Re: cve check report package version mismatch #yocto


Marta Rybczynska
 

On Tue, Jul 5, 2022 at 2:31 PM <gauravsuman007@...> wrote:

> I used the cve check class by including it in the local.conf and then ran the bitbake build process for my image. I got a log of all the detected CVEs in the packages used in the build. However, on closer inspection, I noticed that the packages used in the build are already higher version than when the CVE was patched. Here is an example:
>
> LAYER: meta
> PACKAGE NAME: libksba
> PACKAGE VERSION: 1.6.0
> CVE: CVE-2016-4355
> CVE STATUS: Patched

Hello Gaurav,
The CVE STATUS "Patched" means that there was an issue in the past,
but it is either fixed or otherwise mitigated. Open issues are marked
as "Unpatched". If you'd like to see only Unpatched issues in the
report, please use CVE_CHECK_REPORT_PATCHED = "0" in your local.conf
or in whichever other place your OE configuration comes from.

Kind regards,
Marta
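For a report that was already generated with patched entries included, the same filtering can be done after the fact. The following is an added example, not code from the cve-check class or from anyone in this thread; it assumes the record layout shown above (blank-line-separated blocks of "KEY: value" lines with LAYER, PACKAGE NAME, PACKAGE VERSION, CVE and CVE STATUS) and treats any other "KEY: value" line as opaque. The sample report is constructed: the libksba record from the thread plus placeholder CVE ids.

```python
"""Filter a cve-check text report down to Unpatched findings, grouped by package."""
from collections import defaultdict

# Constructed sample report: the libksba record quoted in the thread plus two
# invented records (placeholder CVE ids) that only exist to exercise the filter.
SAMPLE_REPORT = """\
LAYER: meta
PACKAGE NAME: libksba
PACKAGE VERSION: 1.6.0
CVE: CVE-2016-4355
CVE STATUS: Patched

LAYER: meta
PACKAGE NAME: example-pkg
PACKAGE VERSION: 2.3.1
CVE: CVE-0000-0002
CVE STATUS: Unpatched

LAYER: meta
PACKAGE NAME: example-pkg
PACKAGE VERSION: 2.3.1
CVE: CVE-0000-0001
CVE STATUS: Unpatched
"""


def parse_report(text):
    """Yield one dict per blank-line-separated record of 'KEY: value' lines."""
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:                      # blank line closes the current record
            if record:
                yield record
                record = {}
            continue
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:                                 # ignore lines without a KEY: prefix
            record[key.strip()] = value.strip()
    if record:
        yield record


def unpatched_by_package(text):
    """Map 'NAME VERSION' to the sorted CVE ids whose CVE STATUS is Unpatched."""
    found = defaultdict(list)
    for rec in parse_report(text):
        if rec.get("CVE STATUS") == "Unpatched":
            found[f"{rec['PACKAGE NAME']} {rec['PACKAGE VERSION']}"].append(rec["CVE"])
    return {pkg: sorted(cves) for pkg, cves in found.items()}


if __name__ == "__main__":
    for pkg, cves in unpatched_by_package(SAMPLE_REPORT).items():
        print(pkg, ", ".join(cves))
```

Patched records such as the libksba one drop out, which is the same view CVE_CHECK_REPORT_PATCHED = "0" gives at build time.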
