From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: rybczynska@gmail.com, openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@syslinbit.com>,
Samantha Jalabert <samantha.jalabert@syslinbit.com>
Subject: Re: [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis
Date: Thu, 01 Aug 2024 14:44:43 +0100 [thread overview]
Message-ID: <63e1661173a1ee8e65538cd330f614a91719b2bf.camel@linuxfoundation.org> (raw)
In-Reply-To: <20240724152530.25856-1-marta.rybczynska@syslinbit.com>
On Wed, 2024-07-24 at 17:25 +0200, Marta Rybczynska via lists.openembedded.org wrote:
> Add status information for each CVE under analysis.
>
> Previously the information passed between different function of the
> cve-check class included only tables of patched, unpatched, ignored
> vulnerabilities and the general status of the recipe.
>
> The VEX work requires more information, and we need to pass them
> between different functions, so that it can be enriched as the
> analysis progresses. Instead of multiple tables, use a single one
> with annotations for each CVE encountered. For example, a patched
> CVE will have:
>
> {"abbrev-status": "Patched", "status": "version-not-in-range"}
>
> abbrev-status contains the general status (Patched, Unpatched,
> Ignored and Unknown that will be added in the VEX code)
> status contains more detailed information that can come from
> CVE_STATUS and the analysis.
>
> Additional fields of the annotation include for example the name
> of the patch file fixing a given CVE.
>
> The side-effect of this change is that all entries from CVE_STATUS
> are available in the result file. That includes entries from
> the optional file cve-extra-exclusions.inc even if they might have
> no link with the recipe (apply to a different package). This will
> be fixed by moving all entries from that file to appropriate recipes.
>
> From now on, CVE_STATUS should be added directly in the recipe file
> or in include files added only to affected recipes.
Sorry about the delay in getting to this. Initially I thought things
were ok but now I understand what is happening here, I'm afraid I have
concerns.
A fundamental property of what we're offering that we can use a common
include file to inject CVE_STATUS entries for recipes. Whilst I can
understand some of the concerns about the existing .inc file, we are
never going to be in a position where all users agree on exactly what
we should do with all CVEs.
The alternative is requiring a bbappend per recipe every time some
distro/company wants to add an entry and this is clearly not a good
solution.
I'm afraid I'm therefore very much against mandating that CVE_STATUS
entries should be against individual recipes. We need to find a
different solution rather than requiring that. We can likely sort the
file in core but not in other people's layers.
Cheers,
Richard
next prev parent reply other threads:[~2024-08-01 13:44 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 15:25 [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 2/5] cve_check: Update selftest with new status detail Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 3/5] vex.bbclass: add a new class Marta Rybczynska
2024-07-26 12:09 ` Ross Burton
2024-07-26 12:12 ` Ross Burton
2024-07-26 12:23 ` Marta Rybczynska
2024-07-26 12:22 ` Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 4/5] cve-check-map: add new statuses Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice Marta Rybczynska
2024-07-26 12:23 ` Ross Burton
2024-07-26 12:28 ` Marta Rybczynska
2024-08-01 13:47 ` Richard Purdie
2024-08-01 13:58 ` Marta Rybczynska
2024-08-01 14:08 ` Richard Purdie
2024-08-06 13:16 ` Marta Rybczynska
2024-08-06 13:30 ` Richard Purdie
2024-07-24 15:41 ` Patchtest results for [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis patchtest
2024-07-25 14:29 ` Richard Purdie
[not found] ` <399979010dfd02323f49cbd25b95f606@syslinbit.com>
2024-07-25 15:27 ` Richard Purdie
2024-07-26 13:02 ` Marta Rybczynska
2024-08-01 14:25 ` Richard Purdie
2024-08-02 12:50 ` Marta Rybczynska
2024-08-02 13:00 ` Richard Purdie
2024-08-01 13:44 ` Richard Purdie [this message]
2024-08-01 14:14 ` Marko, Peter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=63e1661173a1ee8e65538cd330f614a91719b2bf.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=marta.rybczynska@syslinbit.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=rybczynska@gmail.com \
--cc=samantha.jalabert@syslinbit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox