* [PATCH] cve-check: Log if CVE_STATUS set but not reported for component @ 2024-02-23 21:08 simone.p.weiss 2024-02-23 21:52 ` [OE-core] " Yoann CONGAL 2024-02-24 14:28 ` Marko, Peter 0 siblings, 2 replies; 6+ messages in thread From: simone.p.weiss @ 2024-02-23 21:08 UTC (permalink / raw) To: openembedded-core; +Cc: Simone Weiß From: Simone Weiß <simone.p.weiss@posteo.com> Log if the CVE_STATUS is set for a CVE, but the cve is not reported for a component. This should hopefully help to clean up not needed CVE_STATUS settings. Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> --- meta/classes/cve-check.bbclass | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 5191d04303..b82a9e89ec 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -418,6 +418,9 @@ def check_cves(d, patched_cves): cves_status.append([product, False]) conn.close() + diff_ignore = list(set(cve_ignore) - set(cves_ignored)) + if diff_ignore: + bb.warn("Found CVE (%s) with CVE_STATUS set that is not found in database for this component" % " ".join(diff_ignore)) if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) -- 2.39.2 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component 2024-02-23 21:08 [PATCH] cve-check: Log if CVE_STATUS set but not reported for component simone.p.weiss @ 2024-02-23 21:52 ` Yoann CONGAL 2024-02-24 0:01 ` Simone Weiß 2024-02-24 14:28 ` Marko, Peter 1 sibling, 1 reply; 6+ messages in thread From: Yoann CONGAL @ 2024-02-23 21:52 UTC (permalink / raw) To: Simone Weiß; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 2142 bytes --] Le ven. 23 févr. 2024 à 22:09, Simone Weiß <simone.p.weiss@posteo.com> a écrit : > From: Simone Weiß <simone.p.weiss@posteo.com> > > Log if the CVE_STATUS is set for a CVE, but the cve is not reported for a > component. This should hopefully help to clean up not needed CVE_STATUS > settings. > Thank you for taking the time to do this :-) > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> > --- > meta/classes/cve-check.bbclass | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/classes/cve-check.bbclass > b/meta/classes/cve-check.bbclass > index 5191d04303..b82a9e89ec 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -418,6 +418,9 @@ def check_cves(d, patched_cves): > cves_status.append([product, False]) > > conn.close() > + diff_ignore = list(set(cve_ignore) - set(cves_ignored)) > + if diff_ignore: > + bb.warn("Found CVE (%s) with CVE_STATUS set that is not found in > database for this component" % " ".join(diff_ignore)) > A non-optional warning might be a bit harsh (Especially one that can come up after an independent NVD database update). How about a new element in the output of cve_check (the build/tmp/log/cve/*.{txt,json} files)? That way, someone looking for this info may find it, everyone else can (safely) ignore this. Another way I see would be to make the warning optional by using QA_WARN&co but I'm not 100% sure it can be done... Regards, if not cves_in_recipe: > bb.note("No CVE records for products in recipe %s" % (pn)) > -- > 2.39.2 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#196113): > https://lists.openembedded.org/g/openembedded-core/message/196113 > Mute This Topic: https://lists.openembedded.org/mt/104536878/4316185 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > yoann.congal@smile.fr] > -=-=-=-=-=-=-=-=-=-=-=- > > -- Yoann Congal Smile ECS - Tech expert [-- Attachment #2: Type: text/html, Size: 3753 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component 2024-02-23 21:52 ` [OE-core] " Yoann CONGAL @ 2024-02-24 0:01 ` Simone Weiß 0 siblings, 0 replies; 6+ messages in thread From: Simone Weiß @ 2024-02-24 0:01 UTC (permalink / raw) To: Yoann CONGAL, Simone Weiß; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 2493 bytes --] On Fri, 2024-02-23 at 22:52 +0100, Yoann CONGAL wrote: > Le ven. 23 févr. 2024 à 22:09, Simone Weiß <simone.p.weiss@posteo.com> a > écrit : > > From: Simone Weiß <simone.p.weiss@posteo.com> > > > > Log if the CVE_STATUS is set for a CVE, but the cve is not reported > > for a > > component. This should hopefully help to clean up not needed > > CVE_STATUS > > settings. > > > > > Thank you for taking the time to do this :-) > > > Signed-off-by: Simone Weiß <simone.p.weiss@posteo.com> > > --- > > meta/classes/cve-check.bbclass | 3 +++ > > 1 file changed, 3 insertions(+) > > > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve- > > check.bbclass > > index 5191d04303..b82a9e89ec 100644 > > --- a/meta/classes/cve-check.bbclass > > +++ b/meta/classes/cve-check.bbclass > > @@ -418,6 +418,9 @@ def check_cves(d, patched_cves): > > cves_status.append([product, False]) > > > > conn.close() > > + diff_ignore = list(set(cve_ignore) - set(cves_ignored)) > > + if diff_ignore: > > + bb.warn("Found CVE (%s) with CVE_STATUS set that is not found > > in database for this component" % " ".join(diff_ignore)) > > > > > A non-optional warning might be a bit harsh (Especially one that can > come up after an independent NVD database update). > I first had the same doubt, but then thought: hey it will only appear if cve checks are actually performed, which is not the default. And when you do that you get warnings anyway. You are right though. > How about a new element in the output of cve_check (the > build/tmp/log/cve/*.{txt,json} files)? > That way, someone looking for this info may find it, everyone else can > (safely) ignore this. > > Another way I see would be to make the warning optional by using > QA_WARN&co but I'm not 100% sure it can be done... > Good point. Sth like: oe.qa.handle_error("cve_status_not_in_db", "%s Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % (pn, " ".join(diff_ignore)), d) should work. Then the warning is only given if cve_status_not_in_db is appended to WARN_QA. I think this would be fine, also other classes besides insane.bbclass add to WARN_QA/ERROR_QA. I will check the docs and then most likely send v2. Cheers Simone > Regards, > > > if not cves_in_recipe: > > bb.note("No CVE records for products in recipe %s" % (pn)) [-- Attachment #2: Type: text/html, Size: 4001 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component 2024-02-23 21:08 [PATCH] cve-check: Log if CVE_STATUS set but not reported for component simone.p.weiss 2024-02-23 21:52 ` [OE-core] " Yoann CONGAL @ 2024-02-24 14:28 ` Marko, Peter 2024-02-24 15:41 ` Simone Weiß 2024-02-24 15:53 ` Richard Purdie 1 sibling, 2 replies; 6+ messages in thread From: Marko, Peter @ 2024-02-24 14:28 UTC (permalink / raw) To: simone.p.weiss@posteo.com, openembedded-core@lists.openembedded.org Hello, This change looks like the right way forward, but it will need two things first: * dissolve cve-extra-exclusions.inc into recipes, as every exclusion in that file will generate a warning in all components except the one for which the exclusion actually is meant * create a (per-recipe) variable to disable it, especially for kernels where we have auto-generated exclusion lists which do not match NVD DB state Best Regards, Peter ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component 2024-02-24 14:28 ` Marko, Peter @ 2024-02-24 15:41 ` Simone Weiß 2024-02-24 15:53 ` Richard Purdie 1 sibling, 0 replies; 6+ messages in thread From: Simone Weiß @ 2024-02-24 15:41 UTC (permalink / raw) To: peter.marko, simone.p.weiss@posteo.com, openembedded-core@lists.openembedded.org On Sat, 2024-02-24 at 14:28 +0000, Peter Marko via lists.openembedded.org wrote: > Hello, > > This change looks like the right way forward, but it will need two > things first: > * dissolve cve-extra-exclusions.inc into recipes, as every exclusion in > that file will generate a warning in all components except the one for > which the exclusion actually is meant > * create a (per-recipe) variable to disable it, especially for kernels > where we have auto-generated exclusion lists which do not match NVD DB > state Hi, this is disabled per default, so I think those points are not to pressing. Cheers, Simone > > Best Regards, > Peter > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#196131): > https://lists.openembedded.org/g/openembedded-core/message/196131 > Mute This Topic: https://lists.openembedded.org/mt/104536878/8052774 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: > https://lists.openembedded.org/g/openembedded-core/unsub [simone.p.weiss@posteo.com > ] > -=-=-=-=-=-=-=-=-=-=-=- > ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [OE-core] [PATCH] cve-check: Log if CVE_STATUS set but not reported for component 2024-02-24 14:28 ` Marko, Peter 2024-02-24 15:41 ` Simone Weiß @ 2024-02-24 15:53 ` Richard Purdie 1 sibling, 0 replies; 6+ messages in thread From: Richard Purdie @ 2024-02-24 15:53 UTC (permalink / raw) To: peter.marko, simone.p.weiss@posteo.com, openembedded-core@lists.openembedded.org On Sat, 2024-02-24 at 14:28 +0000, Peter Marko via lists.openembedded.org wrote: > Hello, > > This change looks like the right way forward, but it will need two > things first: > * dissolve cve-extra-exclusions.inc into recipes, as every exclusion > in that file will generate a warning in all components except the one > for which the exclusion actually is meant > * create a (per-recipe) variable to disable it, especially for > kernels where we have auto-generated exclusion lists which do not > match NVD DB state WARN_QA:remove:pn-XXXX = "YYYY" is possible with the version which was switched to use the central QA function. Cheers, Richard ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2024-02-24 15:53 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2024-02-23 21:08 [PATCH] cve-check: Log if CVE_STATUS set but not reported for component simone.p.weiss 2024-02-23 21:52 ` [OE-core] " Yoann CONGAL 2024-02-24 0:01 ` Simone Weiß 2024-02-24 14:28 ` Marko, Peter 2024-02-24 15:41 ` Simone Weiß 2024-02-24 15:53 ` Richard Purdie
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox