On Tue, May 17, 2022 at 1:42 PM Akash Hadke <akash.ha...@kpit.com> wrote:
>
> Hello Marta,
>
> Actually, I wanted to add the ignored and patched CVEs in buildhistory and
> for that purpose, I am exporting variables CVE_IGNORED and CVE_PATCHED with
> those values. I don't want to use cve-check.bbclass as it checks for the CVEs
> from the NVD database, and I only want to get ignored and patched CVEs from
> the recipe.

Hello again Akash,
What you'd like to do is to see the difference in ignored and patched
CVEs in buildhistory? Do I get it right?

>
> Regarding meta/conf/distro/include/cve-extra-exclusions.inc if any project
> includes it then CVEs that are ignored in cve-extra-exclusions.inc will get
> shown for each recipe in the CVE_CHECK_IGNORED list even though the CVEs are
> not related to that component recipe. Hence, I have made the changes to
> exclude CVEs from cve-extra-exclusions.inc

I think I understand the idea. The point I'm making is that if someone
does not include the cve-extra-exclusions.inc in their distro, the code
will still use it and filter out CVEs they still see when doing cve-check.

Kind regards,
Marta

>
> Best Regards,
> Akash
> ________________________________
> From: Marta Rybczynska <rybczyn...@gmail.com>
> Sent: 17 May 2022 14:42
> To: Akash Hadke <akash.ha...@kpit.com>
> Cc: OE-core <openembedded-core@lists.openembedded.org>; Ranjitsinh Rathod
> <ranjitsinh.rat...@kpit.com>; Akash Hadke <hadkeaka...@gmail.com>
> Subject: Re: [OE-core] [poky][master][PATCH 1/3] cve_check.py: Add new method
> get_ignored_cves
>
> Caution: This email originated from outside of the KPIT. Do not click links
> or open attachments unless you recognize the sender and know the content is
> safe.
>
> On Wed, May 11, 2022 at 4:37 PM akash hadke via lists.openembedded.org
> <akash.hadke=kpit....@lists.openembedded.org> wrote:
> >
> > Add new method get_ignored_cves in cve_check.py
> > to get ignored CVEs from recipe by excluding distro-wide
> > ignored CVEs from meta/conf/distro/include/cve-extra-exclusions.inc
> >
> > While calling this method use below code to get argument values
> > paths = d.getVar('PATH').split(':')
> > cves = d.getVar('CVE_CHECK_IGNORE').split()
> >
>
> Hello Akash,
> While looking into this patch set I'm wondering what is your use case.
> It seems to be to get a list
> of ignored and patched CVEs. This is already available from the
> cve-check output or from the create-spdx
> output after some parsing. With the new JSON format for cve-check it
> becomes very easy. If you could
> elaborate more on the way you plan to use this data, I'm pretty sure
> we can come up with a simple
> post-processing script to do the same.
>
> BTW Why do you assume people always include
> meta/conf/distro/include/cve-extra-exclusions.inc ?
> We don't do that at Oniro and we use our own judgement on outstanding CVEs.
>
> Regards,
> Marta
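
Added example (not part of the thread and not OE-core code): a sketch of the post-processing approach mentioned above, listing patched and ignored CVEs per recipe from a cve-check JSON report. It assumes the report has a top-level "package" list whose entries carry "name" and an "issue" list with "id" and "status" ("Patched", "Ignored" or "Unpatched"); the sample data, CVE IDs and the summarize() helper are constructed for illustration. Distro-wide exclusions are passed in explicitly by the caller and default to none, so nothing is filtered on the assumption that cve-extra-exclusions.inc is in use.

```python
import json

# Constructed sample in the assumed cve-check JSON layout; IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "examplelib", "version": "1.2.3", "issue": [
            {"id": "CVE-0000-0001", "status": "Patched"},
            {"id": "CVE-0000-0002", "status": "Ignored"},
            {"id": "CVE-0000-0003", "status": "Unpatched"},
            {"id": "CVE-0000-0900", "status": "Ignored"},
        ]},
        {"name": "exampletool", "version": "0.9", "issue": [
            {"id": "CVE-0000-0900", "status": "Ignored"},
        ]},
    ],
})


def summarize(report_text, distro_wide_ignored=frozenset()):
    """Return {recipe: {"patched": [...], "ignored": [...], "distro_ignored": [...]}}.

    distro_wide_ignored holds the CVE IDs the caller's distro really excludes
    globally; it defaults to empty so no ID is reclassified by assumption.
    """
    report = json.loads(report_text)
    collected = {}
    for pkg in report.get("package", []):
        # Merge entries that share a recipe name instead of overwriting them.
        entry = collected.setdefault(
            pkg.get("name", "<unnamed>"),
            {"patched": set(), "ignored": set(), "distro_ignored": set()})
        for issue in pkg.get("issue", []):
            cve, status = issue.get("id"), issue.get("status")
            if not cve:
                continue  # skip malformed issue records
            if status == "Patched":
                entry["patched"].add(cve)
            elif status == "Ignored":
                key = "distro_ignored" if cve in distro_wide_ignored else "ignored"
                entry[key].add(cve)
    return {name: {k: sorted(v) for k, v in e.items()}
            for name, e in collected.items()}


if __name__ == "__main__":
    for recipe, lists in summarize(SAMPLE_REPORT, {"CVE-0000-0900"}).items():
        print(recipe, lists)
```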