xref: /openbmc/openbmc/poky/meta/conf/cve-check-map.conf (revision 8460358c3d24c71d9d38fd126c745854a6301564) 
1# Possible options for CVE statuses
2
3# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
4CVE_CHECK_STATUSMAP[patched] = "Patched"
5# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
6CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
7# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
8CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
9# use when NVD DB does not mention correct version or does not mention any verion at all
10CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
11# use when a fix file has been included (set automatically)
12CVE_CHECK_STATUSMAP[fix-file-included] = "Patched"
13# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically)
14CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched"
15
16# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
17CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
18# use when CVE is confirmed by upstream but fix is still not available
19CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
20# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically)
21CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched"
22
23# used for migration from old concept, do not use for new vulnerabilities
24CVE_CHECK_STATUSMAP[ignored] = "Ignored"
25# use when NVD DB wrongly indicates vulnerability which is actually for a different component
26CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
27# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
28CVE_CHECK_STATUSMAP[disputed] = "Ignored"
29# use when vulnerability depends on build or runtime configuration which is not used
30CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
31# use when vulnerability affects other platform (e.g. Windows or Debian)
32CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
33# use when upstream acknowledged the vulnerability but does not plan to fix it
34CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
35
36# use when it is impossible to conclude if the vulnerability is present or not
37CVE_CHECK_STATUSMAP[unknown] = "Unknown"
38