recipes: cleanup CVE_STATUS which are resolved now

The don't show up in CVE metrics anymore since they were either fixed upstream or recipe version was upgraded meanwhile. * bind CVE-2019-6470: cpe got corrected in nvd db * libxml2 CVE-2023-45322: version is now higher than NVD cpe * zlib CVE-2023-45853: version is now higher than NVD cpe * gcc CVE-2021-37322: version is now higher than NVD cpe * python3 * CVE-2007-4559: version is now higher than NVD cpe * CVE-2019-18348: version is now higher than NVD cpe * CVE-2020-15523: version is now higher than NVD cpe * CVE-2022-26488: version is now higher than NVD cpe * CVE-2015-20107: version is now higher than NVD cpe * CVE-2023-36632: version is now higher than NVD cpe * rust * CVE-2024-24576: NVD has no cpe, but we have newer version as fix * CVE-2024-43402: version is now higher than NVD cpe * cups CVE-2021-25317: version is now higher than NVD cpe * ghostscript CVE-2023-38559: version is now higher than NVD cpe * libtirpc CVE-2021-46828: version is now higher than NVD cpe * unzip CVE-2008-0888: version is now higher than NVD cpe * ffmpeg CVE-2023-39018: cpe got corrected in nvd db * libxslt CVE-2022-29824: version is now higher than NVD cpe * libyaml * CVE-2024-35325: CVE is now rejected in NVD DB * CVE-2024-35326: CVE is now rejected in NVD DB * CVE-2024-35328: CVE is now rejected in NVD DB Also add comment for iputils regarding reports for FKIE/NVD2. Also remove some trailing spaces in python recipe. (From OE-Core rev: 73ee9789183aa95072af2b51ac9e08203f4e33f9) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-01-01 13:58:04 +00:00 · 2025-08-24 18:55:22 +02:00 · 2025-08-24 18:55:22 +02:00 · ec1ae11f78
commit ec1ae11f78
parent ef86bd8979
14 changed files with 4 additions and 43 deletions
--- a/meta/recipes-connectivity/bind/bind_9.20.11.bb
+++ b/meta/recipes-connectivity/bind/bind_9.20.11.bb
@ -26,10 +26,6 @@ UPSTREAM_CHECK_URI = "https://ftp.isc.org/isc/bind9/"
 # follow the ESV versions divisible by 2
 UPSTREAM_CHECK_REGEX = "(?P<pver>9.(\d*[02468])+(\.\d+)+(-P\d+)*)/"

-# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
-# so the issue doesn't affect us.
-CVE_STATUS[CVE-2019-6470] = "not-applicable-config: Issue only affects dhcpd with recent bind versions and we don't ship dhcpd anymore."
-
 inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives

 # PACKAGECONFIGs readline and libedit should NOT be set at same time
--- a/meta/recipes-core/libxml/libxml2_2.14.5.bb
+++ b/meta/recipes-core/libxml/libxml2_2.14.5.bb
@ -24,9 +24,6 @@ SRC_URI += "http://www.w3.org/XML/Test/xmlts20130923.tar;subdir=${BP};name=testt
 SRC_URI[archive.sha256sum] = "03d006f3537616833c16c53addcdc32a0eb20e55443cba4038307e3fa7d8d44b"
 SRC_URI[testtar.sha256sum] = "c6b2d42ee50b8b236e711a97d68e6c4b5c8d83e69a2be4722379f08702ea7273"

-# Disputed as a security issue, but fixed in d39f780
-CVE_STATUS[CVE-2023-45322] = "disputed: issue requires memory allocation to fail"
-
 CVE_STATUS[CVE-2025-6170] = "fixed-version: fixed in version 2.14.5"

 BINCONFIG = "${bindir}/xml2-config"
--- a/meta/recipes-core/zlib/zlib_1.3.1.bb
+++ b/meta/recipes-core/zlib/zlib_1.3.1.bb
@ -49,7 +49,5 @@ do_install_ptest() {

 BBCLASSEXTEND = "native nativesdk"

-CVE_STATUS[CVE-2023-45853] = "not-applicable-config: we don't build minizip"
-
 # Adding 'CVE_PRODUCT' to avoid false detection of CVEs
 CVE_PRODUCT = "zlib:zlib gnu:zlib"
--- a/meta/recipes-devtools/gcc/gcc-15.2.inc
+++ b/meta/recipes-devtools/gcc/gcc-15.2.inc
@ -112,5 +112,4 @@ EXTRA_OECONF_INITIAL = "\
    --disable-libssp \
 "

-CVE_STATUS[CVE-2021-37322] = "cpe-incorrect: Is a binutils 2.26 issue, not gcc"
 CVE_STATUS[CVE-2023-4039] = "fixed-version: Fixed from version 14.0+"
--- a/meta/recipes-devtools/python/python3_3.13.7.bb
+++ b/meta/recipes-devtools/python/python3_3.13.7.bb
@ -45,14 +45,6 @@ UPSTREAM_CHECK_REGEX = "[Pp]ython-(?P<pver>\d+(\.\d+)+).tar"

 CVE_PRODUCT = "python:python python_software_foundation:python cpython"

-CVE_STATUS[CVE-2007-4559] = "disputed: Upstream consider this expected behaviour"
-CVE_STATUS[CVE-2019-18348] = "not-applicable-config: This is not exploitable when glibc has CVE-2016-10739 fixed"
-CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows"
-CVE_STATUS[CVE-2022-26488] = "not-applicable-platform: Issue only applies on Windows"
-# The module will be removed in the future and flaws documented.
-CVE_STATUS[CVE-2015-20107] = "upstream-wontfix: The mailcap module is insecure by design, so this can't be fixed in a meaningful way"
-CVE_STATUS[CVE-2023-36632] = "disputed: Not an issue, in fact expected behaviour"
-
 PYTHON_MAJMIN = "3.13"

 S = "${UNPACKDIR}/Python-${PV}"
@ -201,14 +193,14 @@ do_install:append:class-native() {
        # when they're only used for python called with -O or -OO.
        #find ${D} -name *opt-*.pyc -delete
        # Remove all pyc files. There are a ton of them and it is probably faster to let
-        # python create the ones it wants at runtime rather than manage in the sstate 
+        # python create the ones it wants at runtime rather than manage in the sstate
        # tarballs and sysroot creation.
        find ${D} -name *.pyc -delete

        # Nothing should be looking into ${B} for python3-native
        sed -i -e 's:${B}:/build/path/unavailable/:g' \
                ${D}/${libdir}/python${PYTHON_MAJMIN}/config-${PYTHON_MAJMIN}${PYTHON_ABI}*/Makefile
-        
+
        # disable the lookup in user's site-packages globally
        sed -i 's#ENABLE_USER_SITE = None#ENABLE_USER_SITE = False#' ${D}${libdir}/python${PYTHON_MAJMIN}/site.py

@ -306,7 +298,7 @@ py_package_preprocess () {
        cd -

        mv ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config ${PKGD}/${bindir}/python${PYTHON_MAJMIN}-config-${MULTILIB_SUFFIX}
-        
+
        #Remove the unneeded copy of target sysconfig data
        rm -rf ${PKGD}/${libdir}/python-sysconfigdata
 }
--- a/meta/recipes-devtools/rust/rust-source.inc
+++ b/meta/recipes-devtools/rust/rust-source.inc
@ -19,6 +19,3 @@ RUSTSRC = "${UNPACKDIR}/rustc-${RUST_VERSION}-src"

 UPSTREAM_CHECK_URI = "https://forge.rust-lang.org/infra/other-installation-methods.html"
 UPSTREAM_CHECK_REGEX = "rustc-(?P<pver>\d+(\.\d+)+)-src"
-
-CVE_STATUS[CVE-2024-24576] = "not-applicable-platform: Issue only applies on Windows"
-CVE_STATUS[CVE-2024-43402] = "not-applicable-platform: Issue only applies on Windows"
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@ -23,7 +23,6 @@ CVE_STATUS[CVE-2008-1033] = "not-applicable-platform: Issue only applies to MacO
 CVE_STATUS[CVE-2009-0032] = "cpe-incorrect: Issue affects pdfdistiller plugin used with but not part of cups"
 CVE_STATUS[CVE-2018-6553] = "not-applicable-platform: This is an Ubuntu only issue"
 CVE_STATUS[CVE-2022-26691] = "fixed-version: This is fixed in 2.4.2 but the cve-check class still reports it"
-CVE_STATUS[CVE-2021-25317] = "not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply."

 LEAD_SONAME = "libcupsdriver.so"

--- a/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
+++ b/meta/recipes-extended/ghostscript/ghostscript_10.05.1.bb
@ -74,4 +74,3 @@ COMPATIBLE_HOST = "^(?!arc).*"
 CVE_PRODUCT = "ghostscript gpl_ghostscript"

 CVE_STATUS[CVE-2023-38560] = "not-applicable-config: PCL isn't part of the Ghostscript release"
-CVE_STATUS[CVE-2023-38559] = "cpe-incorrect: Issue only appears in versions before 10.02.0"
--- a/meta/recipes-extended/iputils/iputils_20250605.bb
+++ b/meta/recipes-extended/iputils/iputils_20250605.bb
@ -14,6 +14,7 @@ SRCREV = "6e1cb146547eb6fbb127ffc8397a9241be0d33c2"

 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>20\d+)"

+# these currently don't show up in CVE metrics for FKIE (as 2000 is not covered by it), but they would show for NVD2
 CVE_STATUS[CVE-2000-1213] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."
 CVE_STATUS[CVE-2000-1214] = "fixed-version: Fixed in 2000-10-10, but the versioning of iputils breaks the version order."

--- a/meta/recipes-extended/libtirpc/libtirpc_1.3.6.bb
+++ b/meta/recipes-extended/libtirpc/libtirpc_1.3.6.bb
@ -18,8 +18,6 @@ UPSTREAM_CHECK_URI = "https://sourceforge.net/projects/libtirpc/files/libtirpc/"
 UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)/"
 SRC_URI[sha256sum] = "bbd26a8f0df5690a62a47f6aa30f797f3ef8d02560d1bc449a83066b5a1d3508"

-CVE_STATUS[CVE-2021-46828] = "fixed-version: fixed in 1.3.3rc1 so not present in 1.3.3"
-
 inherit autotools pkgconfig

 PACKAGECONFIG ??= "\
--- a/meta/recipes-extended/unzip/unzip_6.0.bb
+++ b/meta/recipes-extended/unzip/unzip_6.0.bb
@ -38,8 +38,6 @@ UPSTREAM_VERSION_UNKNOWN = "1"

 SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"

-CVE_STATUS[CVE-2008-0888] = "fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source"
-
 # exclude version 5.5.2 which triggers a false positive
 UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"

--- a/meta/recipes-multimedia/ffmpeg/ffmpeg_7.1.1.bb
+++ b/meta/recipes-multimedia/ffmpeg/ffmpeg_7.1.1.bb
@ -26,13 +26,6 @@ SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz"

 SRC_URI[sha256sum] = "733984395e0dbbe5c046abda2dc49a5544e7e0e1e2366bba849222ae9e3a03b1"

-# https://nvd.nist.gov/vuln/detail/CVE-2023-39018
-# https://github.com/bramp/ffmpeg-cli-wrapper/issues/291
-# https://security-tracker.debian.org/tracker/CVE-2023-39018
-# https://bugzilla.suse.com/show_bug.cgi?id=CVE-2023-39018
-CVE_STATUS[CVE-2023-39018] = "cpe-incorrect: This issue belongs to ffmpeg-cli-wrapper \
-(Java wrapper around the FFmpeg CLI) and not ffmepg itself."
-
 # Build fails when thumb is enabled: https://bugzilla.yoctoproject.org/show_bug.cgi?id=7717
 ARM_INSTRUCTION_SET:armv4 = "arm"
 ARM_INSTRUCTION_SET:armv5 = "arm"
--- a/meta/recipes-support/libxslt/libxslt_1.1.43.bb
+++ b/meta/recipes-support/libxslt/libxslt_1.1.43.bb
@ -19,8 +19,6 @@ SRC_URI[sha256sum] = "5a3d6b383ca5afc235b171118e90f5ff6aa27e9fea3303065231a6d403

 UPSTREAM_CHECK_REGEX = "libxslt-(?P<pver>\d+(\.\d+)+)\.tar"

-CVE_STATUS[CVE-2022-29824] = "not-applicable-config: Static linking to libxml2 is not enabled."
-
 S = "${UNPACKDIR}/libxslt-${PV}"

 BINCONFIG = "${bindir}/xslt-config"
--- a/meta/recipes-support/libyaml/libyaml_0.2.5.bb
+++ b/meta/recipes-support/libyaml/libyaml_0.2.5.bb
@ -17,8 +17,4 @@ inherit autotools
 DISABLE_STATIC:class-nativesdk = ""
 DISABLE_STATIC:class-native = ""

-CVE_STATUS[CVE-2024-35325] = "upstream-wontfix: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303"
-CVE_STATUS[CVE-2024-35326] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
-CVE_STATUS[CVE-2024-35328] = "upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302"
-
 BBCLASSEXTEND = "native nativesdk"