Commit aa0c2f6

Add bdba yaml triage .NOPATCH CVEs from spec_parser (open-edge-platform#40)
Add bdba yaml cve triages for all nopatch derived from spec_parser.json

Signed-off-by: Tan Jia Yong <jia.yong.tan@intel.com>
1 parent f49aa28 commit aa0c2f6

45 files changed

+890
-1
lines changed

SPECS/avahi/.bdba.yaml

Lines changed: 10 additions & 0 deletions
@@ -0,0 +1,10 @@
1+
specVersion: 3
2+
vulnerabilityTriages:
3+
- component:
4+
name: avahi
5+
triages:
6+
- cve: CVE-2021-26720
7+
resolution: FalsePositive
8+
comment: '"CVE-2021-26720 only applies to Debian''s packaging of avahi.
9+
10+
https://nvd.nist.gov/vuln/detail/CVE-2021-26720"'
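Review bot: the `comment:` value is a single-quoted YAML scalar wrapping a literal double-quoted string (`'"CVE-2021-26720 only applies ..."'`), so the stored text begins and ends with `"` characters. Drop the inner double quotes, or use a block scalar (`comment: |`), so the justification and its NVD link are stored as plain text; the same wrapping pattern repeats in every file in this commit.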

SPECS/bind/.bdba.yaml

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
specVersion: 3
2+
vulnerabilityTriages:
3+
- component:
4+
name: bind
5+
triages:
6+
- cve: CVE-2019-6470
7+
resolution: FalsePositive
8+
comment: '"CVE-2019-6470 is fixed by updating the dhcp package to 4.4.1 or greater"'
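Review bot: the justification says CVE-2019-6470 "is fixed by updating the dhcp package to 4.4.1 or greater", but the triage is filed against the `bind` component and records neither which dhcp version this tree actually builds nor a link to the advisory. Add the packaged dhcp version and a reference so the FalsePositive can be re-verified when either package is bumped.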

SPECS/cluster-agent/.bdba.yaml

Lines changed: 11 additions & 0 deletions
@@ -18,3 +18,14 @@ overrides:
1818
forceVersion: true
1919
files:
2020
- path: usr/bin/cluster-agent
21+
vulnerabilityTriages:
22+
- component:
23+
name: cluster-agent
24+
triages:
25+
- cve: CVE-2024-45338
26+
resolution: FalsePositive
27+
comment: '"Package x-net already at the patched version 0.33.0. Lack of CPE data
28+
in NVD database.
29+
30+
31+
https://github.com/advisories/GHSA-w32m-9786-jp63"'
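Review bot: the comment asserts x-net is "already at the patched version 0.33.0" but does not say where that version is pinned, so a later dependency change would silently invalidate this triage; reference the file that fixes the module version alongside the GHSA link. The two extra blank lines between "in NVD database." and the advisory URL also become stray newlines in the single-quoted scalar; one blank line is enough.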

SPECS/coreutils/.bdba.yaml

Lines changed: 17 additions & 0 deletions
@@ -0,0 +1,17 @@
1+
specVersion: 3
2+
vulnerabilityTriages:
3+
- component:
4+
name: coreutils
5+
triages:
6+
- cve: CVE-2016-2781
7+
resolution: FalsePositive
8+
comment: '"# Upstream community agreed to not fix this"'
9+
- cve: CVE-2013-0222
10+
resolution: FalsePositive
11+
comment: '"CVE-2013-0221 is fixed in coreutils-8.32-i18n-1.patch"'
12+
- cve: CVE-2013-0221
13+
resolution: FalsePositive
14+
comment: '"CVE-2013-0221 is fixed in coreutils-8.32-i18n-1.patch"'
15+
- cve: CVE-2013-0223
16+
resolution: FalsePositive
17+
comment: '"CVE-2013-0221 is fixed in coreutils-8.32-i18n-1.patch"'
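Review bot: the entries for CVE-2013-0222 and CVE-2013-0223 both carry the comment `"CVE-2013-0221 is fixed in coreutils-8.32-i18n-1.patch"`, i.e. the CVE-2013-0221 justification was copy-pasted without updating the identifier. Each comment should name its own CVE, and it is worth confirming that the one patch really addresses all three. The CVE-2016-2781 comment also starts with `# `, which inside the quoted string is literal text rather than a YAML comment; drop it.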

SPECS/ctags/.bdba.yaml

Lines changed: 23 additions & 0 deletions
@@ -7,4 +7,27 @@ overrides:
77
files:
88
- path: usr/bin/ctags
99
- path: usr/bin/optscript
10+
vulnerabilityTriages:
11+
- component:
12+
name: ctags
13+
triages:
14+
- cve: CVE-2022-4515
15+
resolution: FalsePositive
16+
comment: '"CVE-2022-4515 - This CVE does not impact us because it affects exuberant
17+
ctags which is an old project. But we use universal ctags which is a maintaned
18+
fork of it and replacement for it. They have patched this CVE in 2016.
19+
20+
21+
NIST
22+
23+
https://nvd.nist.gov/vuln/detail/CVE-2022-4515
24+
25+
26+
Fix
27+
28+
https://github.com/universal-ctags/ctags/commit/e00c55d7a0204dc1d0ae316141323959e1e16162
29+
30+
31+
Project explanation
1032
33+
https://github.com/universal-ctags/ctags/blob/dcb882d311365112732aad9c823c53ec6c534eb9/README.md#cve-2022"'
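Review bot: "maintaned" on the second comment line should be "maintained", and the triple blank lines between the "NIST", "Fix" and "Project explanation" sections produce runs of empty lines in the stored string. A block scalar (`comment: |`) would keep the section layout readable without the single-quote wrapping, and the commit and README links then stay on their own lines as intended.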

SPECS/ed/.bdba.yaml

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
specVersion: 3
2+
vulnerabilityTriages:
3+
- component:
4+
name: ed
5+
triages:
6+
- cve: CVE-2015-2987
7+
resolution: FalsePositive
8+
comment: '"CVE-2015-2987 applies to a different program named ED"'
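Review bot: the comment "CVE-2015-2987 applies to a different program named ED" gives no reference, unlike the avahi and ctags entries which link NVD; add the NVD URL (or the name of the affected product) so the claim can be checked without re-researching it.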

SPECS/flex/.bdba.yaml

Lines changed: 8 additions & 0 deletions
@@ -0,0 +1,8 @@
1+
specVersion: 3
2+
vulnerabilityTriages:
3+
- component:
4+
name: flex
5+
triages:
6+
- cve: CVE-2019-6293
7+
resolution: FalsePositive
8+
comment: '"Upstream community decided to not fix this"'
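Review bot: "Upstream community decided to not fix this" is the only justification for CVE-2019-6293 and has no link to the upstream decision; cite the bug report or mailing-list thread, and prefer "decided not to fix" for wording.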

SPECS/fluent-bit/.bdba.yaml

Lines changed: 83 additions & 0 deletions
@@ -18,3 +18,86 @@ overrides:
1818
forceVersion: true
1919
files:
2020
- path: usr/bin/fluent-bit
21+
vulnerabilityTriages:
22+
- component:
23+
name: fluent-bit
24+
triages:
25+
- cve: CVE-2023-31124
26+
resolution: FalsePositive
27+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2023-31124\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
28+
\ \tUp to (excluding)\n1.19.1\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
29+
b2fe537776e6c494237adb72eef8511fff590ea9\""
30+
- cve: CVE-2021-3672
31+
resolution: FalsePositive
32+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2021-3672\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
33+
\ \tFrom (including) \t1.0.0 \tUp to (excluding)\n1.19.0\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
34+
b2fe537776e6c494237adb72eef8511fff590ea9\""
35+
- cve: CVE-2015-8659
36+
resolution: FalsePositive
37+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2015-8659\n\ncpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*\
38+
\ \tUp to (excluding)\n1.5.0\n\nhttps://github.com/fluent/fluent-bit/blob/v3.0.7/lib/nghttp2/CMakeLists.txt\n\
39+
project(nghttp2 VERSION 1.58.90)\""
40+
- cve: CVE-2016-1544
41+
resolution: FalsePositive
42+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2016-1544\n\ncpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*\
43+
\ \tUp to (excluding)\n1.7.1\n\nhttps://github.com/fluent/fluent-bit/blob/v3.0.7/lib/nghttp2/CMakeLists.txt\n\
44+
project(nghttp2 VERSION 1.58.90)\""
45+
- cve: CVE-2023-32067
46+
resolution: FalsePositive
47+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2023-32067\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
48+
\ \tUp to (excluding)\n1.19.1\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
49+
b2fe537776e6c494237adb72eef8511fff590ea9\""
50+
- cve: CVE-2023-31130
51+
resolution: FalsePositive
52+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2023-31130\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
53+
\ \tUp to (excluding)\n1.19.1\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
54+
b2fe537776e6c494237adb72eef8511fff590ea9\""
55+
- cve: CVE-2022-4904
56+
resolution: FalsePositive
57+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2022-4904\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
58+
\ \tUp to (excluding)\n1.19.0\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
59+
b2fe537776e6c494237adb72eef8511fff590ea9\""
60+
- cve: CVE-2019-17543
61+
resolution: FalsePositive
62+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2019-17543\n\ncpe:2.3:a:lz4_project:lz4:*:*:*:*:*:*:*:*\
63+
\ \tUp to (excluding)\n1.9.2\n\nhttps://github.com/fluent/fluent-bit/blob/v3.0.7/lib/librdkafka-2.3.0/src/lz4.h\n\
64+
/*------ Version ------*/\n#define LZ4_VERSION_MAJOR 1 /* for breaking\
65+
\ interface changes */\n#define LZ4_VERSION_MINOR 9 /* for new (non-breaking)\
66+
\ interface capabilities */\n#define LZ4_VERSION_RELEASE 3 /* for tweaks,\
67+
\ bug-fixes, or development */\""
68+
- cve: CVE-2020-11080
69+
resolution: FalsePositive
70+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2020-11080\n\ncpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*\
71+
\ \tUp to (excluding)\n1.41.0\n\nhttps://github.com/fluent/fluent-bit/blob/v3.0.7/lib/nghttp2/CMakeLists.txt\n\
72+
project(nghttp2 VERSION 1.58.90)\""
73+
- cve: CVE-2020-8277
74+
resolution: FalsePositive
75+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2020-8277\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
76+
\ \tUp to (excluding)\n1.16.0\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
77+
b2fe537776e6c494237adb72eef8511fff590ea9\""
78+
- cve: CVE-2023-31147
79+
resolution: FalsePositive
80+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2023-31147\n\ncpe:2.3:a:c-ares_project:c-ares:*:*:*:*:*:*:*:*\
81+
\ \tUp to (excluding)\n1.19.1\n\nhttps://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0\n\
82+
b2fe537776e6c494237adb72eef8511fff590ea9\""
83+
- cve: CVE-2023-44487
84+
resolution: FalsePositive
85+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2023-44487\n\ncpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*\
86+
\ \tUp to (excluding)\n1.57.0\n\nhttps://github.com/fluent/fluent-bit/blob/v3.0.7/lib/nghttp2/CMakeLists.txt\n\
87+
project(nghttp2 VERSION 1.58.90)\""
88+
- cve: CVE-2016-5180
89+
resolution: FalsePositive
90+
comment: '"https://nvd.nist.gov/vuln/detail/CVE-2016-5180
91+
92+
93+
cpe:2.3:a:c-ares:c-ares:>1.10.0:*:*:*:*:*:*:*
94+
95+
96+
https://github.com/fluent/fluent-bit/tree/v3.0.7/lib/c-ares-1.24.0
97+
98+
b2fe537776e6c494237adb72eef8511fff590ea9"'
99+
- cve: CVE-2023-35945
100+
resolution: FalsePositive
101+
comment: "\"https://nvd.nist.gov/vuln/detail/CVE-2023-35945\n\ncpe:2.3:a:nghttp2:nghttp2:*:*:*:*:*:*:*:*\
102+
\ \tUp to (excluding)\n1.55.1\n\nhttps://github.com/fluent/fluent-bit/blob/v3.0.7/lib/nghttp2/CMakeLists.txt\n\
103+
project(nghttp2 VERSION 1.58.90)\""
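Review bot: the CVE-2016-5180 entry records the CPE as `cpe:2.3:a:c-ares:c-ares:>1.10.0:*:*:*:*:*:*:*`, which uses a different vendor string (`c-ares` rather than `c-ares_project`) and an inline `>1.10.0` range that every other entry expresses as "Up to (excluding)"; check it against NVD, as it reads like a transcription slip. All fourteen entries pin their evidence to `fluent-bit/tree/v3.0.7` or `blob/v3.0.7`, so a fluent-bit bump invalidates the whole block unless the bundled library versions are re-checked; stating the bundled version the triage was made against (c-ares 1.24.0, nghttp2 1.58.90, lz4 1.9.3 per the quoted header) next to the link makes that re-check mechanical. The double-quoted scalars with `\n`, `\t` and line-continuation `\` escapes are also hard to review; block scalars would avoid that.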

SPECS/gcc/.bdba.yaml

Lines changed: 7 additions & 0 deletions
@@ -47,3 +47,10 @@ overrides:
4747
- path: usr/lib64/liblsan.so.0.0.0
4848
- path: usr/lib64/libtsan.a
4949
- path: usr/lib64/libtsan.so.2.0.0
50+
vulnerabilityTriages:
51+
- component:
52+
name: gcc
53+
triages:
54+
- cve: CVE-2019-15847
55+
resolution: FalsePositive
56+
comment: ''
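Review bot: `comment: ''` leaves the CVE-2019-15847 FalsePositive without any justification, while every other triage in this commit carries a reason; record why the CVE does not apply to this gcc build (with a reference) before merging, or hold the entry until the rationale is known.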

SPECS/gh/.bdba.yaml

Lines changed: 7 additions & 0 deletions
@@ -12,3 +12,10 @@ overrides:
1212
forceVersion: true
1313
files:
1414
- path: usr/bin/gh
15+
vulnerabilityTriages:
16+
- component:
17+
name: gh
18+
triages:
19+
- cve: CVE-2024-53858
20+
resolution: FalsePositive
21+
comment: ''
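Review bot: `comment: ''` leaves the CVE-2024-53858 FalsePositive for gh with no justification; as with the gcc entry, add the reason the CVE does not apply (and a reference) so the triage is auditable rather than a bare suppression.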
