# When producing a combined mirror directory, allow duplicates for the case
# where multiple recipes use the same SRC_URI.
ARCHIVER_COMBINED_MIRRORDIR = "${ARCHIVER_TOPDIR}/mirror"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}/mirror"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}/mirror"
do_dumpdata[dirs] = "${ARCHIVER_OUTDIR}"
do_ar_recipe[dirs] = "${ARCHIVER_OUTDIR}"
sdkvars = "DISTRO DISTRO_VERSION SDK_NAME SDK_VERSION SDKMACHINE SDKIMAGE_FEATURES TOOLCHAIN_HOST_TASK TOOLCHAIN_TARGET_TASK BAD_RECOMMENDATIONS NO_RECOMMENDATIONS PACKAGE_EXCLUDE"
if d.getVar('BB_CURRENTTASK') == 'populate_sdk_ext':
# Extensible SDK uses some additional variables
- sdkvars += " SDK_LOCAL_CONF_WHITELIST SDK_LOCAL_CONF_BLACKLIST SDK_INHERIT_BLACKLIST SDK_UPDATE_URL SDK_EXT_TYPE SDK_RECRDEP_TASKS SDK_INCLUDE_PKGDATA SDK_INCLUDE_TOOLCHAIN"
- listvars = "SDKIMAGE_FEATURES BAD_RECOMMENDATIONS PACKAGE_EXCLUDE SDK_LOCAL_CONF_WHITELIST SDK_LOCAL_CONF_BLACKLIST SDK_INHERIT_BLACKLIST"
+ sdkvars += " ESDK_LOCALCONF_ALLOW ESDK_LOCALCONF_REMOVE ESDK_CLASS_INHERIT_DISABLE SDK_UPDATE_URL SDK_EXT_TYPE SDK_RECRDEP_TASKS SDK_INCLUDE_PKGDATA SDK_INCLUDE_TOOLCHAIN"
+ listvars = "SDKIMAGE_FEATURES BAD_RECOMMENDATIONS PACKAGE_EXCLUDE ESDK_LOCALCONF_ALLOW ESDK_LOCALCONF_REMOVE ESDK_CLASS_INHERIT_DISABLE"
return outputvars(sdkvars, listvars, d)
CVE_CHECK_REPORT_PATCHED ??= "1"
# Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST ?= ""
+CVE_CHECK_SKIP_RECIPE ?= ""
# Whitelist for CVE. If a CVE is found, then it is considered patched.
# The value is a string containing space separated CVE values:
#
-# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
#
-CVE_CHECK_WHITELIST ?= ""
+CVE_CHECK_IGNORE ?= ""
# Layers to be excluded
CVE_CHECK_LAYER_EXCLUDELIST ??= ""
pv = d.getVar("CVE_VERSION").split("+git")[0]
# If the recipe has been whitelisted we return empty lists
- if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split():
+ if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
bb.note("Recipe has been whitelisted, skipping check")
return ([], [], [])
- cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
+ cve_whitelist = d.getVar("CVE_CHECK_IGNORE").split()
import sqlite3
db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
ALL_QA = "${WARN_QA} ${ERROR_QA}"
-UNKNOWN_CONFIGURE_WHITELIST ?= "--enable-nls --disable-nls --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot --disable-static"
+UNKNOWN_CONFIGURE_OPT_IGNORE ?= "--enable-nls --disable-nls --disable-silent-rules --disable-dependency-tracking --with-libtool-sysroot --disable-static"
# This is a list of directories that are expected to be empty.
QA_EMPTY_DIRS ?= " \
options = set()
for line in output.splitlines():
options |= set(line.partition(flag)[2].split())
- whitelist = set(d.getVar("UNKNOWN_CONFIGURE_WHITELIST").split())
+ whitelist = set(d.getVar("UNKNOWN_CONFIGURE_OPT_IGNORE").split())
options -= whitelist
if options:
pn = d.getVar('PN')
SDK_RECRDEP_TASKS ?= ""
SDK_CUSTOM_TEMPLATECONF ?= "0"
-SDK_LOCAL_CONF_WHITELIST ?= ""
-SDK_LOCAL_CONF_BLACKLIST ?= "CONF_VERSION \
+ESDK_LOCALCONF_ALLOW ?= ""
+ESDK_LOCALCONF_REMOVE ?= "CONF_VERSION \
BB_NUMBER_THREADS \
BB_NUMBER_PARSE_THREADS \
PARALLEL_MAKE \
TMPDIR \
BB_SERVER_TIMEOUT \
"
-SDK_INHERIT_BLACKLIST ?= "buildhistory icecc"
+ESDK_CLASS_INHERIT_DISABLE ?= "buildhistory icecc"
SDK_UPDATE_URL ?= ""
SDK_TARGETS ?= "${PN}"
if derivative:
shutil.copyfile(builddir + '/conf/local.conf', baseoutpath + '/conf/local.conf')
else:
- local_conf_whitelist = (d.getVar('SDK_LOCAL_CONF_WHITELIST') or '').split()
- local_conf_blacklist = (d.getVar('SDK_LOCAL_CONF_BLACKLIST') or '').split()
+ local_conf_whitelist = (d.getVar('ESDK_LOCALCONF_ALLOW') or '').split()
+ local_conf_blacklist = (d.getVar('ESDK_LOCALCONF_REMOVE') or '').split()
def handle_var(varname, origvalue, op, newlines):
if varname in local_conf_blacklist or (origvalue.strip().startswith('/') and not varname in local_conf_whitelist):
newlines.append('# Removed original setting of %s\n' % varname)
f.write('CONF_VERSION = "%s"\n\n' % d.getVar('CONF_VERSION', False))
# Some classes are not suitable for SDK, remove them from INHERIT
- f.write('INHERIT:remove = "%s"\n' % d.getVar('SDK_INHERIT_BLACKLIST', False))
+ f.write('INHERIT:remove = "%s"\n' % d.getVar('ESDK_CLASS_INHERIT_DISABLE', False))
# Bypass the default connectivity check if any
f.write('CONNECTIVITY_CHECK_URIS = ""\n\n')
SSTATE_EXTRAPATHWILDCARD[vardepvalue] = ""
# For multilib rpm the allarch packagegroup files can overwrite (in theory they're identical)
-SSTATE_DUPWHITELIST = "${DEPLOY_DIR}/licenses/"
+SSTATE_ALLOW_OVERLAP_FILES = "${DEPLOY_DIR}/licenses/"
# Avoid docbook/sgml catalog warnings for now
-SSTATE_DUPWHITELIST += "${STAGING_ETCDIR_NATIVE}/sgml ${STAGING_DATADIR_NATIVE}/sgml"
+SSTATE_ALLOW_OVERLAP_FILES += "${STAGING_ETCDIR_NATIVE}/sgml ${STAGING_DATADIR_NATIVE}/sgml"
# sdk-provides-dummy-nativesdk and nativesdk-buildtools-perl-dummy overlap for different SDKMACHINE
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-nativesdk/"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-nativesdk/"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/"
# target-sdk-provides-dummy overlaps that allarch is disabled when multilib is used
-SSTATE_DUPWHITELIST += "${COMPONENTS_DIR}/sdk-provides-dummy-target/ ${DEPLOY_DIR_RPM}/sdk_provides_dummy_target/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-target/"
+SSTATE_ALLOW_OVERLAP_FILES += "${COMPONENTS_DIR}/sdk-provides-dummy-target/ ${DEPLOY_DIR_RPM}/sdk_provides_dummy_target/ ${DEPLOY_DIR_IPK}/sdk-provides-dummy-target/"
# Archive the sources for many architectures in one deploy folder
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_SRC}"
# ovmf/grub-efi/systemd-boot/intel-microcode multilib recipes can generate identical overlapping files
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/ovmf"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/grub-efi"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/systemd-boot"
-SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/microcode"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/ovmf"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/grub-efi"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/systemd-boot"
+SSTATE_ALLOW_OVERLAP_FILES += "${DEPLOY_DIR_IMAGE}/microcode"
SSTATE_SCAN_FILES ?= "*.la *-config *_config postinst-*"
SSTATE_SCAN_CMD ??= 'find ${SSTATE_BUILDDIR} \( -name "${@"\" -o -name \"".join(d.getVar("SSTATE_SCAN_FILES").split())}" \) -type f'
shareddirs.append(dstdir)
# Check the file list for conflicts against files which already exist
- whitelist = (d.getVar("SSTATE_DUPWHITELIST") or "").split()
+ whitelist = (d.getVar("SSTATE_ALLOW_OVERLAP_FILES") or "").split()
match = []
for f in sharedfiles:
if os.path.exists(f) and not os.path.islink(f):
"DISTRO_FEATURES on an existing build directory is not supported - you " \
"should really clean out tmp and rebuild (reusing sstate should be safe). " \
"It could be the overlapping files detected are harmless in which case " \
- "adding them to SSTATE_DUPWHITELIST may be the correct solution. It could " \
+ "adding them to SSTATE_ALLOW_OVERLAP_FILES may be the correct solution. It could " \
"also be your build is including two different conflicting versions of " \
"things (e.g. bluez 4 and bluez 5 and the correct solution for that would " \
"be to resolve the conflict. If in doubt, please ask on the mailing list, " \
for lock in locks:
bb.utils.unlockfile(lock)
-sstate_install[vardepsexclude] += "SSTATE_DUPWHITELIST STATE_MANMACH SSTATE_MANFILEPREFIX"
+sstate_install[vardepsexclude] += "SSTATE_ALLOW_OVERLAP_FILES STATE_MANMACH SSTATE_MANFILEPREFIX"
sstate_install[vardeps] += "${SSTATEPOSTINSTFUNCS}"
def sstate_installpkg(ss, d):
SYSROOT_DIRS:append:class-crosssdk = " ${SYSROOT_DIRS_NATIVE}"
# These directories will not be staged in the sysroot
-SYSROOT_DIRS_BLACKLIST = " \
+SYSROOT_DIRS_IGNORE = " \
${mandir} \
${docdir} \
${infodir} \
done
# Remove directories we do not care about
- for dir in ${SYSROOT_DIRS_BLACKLIST}; do
+ for dir in ${SYSROOT_DIRS_IGNORE}; do
rm -rf "$to$dir"
done
}
# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
# CVE is more than 20 years old with no resolution evident
# broken links in CVE database references make resolution impractical
-CVE_CHECK_WHITELIST += "CVE-2000-0006"
+CVE_CHECK_IGNORE += "CVE-2000-0006"
# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
# The issue here is spoofing of domain names using characters from other character sets.
# there is unlikely ever to be a single fix to webkit or epiphany which addresses this
# problem. Whitelisted as there isn't any mitigation or fix or way to progress this further
# we can seem to take.
-CVE_CHECK_WHITELIST += "CVE-2005-0238"
+CVE_CHECK_IGNORE += "CVE-2005-0238"
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
# Upstream don't see it as a security issue, ftp servers shouldn't be passing
# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT or similar
-CVE_CHECK_WHITELIST += "CVE-2010-4756"
+CVE_CHECK_IGNORE += "CVE-2010-4756"
# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
# The encoding/xml package in go can potentially be used for security exploits if not used correctly
# CVE applies to a netapp product as well as flagging a general issue. We don't ship anything
# exposing this interface in an exploitable way
-CVE_CHECK_WHITELIST += "CVE-2020-29509 CVE-2020-29511"
+CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
# db
# Since Oracle relicensed bdb, the open source community is slowly but surely replacing bdb with
# supported and open source friendly alternatives. As a result these CVEs are unlikely to ever be fixed.
-CVE_CHECK_WHITELIST += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
+CVE_CHECK_IGNORE += "CVE-2015-2583 CVE-2015-2624 CVE-2015-2626 CVE-2015-2640 CVE-2015-2654 \
CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4776 CVE-2015-4777 \
CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \
CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \
# groff:groff-native https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0803
# Appears it was fixed in https://git.savannah.gnu.org/cgit/groff.git/commit/?id=07f95f1674217275ed4612f1dcaa95a88435c6a7
# so from 1.17 onwards. Reported to the database for update by RP 2021/5/9. Update accepted 2021/5/10.
-#CVE_CHECK_WHITELIST += "CVE-2000-0803"
+#CVE_CHECK_IGNORE += "CVE-2000-0803"
cls.env_eSDK = oeSDKExtSelfTest.get_esdk_environment('', cls.tmpdir_eSDKQA)
sstate_config="""
-SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS"
+ESDK_LOCALCONF_ALLOW = "SSTATE_MIRRORS"
SSTATE_MIRRORS = "file://.* file://%s/PATH"
CORE_IMAGE_EXTRA_INSTALL = "perl"
""" % sstate_dir
# Configure eSDK to use sstate mirror from poky
sstate_config="""
-SDK_LOCAL_CONF_WHITELIST = "SSTATE_MIRRORS"
+ESDK_LOCALCONF_ALLOW = "SSTATE_MIRRORS"
SSTATE_MIRRORS = "file://.* file://%s/PATH"
""" % bb_vars["SSTATE_DIR"]
with open(os.path.join(cls.tmpdir_eSDKQA, 'conf', 'local.conf'), 'a+') as f:
SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f"
# Applies only to RHEL
-CVE_CHECK_WHITELIST += "CVE-2019-14865"
+CVE_CHECK_IGNORE += "CVE-2019-14865"
DEPENDS = "flex-native bison-native gettext-native"
SRC_URI[sha256sum] = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
# Issue only affects Debian/SUSE, not us
-CVE_CHECK_WHITELIST += "CVE-2021-26720"
+CVE_CHECK_IGNORE += "CVE-2021-26720"
DEPENDS = "expat libcap libdaemon glib-2.0"
# Issue only affects dhcpd with recent bind versions. We don't ship dhcpd anymore
# so the issue doesn't affect us.
-CVE_CHECK_WHITELIST += "CVE-2019-6470"
+CVE_CHECK_IGNORE += "CVE-2019-6470"
inherit autotools update-rc.d systemd useradd pkgconfig multilib_header update-alternatives
SRC_URI[sha256sum] = "9349e11e8160bb3d720835d271250d8a7424d3690f5289e6db6fe07cc66c6d76"
# These issues have kernel fixes rather than bluez fixes so exclude here
-CVE_CHECK_WHITELIST += "CVE-2020-12352 CVE-2020-24490"
+CVE_CHECK_IGNORE += "CVE-2020-12352 CVE-2020-24490"
# noinst programs in Makefile.tools that are conditional on READLINE
# support
SRC_URI[sha256sum] = "4590890ea9bb9ace4f71ae331785a3a5823232435161960ed5fc86588f331fe9"
# This CVE is specific to OpenSSH with the pam opie which we don't build/use here
-CVE_CHECK_WHITELIST += "CVE-2007-2768"
+CVE_CHECK_IGNORE += "CVE-2007-2768"
# This CVE is specific to OpenSSH server, as used in Fedora and Red Hat Enterprise Linux 7
# and when running in a Kerberos environment. As such it is not relevant to OpenEmbedded
-CVE_CHECK_WHITELIST += "CVE-2014-9278"
+CVE_CHECK_IGNORE += "CVE-2014-9278"
# CVE only applies to some distributed RHEL binaries
-CVE_CHECK_WHITELIST += "CVE-2008-3844"
+CVE_CHECK_IGNORE += "CVE-2008-3844"
PAM_SRC_URI = "file://sshd"
# Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
# Apache in meta-webserver is already recent enough
-CVE_CHECK_WHITELIST += "CVE-2019-0190"
+CVE_CHECK_IGNORE += "CVE-2019-0190"
# http://git.savannah.gnu.org/cgit/coreutils.git/commit/?id=v8.27-101-gf5d7c0842
# runcon is not really a sandbox command, use `runcon ... setsid ...` to avoid this particular issue.
-CVE_CHECK_WHITELIST += "CVE-2016-2781"
+CVE_CHECK_IGNORE += "CVE-2016-2781"
EXTRA_OECONF:class-target = "--enable-install-program=arch,hostname --libexecdir=${libdir}"
EXTRA_OECONF:class-nativesdk = "--enable-install-program=arch,hostname"
require glibc.inc
require glibc-version.inc
-CVE_CHECK_WHITELIST += "CVE-2020-10029 CVE-2021-27645"
+CVE_CHECK_IGNORE += "CVE-2020-10029 CVE-2021-27645"
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010022
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010023
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010024
# Upstream glibc maintainers dispute there is any issue and have no plans to address it further.
# "this is being treated as a non-security bug and no real threat."
-CVE_CHECK_WHITELIST += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
+CVE_CHECK_IGNORE += "CVE-2019-1010022 CVE-2019-1010023 CVE-2019-1010024"
# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-1010025
# Allows for ASLR bypass so can bypass some hardening, not an exploit in itself, may allow
# easier access for another. "ASLR bypass itself is not a vulnerability."
# Potential patch at https://sourceware.org/bugzilla/show_bug.cgi?id=22853
-CVE_CHECK_WHITELIST += "CVE-2019-1010025"
+CVE_CHECK_IGNORE += "CVE-2019-1010025"
DEPENDS += "gperf-native bison-native make-native"
require dummy-sdk-package.inc
-SSTATE_DUPWHITELIST += "${PKGDATA_DIR}/${PN} ${PKGDATA_DIR}/runtime/${PN}"
+SSTATE_ALLOW_OVERLAP_FILES += "${PKGDATA_DIR}/${PN} ${PKGDATA_DIR}/runtime/${PN}"
# This is specific to the npm package that installs cmake, so isn't
# relevant to OpenEmbedded
-CVE_CHECK_WHITELIST += "CVE-2016-10642"
+CVE_CHECK_IGNORE += "CVE-2016-10642"
# Disputed - yes there is stack exhaustion but no bug and it is building the
# parser, not running it, effectively similar to a compiler ICE. Upstream no plans to address
# https://github.com/westes/flex/issues/414
-CVE_CHECK_WHITELIST += "CVE-2019-6293"
+CVE_CHECK_IGNORE += "CVE-2019-6293"
inherit autotools gettext texinfo ptest
"
# Is a binutils 2.26 issue, not gcc
-CVE_CHECK_WHITELIST += "CVE-2021-37322"
+CVE_CHECK_IGNORE += "CVE-2021-37322"
# and builds track file dependencies (e.g. perl and its makedepends code).
# For determinism we don't install this ever and rely on the copy from gcc-cross.
# [YOCTO #7287]
-SYSROOT_DIRS_BLACKLIST += "${libdir}/gcc"
+SYSROOT_DIRS_IGNORE += "${libdir}/gcc"
PACKAGECONFIG[readline] = "--with-system-readline,--without-system-readline,nativesdk-readline"
PACKAGECONFIG[debuginfod] = "--with-debuginfod, --without-debuginfod, nativesdk-elfutils"
-SSTATE_DUPWHITELIST += "${STAGING_DATADIR}/gdb"
+SSTATE_ALLOW_OVERLAP_FILES += "${STAGING_DATADIR}/gdb"
do_configure:prepend() {
cat > ${WORKDIR}/python << EOF
# Upstream don't believe it is a signifiant real world issue and will only
# fix in 1.17 onwards where we can drop this.
# https://github.com/golang/go/issues/30999#issuecomment-910470358
-CVE_CHECK_WHITELIST += "CVE-2021-29923"
+CVE_CHECK_IGNORE += "CVE-2021-29923"
# https://github.com/jquery/jquery/issues/3927
# There are ways jquery can expose security issues but any issues are in the apps exposing them
# and there is little we can directly do
-CVE_CHECK_WHITELIST += "CVE-2007-2379"
+CVE_CHECK_IGNORE += "CVE-2007-2379"
inherit allarch
#
# We want the results of libtool-cross preserved - don't stage anything ourselves.
#
-SYSROOT_DIRS_BLACKLIST += " \
+SYSROOT_DIRS_IGNORE += " \
${bindir} \
${datadir}/aclocal \
${datadir}/libtool/build-aux \
CVE_PRODUCT = "python"
# Upstream consider this expected behaviour
-CVE_CHECK_WHITELIST += "CVE-2007-4559"
+CVE_CHECK_IGNORE += "CVE-2007-4559"
# This is not exploitable when glibc has CVE-2016-10739 fixed.
-CVE_CHECK_WHITELIST += "CVE-2019-18348"
+CVE_CHECK_IGNORE += "CVE-2019-18348"
# This is windows only issue.
-CVE_CHECK_WHITELIST += "CVE-2020-15523"
+CVE_CHECK_IGNORE += "CVE-2020-15523"
PYTHON_MAJMIN = "3.10"
SRC_URI:append:class-nativesdk = " file://cross.patch"
# Applies against virglrender < 0.6.0 and not qemu itself
-CVE_CHECK_WHITELIST += "CVE-2017-5957"
+CVE_CHECK_IGNORE += "CVE-2017-5957"
# The VNC server can expose host files uder some circumstances. We don't
# enable it by default.
-CVE_CHECK_WHITELIST += "CVE-2007-0998"
+CVE_CHECK_IGNORE += "CVE-2007-0998"
# 'The issues identified by this CVE were determined to not constitute a vulnerability.'
# https://bugzilla.redhat.com/show_bug.cgi?id=1609015#c11
-CVE_CHECK_WHITELIST += "CVE-2018-18438"
+CVE_CHECK_IGNORE += "CVE-2018-18438"
COMPATIBLE_HOST:mipsarchn32 = "null"
COMPATIBLE_HOST:mipsarchn64 = "null"
SRC_URI[sha256sum] = "becc3c504ceea499f4167a260040ccf4d9f2ef9499ad5683c179a697146ce50e"
# -16548 required for v3.1.3pre1. Already in v3.1.3.
-CVE_CHECK_WHITELIST += " CVE-2017-16548 "
+CVE_CHECK_IGNORE += " CVE-2017-16548 "
inherit autotools-brokensep
# Upstream don't believe this is an exploitable issue
# https://core.tcl-lang.org/tcl/info/7079e4f91601e9c7
-CVE_CHECK_WHITELIST += "CVE-2021-35331"
+CVE_CHECK_IGNORE += "CVE-2021-35331"
UPSTREAM_CHECK_REGEX = "tcl(?P<pver>\d+(\.\d+)+)-src"
inherit autotools gettext texinfo
# Issue applies to use of cpio in SUSE/OBS, doesn't apply to us
-CVE_CHECK_WHITELIST += "CVE-2010-4226"
+CVE_CHECK_IGNORE += "CVE-2010-4226"
EXTRA_OECONF += "DEFAULT_RMT_DIR=${sbindir}"
UPSTREAM_CHECK_REGEX = "cups-(?P<pver>(?!.+\d(b|rc)\d.+).+)-source.tar"
# Issue only applies to MacOS
-CVE_CHECK_WHITELIST += "CVE-2008-1033"
+CVE_CHECK_IGNORE += "CVE-2008-1033"
# Issue affects pdfdistiller plugin used with but not part of cups
-CVE_CHECK_WHITELIST += "CVE-2009-0032"
+CVE_CHECK_IGNORE += "CVE-2009-0032"
# This is an Ubuntu only issue.
-CVE_CHECK_WHITELIST += "CVE-2018-6553"
+CVE_CHECK_IGNORE += "CVE-2018-6553"
LEAD_SONAME = "libcupsdriver.so"
# -25317 concerns /var/log/cups having lp ownership. Our /var/log/cups is
# root:root, so this doesn't apply.
-CVE_CHECK_WHITELIST += "CVE-2021-25317"
+CVE_CHECK_IGNORE += "CVE-2021-25317"
# As of ghostscript 9.54.0 the jpeg issue in the CVE is present in the gs jpeg sources
# however we use an external jpeg which doesn't have the issue.
-CVE_CHECK_WHITELIST += "CVE-2013-6629"
+CVE_CHECK_IGNORE += "CVE-2013-6629"
def gs_verdir(v):
return "".join(v.split("."))
# Fixed in 2000-10-10, but the versioning of iputils
# breaks the version order.
-CVE_CHECK_WHITELIST += "CVE-2000-1213 CVE-2000-1214"
+CVE_CHECK_IGNORE += "CVE-2000-1213 CVE-2000-1214"
PACKAGECONFIG ??= "libcap rarpd \
${@bb.utils.contains('DISTRO_FEATURES', 'ipv6', 'ninfod', '', d)} \
SRC_URI[sha256sum] = "ddd5274d684c5c99ca724e8069329f343ebe376e07493d537d9effdc501214ba"
# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_WHITELIST += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
# 'ps' isn't suitable for use as a security tool so whitelist this CVE.
# https://bugzilla.redhat.com/show_bug.cgi?id=1575473#c3
-CVE_CHECK_WHITELIST += "CVE-2018-1121"
+CVE_CHECK_IGNORE += "CVE-2018-1121"
PROCPS_PACKAGES = "${PN}-lib \
${PN}-ps \
# Severity is low and marked as closed and won't fix.
# https://bugzilla.redhat.com/show_bug.cgi?id=884658
-CVE_CHECK_WHITELIST += "CVE-2013-4235"
+CVE_CHECK_IGNORE += "CVE-2013-4235"
SRC_URI[sha256sum] = "036d96991646d0449ed0aa952e4fbe21b476ce994abc276e49d30e686708bd37"
# Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&action=diff applied to 6.0 source
-CVE_CHECK_WHITELIST += "CVE-2008-0888"
+CVE_CHECK_IGNORE += "CVE-2008-0888"
# exclude version 5.5.2 which triggers a false positive
UPSTREAM_CHECK_REGEX = "unzip(?P<pver>(?!552).+)\.tgz"
S = "${WORKDIR}/git"
# https://github.com/xinetd-org/xinetd/pull/10 is merged into this git tree revision
-CVE_CHECK_WHITELIST += "CVE-2013-4342"
+CVE_CHECK_IGNORE += "CVE-2013-4342"
inherit autotools update-rc.d systemd pkgconfig
SRC_URI[sha256sum] = "f0e8bb1f9b7eb0b01285495a2699df3a4b766784c1765a8f1aeedf63c0806369"
# Disputed and also Debian doesn't consider a vulnerability
-CVE_CHECK_WHITELIST += "CVE-2018-13410"
+CVE_CHECK_IGNORE += "CVE-2018-13410"
# Not for zip but for smart contract implementation for it
-CVE_CHECK_WHITELIST += "CVE-2018-13684"
+CVE_CHECK_IGNORE += "CVE-2018-13684"
# zip.inc sets CFLAGS, but what Makefile actually uses is
# CFLAGS_NOOPT. It will also force -O3 optimization, overriding
RREPLACES:${PN} += "libnotify3"
# -7381 is specific to the NodeJS bindings
-CVE_CHECK_WHITELIST += "CVE-2013-7381"
+CVE_CHECK_IGNORE += "CVE-2013-7381"
}
# Issue only on windows
-CVE_CHECK_WHITELIST += "CVE-2018-1000041"
+CVE_CHECK_IGNORE += "CVE-2018-1000041"
CACHED_CONFIGUREVARS = "ac_cv_path_GDK_PIXBUF_QUERYLOADERS=${STAGING_LIBDIR_NATIVE}/gdk-pixbuf-2.0/gdk-pixbuf-query-loaders"
}
# -4178 is an unrelated 'builder'
-CVE_CHECK_WHITELIST = "CVE-2008-4178"
+CVE_CHECK_IGNORE = "CVE-2008-4178"
SRC_URI[md5sum] = "3d6adb76fdd072db8c8fae41b40855e8"
SRC_URI[sha256sum] = "3ad880444123ac06a7238546fa38a2a6ad7f7e0cc3614de7e103863616522282"
-SYSROOT_DIRS_BLACKLIST:remove = "${datadir}/fonts"
+SYSROOT_DIRS_IGNORE:remove = "${datadir}/fonts"
PACKAGECONFIG ??= ""
PACKAGECONFIG[xmlto] = "--with-xmlto, --without-xmlto, xmlto-native docbook-xml-dtd4-native docbook-xsl-stylesheets-native"
-UNKNOWN_CONFIGURE_WHITELIST += "--enable-malloc0returnsnull --disable-malloc0returnsnull \
+UNKNOWN_CONFIGURE_OPT_IGNORE += "--enable-malloc0returnsnull --disable-malloc0returnsnull \
--disable-specs --without-groff --without-ps2pdf --without-fop \
--without-xmlto --with-xmlto \
"
CVE_PRODUCT = "xorg-server x_server"
# This is specific to Debian's xserver-wrapper.c
-CVE_CHECK_WHITELIST += "CVE-2011-4613"
+CVE_CHECK_IGNORE += "CVE-2011-4613"
# As per upstream, exploiting this flaw is non-trivial and it requires exact
# timing on the behalf of the attacker. Many graphical applications exit if their
# connection to the X server is lost, so a typical desktop session is either
# impossible or difficult to exploit. There is currently no upstream patch
# available for this flaw.
-CVE_CHECK_WHITELIST += "CVE-2020-25697"
+CVE_CHECK_IGNORE += "CVE-2020-25697"
S = "${WORKDIR}/${XORG_PN}-${PV}"
BBCLASSEXTEND = "native nativesdk"
# CVE-2019-17371 is actually a memory leak in gif2png 2.x
-CVE_CHECK_WHITELIST += "CVE-2019-17371"
+CVE_CHECK_IGNORE += "CVE-2019-17371"
# This can't be replicated and is just a memory leak.
# https://github.com/erikd/libsndfile/issues/398
-CVE_CHECK_WHITELIST += "CVE-2018-13419"
+CVE_CHECK_IGNORE += "CVE-2018-13419"
# Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313
# and 4.3.0 doesn't have the issue
-CVE_CHECK_WHITELIST += "CVE-2015-7313"
+CVE_CHECK_IGNORE += "CVE-2015-7313"
inherit autotools multilib_header
SRC_URI[sha256sum] = "ea849c83a72454e3ed4267697e8ca03390aee972ab421e7df69dfe42b65caaf7"
# Below whitelisted CVEs are disputed and not affecting crypto libraries for any distro.
-CVE_CHECK_WHITELIST += "CVE-2018-12433 CVE-2018-12438"
+CVE_CHECK_IGNORE += "CVE-2018-12433 CVE-2018-12438"
BINCONFIG = "${bindir}/libgcrypt-config"
S = "${WORKDIR}/git"
# Fixed in r118, which is larger than the current version.
-CVE_CHECK_WHITELIST += "CVE-2014-4715"
+CVE_CHECK_IGNORE += "CVE-2014-4715"
EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
SRC_URI[sha256sum] = "4089a8d9b467537b3f246f217b84cd76e00b1d1a971fe5aca1e30e230e46b2d8"
# -19242 is only an issue in specific development branch commits
-CVE_CHECK_WHITELIST += "CVE-2019-19242"
+CVE_CHECK_IGNORE += "CVE-2019-19242"
# This is believed to be iOS specific (https://groups.google.com/g/sqlite-dev/c/U7OjAbZO6LA)
-CVE_CHECK_WHITELIST += "CVE-2015-3717"
+CVE_CHECK_IGNORE += "CVE-2015-3717"
# Issue in an experimental extension we don't have/use. Fixed by https://sqlite.org/src/info/b1e0c22ec981cf5f
-CVE_CHECK_WHITELIST += "CVE-2021-36690"
+CVE_CHECK_IGNORE += "CVE-2021-36690"
