From: adrian.freihofer@gmail.com
To: Richard Purdie <richard.purdie@linuxfoundation.org>,
"Valek, Andrej" <andrej.valek@siemens.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>
Subject: Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs
Date: Mon, 08 May 2023 10:57:17 +0200 [thread overview]
Message-ID: <1a9baf9413cc3e405433806ec3e5f122e2a42793.camel@gmail.com> (raw)
In-Reply-To: <e57e347e816ca3c355d594a95f2549af7dd86609.camel@linuxfoundation.org>
On Fri, 2023-05-05 at 12:59 +0100, Richard Purdie wrote:
> > On Fri, 2023-05-05 at 11:36 +0000, Valek, Andrej wrote:
> > > > On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> > > > > > On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
> > > > > > lists.openembedded.org wrote:
> > > > > > > > CVE_CHECK_PATCHED - should contains an additional CVEs
> > > > > > > > which
> > > > > > > > have
> > > > > > > > been
> > > > > > > > fixed and shouldn't be mark as vulnerable nor ignored.
> > > > > > > >
> > > > > > > > Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> > > > > > > > ---
> > > > > > > > meta/classes/cve-check.bbclass | 8 ++++++++
> > > > > > > > 1 file changed, 8 insertions(+)
> > > > > > > >
> > > > > > > > diff --git a/meta/classes/cve-check.bbclass
> > > > > > > > b/meta/classes/cve-
> > > > > > > > check.bbclass
> > > > > > > > index bd9e7e7445c..957ea0130dc 100644
> > > > > > > > --- a/meta/classes/cve-check.bbclass
> > > > > > > > +++ b/meta/classes/cve-check.bbclass
> > > > > > > > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> > > > > > > > #
> > > > > > > > CVE_CHECK_IGNORE ?= ""
> > > > > > > >
> > > > > > > > +# Usually a CVE gets treated as patched when a patch
> > > > > > > > with the
> > > > > > > > name
> > > > > > > > of the CVE
> > > > > > > > +# gets applied. Basically this variable should not be
> > > > > > > > used.
> > > > > > > > But if
> > > > > > > > there are
> > > > > > > > +# other reasons to mark a CVE as patched it can be
> > > > > > > > added to
> > > > > > > > this
> > > > > > > > list.
> > > > > > > > +CVE_CHECK_PATCHED ?= ""
> > > > > >
> > > > > > We're not adding variables which are documented as
> > > > > > "Basically
> > > > > > this
> > > > > > variable should not be used.". If you shouldn't need/use
> > > > > > it, we
> > > > > > don't
> > > > > > need it.
> > > > Ok, maybe I should change the description a little bit. Do you
> > > > have
> > > > some other preference?
> > > > > >
> > > > > > Can't you just use the ignore variable for the same end
> > > > > > result?
> > > > Nope. If I use a ignore list, the output in the SBOM will be
> > > > set to
> > > > "ignored", which is wrong, because it has been fixed. And
> > > > that's
> > > > the
> > > > reason.
> > > >
> >
> > I suspect "ignored" is a bad way to describe things. Ignore might
> > mean
> > the issue doesn't apply, has been fixed in some way or we really
> > are
> > ignoring it. What does the SBOM spec say about different field
> > values?
> > Should we be providing more reasoning than just adding to an ignore
> > list?
> >
> > I'm a bit worried we're not solving the real problem here by adding
> > a
> > new variable we tell people not to use.
The patch from Andrej tries to solves a real issue: The CVE checker
distinguishes between two types of patches. Ignored (= not applicable)
and patched. Patching is only supported by adding a real patch file to
the SRC_URI. However, there are other ways a patch can be implemented.
For example, a recipe that uses the git fetcher would update the git
hash to a commit that contains a fix instead of applying a patch file
to the recipe.
But I fully agree that the comment (originally suggested by me when
Andrej and I were discussing the solution) is bad. Maybe it should read
as follows:
Normally, a CVE is treated as patched when a patch with the name of the
CVE is applied. CVE_CHECK_PATCHED allows to extend the list of patched
CVEs without adding a patch file to SRC_URI.
Regarding the SBOM: It is important for customers that the CVEs of a
product with SBOM can be correctly identified as repaired or as
ignored. However, I'm not sure if the SBOM part is properly addressed
by the patch. The create-spdx.bbclass uses the function
oe.cve_check.get_patched_cves(d) which should probably handle the new
variable as well. We will check that and come up with a V2.
Thank you and regards,
Adrian
> >
> > Cheers,
> >
> > Richard
> >
> >
> >
> > -=-=-=-=-=-=-=-=-=-=-=-
> > Links: You receive all messages sent to this group.
> > View/Reply Online (#180915):
> > https://lists.openembedded.org/g/openembedded-core/message/180915
> > Mute This Topic: https://lists.openembedded.org/mt/98703185/4454582
> > Group Owner: openembedded-core+owner@lists.openembedded.org
> > Unsubscribe:
> > https://lists.openembedded.org/g/openembedded-core/unsub
> > [adrian.freihofer@gmail.com]
> > -=-=-=-=-=-=-=-=-=-=-=-
> >
next prev parent reply other threads:[~2023-05-08 8:57 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36 ` Valek, Andrej
2023-05-05 11:59 ` Richard Purdie
2023-05-08 8:57 ` adrian.freihofer [this message]
2023-05-09 9:02 ` Ross Burton
2023-05-09 9:16 ` Richard Purdie
2023-05-09 9:32 ` Mikko Rapeli
2023-05-09 21:37 ` Douglas Royds
2023-05-10 6:56 ` Mikko Rapeli
2023-05-09 8:19 ` Michael Opdenacker
2023-05-17 5:41 ` [OE-core][PATCH v2] " Andrej Valek
2023-05-17 11:08 ` Mikko Rapeli
2023-05-19 6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19 6:56 ` Mikko Rapeli
2023-05-19 7:44 ` Michael Opdenacker
2023-05-19 13:11 ` Marta Rybczynska
2023-05-20 7:43 ` Valek, Andrej
2023-05-22 7:57 ` Mikko Rapeli
2023-05-23 8:41 ` Valek, Andrej
2023-05-29 7:32 ` Valek, Andrej
2023-05-30 10:12 ` Richard Purdie
2023-06-02 21:10 ` adrian.freihofer
2023-06-02 21:27 ` Richard Purdie
2023-06-04 9:59 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 7:52 ` Richard Purdie
2023-05-19 6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19 6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19 9:17 ` Mikko Rapeli
2023-05-19 13:09 ` Michael Opdenacker
2023-05-19 13:19 ` Valek, Andrej
2023-05-23 11:39 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57 ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57 ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47 ` Richard Purdie
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01 ` Valek, Andrej
2023-06-12 11:59 ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21 5:07 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 6:48 ` [PATCH " Siddharth
2023-06-21 7:55 ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15 ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42 ` Luca Ceresoli
2023-06-22 13:50 ` Valek, Andrej
2023-06-22 13:55 ` Luca Ceresoli
2023-06-22 13:59 ` Valek, Andrej
2023-06-22 14:07 ` Valek, Andrej
2023-06-22 16:24 ` Luca Ceresoli
2023-06-22 6:59 ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02 ` Ross Burton
2023-06-23 11:22 ` Valek, Andrej
2023-06-22 12:00 ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26 ` Valek, Andrej
2023-07-19 10:54 ` Richard Purdie
2023-07-19 11:16 ` Ross Burton
2023-07-19 12:03 ` Valek, Andrej
2023-07-20 16:41 ` Marta Rybczynska
2023-06-23 11:14 ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20 7:19 ` [OE-core][PATCH] " Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1a9baf9413cc3e405433806ec3e5f122e2a42793.camel@gmail.com \
--to=adrian.freihofer@gmail.com \
--cc=andrej.valek@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=richard.purdie@linuxfoundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox