From df462075be855c60117af661dbce1836c652fc16 Mon Sep 17 00:00:00 2001 From: Gyorgy Sarvari Date: Tue, 16 Dec 2025 10:02:14 +0100 Subject: [PATCH] minio: ignore irrelevant CVEs The minio umbrella covers multiple projects. The recipe itself builds "minio client", which is a set of basic tools to query data from "minio server" - like ls, mv, find... The CVEs were files against minio server. Looking at the go mod list, this recipe doesn't use minio server even as a build dependency - so ignore the CVEs. Signed-off-by: Gyorgy Sarvari Signed-off-by: Khem Raj --- meta-oe/recipes-extended/minio/minio_git.bb | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-oe/recipes-extended/minio/minio_git.bb b/meta-oe/recipes-extended/minio/minio_git.bb index f278a728fd..511dd4d869 100644 --- a/meta-oe/recipes-extended/minio/minio_git.bb +++ b/meta-oe/recipes-extended/minio/minio_git.bb @@ -164,3 +164,9 @@ do_install() { install -d ${D}/${sbindir} install ${S}/src/${GO_IMPORT}/mc ${D}/${sbindir}/mc } + +CVE_STATUS_GROUPS += "CVE_STATUS_WRONG_CPE" +CVE_STATUS_WRONG_CPE[status] = "cpe-incorrect: The vulnerability is in minio server, not in minio client-tools" +CVE_STATUS_WRONG_CPE = "CVE-2018-1000538 CVE-2020-11012 CVE-2021-21287 CVE-2021-21362 \ + CVE-2021-21390 CVE-2021-43858 CVE-2022-35919 CVE-2023-28433 \ + CVE-2023-28434 CVE-2024-36107"