From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 2DE62C54798 for ; Sat, 24 Feb 2024 00:01:49 +0000 (UTC) Received: from mout01.posteo.de (mout01.posteo.de [185.67.36.65]) by mx.groups.io with SMTP id smtpd.web11.9881.1708732903754840840 for ; Fri, 23 Feb 2024 16:01:44 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=@posteo.com header.s=2017 header.b=PnDNXn1M; spf=pass (domain: posteo.com, ip: 185.67.36.65, mailfrom: simone.p.weiss@posteo.com) Received: from submission (posteo.de [185.67.36.169]) by mout01.posteo.de (Postfix) with ESMTPS id 3F182240027 for ; Sat, 24 Feb 2024 01:01:40 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=posteo.com; s=2017; t=1708732901; bh=yF9EbWOCCb25+jLA3EEkVtEIB4r71qKoz6W+WApeUNE=; h=Message-ID:Subject:From:To:Cc:Date:Content-Type:MIME-Version: From; b=PnDNXn1MTPQOakNxM1v4p9K+7LrS92tlx29RaGx3MfciYqlBgo8KasrjnTOqzfwnB bhhOkjGu9Yz8YNm4uyTkSi+I/itYruxdW8n1hLf7Hg3afdRmyr+9jrp4YML1EeUeD6 zTrGLmaKfGVARE2T97v6aJmA+CIvy4Ibqr/kIhykjcyvlqb3ak+gcF/Pgp4ivN3EJy oB22CeZ9MhG2pbqeyyWWjwccKRCZTZJHihit5YYSKsgJ0ydLTLmyWN4BbMkrXEjjxg A8IeToWMFR2ZKcNf3ln5hrzba9w3DP9SljFE5cJO/FSNHlMMUWvIGVjGiLhKF/LInQ 6pA8wRtON4laA== Received: from customer (localhost [127.0.0.1]) by submission (posteo.de) with ESMTPSA id 4ThRr40420z9rxM; Sat, 24 Feb 2024 01:01:39 +0100 (CET) Message-ID: <404a832329edbb499202500f2782bd115391a575.camel@posteo.net> Subject: Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component From: Simone =?ISO-8859-1?Q?Wei=DF?= To: Yoann CONGAL , Simone =?ISO-8859-1?Q?Wei=DF?= Cc: openembedded-core@lists.openembedded.org Date: Sat, 24 Feb 2024 00:01:39 +0000 In-Reply-To: References: <20240223210848.21731-1-simone.p.weiss@posteo.com> Content-Type: multipart/alternative; boundary="=-iYRrVHTRuVlGnCwC1lzG" MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Sat, 24 Feb 2024 00:01:49 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/196118 --=-iYRrVHTRuVlGnCwC1lzG Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, 2024-02-23 at 22:52 +0100, Yoann CONGAL wrote: > Le=C2=A0ven. 23 f=C3=A9vr. 2024 =C3=A0=C2=A022:09, Simone Wei=C3=9F a > =C3=A9crit=C2=A0: > > From: Simone Wei=C3=9F > >=20 > > Log if the CVE_STATUS is set for a CVE, but the cve is not reported > > for a > > component. This should hopefully help to clean up not needed > > CVE_STATUS > > settings.=20 > >=20 >=20 >=20 > Thank you for taking the time to do this :-) > =C2=A0 > > Signed-off-by: Simone Wei=C3=9F > > --- > > =C2=A0meta/classes/cve-check.bbclass | 3 +++ > > =C2=A01 file changed, 3 insertions(+) > >=20 > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve- > > check.bbclass > > index 5191d04303..b82a9e89ec 100644 > > --- a/meta/classes/cve-check.bbclass > > +++ b/meta/classes/cve-check.bbclass > > @@ -418,6 +418,9 @@ def check_cves(d, patched_cves): > > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0cves_status.append([pro= duct, False]) > >=20 > > =C2=A0 =C2=A0 =C2=A0conn.close() > > +=C2=A0 =C2=A0 diff_ignore =3D list(set(cve_ignore) - set(cves_ignored)= ) > > +=C2=A0 =C2=A0 if diff_ignore: > > +=C2=A0 =C2=A0 =C2=A0 =C2=A0 bb.warn("Found CVE (%s) with CVE_STATUS se= t that is not found > > in database for this component" % " ".join(diff_ignore)) > >=20 >=20 >=20 > A non-optional warning might be a bit harsh (Especially one that can > come up after an independent NVD database update). >=20 I first had the same doubt, but then thought: hey it will only appear if cve checks are actually performed, which is not the default. And when you do that you get warnings anyway. You are right though. > How about a new element in the output of cve_check (the > build/tmp/log/cve/*.{txt,json} files)? > That way, someone looking for this info may find it, everyone else can > (safely) ignore this. >=20 > Another way I see would be to make the warning optional by using > QA_WARN&co but I'm not 100% sure it can be done... >=20 Good point. Sth like: oe.qa.handle_error("cve_status_not_in_db", "%s Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % (pn, " ".join(diff_ignore)), d) should work. Then the warning is only given if=C2=A0cve_status_not_in_db is appended to WARN_QA. I think this would be fine, also other classes besides insane.bbclass add to WARN_QA/ERROR_QA. I will check the docs and then most likely send v2. Cheers Simone > Regards, >=20 > > =C2=A0 =C2=A0 =C2=A0if not cves_in_recipe: > > =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0bb.note("No CVE records for products = in recipe %s" % (pn)) --=-iYRrVHTRuVlGnCwC1lzG Content-Type: text/html; charset="utf-8" Content-Transfer-Encoding: quoted-printable
On Fri, 2024-02-23 at 22:52 +0100, Yoann CONG= AL wrote:
Le ven. 23 f=C3=A9vr. 2024 =C3=A0 22:09, Simone Wei=C3=9F <simone.p.weiss@posteo.com>= ; a =C3=A9crit :
From: Simone Wei=C3=9F <simone.p.weiss@posteo.com>
<= br>Log if the CVE_STATUS is set for a CVE, but the cve is not reported for = a
component. This should hopefully help to clean up not needed CVE_STATU= S
settings.


Thank you for= taking the time to do this :-)
 
Signed-off-by: Simone Wei=C3=9F <simone.p.weiss@posteo.com>---
 meta/classes/cve-check.bbclass | 3 +++
 1 file chang= ed, 3 insertions(+)

diff --git a/meta/classes/cve-check.b= bclass b/meta/classes/cve-check.bbclass
index 5191d04303..b82a9e89ec 100= 644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check= .bbclass
@@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
  =            cves_status.append([product, False= ])

     conn.close()
+    dif= f_ignore =3D list(set(cve_ignore) - set(cves_ignored))
+    if= diff_ignore:
+        bb.warn("Found CVE (%s) with = CVE_STATUS set that is not found in database for this component" % " ".join= (diff_ignore))


A non-optional= warning might be a bit harsh (Especially one that can come up after an ind= ependent NVD database update).

I first had the same doubt, but then thought: hey it will only appear= if cve checks are actually performed, which is not the default.
= And when you do that you get warnings anyway. You are right though.
H= ow about a new element in the output of cve_check (the build/tmp/log/cve/*.= {txt,json} files)?
That way, someone looking for this info may fi= nd it, everyone else can (safely) ignore this.

Another way I see would be to make the warning optional by using QA_WARN&a= mp;co but I'm not 100% sure it can be done...

Good point. Sth like:

oe.qa.h= andle_error("cve_status_not_in_db", "%s Found CVE (%s) with CVE_STATUS set = that are not found in database for this component" % (pn, " ".join(diff_ign= ore)), d)

should work.
Then the warning = is only given if cve_status_no= t_in_db is appended to WARN_QA. I think this would be fine, also other clas= ses besides
insane.bbclass add to WARN_QA/ERROR_QA. I will= check the docs and then most likely send v2.

Chee= rs
Simone
Regards,

     if not cves_in_recipe:
    &nb= sp;    bb.note("No CVE records for products in recipe %s" % (pn))=

<= /span>
--=-iYRrVHTRuVlGnCwC1lzG--