From 0fdb309d1ede1a0639d617da75a49525693a5186 Mon Sep 17 00:00:00 2001
From: Frantisek Hrbata
Date: Thu, 1 Aug 2024 12:24:47 +0200
Subject: [PATCH] change: exclude CVEs that do not impact ESP-IDF components

cJSON: CVE-2024-31755 - Resolved in cJSON v1.7.18
FreeRTOS: CVE-2024-28115 - Affects only ARMv7-M MPU ports, and ARMv8-M ports

Signed-off-by: Frantisek Hrbata
---
 .gitmodules | 1 +
 components/freertos/FreeRTOS-Kernel/sbom.yml | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/.gitmodules b/.gitmodules
index f306088493..ee3fd858e0 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -55,6 +55,7 @@
 sbom-url = https://github.com/DaveGamble/cJSON
 sbom-description = Ultralightweight JSON parser in ANSI C
 sbom-hash = acc76239bee01d8e9c858ae2cab296704e52d916
+ sbom-cve-exclude-list = CVE-2024-31755 Resolved in v1.7.18
 [submodule "components/mbedtls/mbedtls"]
 path = components/mbedtls/mbedtls
diff --git a/components/freertos/FreeRTOS-Kernel/sbom.yml b/components/freertos/FreeRTOS-Kernel/sbom.yml
index f5f9f31eb3..1fc82481f8 100644
--- a/components/freertos/FreeRTOS-Kernel/sbom.yml
+++ b/components/freertos/FreeRTOS-Kernel/sbom.yml
@@ -4,3 +4,6 @@ cpe: cpe:2.3:o:amazon:freertos:{}:*:*:*:*:*:*:*
 supplier: 'Organization: Espressif Systems (Shanghai) CO LTD'
 originator: 'Organization: Amazon Web Services'
 description: An open-source, real-time operating system (RTOS) with additional features and patches from Espressif.
+cve-exclude-list:
+ - cve: CVE-2024-28115
+ reason: Affects only ARMv7-M MPU ports, and ARMv8-M ports with Memory Protected Unit (MPU) support enabled
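Review bot: The added `sbom-cve-exclude-list` line suppresses CVE-2024-31755 by id alone, and its free-text justification "Resolved in v1.7.18" is not tied to the pinned `sbom-hash` on the previous context line, so the suppression silently stays in force if the cJSON submodule is later rolled back or re-pinned to a different commit. Record the state it was verified against in the reason text, e.g. `sbom-cve-exclude-list = CVE-2024-31755 Resolved in v1.7.18 (verified against sbom-hash acc76239bee01d8e9c858ae2cab296704e52d916)`, so a reviewer of a future bump knows to re-check it; presumably the reason is free text after the CVE id, but confirm against the SBOM tool's parsing. The same open-ended suppression pattern appears in the `components/freertos/FreeRTOS-Kernel/sbom.yml` hunk for CVE-2024-28115. The `[submodule ...]` section this line belongs to starts outside the hunk.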
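Review bot: The `reason` value on the last added line misnames the hardware unit; it should read `Memory Protection Unit (MPU)`, not `Memory Protected Unit`, and the commit message's shorter wording ("and ARMv8-M ports") does not match it, so one of the two should be aligned. The justification is also stated only in terms of upstream FreeRTOS ports and never says which ports this component actually builds, so the exclusion cannot be re-validated from the file alone if the kernel submodule is bumped or a new port is added. Suggested form: `reason: Affects only the ARMv7-M MPU ports and ARMv8-M ports built with Memory Protection Unit (MPU) support; this component builds only the <placeholder: ports used by ESP-IDF> ports, which have no such MPU port.`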