On Mon, Dec 30, 2024 at 12:40 AM Hongxu Jia <hongxu....@windriver.com> wrote:
>
> Some CVEs may be patched during the build process without incrementing
> the version number. Save the CVEs fixed by patches to cve_by_status,
> which is parsed as "Patched" status, so that new_vex_patched_relationship
> is added to pkg_objset.
>
> Take the unzip recipe for example: CVE-2015-1315 is patched in oe-core and
> is available in the package SPDX
>
> oe-core$ grep "CVE-2015-1315" -rn meta
> meta/recipes-extended/unzip/unzip_6.0.bb:12:    file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
> meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315
>
> $ bitbake unzip
> $ vim tmp/deploy/spdx/3.0.1/corei7-64/packages/package-unzip.spdx.json [1]
> ...
>     {
>       "type": "security_VexFixedVulnAssessmentRelationship",
>       "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39",
>       "creationInfo": "_:CreationInfo1",
>       "extension": [
>         {
>           "type": "https://rdf.openembedded.org/spdx/3.0/id-alias",
>           "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
>         }
>       ],
>       "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315",
>       "relationshipType": "fixedIn",
>       "to": [
>         "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/package/unzip"
>       ],
>       "security_vexVersion": "1.0.0"
>     },
> ...
>
> [1] 
> https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/
>
> Signed-off-by: Hongxu Jia <hongxu....@windriver.com>
> ---
>  meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++++
>  1 file changed, 15 insertions(+)
>
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index 036c58bf4b..842962f609 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -515,6 +515,21 @@ def create_spdx(d):
>
>      cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), 
> d.getVar("CVE_VERSION"))
>
> +    # Some CVEs may be patched during the build process without incrementing 
> the version number,
> +    # so querying for CVEs based on the CPE id can lead to false positives. 
> To account for this,
> +    # save the CVEs fixed by patches to cve_by_status.
> +    patched_cves = oe.cve_check.get_patched_cves(d)
> +    for cve, patched_cve in patched_cves.items():
> +        if patched_cve["abbrev-status"] != "Patched":
> +            continue
> +        spdx_cve = build_objset.new_cve_vuln(cve)
> +        build_objset.set_element_alias(spdx_cve)
> +        cve_by_status.setdefault("Patched", {})[cve] = (
> +            spdx_cve,
> +            None,
> +            None,
> +        )
> +

Thanks for finding and fixing this; I didn't notice it was missing. It
looks great, except that it should be in the `if include_vex !=
"none"` block so that it's not included if the user requested no VEX.

>      source_files = add_download_files(d, build_objset)
>      build_inputs |= source_files
>
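Review bot: the assignment `cve_by_status.setdefault("Patched", {})[cve] = (spdx_cve, None, None)` in the new loop unconditionally overwrites any entry already recorded under "Patched" for the same CVE (the commit message says cve_by_status is populated from the parsed "Patched" statuses), replacing whatever was stored there with a freshly created vulnerability element and two None fields; and because `build_objset.new_cve_vuln(cve)` runs before any such check, a second Vulnerability element is created for a CVE that already has one. Suggest skipping CVEs that are already present, e.g. `if cve in cve_by_status.get("Patched", {}): continue` ahead of the `new_cve_vuln` call, and, as noted above, moving the whole block inside the `if include_vex != "none"` branch so no VEX objects are emitted when the user asked for none.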
> --
> 2.25.1
>
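The patch above turns the "CVE:" tags that oe-core patches carry (the grep output shows the tag on line 6 of the unzip patch) into VEX "fixedIn" relationships in the package SPDX, so that a scanner matching on the CPE of unzip 6.0 can tell a back-ported fix from an unfixed version. The following is an added example, not code from oe-core's spdx30_tasks.py or oe.cve_check: it scans constructed patch headers for the tag, emits Vulnerability and VexFixedVulnAssessmentRelationship elements in the same shape as the unzip excerpt, and then plays the consumer side, suppressing CPE-based findings that the SBOM asserts as fixed. The document base URL, the package id, the sample patch text, the sample scanner findings and the md5-derived id suffix are all assumptions made for this example; reading the CVE id from the Vulnerability's "cve" external identifier, with a fallback to the last path segment of its spdxId, is likewise this example's choice rather than something the patch does.

```python
# Added example (not oe-core's spdx30_tasks.py): derive VEX "fixedIn"
# relationships from the "CVE:" tags oe-core patches carry, then consume
# them to suppress CPE-based scanner findings.  All names, the sample
# patch text and the sample SPDX document are constructed for this example.
import hashlib
import json
import re

CVE_TAG_RE = re.compile(r"^CVE:\s*(?P<ids>.+?)\s*$", re.MULTILINE)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample patch headers following the oe-core "CVE:" tag convention.
SAMPLE_PATCHES = {
    "06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch":
        "From: Example <ex@example.invalid>\n"
        "Subject: unzip: fix charset conversion overflow\n\n"
        "CVE: CVE-2015-1315\n"
        "Upstream-Status: Backport\n\n"
        "--- a/unix/unix.c\n+++ b/unix/unix.c\n",
    "fix-build.patch":
        "Subject: fix build with newer gcc\n"
        "Upstream-Status: Pending\n\n"
        "--- a/Makefile\n+++ b/Makefile\n",
}

DOC_BASE = "http://spdx.org/spdxdocs/unzip-example"   # assumed document base
PKG_ID = f"{DOC_BASE}/package/unzip"                   # assumed package spdxId


def cves_from_patch(text):
    """Return the set of CVE ids named on 'CVE:' tag lines of one patch."""
    found = set()
    for m in CVE_TAG_RE.finditer(text):
        found.update(CVE_ID_RE.findall(m.group("ids")))
    return found


def vex_fixed_relationships(doc_base, pkg_id, patches):
    """Producer side: one Vulnerability plus one VexFixedVulnAssessmentRelationship
    per tagged CVE, shaped like the unzip excerpt (id suffix hashing is illustrative)."""
    elements = []
    seen = set()
    for text in patches.values():
        for cve in sorted(cves_from_patch(text) - seen):
            seen.add(cve)
            vuln_id = f"{doc_base}/vulnerability/{cve}"
            elements.append({
                "type": "security_Vulnerability",
                "spdxId": vuln_id,
                "externalIdentifier": [{
                    "type": "ExternalIdentifier",
                    "externalIdentifierType": "cve",
                    "identifier": cve,
                }],
            })
            elements.append({
                "type": "security_VexFixedVulnAssessmentRelationship",
                "spdxId": f"{doc_base}/vex-fixed/{hashlib.md5(cve.encode()).hexdigest()}",
                "from": vuln_id,
                "relationshipType": "fixedIn",
                "to": [pkg_id],
                "security_vexVersion": "1.0.0",
            })
    return elements


def fixed_cves_from_spdx(doc):
    """Consumer side: map package spdxId -> set of CVE ids asserted fixed via
    VEX 'fixedIn'.  The CVE id comes from the referenced Vulnerability's 'cve'
    external identifier, else from the last path segment of the 'from' id."""
    elements = doc["@graph"]
    by_id = {e["spdxId"]: e for e in elements if "spdxId" in e}
    fixed = {}
    for e in elements:
        if e.get("type") != "security_VexFixedVulnAssessmentRelationship":
            continue
        if e.get("relationshipType") != "fixedIn":
            continue
        vuln = by_id.get(e["from"], {})
        cve = next((x["identifier"] for x in vuln.get("externalIdentifier", [])
                    if x.get("externalIdentifierType") == "cve"), None)
        cve = cve or e["from"].rsplit("/", 1)[-1]
        for pkg in e.get("to", []):
            fixed.setdefault(pkg, set()).add(cve)
    return fixed


def filter_findings(findings, fixed):
    """Drop scanner findings (pkg_id, cve) that the SBOM's VEX marks as fixed."""
    return [(pkg, cve) for pkg, cve in findings if cve not in fixed.get(pkg, set())]


def demo():
    doc = {"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
           "@graph": [{"type": "software_Package", "spdxId": PKG_ID, "name": "unzip"}]
           + vex_fixed_relationships(DOC_BASE, PKG_ID, SAMPLE_PATCHES)}
    doc = json.loads(json.dumps(doc))  # round-trip, as a consumer would receive it
    fixed = fixed_cves_from_spdx(doc)
    # Constructed CPE-based scanner output for unzip 6.0: CVE-2014-8139 is a
    # real unzip id used only as sample input; no patch here tags it, so it stays.
    findings = [(PKG_ID, "CVE-2015-1315"), (PKG_ID, "CVE-2014-8139")]
    return filter_findings(findings, fixed)


if __name__ == "__main__":
    print(demo())
```

The consumer keys the suppression on the package spdxId named in "to", so a VEX statement about unzip never silences the same CVE reported against another package in the SBOM; that per-product scoping is what makes a back-port assertion safe to act on.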
View/Reply Online (#209476): https://lists.openembedded.org/g/openembedded-core/message/209476