nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587

Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583 https://nvd.nist.gov/vuln/detail/CVE-2023-30584 https://nvd.nist.gov/vuln/detail/CVE-2023-30587 None of these vulnerabilities are present in the recipe version. CVE-2023-30583: While the main feature (blob) was intruced in v16, the vulnerable code (load blobs from file) was introduced in v20[1], and as such, the vulnerability is not present in the recipe version. CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was introduced[2] in v20. Ignore these CVE IDs. [1]: 950cec4c26 [2]: 00c222593e Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-05-22 01:49:38 +00:00 · 2026-01-02 12:28:56 +01:00 · 2026-01-02 12:28:56 +01:00 · 04f577d527
commit 04f577d527
parent 9608348824
1 changed files with 3 additions and 0 deletions
--- a/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
+++ b/meta-oe/recipes-devtools/nodejs/nodejs_16.20.2.bb
@ -46,6 +46,9 @@ S = "${WORKDIR}/node-v${PV}"

 CVE_PRODUCT = "nodejs node.js"

+# the vulnerabilities were introduced in v20
+CVE_CHECK_IGNORE = "CVE-2023-30583 CVE-2023-30584 CVE-2023-30587"
+
 # v8 errors out if you have set CCACHE
 CCACHE = ""