[PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[simone.p.weiss]

From: Simone Weiß <simone.p.weiss@posteo.com>

Log if the CVE_STATUS is set for a CVE, but the cve is not reported for a
component. This should hopefully help to clean up not needed CVE_STATUS
settings. 

Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
---
 meta/classes/cve-check.bbclass | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 5191d04303..b82a9e89ec 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
             cves_status.append([product, False])
 
     conn.close()
+    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
+    if diff_ignore:
+        bb.warn("Found CVE (%s) with CVE_STATUS set that is not found in database for this component" % " ".join(diff_ignore))
 
     if not cves_in_recipe:
         bb.note("No CVE records for products in recipe %s" % (pn))
-- 
2.39.2

Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[Yoann CONGAL]

[-- Attachment #1: Type: text/plain, Size: 2142 bytes --]

Le ven. 23 févr. 2024 à 22:09, Simone Weiß <simone.p.weiss@posteo.com> a
écrit :

> From: Simone Weiß <simone.p.weiss@posteo.com>
>
> Log if the CVE_STATUS is set for a CVE, but the cve is not reported for a
> component. This should hopefully help to clean up not needed CVE_STATUS
> settings.
>

Thank you for taking the time to do this :-)


> Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> ---
>  meta/classes/cve-check.bbclass | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/classes/cve-check.bbclass
> b/meta/classes/cve-check.bbclass
> index 5191d04303..b82a9e89ec 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
>              cves_status.append([product, False])
>
>      conn.close()
> +    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
> +    if diff_ignore:
> +        bb.warn("Found CVE (%s) with CVE_STATUS set that is not found in
> database for this component" % " ".join(diff_ignore))
>

A non-optional warning might be a bit harsh (Especially one that can come
up after an independent NVD database update).

How about a new element in the output of cve_check (the
build/tmp/log/cve/*.{txt,json} files)?
That way, someone looking for this info may find it, everyone else can
(safely) ignore this.

Another way I see would be to make the warning optional by using QA_WARN&co
but I'm not 100% sure it can be done...

Regards,

     if not cves_in_recipe:
>          bb.note("No CVE records for products in recipe %s" % (pn))
> --
> 2.39.2
>
>
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#196113):
> https://lists.openembedded.org/g/openembedded-core/message/196113
> Mute This Topic: https://lists.openembedded.org/mt/104536878/4316185
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [
> yoann.congal@smile.fr]
> -=-=-=-=-=-=-=-=-=-=-=-
>
>

-- 
Yoann Congal
Smile ECS - Tech expert

[-- Attachment #2: Type: text/html, Size: 3753 bytes --]

Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[Simone Weiß]

[-- Attachment #1: Type: text/plain, Size: 2493 bytes --]

On Fri, 2024-02-23 at 22:52 +0100, Yoann CONGAL wrote:
> Le ven. 23 févr. 2024 à 22:09, Simone Weiß <simone.p.weiss@posteo.com> a
> écrit :
> > From: Simone Weiß <simone.p.weiss@posteo.com>
> > 
> > Log if the CVE_STATUS is set for a CVE, but the cve is not reported
> > for a
> > component. This should hopefully help to clean up not needed
> > CVE_STATUS
> > settings. 
> > 
> 
> 
> Thank you for taking the time to do this :-)
>  
> > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com>
> > ---
> >  meta/classes/cve-check.bbclass | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > check.bbclass
> > index 5191d04303..b82a9e89ec 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
> >              cves_status.append([product, False])
> > 
> >      conn.close()
> > +    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
> > +    if diff_ignore:
> > +        bb.warn("Found CVE (%s) with CVE_STATUS set that is not found
> > in database for this component" % " ".join(diff_ignore))
> > 
> 
> 
> A non-optional warning might be a bit harsh (Especially one that can
> come up after an independent NVD database update).
> 
I first had the same doubt, but then thought: hey it will only appear if
cve checks are actually performed, which is not the default.
And when you do that you get warnings anyway. You are right though.
> How about a new element in the output of cve_check (the
> build/tmp/log/cve/*.{txt,json} files)?
> That way, someone looking for this info may find it, everyone else can
> (safely) ignore this.
> 
> Another way I see would be to make the warning optional by using
> QA_WARN&co but I'm not 100% sure it can be done...
> 
Good point. Sth like:

oe.qa.handle_error("cve_status_not_in_db", "%s Found CVE (%s) with
CVE_STATUS set that are not found in database for this component" % (pn, "
".join(diff_ignore)), d)

should work.
Then the warning is only given if cve_status_not_in_db is appended to
WARN_QA. I think this would be fine, also other classes besides
insane.bbclass add to WARN_QA/ERROR_QA. I will check the docs and then
most likely send v2.

Cheers
Simone
> Regards,
> 
> >      if not cves_in_recipe:
> >          bb.note("No CVE records for products in recipe %s" % (pn))


[-- Attachment #2: Type: text/html, Size: 4001 bytes --]

RE: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[Marko, Peter]

Hello,

This change looks like the right way forward, but it will need two things first:
* dissolve cve-extra-exclusions.inc into recipes, as every exclusion in that file will generate a warning in all components except the one for which the exclusion actually is meant
* create a (per-recipe) variable to disable it, especially for kernels where we have auto-generated exclusion lists which do not match NVD DB state

Best Regards,
  Peter

Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[Simone Weiß]

On Sat, 2024-02-24 at 14:28 +0000, Peter Marko via lists.openembedded.org
wrote:
> Hello,
> 
> This change looks like the right way forward, but it will need two
> things first:
> * dissolve cve-extra-exclusions.inc into recipes, as every exclusion in
> that file will generate a warning in all components except the one for
> which the exclusion actually is meant
> * create a (per-recipe) variable to disable it, especially for kernels
> where we have auto-generated exclusion lists which do not match NVD DB
> state
Hi,
this is disabled per default, so I think those points are not to pressing.

Cheers,
Simone
> 
> Best Regards,
>   Peter
> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#196131):
> https://lists.openembedded.org/g/openembedded-core/message/196131
> Mute This Topic: https://lists.openembedded.org/mt/104536878/8052774
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe:
> https://lists.openembedded.org/g/openembedded-core/unsub [simone.p.weiss@posteo.com
> ]
> -=-=-=-=-=-=-=-=-=-=-=-
> 

Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component

[Richard Purdie]

On Sat, 2024-02-24 at 14:28 +0000, Peter Marko via
lists.openembedded.org wrote:
> Hello,
> 
> This change looks like the right way forward, but it will need two
> things first:
> * dissolve cve-extra-exclusions.inc into recipes, as every exclusion
> in that file will generate a warning in all components except the one
> for which the exclusion actually is meant
> * create a (per-recipe) variable to disable it, especially for
> kernels where we have auto-generated exclusion lists which do not
> match NVD DB state

WARN_QA:remove:pn-XXXX = "YYYY"

is possible with the version which was switched to use the central QA
function.

Cheers,

Richard