Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Michael Opdenacker <michael.opdenacker@bootlin.com>
To: andrej.valek@siemens.com, openembedded-core@lists.openembedded.org
Cc: mikko.rapeli@linaro.org, Peter Marko <peter.marko@siemens.com>
Subject: Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
Date: Fri, 19 May 2023 09:44:30 +0200	[thread overview]
Message-ID: <f04650dc-e504-e146-2845-e7cbeed5c547@bootlin.com> (raw)
In-Reply-To: <20230519062420.37015-1-andrej.valek@siemens.com>

Hi Andrej

On 19.05.23 at 08:24, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows to add
> a status for each CVEs.
> - Optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added in csv/json report like
> a new "reason" entry.
> - Settings the same status and reason for multiple CVEs is possible
> via CVE_STATUS_GROUPS variable.
> - All listed CVEs in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" like a fallback.
>
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
>
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Not applicable"
> CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
>
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_PATCHED[reason] = "Fixed externally"
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>   documentation/dev-manual/new-recipe.rst      |  4 +-
>   documentation/dev-manual/vulnerabilities.rst | 11 ++---
>   documentation/ref-manual/classes.rst         |  9 ++--
>   documentation/ref-manual/variables.rst       | 33 ++++++++++++---
>   meta/classes/cve-check.bbclass               | 44 +++++++++++++++++---
>   meta/lib/oe/cve_check.py                     |  6 +++
>   6 files changed, 87 insertions(+), 20 deletions(-)

Many thanks for the patch and for the documentation changes too !
However, could you send the documentation changes separately, using the 
yocto-docs repository as a reference, and sending them to the 
docs@lists.yoctoproject.org mailing list?

You seem to have produced your patches against "poky", but that's a 
repository aggregating stuff from other repositories. Your code changes 
should be for the "openembedded-core" repository.

Another advantage is that we can merge the documentation changes only 
when the code changes are accepted.

Thanks in advance
Cheers
Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

next prev parent reply	other threads:[~2023-05-19  7:44 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36   ` Valek, Andrej
2023-05-05 11:59     ` Richard Purdie
2023-05-08  8:57       ` adrian.freihofer
2023-05-09  9:02         ` Ross Burton
2023-05-09  9:16           ` Richard Purdie
2023-05-09  9:32           ` Mikko Rapeli
2023-05-09 21:37             ` Douglas Royds
2023-05-10  6:56               ` Mikko Rapeli
2023-05-09  8:19 ` Michael Opdenacker
2023-05-17  5:41 ` [OE-core][PATCH v2] " Andrej Valek
2023-05-17 11:08   ` Mikko Rapeli
2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19  6:56   ` Mikko Rapeli
2023-05-19  7:44   ` Michael Opdenacker [this message]
2023-05-19 13:11   ` Marta Rybczynska
2023-05-20  7:43     ` Valek, Andrej
2023-05-22  7:57     ` Mikko Rapeli
2023-05-23  8:41       ` Valek, Andrej
2023-05-29  7:32         ` Valek, Andrej
2023-05-30 10:12           ` Richard Purdie
2023-06-02 21:10             ` adrian.freihofer
2023-06-02 21:27               ` Richard Purdie
2023-06-04  9:59                 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  7:52                   ` Richard Purdie
2023-05-19  6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19  9:17   ` Mikko Rapeli
2023-05-19 13:09   ` Michael Opdenacker
2023-05-19 13:19     ` Valek, Andrej
2023-05-23 11:39       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57   ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47     ` Richard Purdie
2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01     ` Valek, Andrej
2023-06-12 11:59   ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21  5:07     ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  6:48       ` [PATCH " Siddharth
2023-06-21  7:55     ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15   ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42     ` Luca Ceresoli
2023-06-22 13:50       ` Valek, Andrej
2023-06-22 13:55         ` Luca Ceresoli
2023-06-22 13:59           ` Valek, Andrej
2023-06-22 14:07             ` Valek, Andrej
2023-06-22 16:24               ` Luca Ceresoli
2023-06-22  6:59   ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02     ` Ross Burton
2023-06-23 11:22       ` Valek, Andrej
2023-06-22 12:00   ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26     ` Valek, Andrej
2023-07-19 10:54       ` Richard Purdie
2023-07-19 11:16         ` Ross Burton
2023-07-19 12:03           ` Valek, Andrej
2023-07-20 16:41             ` Marta Rybczynska
2023-06-23 11:14   ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20  7:19   ` [OE-core][PATCH] " Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19  8:58 ` [PATCH] ref-manual: document " Andrej Valek
2023-05-19 13:01   ` [docs] " Michael Opdenacker
2023-07-20  7:31   ` [PATCH v2] ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP Andrej Valek
2023-07-21 14:52     ` [docs] " Michael Opdenacker

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f04650dc-e504-e146-2845-e7cbeed5c547@bootlin.com \
    --to=michael.opdenacker@bootlin.com \
    --cc=andrej.valek@siemens.com \
    --cc=mikko.rapeli@linaro.org \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=peter.marko@siemens.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.