Hi,
On Wed, May 17, 2023 at 07:41:38AM +0200, Andrej Valek via
lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contains flag for each CVE with accepted
> values "Ignored" or "Not applicable". It allows to add a status for CVEs
> which could be fixed externally.
> - Optional CVE_STATUS_REASONING flag variable could contains a reason
> why the CVE status was used. It will be added in csv/json report like
> a new "reason" entry.
> - All listed CVEs in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" like a fallback.
>
> Example of usage:
> CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
Looks good to me but would you add testing into
meta/lib/oeqa/selftest/cases/cve_check.py ?
And once merged update documentation in
documentation/dev-manual/vulnerabilities.rst,
documentation/ref-manual/classes.rst and
documentation/ref-manual/variables.rst ;)
Thanks,
-Mikko
> Signed-off-by: Andrej Valek <andrej.va...@siemens.com>
> ---
> meta/classes/cve-check.bbclass | 30 +++++++++++++++++++++++++-----
> meta/lib/oe/cve_check.py | 6 ++++++
> 2 files changed, 31 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..e081095037c 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -70,13 +70,17 @@ CVE_CHECK_COVERAGE ??= "1"
> # Skip CVE Check for packages (PN)
> CVE_CHECK_SKIP_RECIPE ?= ""
>
> -# Ingore the check for a given list of CVEs. If a CVE is found,
> -# then it is considered patched. The value is a string containing
> -# space separated CVE values:
> +# Ignore the check for a given CVE. Each of CVE has to be mentioned
> +# separately with optional reason, why it has to ignored.
> #
> -# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
> +# CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
> +# CVE_STATUS[CVE-1234-0002] = "Ignored"
> +# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
> #
> +# CVE_CHECK_IGNORE is depracated and CVE_STATUS has to be used instead.
> +# Keep CVE_CHECK_IGNORE like a fallback.
> CVE_CHECK_IGNORE ?= ""
> +CVE_STATUS ?= ""
>
> # Layers to be excluded
> CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> @@ -88,6 +92,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
> # set to "alphabetical" for version using single alphabetical character as
> increment release
> CVE_VERSION_SUFFIX ??= ""
>
> +python () {
> + # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
> + for cve in d.getVar("CVE_CHECK_IGNORE").split():
> + d.setVarFlags("CVE_STATUS", {cve: "Ignored"})
> +}
> +
> def generate_json_report(d, out_path, link_path):
> if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
> import json
> @@ -282,7 +292,11 @@ def check_cves(d, patched_cves):
> bb.note("Recipe has been skipped by cve-check")
> return ([], [], [], [])
>
> - cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
> + # Convert CVE_STATUS into ignored CVEs
> + cve_ignore = []
> + for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> + if status in ["Not applicable", "Ignored"]:
> + cve_ignore.append(cve)
>
> import sqlite3
> db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
> @@ -455,6 +469,9 @@ def cve_write_data_text(d, patched, unpatched, ignored,
> cve_data):
> else:
> unpatched_cves.append(cve)
> write_string += "CVE STATUS: Unpatched\n"
> + has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
> + if has_reason:
> + write_string += "CVE REASON: %s\n" % has_reason
> write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
> write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
> write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
> @@ -576,6 +593,9 @@ def cve_write_data_json(d, patched, unpatched, ignored,
> cve_data, cve_status):
> "status" : status,
> "link": issue_link
> }
> + has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
> + if has_reason:
> + cve_item["reason"] = has_reason
> cve_list.append(cve_item)
>
> package_data["issue"] = cve_list
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index dbaa0b373a3..f47dd9920ef 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -130,6 +130,12 @@ def get_patched_cves(d):
> if not fname_match and not text_match:
> bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>
> + # Search for additional patched CVEs
> + for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> + if status == "Patched":
> + bb.debug(2, "CVE %s is additionally patched" % cve)
> + patched_cves.add(cve)
> +
> return patched_cves
>
>
> --
> 2.40.1
>
>
>
>
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#181485):
https://lists.openembedded.org/g/openembedded-core/message/181485
Mute This Topic: https://lists.openembedded.org/mt/98943046/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
