I used the cve check class by including it in the local.conf and then ran the bitbake build process for my image. I got a log of all the detected CVEs in the packages used in the build. However, on closer inspection, I noticed that the packages used in the build are already higher version than when the CVE was patched. Here is an example:

• LAYER: meta
• PACKAGE NAME: libksba
• PACKAGE VERSION: 1.6.0
• CVE: CVE-2016-4355
• CVE STATUS: Patched
• CVE SUMMARY: Multiple integer overflows in ber-decoder.c in Libksba before 1.3.3 allow remote attackers to cause a denial of service (crash) via crafted BER data, which leads to a buffer overflow.
• CVSS v2 BASE SCORE: 5.0
• CVSS v3 BASE SCORE: 7.5
• VECTOR: NETWORK
• MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-4355

As can be seen, the CVE was patched in version 1.3.3 of the libksba while the build is using the version 1.6.0.

Is there something wrong with what the cve-check is reporting or is it not bothering to match the version numbers before reporting a CVE? Or maybe my understanding of the report is incorrect?

Would really appreciate a feedback on this, seeing as how the documentation on the cve checker is sparse.


Thanks,
Gaurav