From: Mikko Rapeli <mikko.rapeli@linaro.org>
To: andrej.valek@siemens.com
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [OE-core][PATCH v2] cve-check: add option to add additional patched CVEs
Date: Wed, 17 May 2023 14:08:24 +0300 [thread overview]
Message-ID: <ZGS1qOBTMNAPFHv2@nuoska> (raw)
In-Reply-To: <20230517054138.33459-1-andrej.valek@siemens.com>
Hi,
On Wed, May 17, 2023 at 07:41:38AM +0200, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contains flag for each CVE with accepted
> values "Ignored" or "Not applicable". It allows to add a status for CVEs
> which could be fixed externally.
> - Optional CVE_STATUS_REASONING flag variable could contains a reason
> why the CVE status was used. It will be added in csv/json report like
> a new "reason" entry.
> - All listed CVEs in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" like a fallback.
>
> Example of usage:
> CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
Looks good to me but would you add testing into
meta/lib/oeqa/selftest/cases/cve_check.py ?
And once merged update documentation in
documentation/dev-manual/vulnerabilities.rst,
documentation/ref-manual/classes.rst and
documentation/ref-manual/variables.rst ;)
Thanks,
-Mikko
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> ---
> meta/classes/cve-check.bbclass | 30 +++++++++++++++++++++++++-----
> meta/lib/oe/cve_check.py | 6 ++++++
> 2 files changed, 31 insertions(+), 5 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index bd9e7e7445c..e081095037c 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -70,13 +70,17 @@ CVE_CHECK_COVERAGE ??= "1"
> # Skip CVE Check for packages (PN)
> CVE_CHECK_SKIP_RECIPE ?= ""
>
> -# Ingore the check for a given list of CVEs. If a CVE is found,
> -# then it is considered patched. The value is a string containing
> -# space separated CVE values:
> +# Ignore the check for a given CVE. Each of CVE has to be mentioned
> +# separately with optional reason, why it has to ignored.
> #
> -# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
> +# CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
> +# CVE_STATUS[CVE-1234-0002] = "Ignored"
> +# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
> #
> +# CVE_CHECK_IGNORE is depracated and CVE_STATUS has to be used instead.
> +# Keep CVE_CHECK_IGNORE like a fallback.
> CVE_CHECK_IGNORE ?= ""
> +CVE_STATUS ?= ""
>
> # Layers to be excluded
> CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> @@ -88,6 +92,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
> # set to "alphabetical" for version using single alphabetical character as increment release
> CVE_VERSION_SUFFIX ??= ""
>
> +python () {
> + # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
> + for cve in d.getVar("CVE_CHECK_IGNORE").split():
> + d.setVarFlags("CVE_STATUS", {cve: "Ignored"})
> +}
> +
> def generate_json_report(d, out_path, link_path):
> if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
> import json
> @@ -282,7 +292,11 @@ def check_cves(d, patched_cves):
> bb.note("Recipe has been skipped by cve-check")
> return ([], [], [], [])
>
> - cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
> + # Convert CVE_STATUS into ignored CVEs
> + cve_ignore = []
> + for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> + if status in ["Not applicable", "Ignored"]:
> + cve_ignore.append(cve)
>
> import sqlite3
> db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
> @@ -455,6 +469,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
> else:
> unpatched_cves.append(cve)
> write_string += "CVE STATUS: Unpatched\n"
> + has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
> + if has_reason:
> + write_string += "CVE REASON: %s\n" % has_reason
> write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
> write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
> write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
> @@ -576,6 +593,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
> "status" : status,
> "link": issue_link
> }
> + has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
> + if has_reason:
> + cve_item["reason"] = has_reason
> cve_list.append(cve_item)
>
> package_data["issue"] = cve_list
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index dbaa0b373a3..f47dd9920ef 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -130,6 +130,12 @@ def get_patched_cves(d):
> if not fname_match and not text_match:
> bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>
> + # Search for additional patched CVEs
> + for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
> + if status == "Patched":
> + bb.debug(2, "CVE %s is additionally patched" % cve)
> + patched_cves.add(cve)
> +
> return patched_cves
>
>
> --
> 2.40.1
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#181444): https://lists.openembedded.org/g/openembedded-core/message/181444
> Mute This Topic: https://lists.openembedded.org/mt/98943046/7159507
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [mikko.rapeli@linaro.org]
> -=-=-=-=-=-=-=-=-=-=-=-
>
next prev parent reply other threads:[~2023-05-17 11:08 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36 ` Valek, Andrej
2023-05-05 11:59 ` Richard Purdie
2023-05-08 8:57 ` adrian.freihofer
2023-05-09 9:02 ` Ross Burton
2023-05-09 9:16 ` Richard Purdie
2023-05-09 9:32 ` Mikko Rapeli
2023-05-09 21:37 ` Douglas Royds
2023-05-10 6:56 ` Mikko Rapeli
2023-05-09 8:19 ` Michael Opdenacker
2023-05-17 5:41 ` [OE-core][PATCH v2] " Andrej Valek
2023-05-17 11:08 ` Mikko Rapeli [this message]
2023-05-19 6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19 6:56 ` Mikko Rapeli
2023-05-19 7:44 ` Michael Opdenacker
2023-05-19 13:11 ` Marta Rybczynska
2023-05-20 7:43 ` Valek, Andrej
2023-05-22 7:57 ` Mikko Rapeli
2023-05-23 8:41 ` Valek, Andrej
2023-05-29 7:32 ` Valek, Andrej
2023-05-30 10:12 ` Richard Purdie
2023-06-02 21:10 ` adrian.freihofer
2023-06-02 21:27 ` Richard Purdie
2023-06-04 9:59 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 7:52 ` Richard Purdie
2023-05-19 6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19 6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19 9:17 ` Mikko Rapeli
2023-05-19 13:09 ` Michael Opdenacker
2023-05-19 13:19 ` Valek, Andrej
2023-05-23 11:39 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57 ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57 ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47 ` Richard Purdie
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01 ` Valek, Andrej
2023-06-12 11:59 ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21 5:07 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 6:48 ` [PATCH " Siddharth
2023-06-21 7:55 ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15 ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42 ` Luca Ceresoli
2023-06-22 13:50 ` Valek, Andrej
2023-06-22 13:55 ` Luca Ceresoli
2023-06-22 13:59 ` Valek, Andrej
2023-06-22 14:07 ` Valek, Andrej
2023-06-22 16:24 ` Luca Ceresoli
2023-06-22 6:59 ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02 ` Ross Burton
2023-06-23 11:22 ` Valek, Andrej
2023-06-22 12:00 ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26 ` Valek, Andrej
2023-07-19 10:54 ` Richard Purdie
2023-07-19 11:16 ` Ross Burton
2023-07-19 12:03 ` Valek, Andrej
2023-07-20 16:41 ` Marta Rybczynska
2023-06-23 11:14 ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20 7:19 ` [OE-core][PATCH] " Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19 8:58 ` [PATCH] ref-manual: document " Andrej Valek
2023-05-19 13:01 ` [docs] " Michael Opdenacker
2023-07-20 7:31 ` [PATCH v2] ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP Andrej Valek
2023-07-21 14:52 ` [docs] " Michael Opdenacker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZGS1qOBTMNAPFHv2@nuoska \
--to=mikko.rapeli@linaro.org \
--cc=andrej.valek@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.