From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: buildroot@buildroot.org
Cc: Thomas Perale <thomas.perale@mind.be>
Subject: [Buildroot] [PATCH v5 8/8] utils/generate-cyclonedx: split vulnerabilities per state
Date: Wed, 11 Mar 2026 15:04:57 +0100 [thread overview]
Message-ID: <20260311140457.140041-9-thomas.perale@mind.be> (raw)
In-Reply-To: <20260311140457.140041-1-thomas.perale@mind.be>
If a vulnerability is present in multiple components and only one of
them has a patch that addresses that vulnerability, all components will
currently have that vulnerability marked as `resolved_with_pedigree`.
Right now, this issue does not affect any packages, but in the future it
might affect packages that provide multiple version options (e.g.
gnupg and gnupg2).
There is a small chance this happens in a real-world use case, but it
may occur in the context of maintenance when running
`make show-info-all`.
This commit changes how vulnerabilities fixed by a patch are stored.
Instead of placing all vulnerabilities into a single set, it now keeps an
index of the component for which the patch has been applied.
When generating the vulnerability list, the component reference is
checked instead of only the vulnerability ID. If a vulnerability ID has
multiple states for different references, multiple vulnerability
entries are created with distinct analyses.
Consider the hypothetical case where gnupg ignores a vulnerability
because it was introduced in a later version, while gnupg2 has patched
that vulnerability. This would result in the following JSON:
```json
[
  {
    "id": "CVE-1234-1234",
    "analysis": {
      "state": "in_triage",
      "detail": "The CVE 'CVE-1234-1234' has been marked as ignored by Buildroot"
    },
    "affects": [
      {"ref": "gnupg"}
    ]
  },
  {
    "id": "CVE-1234-1234",
    "analysis": {
      "state": "resolved_with_pedigree",
      "detail": "The CVE 'CVE-1234-1234' has been marked as ignored by Buildroot"
    },
    "affects": [
      {"ref": "gnupg2"}
    ]
  }
]
```
Signed-off-by: Thomas Perale <thomas.perale@mind.be>
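The grouping change described in the commit message, as an added stand-alone model that is not Buildroot's generate-cyclonedx code: the old set-based bookkeeping is placed next to the per-component index, both run on a constructed show-info-like dictionary (`SHOW_INFO`, `PATCH_CVES` and the `index_pedigree` helper are assumptions standing in for show-info JSON and `extract_cves_from_header`), so the over-marking of `gnupg` as `resolved_with_pedigree` is visible before the fix and gone after it.

```python
# Added example, not the project's code: models the vulnerability grouping
# before and after keying on (cve, state).

def index_pedigree(show_info: dict, patch_cves: dict) -> dict:
    """Per-component index of CVE ids addressed by that component's patches.
    patch_cves maps a patch path to the CVE ids found in its header
    (constructed stand-in for extract_cves_from_header)."""
    index = {}
    for name, comp in show_info.items():
        for patch in comp.get("patches", []):
            cves = patch_cves.get(patch, set())
            if cves:
                index.setdefault(name, set()).update(cves)
    return index


def build_vulnerabilities_old(show_info: dict, patched_cves: set) -> list:
    """Pre-patch behaviour: one entry per CVE, state taken from one global set,
    so a CVE patched in any component is marked resolved for all of them."""
    cves = {}
    for name, comp in show_info.items():
        for cve in comp.get("ignore_cves", []):
            cves.setdefault(cve, []).append(name)
    return [{
        "id": cve,
        "analysis": {
            "state": "resolved_with_pedigree" if cve in patched_cves else "in_triage",
            "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot",
        },
        "affects": [{"ref": ref} for ref in components],
    } for cve, components in cves.items()]


def build_vulnerabilities_new(show_info: dict, pedigree_index: dict) -> list:
    """Post-patch behaviour: key on (cve, state) so the same CVE id can yield
    one entry per distinct analysis state, each with its own affects list."""
    cves = {}
    for name, comp in show_info.items():
        for cve in comp.get("ignore_cves", []):
            state = "in_triage"
            if cve in pedigree_index.get(name, set()):
                state = "resolved_with_pedigree"
            cves.setdefault((cve, state), []).append(name)
    return [{
        "id": cve,
        "analysis": {
            "state": state,
            "detail": f"The CVE '{cve}' has been marked as ignored by Buildroot",
        },
        "affects": [{"ref": ref} for ref in components],
    } for (cve, state), components in cves.items()]


# Constructed input: both packages ignore the same CVE, only gnupg2 carries a
# patch whose header names it (paths and CVE id are placeholders).
SHOW_INFO = {
    "gnupg": {"ignore_cves": ["CVE-1234-1234"], "patches": []},
    "gnupg2": {"ignore_cves": ["CVE-1234-1234"],
               "patches": ["package/gnupg2/0001-fix.patch"]},
}
PATCH_CVES = {"package/gnupg2/0001-fix.patch": {"CVE-1234-1234"}}


def states_per_component(entries: list) -> dict:
    """Flatten a vulnerability list into {(cve, ref): state} for comparison."""
    return {(e["id"], a["ref"]): e["analysis"]["state"]
            for e in entries for a in e["affects"]}


if __name__ == "__main__":
    import json
    idx = index_pedigree(SHOW_INFO, PATCH_CVES)
    old = build_vulnerabilities_old(SHOW_INFO, set().union(*idx.values()))
    new = build_vulnerabilities_new(SHOW_INFO, idx)
    print("before:", states_per_component(old))
    print("after: ", states_per_component(new))
    print(json.dumps(new, indent=2))
```

Run as a script it prints the per-component states for both variants and the post-patch list, which matches the JSON shown in the commit message apart from key order.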
---
utils/generate-cyclonedx | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
diff --git a/utils/generate-cyclonedx b/utils/generate-cyclonedx
index 43167d12d0..f4e0e8b539 100755
--- a/utils/generate-cyclonedx
+++ b/utils/generate-cyclonedx
@@ -249,10 +249,10 @@ class CycloneDX:
_spdx_licenses: list = field(default_factory=list)
"""List of supported SPDX license expression. Initialized during the
`__post_init__` step, fetched either online or from local copy"""
- _vuln_with_pedigree: set = field(default_factory=set)
- """Set of vulnerabilities that were addressed by a patch present in
- buildroot tree. This set is used to set the analysis of the ignored CVEs to
- 'resolved_with_pedigree'."""
+ _vuln_with_pedigree: dict = field(default_factory=dict)
+ """Index of vulnerabilities per component ref that were addressed by a
+ patch present in buildroot tree. This index is used to set the analysis of
+ the ignored CVEs to 'resolved_with_pedigree'."""
def __post_init__(self):
self._spdx_licenses = br2_retrieve_spdx_licenses(self.options.cyclonedx_version)
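Review bot: the new docstring for `_vuln_with_pedigree` should state the mapping's shape, since the `dict` annotation alone does not say what the keys and values are: the key is the component ref (the show-info name passed as `comp_ref`) and the value is a `set` of CVE ids. A wording such as "Maps a component ref to the set of CVE ids addressed by patches in the buildroot tree for that component; used to set the analysis of ignored CVEs to 'resolved_with_pedigree'." also reads more naturally than "Index of vulnerabilities per component ref that were addressed by a patch".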
@@ -297,11 +297,12 @@ class CycloneDX:
]
}
- def _component_patches(self, patch_list: list[str]):
+ def _component_patches(self, comp_ref: str, patch_list: list[str]):
"""Translate a list of patches from the show-info JSON to a list of
patches in CycloneDX format.
Args:
+ comp_ref (str): Reference of the component the patches are part of.
patch_list (list): Array of patch relative paths for a given component.
Returns:
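Review bot: the `Args` entry for the new `comp_ref` parameter should say that it must be the same string later used as the bom-ref in the vulnerability `affects` list, because `_vuln_with_pedigree` is keyed on it and the lookup in the vulnerability generation uses the show-info component name; if a caller passed any other identifier, every ignored CVE would silently stay `in_triage`. Suggested: "comp_ref (str): Reference (bom-ref) of the component the patches belong to; used as the key of the pedigree index."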
@@ -324,7 +325,7 @@ class CycloneDX:
issue = {}
cves = extract_cves_from_header(header)
if cves:
- self._vuln_with_pedigree.update(cves)
+ self._vuln_with_pedigree.setdefault(comp_ref, set()).update(cves)
issue = {
"resolves": [
{
@@ -387,7 +388,7 @@ class CycloneDX:
**({
"cpe": comp["cpe-id"],
} if "cpe-id" in comp else {}),
- **(self._component_patches(comp["patches"]) if comp.get("patches") else {}),
+ **(self._component_patches(name, comp["patches"]) if comp.get("patches") else {}),
"properties": [{
"name": "BR_TYPE",
"value": comp["type"],
@@ -421,22 +422,31 @@ class CycloneDX:
Returns:
list: Solved vulnerabilities list in CycloneDX format.
"""
+ # This will generate an index of affected component per
+ # (<cve-id>, <analysis-state>) tuple.
+ # In the case a CVE have different analysis based on the package they
+ # affects this will enable to create multiple entries with the same
+ # vulnerability id.
cves = {}
for name, comp in self._filtered_show_info_dict.items():
for cve in comp.get('ignore_cves', []):
- cves.setdefault(cve, []).append(name)
+ state = "in_triage"
+ if cve in self._vuln_with_pedigree.get(name, {}):
+ state = "resolved_with_pedigree"
+
+ cves.setdefault((cve, state), []).append(name)
return [{
"id": cve,
"analysis": {
- "state": "resolved_with_pedigree" if cve in self._vuln_with_pedigree else "in_triage",
+ "state": state,
"detail": f"The CVE '{cve}' has been marked as ignored by Buildroot"
},
"affects": [
{"ref": bomref} for bomref in components
]
- } for cve, components in cves.items()]
+ } for (cve, state), components in cves.items()]
@property
def cyclonedx(self):
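Review bot: `self._vuln_with_pedigree.get(name, {})` uses an empty dict as the default while the stored values are sets (`setdefault(comp_ref, set())` in `_component_patches`); membership works on either, but `set()` makes the type consistent and self-documenting. A second point: the `detail` string `f"The CVE '{cve}' has been marked as ignored by Buildroot"` is now emitted unchanged for both states, so a `resolved_with_pedigree` entry still describes itself as merely ignored; consider varying the detail with `state` (for the pedigree case, say that a patch in the Buildroot tree addresses it) so SBOM consumers reading the detail are not misled. Lastly, the new comment needs a grammar pass; for example: "When a CVE has a different analysis depending on the package it affects, this lets us create multiple entries with the same vulnerability id."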
--
2.53.0
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
Thread overview:
2026-03-11 14:04 [Buildroot] [PATCH v5 0/8] Support CycloneDX v1.7 Thomas Perale via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 1/8] utils/generate-cyclonedx: use tuple for version Thomas Perale via buildroot
2026-04-09 12:08 ` Quentin Schulz via buildroot
2026-04-09 20:27 ` Thomas Perale via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 2/8] utils/generate-cyclonedx: move license download in a function Thomas Perale via buildroot
2026-04-09 12:12 ` Quentin Schulz via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 3/8] utils/generate-cyclonedx: move utility function Thomas Perale via buildroot
2026-04-09 12:27 ` Quentin Schulz via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 4/8] utils/generate-cyclonedx: encapsulate CycloneDX generation functions Thomas Perale via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 5/8] utils/generate-cyclonedx: optional bump to v1.7 Thomas Perale via buildroot
2026-04-09 12:40 ` Quentin Schulz via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 6/8] utils/generate-cyclonedx: mark host packages as external Thomas Perale via buildroot
2026-04-09 12:58 ` Quentin Schulz via buildroot
2026-04-09 20:42 ` Thomas Perale via buildroot
2026-04-09 20:43 ` Thomas Perale via buildroot
2026-04-10 9:12 ` Quentin Schulz via buildroot
2026-03-11 14:04 ` [Buildroot] [PATCH v5 7/8] utils/generate-cyclonedx: add 'id' property to resolves Thomas Perale via buildroot
2026-04-09 13:22 ` Quentin Schulz via buildroot
2026-04-09 20:24 ` Thomas Perale via buildroot
2026-03-11 14:04 ` Thomas Perale via buildroot [this message]