From: Ross Burton <Ross.Burton@arm.com>
To: "andrej.valek@siemens.com" <andrej.valek@siemens.com>
Cc: "openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
Peter Marko <peter.marko@siemens.com>
Subject: Re: [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs
Date: Fri, 23 Jun 2023 10:02:49 +0000 [thread overview]
Message-ID: <94754800-87B8-4051-89B2-B10546BCF342@arm.com> (raw)
In-Reply-To: <20230622120009.28939-2-andrej.valek@siemens.com>
On 22 Jun 2023, at 13:00, Andrej Valek via lists.openembedded.org <andrej.valek=siemens.com@lists.openembedded.org> wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
> The CVE_STATUS should contain an information about status wich
> is decoded in 3 items:
> - generic status: "Ignored", "Patched" or "Unpatched"
> - more detailed status enum
> - description: free text describing reason for status
I think this needs to be clearer about what the intended use of the keywords are.
Is the canonical data the CVE_STATUS[CVE-1234-5678] attribute, and the mapping from the status there via CVE_CHECK_STATUSMAP simply for backwards compatibility with the existing file format? Is this deprecating the status fields in those files or is it just a high-level summary? Either way, that should be made clear.
> +# Possible options for CVE statuses
> +
> +# used by this class internally when fix is detected (NVD DB version check or CVE patch file)
> +CVE_CHECK_STATUSMAP[patched] = "Patched"
> +# use when this class does not detect backported patch (e.g. vendor kernel repo with cherry-picked CVE patch)
> +CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
> +# use when NVD DB does not mention patched versions of stable/LTS branches which have upstream CVE backports
> +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
> +# use when NVD DB does not mention correct version or does not mention any verion at all
> +CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
It bothers me that some of these status flags are working around the fact that the CPE is incorrect, when that CPE data can be fixed. Instead of setting fixed-version, we can just mail NIST and fix the CPE.
> +# used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored
> +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> +# use when CVE is confirmed by upstream but fix is still not available
> +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> +
> +# used for migration from old concept, do not use for new vulnerabilities
> +CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> +# use when NVD DB wrongly indicates vulnerability which is actually for a different component
> +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
> +# use when upstream does not accept the report as a vulnerability (e.g. works as designed)
> +CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> +# use when vulnerability depends on build or runtime configuration which is not used
> +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> +# use when vulnerability affects other platform (e.g. Windows or Debian)
> +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
> +# use when upstream acknowledged the vulnerability but does not plan to fix it
> +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
Is this any different to ‘disputed’?
Do we expect to add a lot more statuses to this table, or for users to add their own values? It feels like maybe this should be a dict in lib/oe/cve_check.py instead of exposed in the data store.
> + # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
> + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> + cve_group = d.getVar(cve_status_group)
> + if cve_group is not None:
> + for cve in cve_group.split():
> + d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
> + else:
> + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
> +}
CVE_STATUS_GROUPS isn’t documented in the class or the commit message.
next prev parent reply other threads:[~2023-06-23 10:03 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36 ` Valek, Andrej
2023-05-05 11:59 ` Richard Purdie
2023-05-08 8:57 ` adrian.freihofer
2023-05-09 9:02 ` Ross Burton
2023-05-09 9:16 ` Richard Purdie
2023-05-09 9:32 ` Mikko Rapeli
2023-05-09 21:37 ` Douglas Royds
2023-05-10 6:56 ` Mikko Rapeli
2023-05-09 8:19 ` Michael Opdenacker
2023-05-17 5:41 ` [OE-core][PATCH v2] " Andrej Valek
2023-05-17 11:08 ` Mikko Rapeli
2023-05-19 6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19 6:56 ` Mikko Rapeli
2023-05-19 7:44 ` Michael Opdenacker
2023-05-19 13:11 ` Marta Rybczynska
2023-05-20 7:43 ` Valek, Andrej
2023-05-22 7:57 ` Mikko Rapeli
2023-05-23 8:41 ` Valek, Andrej
2023-05-29 7:32 ` Valek, Andrej
2023-05-30 10:12 ` Richard Purdie
2023-06-02 21:10 ` adrian.freihofer
2023-06-02 21:27 ` Richard Purdie
2023-06-04 9:59 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 7:52 ` Richard Purdie
2023-05-19 6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19 6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19 9:17 ` Mikko Rapeli
2023-05-19 13:09 ` Michael Opdenacker
2023-05-19 13:19 ` Valek, Andrej
2023-05-23 11:39 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57 ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57 ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47 ` Richard Purdie
2023-06-12 11:57 ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01 ` Valek, Andrej
2023-06-12 11:59 ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15 ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21 5:07 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21 6:48 ` [PATCH " Siddharth
2023-06-21 7:55 ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15 ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42 ` Luca Ceresoli
2023-06-22 13:50 ` Valek, Andrej
2023-06-22 13:55 ` Luca Ceresoli
2023-06-22 13:59 ` Valek, Andrej
2023-06-22 14:07 ` Valek, Andrej
2023-06-22 16:24 ` Luca Ceresoli
2023-06-22 6:59 ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 6:59 ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02 ` Ross Burton [this message]
2023-06-23 11:22 ` Valek, Andrej
2023-06-22 12:00 ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00 ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26 ` Valek, Andrej
2023-07-19 10:54 ` Richard Purdie
2023-07-19 11:16 ` Ross Burton
2023-07-19 12:03 ` Valek, Andrej
2023-07-20 16:41 ` Marta Rybczynska
2023-06-23 11:14 ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14 ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20 7:19 ` [OE-core][PATCH] " Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19 8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=94754800-87B8-4051-89B2-B10546BCF342@arm.com \
--to=ross.burton@arm.com \
--cc=andrej.valek@siemens.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=peter.marko@siemens.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox