
package/skopeo: ignore un-applicable CVE

Message ID 45637d224995588db97c5908d41ea67600e432f3.1726568237.git.yann.morin@orange.com
State New

Commit Message

Yann E. MORIN Sept. 17, 2024, 10:17 a.m. UTC
From: "Yann E. MORIN" <yann.morin@orange.com>

The CVE tracker detects that CVE-2019-10214 impacts skopeo, but this is
a false positive. Indeed, that CVE applies to containers/image (which is
vendored in skopeo), and is matched for un-versioned skopeo (notice the
dash '-' in the CPE ID):

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*

and does not apply to any versioned skopeo (1.16.1 and "any version" for
example; notice the star '*' or the version instead of the dash, in the
CPE ID):

    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*
    https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:skopeo_project:skopeo:1.16.1:*:*:*:*:*:*:*

This was fixed in containers/image in upstream commit a3d69a4a (Use the
same HTTP client for contacting the bearer token server and the
registry, 2019-08-01) which has been released in containers/image
v3.0.0 (2019-08-02), which has been vendored in skopeo since commit
bebcb94653cc (vendor github.com/containers/image@v3.0.0) released the
same day in skopeo 0.1.38 (2019-02-08).

Signed-off-by: Yann E. MORIN <yann.morin@orange.com>
---
 package/skopeo/skopeo.mk | 4 ++++
 1 file changed, 4 insertions(+)
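The commit message turns on how the CPE 2.3 version component is matched: the CVE's match string carries `-` (NA, "no version"), so it should not cover a product with a concrete version. The following is an added example, not code from the Buildroot patch or from Yann E. MORIN, and not the NVD's or Buildroot's actual matcher. It implements the per-component logical-value comparison from NIST IR 7695 (`*` is ANY, `-` is NA) and assumes, as a stated simplification, that a CVE "applies" when its CPE is EQUAL or SUPERSET of the product's CPE in every component. The CPE strings for skopeo are the ones quoted in the commit message; `CVE-XXXX-EXAMPLE` and the `report` ignore list are constructed to mirror the role of `SKOPEO_CVE_IGNORE`.

```python
"""Minimal CPE 2.3 matcher (added example; not Buildroot's or NVD's code).

Shows why a CVE whose CPE has version '-' (NA) is a false positive for a
versioned skopeo, and how an explicit ignore list suppresses it.
"""

ANY = "*"   # CPE 2.3 logical value ANY
NA = "-"    # CPE 2.3 logical value NA ("not applicable" / no version)


def split_cpe(cpe):
    """Split a CPE 2.3 formatted string into its 11 attribute components."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError("not a CPE 2.3 formatted string: %s" % cpe)
    return parts[2:]


def compare(pattern, value):
    """Relation of one CVE-side component to one product-side component.

    Follows the logical-value rules of NIST IR 7695: identical components are
    EQUAL, ANY on the pattern side is a SUPERSET, ANY on the product side is a
    SUBSET, and NA versus a concrete value (or two different values) is
    DISJOINT.
    """
    if pattern == value or (pattern not in (ANY, NA) and value not in (ANY, NA)
                            and pattern.lower() == value.lower()):
        return "EQUAL"
    if pattern == ANY:
        return "SUPERSET"
    if value == ANY:
        return "SUBSET"
    return "DISJOINT"


def cve_covers(cve_cpe, product_cpe):
    """Assumption used here: the CVE applies only if its CPE is EQUAL or
    SUPERSET of the product CPE in every component."""
    return all(compare(p, v) in ("EQUAL", "SUPERSET")
               for p, v in zip(split_cpe(cve_cpe), split_cpe(product_cpe)))


def report(product_cpe, cve_patterns, ignore=()):
    """CVE ids whose pattern covers the product, minus an explicit ignore
    list (the role SKOPEO_CVE_IGNORE plays in the patch)."""
    return sorted(cve_id for cve_id, pattern in cve_patterns.items()
                  if cve_covers(pattern, product_cpe) and cve_id not in ignore)


# CPE strings taken from the commit message.
CVE_2019_10214_CPE = "cpe:2.3:a:skopeo_project:skopeo:-:*:*:*:*:*:*:*"
SKOPEO_1_16_1 = "cpe:2.3:a:skopeo_project:skopeo:1.16.1:*:*:*:*:*:*:*"
SKOPEO_ANY_VERSION = "cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*"

# Constructed sample: one real-looking NA pattern and one placeholder CVE
# whose pattern (version ANY) genuinely covers every skopeo version.
CVE_PATTERNS = {
    "CVE-2019-10214": CVE_2019_10214_CPE,
    "CVE-XXXX-EXAMPLE": "cpe:2.3:a:skopeo_project:skopeo:*:*:*:*:*:*:*:*",
}


if __name__ == "__main__":
    print("NA pattern vs 1.16.1:", compare(NA, "1.16.1"))
    print("CVE-2019-10214 covers skopeo 1.16.1?",
          cve_covers(CVE_2019_10214_CPE, SKOPEO_1_16_1))
    print("Report (no ignore):", report(SKOPEO_1_16_1, CVE_PATTERNS))
    # A naive tracker that matches on vendor:product only would still list
    # CVE-2019-10214; the ignore list is the documented way to suppress it.
    print("Report (ignore CVE-2019-10214):",
          report(SKOPEO_1_16_1, CVE_PATTERNS, ignore=("CVE-2019-10214",)))
```

With the per-component rule, the NA-version pattern is DISJOINT from `1.16.1` and only a SUBSET of the `*` query, so neither versioned lookup reports the CVE; only an exact un-versioned `-` CPE is EQUAL to it. A tracker that matches on vendor and product alone would still flag it, which is the situation the patch's `SKOPEO_CVE_IGNORE` entry documents.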

Patch

diff --git a/package/skopeo/skopeo.mk b/package/skopeo/skopeo.mk
index 9859d774d4..e2f7b8e889 100644
--- a/package/skopeo/skopeo.mk
+++ b/package/skopeo/skopeo.mk
@@ -11,6 +11,10 @@  SKOPEO_LICENSE = Apache-2.0
 SKOPEO_LICENSE_FILES = LICENSE
 SKOPEO_CPE_ID_VALID = YES
 
+# Applies to skopeo without a version; in practice, unaplicable since
+# skopeo 0.1.38 (2019-08-02)
+SKOPEO_CVE_IGNORE = CVE-2019-10214
+
 HOST_SKOPEO_DEPENDENCIES = \
 	host-btrfs-progs \
 	host-libgpgme \
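Review bot: the comment added above `SKOPEO_CVE_IGNORE` misspells "unaplicable"; "not applicable" (or "inapplicable") would read better, and the comment would be more useful to the next reader if it also named the fixed component, e.g. `# CVE-2019-10214 only matches the un-versioned skopeo CPE (version '-'); fixed in containers/image v3.0.0, vendored since skopeo 0.1.38`. Also, the date in the comment (2019-08-02) and the skopeo 0.1.38 release date given in the commit message (2019-02-08) disagree, so one of them looks like a digit transposition that should be settled before merging.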