On Sat, Mar 19, 2022 at 8:26 PM Richard Purdie
<richard.pur...@linuxfoundation.org> wrote:
>
> This adds support for a random kernel CVE monitoring tool which can be
> run as a specific task against a kernel:
>
> $ bitbake linux-yocto -c checkcves
> [...]
> Sstate summary: Wanted 3 Local 3 Mirrors 0 Missed 0 Current 135 (100% match, 
> 100% complete)
> NOTE: Executing Tasks
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> be80a1d3f9dbe5aee79a325964f7037fe2d92f30:CVE-2021-4204 (NOT FOR THIS VERSION)
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> 20b2aff4bc15bda809f994761d5719827d66c0b4:CVE-2022-0500 (NOT FOR THIS VERSION)
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> 55749769fe608fa3f4a075e42e89d237c8e37637:CVE-2021-4095 (NOT FOR THIS VERSION)
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> 4fbcc1a4cb20fe26ad0225679c536c80f1648221:CVE-2022-26490 (NOT FOR THIS VERSION)
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> dbbf2d1e4077bab0c65ece2765d3fc69cf7d610f:CVE-2019-15239 (NOT FOR THIS VERSION)
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> 89f3594d0de58e8a57d92d497dea9fee3d4b9cda:CVE-2022-24958 (NOT FOR THIS VERSION)
> WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0 
> do_checkcves: Should consider cherry-pick for 
> 1bfba2f4270c64c912756fc76621bbce959ddf2e:CVE-2020-25220 (NOT FOR THIS VERSION)
> NOTE: Tasks Summary: Attempted 627 tasks of which 626 didn't need to be rerun 
> and all succeeded.
>
> Posted as an RFC to see what people think of this. I make no claims
> on how useful it is/isn't but wanted to show integration isn't difficult
> and provide some inspiration for ideas.
>
> Details on the tool in question: https://github.com/madisongh/kernel-cve-tool
>
> I've ignored the NO-FIXES-AVILABLE and PATCHED-CVES files.
>
> Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
>

Thanks for posting the patch. Apart from the discussion about cherry-pick
vs updating, here are my two comments:
1. For all such tools I would really prefer machine-readable output format,
so we can parse it, generate reports etc.
2. The tool itself works only if the kernel history is included in the vendor's
tree, they say in the README:
    Note that the script assumes that your branch is derived from one of the
    existing stable kernel labels (e.g., 'v4.9') - in other words, it
    must contain commits from one of the linux-X.Y branches in the stable
    repository, and have other commits added to it.

It means that there are cases when it doesn't work - especially when the
vendor cherry-picked commits or imported all the kernel as one commit.

I find it useful as another source of information in addition to the NVD
database. It would allow correlation of the two and possibly limit mismatches.
However, I can already see that the last commit is 2 weeks ago,
so data might be outdated.

Regards,
Marta
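As an added illustration of the machine-readable output Marta asks for (this is example code written for this page, not part of the thread and not part of kernel-cve-tool or the RFC patch), the script below parses the `do_checkcves` WARNING lines exactly as they appear in the quoted bitbake log, rejoins the lines the mail client wrapped, and turns each finding into a JSON record with recipe name, version, commit and CVE id. The split of the recipe string into PN/PV/PR is a heuristic that assumes the `<pn>-<pv>-r<n>` layout seen in the log; the sample input is the log quoted above.

```python
import json
import re
from collections import Counter

# Sample input: the do_checkcves log quoted in the RFC above, with the
# line wrapping the mail client applied to it left in place on purpose.
SAMPLE_LOG = """\
Sstate summary: Wanted 3 Local 3 Mirrors 0 Missed 0 Current 135 (100% match,
100% complete)
NOTE: Executing Tasks
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
be80a1d3f9dbe5aee79a325964f7037fe2d92f30:CVE-2021-4204 (NOT FOR THIS VERSION)
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
20b2aff4bc15bda809f994761d5719827d66c0b4:CVE-2022-0500 (NOT FOR THIS VERSION)
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
55749769fe608fa3f4a075e42e89d237c8e37637:CVE-2021-4095 (NOT FOR THIS VERSION)
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
4fbcc1a4cb20fe26ad0225679c536c80f1648221:CVE-2022-26490 (NOT FOR THIS VERSION)
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
dbbf2d1e4077bab0c65ece2765d3fc69cf7d610f:CVE-2019-15239 (NOT FOR THIS VERSION)
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
89f3594d0de58e8a57d92d497dea9fee3d4b9cda:CVE-2022-24958 (NOT FOR THIS VERSION)
WARNING: linux-yocto-5.15.26+gitAUTOINC+ea948a0983_5bd4bda819-r0
do_checkcves: Should consider cherry-pick for
1bfba2f4270c64c912756fc76621bbce959ddf2e:CVE-2020-25220 (NOT FOR THIS VERSION)
NOTE: Tasks Summary: Attempted 627 tasks of which 626 didn't need to be rerun
and all succeeded.
"""

# One do_checkcves finding, once the wrapped line has been rejoined:
#   WARNING: <recipe> do_checkcves: Should consider cherry-pick for <sha1>:<CVE> (<note>)
WARN_RE = re.compile(
    r"WARNING:\s+(?P<recipe>\S+)\s+do_checkcves:\s+Should consider cherry-pick for\s+"
    r"(?P<commit>[0-9a-f]{7,40}):(?P<cve>CVE-\d{4}-\d{4,})\s*(?:\((?P<note>[^)]*)\))?"
)

# Heuristic split of "<pn>-<pv>-r<n>" (assumption: PV never contains a hyphen).
RECIPE_RE = re.compile(r"^(?P<pn>.+?)-(?P<pv>\d[^-]*)-(?P<pr>r\d+)$")


def unwrap(text):
    """Rejoin continuation lines so each bitbake message is one logical line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # A line that does not start a new bitbake message continues the previous one.
        if lines and not re.match(r"^(WARNING|NOTE|ERROR):", line):
            lines[-1] = lines[-1] + " " + line
        else:
            lines.append(line)
    return lines


def parse_checkcves(text):
    """Return one dict per do_checkcves finding found in a bitbake log."""
    findings = []
    for line in unwrap(text):
        m = WARN_RE.search(line)
        if not m:
            continue
        rec = m.group("recipe")
        split = RECIPE_RE.match(rec)
        findings.append({
            "recipe": rec,
            "pn": split.group("pn") if split else rec,
            "pv": split.group("pv") if split else "",
            "pr": split.group("pr") if split else "",
            "commit": m.group("commit"),
            "cve": m.group("cve"),
            "note": m.group("note") or "",
        })
    return findings


def summarize(findings):
    """Count findings per tool annotation, e.g. 'NOT FOR THIS VERSION'."""
    return dict(Counter(f["note"] for f in findings))


def to_json(findings):
    """Serialize findings for downstream report generation or correlation with NVD data."""
    return json.dumps(findings, indent=2, sort_keys=True)


if __name__ == "__main__":
    found = parse_checkcves(SAMPLE_LOG)
    print(to_json(found))
    print(summarize(found))
```

The JSON records carry the upstream commit id alongside the CVE id, which is what makes cross-checking against a separate CVE source (such as the NVD-based data Marta mentions) possible by CVE id rather than by free-text warning.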
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#163500): 
https://lists.openembedded.org/g/openembedded-core/message/163500
Mute This Topic: https://lists.openembedded.org/mt/89894789/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-