minio: ignore irrelevant CVEs

The minio umbrella covers multiple projects. The recipe itself builds "minio client", which is a set of basic tools to query data from "minio server" - like ls, mv, find... The CVEs were files against minio server. Looking at the go mod list, this recipe doesn't use minio server even as a build dependency - so ignore the CVEs. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit df462075be) Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com> Signed-off-by: Anuj Mittal <anuj.mittal@oss.qualcomm.com>
2026-01-01 13:58:06 +00:00 · 2025-12-22 21:27:29 +01:00 · 2025-12-22 21:27:29 +01:00 · fe9360051e
commit fe9360051e
parent 3a59d89765
1 changed files with 6 additions and 0 deletions
--- a/meta-oe/recipes-extended/minio/minio_git.bb
+++ b/meta-oe/recipes-extended/minio/minio_git.bb
@ -164,3 +164,9 @@ do_install() {
    install -d ${D}/${sbindir}
    install ${S}/src/${GO_IMPORT}/mc ${D}/${sbindir}/mc
 }
+
+CVE_STATUS_GROUPS += "CVE_STATUS_WRONG_CPE"
+CVE_STATUS_WRONG_CPE[status] = "cpe-incorrect: The vulnerability is in minio server, not in minio client-tools"
+CVE_STATUS_WRONG_CPE = "CVE-2018-1000538 CVE-2020-11012 CVE-2021-21287 CVE-2021-21362 \
+                        CVE-2021-21390 CVE-2021-43858 CVE-2022-35919 CVE-2023-28433 \
+                        CVE-2023-28434 CVE-2024-36107"