From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Thomas Perale <thomas.perale@mind.be>,
Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Subject: [Buildroot] [PATCH 3/4] support/scripts/cve-check: fix vulnerabilities with different analysis
Date: Tue, 3 Mar 2026 23:23:51 +0100 [thread overview]
Message-ID: <20260303222352.95612-3-thomas.perale@mind.be> (raw)
In-Reply-To: <20260303222352.95612-1-thomas.perale@mind.be>
Before this commit, only one entry per vulnerability ID was added to the
output. In CycloneDX, if you need to provide different analyses for
different affected components with the same vulnerability ID, you must
create multiple entries with the same ID.
When running `cve-check` with the `--include-resolved` argument, the
analysis of some vulnerabilities would get overwritten, which led to
undefined analysis results.
This is especially true when running the analysis on multiple components
with the same name but different versions. For instance, if the input
SBOM includes both the `gnupg` and `gnupg2` packages, CVE-2025-68973
could be included. This CVE might be exploitable for the `gnupg` package
but resolved for `gnupg2`. Therefore, a single analysis entry cannot
cover both cases.
This commit fixes the logic for adding vulnerabilities to the output
SBOM. A vulnerability is now added as a new entry if:
1. A vulnerability with the same ID doesn't exist yet.
2. The affect of the new vulnerability is not the same as the one
already present.
For the CVE-2025-68973 example this would result in the following
output:
```json
[
{
"id": "CVE-2025-68973",
"analysis": {
"state": "exploitable"
}
"affects": [
{"ref": "gnupg"}
]
},
{
"id": "CVE-2025-68973",
"analysis": {
"state": "resolved"
}
"affects": [
{"ref": "gnupg2"}
]
}
]
```
45 vulnerabilities were concerned by this bug over the Buildroot tree.
Co-Authored-By: Tim Soubry <tim.soubry@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
support/scripts/cve-check | 76 +++++++++++++++++++--------------------
1 file changed, 37 insertions(+), 39 deletions(-)
diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index 1c006e4ce4..44c5cdc57d 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -157,55 +157,54 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
def vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability):
"""
- Append 'vulnerability' passed as argument to the 'vulnerabilities' argument
- if an entry with the same 'id' doesn't exist yet.
- If the vulnerability already exists, the input reference is added to the
- 'affects' list of the existing entry.
+ Updates a matching 'vulnerability' from the 'vulnerabilities' list or
+ appends it as a new entry.
+
+ A vulnerability is considered 'matching' if it shares the same 'id' AND
+ either:
+
+ 1. An identical 'affects' entry.
+ 2. An identical 'analysis.state'.
Args:
vulnerabilities (list): The vulnerabilities array reference retrieved
from the input CycloneDX SBOM
vulnerability (dict): Vulnerability to add to the 'vulnerabilities' list.
"""
- # Search if a vulnerability with the same identifier already exists in the
- # SBOM vulnerability list.
- matching_vuln = next(
- (vuln for vuln in vulnerabilities if vuln.get("id") == vulnerability["id"]),
- None
- )
+ new_analysis = vulnerability.get("analysis", {}).get("state")
+ new_ref = next((a.get("ref") for a in vulnerability.get("affects", [])), None)
- # bom-ref to the component is passed to the affects of the vulnerability
- # passed as argument
- bom_ref = next((a["ref"] for a in vulnerability.get("affects", [])), None)
+ # All vulnerabilities with same ID
+ matching_vulns = [v for v in vulnerabilities if v.get("id") == vulnerability.get("id")]
- if matching_vuln is not None:
- # Remove the affect to not use it while updating matching vuln.
- if "affects" in vulnerability:
- del vulnerability["affects"]
+ for curr_vuln in matching_vulns:
+ curr_vuln_analysis = curr_vuln.get("analysis", {}).get("state")
+ curr_vuln_refs = [a.get("ref") for a in curr_vuln.get("affects", [])]
- if matching_vuln.get("analysis") is not None and "analysis" in vulnerability:
- # We don't update vulnerabilities that already have an
- # 'analysis'.
- # Buildroot ignored vulnerabilities will already have
- # an analysis and need to remain as such.
- del vulnerability["analysis"]
+ is_same_ref = new_ref in curr_vuln_refs
+ is_same_analysis = curr_vuln_analysis == new_analysis
- affects = matching_vuln.setdefault("affects", [])
+ if not (is_same_ref or is_same_analysis):
+ continue
- if bom_ref is not None:
- ref = next((a["ref"] for a in affects if a["ref"] == bom_ref), None)
- if ref is None:
- # Add a 'ref' (bom reference) to the component if not
- # already present in the 'affects' list.
- affects.append({
- "ref": bom_ref
- })
+ if is_same_ref:
+ # If same vulnerability id and same affect ref, keep the previous
+ # analysis. This is the case where a vulnerability was ignored from
+ # the generated SBOM.
+ del vulnerability["analysis"]
+ del vulnerability["affects"]
+ else:
+ # The same analysis, add a new affect
+ # reference.
+ if new_ref is not None:
+ curr_vuln.setdefault("affects", []).append({"ref": new_ref})
+ del vulnerability["affects"]
- # Update the metadata of the vulnerability with the one
- # downloaded from the database.
- matching_vuln.update(vulnerability)
- else:
- vulnerabilities.append(vulnerability)
+ curr_vuln.update(vulnerability)
+ return
+
+ # No same ID w/ same analysis or same ref.
+ vulnerabilities.append(vulnerability)
def check_package_cve_affects(cve: cvecheck.CVE, cpe_product_pkgs, sbom, opt: Options):
@@ -279,8 +278,7 @@ def enrich_vulnerabilities(nvd_path: Path, sbom):
print(f"Warning: '{vuln_id}' doesn't exist in NVD database.", file=sys.stderr)
continue
- vulnerability = nvd_cve_to_cdx_vulnerability(cve.nvd_cve)
- vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability)
+ vuln.update(nvd_cve_to_cdx_vulnerability(cve.nvd_cve))
def main():
--
2.53.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
next prev parent reply other threads:[~2026-03-03 22:24 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-03 22:23 [Buildroot] [PATCH 1/4] support/scripts/cve-check: add indication how to run Thomas Perale via buildroot
2026-03-03 22:23 ` [Buildroot] [PATCH 2/4] support/scripts/cve-check: remove 'bom-ref' for vulnerabilities Thomas Perale via buildroot
2026-03-03 22:23 ` Thomas Perale via buildroot [this message]
2026-03-03 22:23 ` [Buildroot] [PATCH 4/4] package/pkg-generic.mk: replicate IGNORE_CVES to host packages Thomas Perale via buildroot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260303222352.95612-3-thomas.perale@mind.be \
--to=buildroot@buildroot.org \
--cc=thomas.perale@mind.be \
--cc=thomas.petazzoni@bootlin.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.