>-----Original Message-----
>From: Marko, Peter <peter.ma...@siemens.com>
>Sent: Wednesday, August 7, 2024 4:04 PM
>To: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco)
><dnago...@cisco.com>; Richard Purdie <richard.pur...@linuxfoundation.org>;
>Marta Rybczynska <rybczyn...@gmail.com>; openembedded-
>c...@lists.openembedded.org
>Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to
>"Unpatched" status
>
>
>
>> -----Original Message-----
>> From: Dhairya Nagodra -X (dnagodra - E INFOCHIPS LIMITED at Cisco)
>> <dnago...@cisco.com>
>> Sent: Wednesday, August 7, 2024 12:17
>> To: Marko, Peter (ADV D EU SK BFS1) <peter.ma...@siemens.com>; Richard
>> Purdie <richard.pur...@linuxfoundation.org>; Marta Rybczynska
>> <rybczyn...@gmail.com>; openembedded-core@lists.openembedded.org
>> Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix'
>> to "Unpatched" status
>>
>>
>>
>> >-----Original Message-----
>> >From: Marko, Peter <peter.ma...@siemens.com>
>> >Sent: Wednesday, July 24, 2024 12:04 PM
>> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
>> ><dnago...@cisco.com>; openembedded-core@lists.openembedded.org
>> >Cc: xe-linux-external(mailer list) <xe-linux-exter...@cisco.com>
>> >Subject: RE: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix'
>> >to "Unpatched" status
>> >
>> >-----Original Message-----
>> >From: openembedded-core@lists.openembedded.org <openembedded-
>> >c...@lists.openembedded.org> On Behalf Of Dhairya Nagodra via
>> >lists.openembedded.org
>> >Sent: Wednesday, July 24, 2024 6:45
>> >To: openembedded-core@lists.openembedded.org
>> >Cc: xe-linux-exter...@cisco.com; Dhairya Nagodra <dnago...@cisco.com>
>> >Subject: [OE-core] [PATCH] cve-check-map: Move 'upstream-wontfix' to
>> >"Unpatched" status
>> >
>> >> - The 'upstream-wontfix' is to be used when the CVE is accepted by the
>> >>   upstream, but they are not planning to fix it.
>> >> - If the version used in Yocto is vulnerable, it should not have
>> >>   "Ignored" status. The package is still exploitable by the CVE.
>> >> - Also, when the status is exported out of the SDK, it would be
>> >>   incorrect to put it under Ignored category.
>> >
>> >The purpose of this entry is to remove meaningless CVEs from reports
>> >so that users don't spend countless hours over and over again on analyzing
>> >"open" CVEs if they were already closed upstream.
>> >If you look at comments of entries using this category (7 in oe-core
>> >scarthgap) these CVEs are more or less irrelevant.
>> >
>> >So this patch is from my point of view step in the wrong direction.
>> >If you really need to show these due to your CVE handling process,
>> >you can easily override this variable assignment in your own layer.
>> >
>>
>>
>> I tried this in my layer, created a .conf and included in my distro.conf
>> file.
>> The issue is, it gets overwritten by cve-check-map.conf (as it is included
>> later).
>
>If you create meta-<your-layer>/conf/cve-check-map.conf it will be included
>instead of the one from oe-core/poky.
>

I tried this approach; it included both of the files, and my config was
overwritten.

#     <path>/distro/openembedded-core/../my-layer/conf/distro/my-cve-check-map.conf
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/defaultsetup.conf includes:
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-providers.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-versions.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/default-distrovars.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/maintainers.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tcmode-default.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/tclibc-glibc.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/uninative-flags.inc
#     <path>/distro/openembedded-core/../openembedded-core/meta/conf/distro/include/init-manager-none.inc
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/documentation.conf
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/licenses.conf
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/sanity.conf
#   <path>/distro/openembedded-core/../openembedded-core/meta/conf/cve-check-map.conf

>>
>> Would it be okay to make assignments soft in the cve-check-map.conf file?
>> This would be similar to CVE_PRODUCT and CVE_VERSION.


This seems to be the only way; I'll share the patch soon.


>> If everyone agrees, I can share the patch for it.
>> Is there a better way to do this?
>
>This is also an option; I'm not opinionated on this one...
>
>>
>> Best Regards,
>> Dhairya
>>
>>
>> >>
>> >> Signed-off-by: Dhairya Nagodra <dnago...@cisco.com>
>> >> ---
>> >>  meta/conf/cve-check-map.conf | 4 ++--
>> >>  1 file changed, 2 insertions(+), 2 deletions(-)
>> >>
>> >> diff --git a/meta/conf/cve-check-map.conf
>> >> b/meta/conf/cve-check-map.conf index b9df41a6f3..7ff53f5601 100644
>> >> --- a/meta/conf/cve-check-map.conf
>> >> +++ b/meta/conf/cve-check-map.conf
>> >> @@ -15,6 +15,8 @@ CVE_CHECK_STATUSMAP[unpatched] =
>"Unpatched"
>> >>  CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
>> >>  # use when CVE fix is not compatible to the current version and
>> >> cannot be
>> >backported.
>> >>  CVE_CHECK_STATUSMAP[cannot-backport] = "Unpatched"
>> >> +# use when upstream acknowledged the vulnerability but does not
>> >> +plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"
>> >>
>> >>  # used for migration from old concept, do not use for new
>> >> vulnerabilities  CVE_CHECK_STATUSMAP[ignored] = "Ignored"
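Review bot: the two added lines after `cannot-backport` reuse the old comment unchanged, so the file still does not say why an upstream-wontfix CVE is now reported as Unpatched rather than Ignored; since the reason given in the commit message is that the shipped version is still affected, extend the comment, e.g. `# use when upstream acknowledged the vulnerability but does not plan to fix it; the version in use is still affected`. The entries around it in this hunk use a plain `=`, so a layer that wants the previous Ignored behaviour (the override problem raised in this thread) cannot set the entry from its distro config, because cve-check-map.conf is parsed afterwards and clobbers it; a soft assignment (`?=`) for the map would let the layer's earlier assignment win.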
>> >> @@ -26,5 +28,3 @@ CVE_CHECK_STATUSMAP[disputed] = "Ignored"
>> >>  CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
>> >>  # use when vulnerability affects other platform (e.g. Windows or
>> >> Debian)  CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
>> >> -# use when upstream acknowledged the vulnerability but does not
>> >> plan to fix it -CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
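Review bot: deleting these two lines makes `not-applicable-platform` the last entry of the Ignored group, and nothing in the file records that `upstream-wontfix` moved category, so reports from layers that relied on the Ignored mapping change silently at the next upgrade. State the behaviour change explicitly in the commit message, and consider pairing the move with the soft assignment discussed in this thread so existing users can keep the old mapping in their own layer instead of carrying a modified copy of the file.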
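The override problem described in this thread, as an added configuration example that is not oe-core's file nor part of the patch above: the include listing shows that conf/cve-check-map.conf is parsed after the distro configuration, so a plain `=` in it overwrites whatever the distro set. If the map used soft assignment (`?=`, the "similar to CVE_PRODUCT and CVE_VERSION" approach proposed above; assumed here, not the current file), a layer could set the status from a file its distro config pulls in. The layer name, file name and path are hypothetical.

```bitbake
# --- oe-core side: meta/conf/cve-check-map.conf, hypothetical soft variant ---
# ?= keeps a value that an earlier-parsed file already assigned; the
# default below only applies when nothing set the flag before this point.
CVE_CHECK_STATUSMAP[upstream-wontfix] ?= "Ignored"

# --- layer side: meta-my-layer/conf/distro/include/my-cve-check-map.inc ---
# Pulled in from the distro .conf (e.g. `require conf/distro/include/my-cve-check-map.inc`),
# which bitbake parses before conf/cve-check-map.conf per the include listing.
# With ?= in oe-core this hard assignment wins; with = in oe-core it is clobbered.
CVE_CHECK_STATUSMAP[upstream-wontfix] = "Unpatched"
```

After parsing, check which value survived from the build directory with `bitbake -e` and search the output for `CVE_CHECK_STATUSMAP`; the expected result with the soft variant is "Unpatched" for `upstream-wontfix`, and "Ignored" if oe-core's file still uses `=`. Note that the `.inc` is deliberately not named conf/cve-check-map.conf: a file of that name in the layer is a replacement looked up through BBPATH, whereas the include above is an override that composes with oe-core's defaults.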
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#203215): 
https://lists.openembedded.org/g/openembedded-core/message/203215
Mute This Topic: https://lists.openembedded.org/mt/107518628/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
-=-=-=-=-=-=-=-=-=-=-=-