[openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS - Het Patel -X (hetpat

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: "Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)" <hetpat@cisco.com>
To: openembedded-core@lists.openembedded.org
Cc: xe-linux-external@cisco.com, vchavda@cisco.com
Subject: [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS
Date: Thu, 19 Feb 2026 21:34:10 -0800	[thread overview]
Message-ID: <20260220053443.3006180-1-hetpat@cisco.com> (raw)

From: Marta Rybczynska <rybczynska@gmail.com>

CVE_STATUS contains assesment of a given CVE, but until now it didn't have
include the affected vendor/product. In the case of a global system include,
that CVE_STATUS was visible in all recipes.

This patch allows encoding of affected product/vendor to each CVE_STATUS
assessment, also for groups. We can then filter them later and use only
CVEs that correspond to the recipe.

This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc
and similar places.

Backport Changes:
- Discarded the changes to meta/lib/oe/spdx30_tasks.py, as the
commit history for this file diverges from the base commit
itself (9c9b9545049a in the scarthgap branch).
- Additionally, the changes do not introduce any major features
and are primarily focused on code restructuring.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit abca80a716e92fc18d3085aba1a15f4bac72379c)
Signed-off-by: Het Patel <hetpat@cisco.com>
---
 meta/classes/cve-check.bbclass | 24 ++++++++++-----------
 meta/lib/oe/cve_check.py       | 39 ++++++++++++++++++++++++++--------
 2 files changed, 42 insertions(+), 21 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3f4704fb4e..de5ddf6f04 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -316,8 +316,8 @@ def check_cves(d, patched_cves):
     # Convert CVE_STATUS into ignored CVEs and check validity
     cve_ignore = []
     for cve in (d.getVarFlags("CVE_STATUS") or {}):
-        decoded_status, _, _ = decode_cve_status(d, cve)
-        if decoded_status == "Ignored":
+        decoded_status = decode_cve_status(d, cve)
+        if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored":
             cve_ignore.append(cve)
 
     import sqlite3
@@ -500,11 +500,11 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
         write_string += "CVE STATUS: %s\n" % status
-        _, detail, description = decode_cve_status(d, cve)
-        if detail:
-            write_string += "CVE DETAIL: %s\n" % detail
-        if description:
-            write_string += "CVE DESCRIPTION: %s\n" % description
+        status_details = decode_cve_status(d, cve)
+        if 'detail' in status_details:
+            write_string += "CVE DETAIL: %s\n" % status_details['detail']
+        if 'description' in status_details:
+            write_string += "CVE DESCRIPTION: %s\n" % status_details['description']
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
@@ -632,11 +632,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
             "status" : status,
             "link": issue_link
         }
-        _, detail, description = decode_cve_status(d, cve)
-        if detail:
-            cve_item["detail"] = detail
-        if description:
-            cve_item["description"] = description
+        status_details = decode_cve_status(d, cve)
+        if 'detail' in status_details:
+            cve_item["detail"] = status_details['detail']
+        if 'description' in status_details:
+            cve_item["description"] = status_details['description']
         cve_list.append(cve_item)
 
     package_data["issue"] = cve_list
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 7c09b78242..767d1a6750 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -132,8 +132,8 @@ def get_patched_cves(d):
 
     # Search for additional patched CVEs
     for cve in (d.getVarFlags("CVE_STATUS") or {}):
-        decoded_status, _, _ = decode_cve_status(d, cve)
-        if decoded_status == "Patched":
+        decoded_status = decode_cve_status(d, cve)
+        if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched":
             bb.debug(2, "CVE %s is additionally patched" % cve)
             patched_cves.add(cve)
 
@@ -227,22 +227,43 @@ def convert_cve_version(version):
 
 def decode_cve_status(d, cve):
     """
-    Convert CVE_STATUS into status, detail and description.
+    Convert CVE_STATUS into status, vendor, product, detail and description.
     """
     status = d.getVarFlag("CVE_STATUS", cve)
     if not status:
-        return ("", "", "")
+        return {}
+
+    status_split = status.split(':', 5)
+    status_out = {}
+    status_out["detail"] = status_split[0]
+    product = "*"
+    vendor = "*"
+    description = ""
+    if len(status_split) >= 4 and status_split[1].strip() == "cpe":
+        # Both vendor and product are mandatory if cpe: present, the syntax is then:
+        # detail: cpe:vendor:product:description
+        vendor = status_split[2].strip()
+        product = status_split[3].strip()
+        description = status_split[4].strip()
+    elif len(status_split) >= 2 and status_split[1].strip() == "cpe":
+        # Malformed CPE
+        bb.warn('Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE' % (detail, cve, status))
+    else:
+        # Other case: no CPE, the syntax is then:
+        # detail: description
+        description = status_split[len(status_split)-1].strip() if (len(status_split) > 1) else ""
 
-    status_split = status.split(':', 1)
-    detail = status_split[0]
-    description = status_split[1].strip() if (len(status_split) > 1) else ""
+    status_out["vendor"] = vendor
+    status_out["product"] = product
+    status_out["description"] = description
 
-    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", status_out['detail'])
     if status_mapping is None:
         bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
         status_mapping = "Unpatched"
+    status_out["mapping"] = status_mapping
 
-    return (status_mapping, detail, description)
+    return status_out
 
 def extend_cve_status(d):
     # do this only once in case multiple classes use this

next             reply	other threads:[~2026-02-20  5:34 UTC|newest]

Thread overview: 38+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-02-20  5:34 Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) [this message]
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 02/34] cve_check: Update selftest with new status detail Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 03/34] cve-check: annotate CVEs during analysis Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 04/34] cve-check-map: add new statuses Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 05/34] selftest: add test_product_match Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 06/34] cve-check: remove the TEXT format support Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 07/34] cve-check-update-nvd2-native: Incremement DL_DIR database location Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 08/34] cve-check: add field "modified" to JSON report Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 09/34] cve-check: do not skip cve status description after : Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 10/34] cve-check: fix malformed cve status description with : characters Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 11/34] cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 12/34] cve-check: fix cvesInRecord Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 13/34] cve-check: Fix errors in log lines Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 14/34] cve-check: Rework patch parsing Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 15/34] meta/lib/oe/cve_check.py: fix patched_cves not updated Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 16/34] cve-check: allow feed choice Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 17/34] cve-update-db-native: restore Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 18/34] cve-update-db-native: update structure Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 19/34] cve-update-db-native: add the fkie source Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 20/34] cve-check: change the default feed Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 21/34] cve-check: fix debug message Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 22/34] spdx30: Allow VEX Justification to be configurable Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 23/34] cve-update-db-native: fix fetcher for CVEs missing nodes Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 24/34] cve-update-db-native: Use a local copy of the database during builds Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 25/34] cve-update-db-native: Handle BB_NO_NETWORK and missing db Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 26/34] cve-update-db-native: log a little more Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 27/34] cve-update: decrease update interval to 23 hours Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 28/34] cve-update: remove cleanup of db_file in downloads Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 29/34] cve-update-db-native: Fix FKIE CVE accessVector parsing Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 30/34] cve-update-db-native: FKIE CVE parsing: Use Secondary metric Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 31/34] cve-update: log timestamps and add force update for future time Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 32/34] cve-update-db-native: pycodestyle fixes Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 33/34] cve-update-nvd2-native: " Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-20  5:34 ` [openembedded-core] [scarthgap] [PATCH v1 34/34] cve-update: Avoid NFS caching issues Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-02-23  9:46 ` [OE-core] [openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS Paul Barker
2026-02-23 12:31   ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-03  9:09     ` Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco)
2026-03-05 13:13       ` Yoann Congal

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:3f4704fb4 dfblob:de5ddf6f0 dfblob:7c09b7824 dfblob:767d1a675 )
 OR (
bs:"[openembedded-core] [scarthgap] [PATCH v1 01/34] cve-check: encode affected product/vendor in CVE_STATUS" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260220053443.3006180-1-hetpat@cisco.com \
    --to=hetpat@cisco.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=vchavda@cisco.com \
    --cc=xe-linux-external@cisco.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox