Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

["Simone Weiß" <simone.p.weiss@posteo.com>]

[-- Attachment #1: Type: text/plain, Size: 2493 bytes --]

On Fri, 2024-02-23 at 22:52 +0100, Yoann CONGAL wrote:
> Le ven. 23 févr. 2024 à 22:09, Simone Weiß <simone.p.weiss@posteo.com> a
> écrit :
> > From: Simone Weiß <simone.p.weiss@posteo.com>
> > 
> > Log if the CVE_STATUS is set for a CVE, but the cve is not reported
> > for a
> > component. This should hopefully help to clean up not needed
> > CVE_STATUS
> > settings. 
> > 
> 
> 
> Thank you for taking the time to do this :-)
>  
> > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> > ---
> >  meta/classes/cve-check.bbclass | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > check.bbclass
> > index 5191d04303..b82a9e89ec 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
> >              cves_status.append([product, False])
> > 
> >      conn.close()
> > +    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
> > +    if diff_ignore:
> > +        bb.warn("Found CVE (%s) with CVE_STATUS set that is not found
> > in database for this component" % " ".join(diff_ignore))
> > 
> 
> 
> A non-optional warning might be a bit harsh (Especially one that can
> come up after an independent NVD database update).
> 
I first had the same doubt, but then thought: hey it will only appear if
cve checks are actually performed, which is not the default.
And when you do that you get warnings anyway. You are right though.
> How about a new element in the output of cve_check (the
> build/tmp/log/cve/*.{txt,json} files)?
> That way, someone looking for this info may find it, everyone else can
> (safely) ignore this.
> 
> Another way I see would be to make the warning optional by using
> QA_WARN&co but I'm not 100% sure it can be done...
> 
Good point. Sth like:

oe.qa.handle_error("cve_status_not_in_db", "%s Found CVE (%s) with
CVE_STATUS set that are not found in database for this component" % (pn, "
".join(diff_ignore)), d)

should work.
Then the warning is only given if cve_status_not_in_db is appended to
WARN_QA. I think this would be fine, also other classes besides
insane.bbclass add to WARN_QA/ERROR_QA. I will check the docs and then
most likely send v2.

Cheers
Simone
> Regards,
> 
> >      if not cves_in_recipe:
> >          bb.note("No CVE records for products in recipe %s" % (pn))


[-- Attachment #2: Type: text/html, Size: 4001 bytes --]