[OE-core][PATCH v2] cve-check: add option to add additional patched CVEs

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: Andrej Valek <andrej.valek@siemens.com>
To: <openembedded-core@lists.openembedded.org>
Cc: Andrej Valek <andrej.valek@siemens.com>
Subject: [OE-core][PATCH v2] cve-check: add option to add additional patched CVEs
Date: Wed, 17 May 2023 07:41:38 +0200	[thread overview]
Message-ID: <20230517054138.33459-1-andrej.valek@siemens.com> (raw)
In-Reply-To: <20230505111814.491483-1-andrej.valek@siemens.com>

- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contains flag for each CVE with accepted
values "Ignored" or "Not applicable". It allows to add a status for CVEs
which could be fixed externally.
- Optional CVE_STATUS_REASONING flag variable could contains a reason
why the CVE status was used. It will be added in csv/json report like
a new "reason" entry.
- All listed CVEs in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" like a fallback.

Example of usage:
CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/classes/cve-check.bbclass | 30 +++++++++++++++++++++++++-----
 meta/lib/oe/cve_check.py       |  6 ++++++
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..e081095037c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,13 +70,17 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Ignore the check for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason, why it has to ignored.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
+# CVE_STATUS[CVE-1234-0002] = "Ignored"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
 #
+# CVE_CHECK_IGNORE is depracated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE like a fallback.
 CVE_CHECK_IGNORE ?= ""
+CVE_STATUS ?= ""
 
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
@@ -88,6 +92,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+    # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+    for cve in d.getVar("CVE_CHECK_IGNORE").split():
+        d.setVarFlags("CVE_STATUS", {cve: "Ignored"})
+}
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
@@ -282,7 +292,11 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been skipped by cve-check")
         return ([], [], [], [])
 
-    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+    # Convert CVE_STATUS into ignored CVEs
+    cve_ignore = []
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status in ["Not applicable", "Ignored"]:
+            cve_ignore.append(cve)
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -455,6 +469,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         else:
             unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
+        has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if has_reason:
+            write_string += "CVE REASON: %s\n" % has_reason
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -576,6 +593,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
+        has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
+        if has_reason:
+            cve_item["reason"] = has_reason
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a3..f47dd9920ef 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+    # Search for additional patched CVEs
+    for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+        if status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+
     return patched_cves
 
 
-- 
2.40.1

next prev parent reply	other threads:[~2023-05-17  5:42 UTC|newest]

Thread overview: 73+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36   ` Valek, Andrej
2023-05-05 11:59     ` Richard Purdie
2023-05-08  8:57       ` adrian.freihofer
2023-05-09  9:02         ` Ross Burton
2023-05-09  9:16           ` Richard Purdie
2023-05-09  9:32           ` Mikko Rapeli
2023-05-09 21:37             ` Douglas Royds
2023-05-10  6:56               ` Mikko Rapeli
2023-05-09  8:19 ` Michael Opdenacker
2023-05-17  5:41 ` Andrej Valek [this message]
2023-05-17 11:08   ` [OE-core][PATCH v2] " Mikko Rapeli
2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19  6:56   ` Mikko Rapeli
2023-05-19  7:44   ` Michael Opdenacker
2023-05-19 13:11   ` Marta Rybczynska
2023-05-20  7:43     ` Valek, Andrej
2023-05-22  7:57     ` Mikko Rapeli
2023-05-23  8:41       ` Valek, Andrej
2023-05-29  7:32         ` Valek, Andrej
2023-05-30 10:12           ` Richard Purdie
2023-06-02 21:10             ` adrian.freihofer
2023-06-02 21:27               ` Richard Purdie
2023-06-04  9:59                 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  7:52                   ` Richard Purdie
2023-05-19  6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19  9:17   ` Mikko Rapeli
2023-05-19 13:09   ` Michael Opdenacker
2023-05-19 13:19     ` Valek, Andrej
2023-05-23 11:39       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57   ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47     ` Richard Purdie
2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01     ` Valek, Andrej
2023-06-12 11:59   ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21  5:07     ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  6:48       ` [PATCH " Siddharth
2023-06-21  7:55     ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15   ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42     ` Luca Ceresoli
2023-06-22 13:50       ` Valek, Andrej
2023-06-22 13:55         ` Luca Ceresoli
2023-06-22 13:59           ` Valek, Andrej
2023-06-22 14:07             ` Valek, Andrej
2023-06-22 16:24               ` Luca Ceresoli
2023-06-22  6:59   ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02     ` Ross Burton
2023-06-23 11:22       ` Valek, Andrej
2023-06-22 12:00   ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26     ` Valek, Andrej
2023-07-19 10:54       ` Richard Purdie
2023-07-19 11:16         ` Ross Burton
2023-07-19 12:03           ` Valek, Andrej
2023-07-20 16:41             ` Marta Rybczynska
2023-06-23 11:14   ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20  7:19   ` [OE-core][PATCH] " Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:bd9e7e7445 dfblob:e081095037 dfblob:dbaa0b373a
dfblob:f47dd9920e )
 OR (
bs:"[OE-core][PATCH v2] cve-check: add option to add additional patched CVEs" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230517054138.33459-1-andrej.valek@siemens.com \
    --to=andrej.valek@siemens.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox