* [Buildroot] [PATCH 1/4] support/scripts/cve-check: add indication how to run
@ 2026-03-03 22:23 Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-03-03 22:23 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni

Always run this script from the output of 'generate-cyclonedx'. Do not re-run
this script over an already analysed SBOM.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 support/scripts/cve-check | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index ff14e4b238..2bb3524014 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -29,6 +29,9 @@ database.
 
 The NVD database is cloned using a mirror of it and the content is compared
 locally.
+
+Always run this script from the output of 'generate-cyclonedx'. Do not re-run
+this script over an already analysed SBOMs.
 """
 
 
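Review bot: the added sentence `+this script over an already analysed SBOMs.` mixes singular and plural (`an ... SBOMs`); `over an already analysed SBOM` reads correctly. Since this module docstring is the first thing a user reads, it would also help to say what goes wrong on a re-run (the existing `vulnerabilities` entries get fed back through the merge logic together with fresh NVD data), so readers treat it as a correctness constraint rather than a performance hint.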
-- 
2.53.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* [Buildroot] [PATCH 2/4] support/scripts/cve-check: remove 'bom-ref' for vulnerabilities
@ 2026-03-03 22:23 ` Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-03-03 22:23 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni

The 'bom-ref' is optional and, since we don't reference the
vulnerabilities from anywhere else in the SBOM, it is not necessary in
this case.

The following commit will introduce multiple vulnerabilities that
have the same id. So using the vulnerability id as 'bom-ref' won't be
correct as the 'bom-ref' needs to be unique unlike the id property.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 support/scripts/cve-check | 1 -
 1 file changed, 1 deletion(-)

diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index 2bb3524014..1c006e4ce4 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -129,7 +129,6 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
     [1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities
     """
     vulnerability = {
-        "bom-ref": nvd_cve["id"],
         "id": nvd_cve["id"],
         "description": cve_api_get_lang_from_list(nvd_cve.get("descriptions", [])) or "",
         "source": {
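Review bot: dropping `"bom-ref": nvd_cve["id"]` is consistent with the commit message, but the docstring just above this hunk (the one citing [1] https://cyclonedx.org/docs/1.6/json/#vulnerabilities) would be the right place to record that the same `id` may now appear in several entries and that `bom-ref` is therefore deliberately omitted; without that note a later contributor is likely to add it back. Worth a grep that nothing else in the script reads `vulnerability["bom-ref"]` before this lands.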
-- 
2.53.0


* [Buildroot] [PATCH 3/4] support/scripts/cve-check: fix vulnerabilities with different analysis
@ 2026-03-03 22:23 ` Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-03-03 22:23 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni

Before this commit, only one entry per vulnerability ID was added to the
output. In CycloneDX, if you need to provide different analyses for
different affected components with the same vulnerability ID, you must
create multiple entries with the same ID.

When running `cve-check` with the `--include-resolved` argument, the
analysis of some vulnerabilities would get overwritten, which led to
undefined analysis results.

This is especially true when running the analysis on multiple components
with the same name but different versions. For instance, if the input
SBOM includes both the `gnupg` and `gnupg2` packages, CVE-2025-68973
could be included. This CVE might be exploitable for the `gnupg` package
but resolved for `gnupg2`. Therefore, a single analysis entry cannot
cover both cases.

This commit fixes the logic for adding vulnerabilities to the output
SBOM. A vulnerability is now added as a new entry if:

1. A vulnerability with the same ID doesn't exist yet.
2. The affect of the new vulnerability is not the same as the one
   already present.

For the CVE-2025-68973 example this would result in the following
output:

```json
[
    {
        "id": "CVE-2025-68973",
        "analysis": {
            "state": "exploitable"
        },
        "affects": [
            {"ref": "gnupg"}
        ]
    },
    {
        "id": "CVE-2025-68973",
        "analysis": {
            "state": "resolved"
        },
        "affects": [
            {"ref": "gnupg2"}
        ]
    }
]
```

45 vulnerabilities across the Buildroot tree were affected by this bug.

Co-Authored-By: Tim Soubry <tim.soubry@mind.be>
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 support/scripts/cve-check | 76 +++++++++++++++++++--------------------
 1 file changed, 37 insertions(+), 39 deletions(-)

diff --git a/support/scripts/cve-check b/support/scripts/cve-check
index 1c006e4ce4..44c5cdc57d 100755
--- a/support/scripts/cve-check
+++ b/support/scripts/cve-check
@@ -157,55 +157,54 @@ def nvd_cve_to_cdx_vulnerability(nvd_cve):
 
 def vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability):
     """
-    Append 'vulnerability' passed as argument to the 'vulnerabilities' argument
-    if an entry with the same 'id' doesn't exist yet.
-    If the vulnerability already exists, the input reference is added to the
-    'affects' list of the existing entry.
+    Updates a matching 'vulnerability' from the 'vulnerabilities' list or
+    appends it as a new entry.
+
+    A vulnerability is considered 'matching' if it shares the same 'id' AND
+    either:
+
+    1. An identical 'affects' entry.
+    2. An identical 'analysis.state'.
 
     Args:
         vulnerabilities (list): The vulnerabilities array reference retrieved
             from the input CycloneDX SBOM
         vulnerability (dict): Vulnerability to add to the 'vulnerabilities' list.
     """
-    # Search if a vulnerability with the same identifier already exists in the
-    # SBOM vulnerability list.
-    matching_vuln = next(
-        (vuln for vuln in vulnerabilities if vuln.get("id") == vulnerability["id"]),
-        None
-    )
+    new_analysis = vulnerability.get("analysis", {}).get("state")
+    new_ref = next((a.get("ref") for a in vulnerability.get("affects", [])), None)
 
-    # bom-ref to the component is passed to the affects of the vulnerability
-    # passed as argument
-    bom_ref = next((a["ref"] for a in vulnerability.get("affects", [])), None)
+    # All vulnerabilities with same ID
+    matching_vulns = [v for v in vulnerabilities if v.get("id") == vulnerability.get("id")]
 
-    if matching_vuln is not None:
-        # Remove the affect to not use it while updating matching vuln.
-        if "affects" in vulnerability:
-            del vulnerability["affects"]
+    for curr_vuln in matching_vulns:
+        curr_vuln_analysis = curr_vuln.get("analysis", {}).get("state")
+        curr_vuln_refs = [a.get("ref") for a in curr_vuln.get("affects", [])]
 
-        if matching_vuln.get("analysis") is not None and "analysis" in vulnerability:
-            # We don't update vulnerabilities that already have an
-            # 'analysis'.
-            # Buildroot ignored vulnerabilities will already have
-            # an analysis and need to remain as such.
-            del vulnerability["analysis"]
+        is_same_ref = new_ref in curr_vuln_refs
+        is_same_analysis = curr_vuln_analysis == new_analysis
 
-        affects = matching_vuln.setdefault("affects", [])
+        if not (is_same_ref or is_same_analysis):
+            continue
 
-        if bom_ref is not None:
-            ref = next((a["ref"] for a in affects if a["ref"] == bom_ref), None)
-            if ref is None:
-                # Add a 'ref' (bom reference) to the component if not
-                # already present in the 'affects' list.
-                affects.append({
-                    "ref": bom_ref
-                })
+        if is_same_ref:
+            # If same vulnerability id and same affect ref, keep the previous
+            # analysis. This is the case where a vulnerability was ignored from
+            # the generated SBOM.
+            del vulnerability["analysis"]
+            del vulnerability["affects"]
+        else:
+            # The same analysis, add a new affect
+            # reference.
+            if new_ref is not None:
+                curr_vuln.setdefault("affects", []).append({"ref": new_ref})
+                del vulnerability["affects"]
 
-        # Update the metadata of the vulnerability with the one
-        # downloaded from the database.
-        matching_vuln.update(vulnerability)
-    else:
-        vulnerabilities.append(vulnerability)
+        curr_vuln.update(vulnerability)
+        return
+
+    # No same ID w/ same analysis or same ref.
+    vulnerabilities.append(vulnerability)
 
 
 def check_package_cve_affects(cve: cvecheck.CVE, cpe_product_pkgs, sbom, opt: Options):
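Review bot: the `for curr_vuln in matching_vulns:` loop returns on the first entry that matches on either criterion, so when the list already holds one entry sharing the new `ref` and another sharing only the `analysis.state`, list order decides which one is updated. With the gnupg/gnupg2 case from the commit message, an incoming `gnupg2`/`exploitable` record would hit the `gnupg`/`exploitable` entry first via `is_same_analysis`, append `gnupg2` to its `affects`, and leave `gnupg2` referenced from two entries with conflicting states. Suggest two passes: look for a same-`ref` match across all of `matching_vulns` first (keep its analysis, as the `if is_same_ref:` branch does), and only then fall back to a same-analysis match. Two smaller points in the same hunk: `del vulnerability["analysis"]` in the `is_same_ref` branch is unguarded while `new_analysis` is read with `.get(...)`, so a record without an `analysis` key raises `KeyError` where the removed code checked `"analysis" in vulnerability`; `vulnerability.pop("analysis", None)` keeps the old tolerance. And the docstring promises "An identical 'affects' entry" but only the first ref is compared (`new_ref = next(...)`), and a `new_ref` of `None` makes `is_same_ref` true against any existing affect that lacks a `ref`; either document the single-ref assumption or compare the full ref lists.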
@@ -279,8 +278,7 @@ def enrich_vulnerabilities(nvd_path: Path, sbom):
             print(f"Warning: '{vuln_id}' doesn't exist in NVD database.", file=sys.stderr)
             continue
 
-        vulnerability = nvd_cve_to_cdx_vulnerability(cve.nvd_cve)
-        vuln_append_or_update_affects_if_exists(vulnerabilities, vulnerability)
+        vuln.update(nvd_cve_to_cdx_vulnerability(cve.nvd_cve))
 
 
 def main():
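Review bot: `vuln.update(nvd_cve_to_cdx_vulnerability(cve.nvd_cve))` replaces the merge helper with a plain dict update, so if the dict built by `nvd_cve_to_cdx_vulnerability` ever carries `analysis` or `affects` keys (only `id`, `description`, `source` are visible in the previous patch), `update()` will overwrite the analysis that the commit message says must be preserved for ignored CVEs. Suggest either confirming the helper emits only NVD metadata, or filtering those two keys before the update. Also note that this hunk removes the only visible caller of `vuln_append_or_update_affects_if_exists`, which the previous hunk just rewrote; check that it is still called elsewhere, otherwise the rewrite is dead code.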
-- 
2.53.0


* [Buildroot] [PATCH 4/4] package/pkg-generic.mk: replicate IGNORE_CVES to host packages
@ 2026-03-03 22:23 ` Thomas Perale via buildroot
From: Thomas Perale via buildroot @ 2026-03-03 22:23 UTC (permalink / raw)
  To: buildroot; +Cc: Thomas Perale, Thomas Petazzoni

For host packages, this commit adds the same `ignore_cves` list as their
target counterpart and makes it available in the `show-info` output.

When generating a CycloneDX SBOM with `make show-info-all |
utils/generate-cyclonedx` and running an analysis over it with
`support/scripts/cve-check`, multiple vulnerability
entries would be created with different analyses for packages that have
both a host and a target variant that include IGNORE_CVES entries.

This is the case for the grub2 package, which includes ignored
vulnerabilities that are patched for both the target and host packages
but aren't declared as ignored for the host package. This resulted in
vulnerabilities being marked as 'exploitable' for the host variant even
though it is patched.

Signed-off-by: Thomas Perale <thomas.perale@mind.be>
---
 package/pkg-generic.mk | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/package/pkg-generic.mk b/package/pkg-generic.mk
index dd440e4062..e5e0d49a16 100644
--- a/package/pkg-generic.mk
+++ b/package/pkg-generic.mk
@@ -745,6 +745,13 @@ ifeq ($$($(2)_CPE_ID_VALID),YES)
  $(2)_CPE_ID = $$($(2)_CPE_ID_PREFIX):$$($(2)_CPE_ID_VENDOR):$$($(2)_CPE_ID_PRODUCT):$$($(2)_CPE_ID_VERSION):$$($(2)_CPE_ID_UPDATE):*:*:*:*:*:*
 endif # ifeq ($$($(2)_CPE_ID_VALID),YES)
 
+# replicate the target '_IGNORE_CVES' to the host variant
+ifndef $(2)_IGNORE_CVES
+ ifdef $(3)_IGNORE_CVES
+  $(2)_IGNORE_CVES = $$($(3)_IGNORE_CVES)
+ endif
+endif
+
 # When a target package is a toolchain dependency set this variable to
 # 'NO' so the 'toolchain' dependency is not added to prevent a circular
 # dependency.
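Review bot: the new `ifndef $(2)_IGNORE_CVES` / `ifdef $(3)_IGNORE_CVES` block is evaluated for every package, not only host variants; for a target package `$(2)` and `$(3)` name the same variable, so the two conditions cannot both hold and the block is a harmless no-op, but since the comment says "replicate the target '_IGNORE_CVES' to the host variant", guarding it on the macro's host/target type argument would make the intent explicit and save readers the same reasoning. Two caveats worth stating in the comment: GNU make's `ifdef`/`ifndef` treat a variable with an empty value as undefined, so a host package that sets an empty `_IGNORE_CVES` on purpose still inherits the target list; and the inheritance is only sound when the host and target variants build the same version with the same patches, which the grub2 case in the commit message satisfies but which is an assumption for every other package.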
-- 
2.53.0
