[master] [PATCH] cve-check: Add provision to exclude classes

[master] [PATCH] cve-check: Add provision to exclude classes

[dnagodra]

From: Dhairya Nagodra <dnagodra@cisco.com>

- There are times when exluding a package that inherits a particular
  class/classes may be desired.
- This provides the framework for that via the variable:
  CVE_CHECK_CLASS_EXCLUDELIST

Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
---
 meta/classes/cve-check.bbclass | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 56ba8bceef..6d459642fe 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 # Layers to be included
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
+# Classes to be excluded
+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
 
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
 
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     if include_layers and layer not in include_layers:
         return
 
+    for excluded in exclude_classes:
+        if bb.data.inherits_class(excluded, d):
+            return
+
     # Early exit, the text format does not report packages without CVEs
     if not patched+unpatched+ignored:
         return
@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
 
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     if include_layers and layer not in include_layers:
         return
 
+    for excluded in exclude_classes:
+        if bb.data.inherits_class(excluded, d):
+            return
+
     unpatched_cves = []
 
     product_data = []
-- 
2.35.6

RE: [master] [PATCH] cve-check: Add provision to exclude classes

[Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)]

A gentle reminder

>-----Original Message-----
>From: dnagodra@cisco.com <dnagodra@cisco.com>
>Sent: Sunday, March 3, 2024 11:23 PM
>To: openembedded-core@lists.openembedded.org
>Cc: xe-linux-external(mailer list) <xe-linux-external@cisco.com>; Dhairya
>Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnagodra@cisco.com>
>Subject: [master] [PATCH] cve-check: Add provision to exclude classes
>
>From: Dhairya Nagodra <dnagodra@cisco.com>
>
>- There are times when exluding a package that inherits a particular
>  class/classes may be desired.
>- This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST
>
>Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
>---
> meta/classes/cve-check.bbclass | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>index 56ba8bceef..6d459642fe 100644
>--- a/meta/classes/cve-check.bbclass
>+++ b/meta/classes/cve-check.bbclass
>@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> # Layers to be included
> CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
>+# Classes to be excluded
>+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
>
> # set to "alphabetical" for version using single alphabetical character as
>increment release  CVE_VERSION_SUFFIX ??= ""
>@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>
>     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
>     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
>     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>     if include_layers and layer not in include_layers:
>         return
>
>+    for excluded in exclude_classes:
>+        if bb.data.inherits_class(excluded, d):
>+            return
>+
>     # Early exit, the text format does not report packages without CVEs
>     if not patched+unpatched+ignored:
>         return
>@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>
>     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
>     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
>     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>     if include_layers and layer not in include_layers:
>         return
>
>+    for excluded in exclude_classes:
>+        if bb.data.inherits_class(excluded, d):
>+            return
>+
>     unpatched_cves = []
>
>     product_data = []
>--
>2.35.6

Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

[Ross Burton]

On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org <dnagodra=cisco.com@lists.openembedded.org> wrote:
> 
> From: Dhairya Nagodra <dnagodra@cisco.com>
> 
> - There are times when exluding a package that inherits a particular
>  class/classes may be desired.
> - This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST

What’s the use-case for this?  Note that you can control whether cve-check runs per-layer already, if that’s useful.

Ross

RE: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

[Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)]

>-----Original Message-----
>From: Ross Burton <Ross.Burton@arm.com>
>Sent: Friday, March 15, 2024 9:39 PM
>To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
><dnagodra@cisco.com>
>Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
>list) <xe-linux-external@cisco.com>
>Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
>classes
>
>On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
><dnagodra=cisco.com@lists.openembedded.org> wrote:
>>
>> From: Dhairya Nagodra <dnagodra@cisco.com>
>>
>> - There are times when exluding a package that inherits a particular
>> class/classes may be desired.
>> - This provides the framework for that via the variable:
>>  CVE_CHECK_CLASS_EXCLUDELIST
>
>What’s the use-case for this?  Note that you can control whether cve-check
>runs per-layer already, if that’s useful.

Currently, the CVE report is generated for all packages associated with the build. 
However, not all of them might be getting used in the target device.
The package associated with native, nativesdk, cross classes are examples of such.
This patch would provide a way to exclude these packages in the CVE report.
So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native", 
The report would not have the entries for these packages:
 gnupg-native, nasm-native, binutils-native (and so on)

This is helpful when one wants to concentrate their CVE fixing efforts to the 
specific packages going into the target device.

Regards,
Dhairya

>
>Ross

Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

[Mikko Rapeli]

Hi,

On Fri, Mar 15, 2024 at 07:52:00PM +0000, Dhairya Nagodra via lists.openembedded.org wrote:
> 
> 
> >-----Original Message-----
> >From: Ross Burton <Ross.Burton@arm.com>
> >Sent: Friday, March 15, 2024 9:39 PM
> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
> ><dnagodra@cisco.com>
> >Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
> >list) <xe-linux-external@cisco.com>
> >Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
> >classes
> >
> >On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> ><dnagodra=cisco.com@lists.openembedded.org> wrote:
> >>
> >> From: Dhairya Nagodra <dnagodra@cisco.com>
> >>
> >> - There are times when exluding a package that inherits a particular
> >> class/classes may be desired.
> >> - This provides the framework for that via the variable:
> >>  CVE_CHECK_CLASS_EXCLUDELIST
> >
> >What’s the use-case for this?  Note that you can control whether cve-check
> >runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the build. 
> However, not all of them might be getting used in the target device.
> The package associated with native, nativesdk, cross classes are examples of such.
> This patch would provide a way to exclude these packages in the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native", 
> The report would not have the entries for these packages:
>  gnupg-native, nasm-native, binutils-native (and so on)
> 
> This is helpful when one wants to concentrate their CVE fixing efforts to the 
> specific packages going into the target device.

CVE check generates report summaries for all images already. Doesn't that cover this
usecase?

And many build tools end up talking to servers in the Internet so detecting
and fixing CVEs in them is also quite important.

Cheers,

-Mikko

Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

[Ross Burton]

On 15 Mar 2024, at 19:52, Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnagodra@cisco.com> wrote:
>> What’s the use-case for this?  Note that you can control whether cve-check
>> runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the build. 
> However, not all of them might be getting used in the target device.
> The package associated with native, nativesdk, cross classes are examples of such.
> This patch would provide a way to exclude these packages in the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native", 
> The report would not have the entries for these packages:
> gnupg-native, nasm-native, binutils-native (and so on)

For this specific use-case I’d suggest filtering the JSON to remove all -native entries.  Also as Mikko said, a CVE in gcc-cross would absolutely need to be considered, so I’d not recommend ignoring all native recipes.

Ross