Commit 45d1a0be authored Sep 14, 2021 by Ralph Siemsen Committed by Richard Purdie Oct 11, 2021

tar: filter CVEs using vendor name



Recently a number of CVEs have been logged against a nodejs project
called "node-tar". These appear as false positives against the GNU tar
being built by Yocto. Some of these have been manually excluded using
CVE_CHECK_WHITELIST.

To avoid this problem, use the vendor name (in addition to package name)
for filtering CVEs. The syntax for this is:
  CVE_PRODUCT = "vendor:package"
When not specified, the vendor defaults to "%" which matches anything.

Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

parent 57f51e8c

Hide whitespace changes

Inline Side-by-side

mirror @mirror
mentioned in commit 4d0ad496
· Oct 25, 2021

mentioned in commit 4d0ad496

mentioned in commit 4d0ad4962bd3c69800f70770dc9123a694e16c26

Toggle commit list
mirror @mirror
mentioned in commit d11e970c
· Nov 02, 2021

mentioned in commit d11e970c

mentioned in commit d11e970c6e2482ad0b21994e4ec85ddf2aea1ede

Toggle commit list

Please register or to comment