git.ipfire.org Git - thirdparty/openembedded/openembedded-core.git/commit

author	Peter Marko <peter.marko@siemens.com>
	Sun, 24 Nov 2024 20:13:42 +0000 (21:13 +0100)
committer	Steve Sakoman <steve@sakoman.com>
	Tue, 4 Feb 2025 16:03:54 +0000 (08:03 -0800)
commit	0fb2bfb8d6c77009385d7deca2e758bdee5c9b07
tree	b29eae6a01f7e88bba8fea0fabf747fdd48349de	tree \| snapshot
parent	3cf7c6bcd569cb19ac2b9c05f1134fdda6e9e714	commit \| diff

cve-check: fix cvesInRecord

Currently flag cvesInRecord is set to false if all CVEs are ignored or
patched. This is inconsistent as it shows false if a CVE was fixed via
patch and true if this CVE was fixed by upgrade. In both cases the CVE
is valid and was fixed.

As I understand this flag, it should say if any CVE exists for
particular component's product (regardless of how this CVE is handled)
and can be used to validate if a product is correctly set.

Note that skipping ignored CVEs may make sense in some cases, as ignored
may mean that NVD DB is wrong, but in many cases it is ignored for other
reasons. Further patch can be done to evaluate ignore subtype but that
would be against my understanding of this flag as described above.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit c5d499693672ec9619392011b765941cf94aa319)
Signed-off-by: Steve Sakoman <steve@sakoman.com>