Hello Marta,

Actually, I wanted to add the ignored and patched CVEs in buildhistory, and for that purpose I am exporting the variables CVE_IGNORED and CVE_PATCHED with those values. I don't want to use cve-check.bbclass as it checks for the CVEs from the NVD database, and I only want to get ignored and patched CVEs from the recipe.

Regarding meta/conf/distro/include/cve-extra-exclusions.inc, if any project includes it, then CVEs that are ignored in cve-extra-exclusions.inc will get shown for each recipe in the CVE_CHECK_IGNORED list even though the CVEs are not related to that component recipe. Hence, I have made the changes to exclude CVEs from cve-extra-exclusions.inc.

Best Regards,
Akash

________________________________
From: Marta Rybczynska <rybczyn...@gmail.com>
Sent: 17 May 2022 14:42
To: Akash Hadke <akash.ha...@kpit.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>; Ranjitsinh Rathod <ranjitsinh.rat...@kpit.com>; Akash Hadke <hadkeaka...@gmail.com>
Subject: Re: [OE-core] [poky][master][PATCH 1/3] cve_check.py: Add new method get_ignored_cves

On Wed, May 11, 2022 at 4:37 PM akash hadke via lists.openembedded.org <akash.hadke=kpit....@lists.openembedded.org> wrote:
>
> Add new method get_ignored_cves in cve_check.py
> to get ignored CVEs from recipe by excluding distro-wide
> ignored CVEs from meta/conf/distro/include/cve-extra-exclusions.inc
>
> While calling this method use below code to get argument values
> paths = d.getVar('PATH').split(':')
> cves = d.getVar('CVE_CHECK_IGNORE').split()
>

Hello Akash,

While looking into this patch set I'm wondering what is your use case. It seems to be to get a list of ignored and patched CVEs. This is already available from the cve-check output or from the create-spdx output after some parsing. With the new JSON format for cve-check it becomes very easy.

If you could elaborate more on the way you plan to use this data, I'm pretty sure we can come up with a simple post-processing script to do the same.

BTW, why do you assume people always include meta/conf/distro/include/cve-extra-exclusions.inc? We don't do that at Oniro and we use our own judgement on outstanding CVEs.

Regards,
Marta
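
The filtering discussed in this thread, as an added example that is not part of the thread or of the patch under review: it subtracts the CVE ids assigned in a distro-wide include file from a recipe's expanded CVE_CHECK_IGNORE value. The function names, the text-based parsing of the include file and the sample CVE ids are assumptions made for illustration.

```python
import re

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumption: the include file sets the variable with ordinary BitBake
# assignments (=, +=, =+, .=, =., ?=, ??=, :=) or :append/:prepend overrides.
ASSIGN = re.compile(
    r'^\s*CVE_CHECK_IGNORE(?::[\w-]+)*\s*'
    r'(?:\?\?=|\?=|:=|\+=|=\+|\.=|=\.|=)\s*"([^"]*)"'
)

def distro_wide_ignores(inc_text):
    """CVE ids the include file assigns to CVE_CHECK_IGNORE (comments skipped)."""
    found = set()
    # Join backslash-continued lines so a multi-line value is seen whole.
    for line in inc_text.replace("\\\n", " ").splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            found.update(CVE_ID.findall(m.group(1)))
    return found

def recipe_ignored_cves(expanded_ignore, inc_text):
    """Ids in the expanded variable that the include file did not contribute,
    in original order and without duplicates."""
    distro = distro_wide_ignores(inc_text)
    seen, result = set(), []
    for cve in expanded_ignore.split():
        if cve not in distro and cve not in seen:
            seen.add(cve)
            result.append(cve)
    return result

# Constructed sample in the style of a distro-wide exclusions include.
SAMPLE_INC = '''\
# CVE-2099-9999 appears only in this comment and must not be picked up
CVE_CHECK_IGNORE += "CVE-2099-0001"
CVE_CHECK_IGNORE += "CVE-2099-0002 \\
                     CVE-2099-0003"
'''
# Constructed expanded value as a recipe would see it with the include active.
SAMPLE_EXPANDED = "CVE-2099-1000 CVE-2099-0001 CVE-2099-0002 CVE-2099-0003 CVE-2099-1001"

if __name__ == "__main__":
    print(recipe_ignored_cves(SAMPLE_EXPANDED, SAMPLE_INC))
```

A CVE that a recipe ignores on its own and that also appears in the include file is dropped by this subtraction, so the result can under-report what the recipe itself declares.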