62 as permitted sender) client-ip=140.211.169.62; 
From: Ross Burton <ross.burton@intel.com>
To: openembedded-core@lists.openembedded.org
Date: Tue, 16 Jul 2019 13:46:43 +0100
Message-Id: <20190716124643.22183-1-ross.burton@intel.com>
MIME-Version: 1.0
Subject: [OE-core] [PATCH] cve-check: remove redundant readline CVE
	whitelisting
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: openembedded-core-bounces@lists.openembedded.org
Errors-To: openembedded-core-bounces@lists.openembedded.org

Series

cve-check: remove redundant readline CVE whitelisting | expand

Commit Message

Ross Burton July 16, 2019, 12:46 p.m. UTC

CVE-2014-2524 is a readline CVE that was fixed in 6.3patch3 onwards, but the
tooling wasn't able to detect this version.  As we now ship readline 8 we don't
need to manually whitelist it, and if we did then the whitelisting should be in
the readline recipe.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/classes/cve-check.bbclass | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index ffd624333f6..5979edf3d17 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -41,10 +41,15 @@  CVE_CHECK_PN_WHITELIST = "\
     glibc-locale \
 "
 
-# Whitelist for CVE and version of package
-CVE_CHECK_CVE_WHITELIST = "{\
-    'CVE-2014-2524': ('6.3','5.2',), \
-}"
+# Whitelist for CVE and version of package. If a CVE is found then the PV is
+# compared with the version list, and if found the CVE is considered
+# patched.
+#
+# The value should be valid Python in this format:
+# {
+#   'CVE-2014-2524': ('6.3','5.2')
+# }
+CVE_CHECK_CVE_WHITELIST ?= "{}"
 
 python do_cve_check () {
     """