From: Richard Purdie <richard.purdie@linuxfoundation.org>
To: Marta Rybczynska <rybczynska@gmail.com>
Cc: Ross Burton <Ross.Burton@arm.com>,
"openembedded-core@lists.openembedded.org"
<openembedded-core@lists.openembedded.org>,
Marta Rybczynska <marta.rybczynska@syslinbit.com>
Subject: Re: [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice
Date: Thu, 01 Aug 2024 15:08:20 +0100 [thread overview]
Message-ID: <9d33f694d08c91ef31c49c0c549f17d272358476.camel@linuxfoundation.org> (raw)
In-Reply-To: <CAApg2=QPTmm6Y-r-oWS2PfP-DZ-t1NRfm7rKqcBnuFmkXRdC2w@mail.gmail.com>
On Thu, 2024-08-01 at 15:58 +0200, Marta Rybczynska wrote:
> On Thu, Aug 1, 2024 at 3:47 PM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:
> > On Fri, 2024-07-26 at 14:28 +0200, Marta Rybczynska via
> > lists.openembedded.org wrote:
> > > On Fri, Jul 26, 2024 at 2:24 PM Ross Burton <Ross.Burton@arm.com>
> > > wrote:
> > > > On 24 Jul 2024, at 16:25, Marta Rybczynska via
> > > > lists.openembedded.org
> > > > <rybczynska=gmail.com@lists.openembedded.org> wrote:
> > > > >
> > > > > This file contains CVE_STATUS without machine-readable
> > > > > information on which
> > > > > recipe it applies to. All entries should be verified and, if
> > > > > appropriate,
> > > > > moved to their corresponding recipes.
> > > >
> > > > The point of this file was to be an opt-in for more exclusions
> > > > where we didn’t feel 100% confident asserting the issues could be
> > > > ignored.
> > > >
> > > > How much of a problem is it if this file contains a a limited
> > > > number of CVEs? We can review what is in there and move/remove as
> > > > needed to cut it down.
> > >
> > > With the vex class (and with SPDX too, I think) they end up copied
> > > present in every single package of the build. This brings enormous
> > > confusion.
> > > Impossible to filter them out as there is no information about the
> > > affected recipe/package.
> >
> > Difficult, yes, impossible, no.
> >
> > Surely we know which recipes a given CVE apply to?
>
> Without having the CVE data at the same time, no.
I thought we had the CVE data?
> Also, a CVE might apply to multiple
> recipes at the same time - and this could be dangerous. Imagine a situation where
> the CPE is incorrect and is pointing to the wrong package. It gets added to .inc.
> But then someone in their layer adds the package the CVE really applies to...
We can't cover every possible scenario and if the data is wrong, we
identify and fix it.
> If we keep the .inc file, I think the most correct way would be to add a field marking
> which recipe it should be applied to.
>
> What do you think?
How do we mark up a CVE as applying to gcc-cross-*/gcc-cross-canadian-
*/gcc-runtime/libgcc and so on?
How do we convert "bash" to "nativesdk-bash" and "bash-native"?
There are ways we could do such markup but I don't think it is going to
work well.
I guess the key question is what we're trying to achieve and where
we're expecting the data to be processed?
Could we write a common exclusion file out once as part of the CVE
fetch recipe and avoid putting it into the individual recipe output?
Cheers,
Richard
next prev parent reply other threads:[~2024-08-01 14:08 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-24 15:25 [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 2/5] cve_check: Update selftest with new status detail Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 3/5] vex.bbclass: add a new class Marta Rybczynska
2024-07-26 12:09 ` Ross Burton
2024-07-26 12:12 ` Ross Burton
2024-07-26 12:23 ` Marta Rybczynska
2024-07-26 12:22 ` Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 4/5] cve-check-map: add new statuses Marta Rybczynska
2024-07-24 15:25 ` [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice Marta Rybczynska
2024-07-26 12:23 ` Ross Burton
2024-07-26 12:28 ` Marta Rybczynska
2024-08-01 13:47 ` Richard Purdie
2024-08-01 13:58 ` Marta Rybczynska
2024-08-01 14:08 ` Richard Purdie [this message]
2024-08-06 13:16 ` Marta Rybczynska
2024-08-06 13:30 ` Richard Purdie
2024-07-24 15:41 ` Patchtest results for [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis patchtest
2024-07-25 14:29 ` Richard Purdie
[not found] ` <399979010dfd02323f49cbd25b95f606@syslinbit.com>
2024-07-25 15:27 ` Richard Purdie
2024-07-26 13:02 ` Marta Rybczynska
2024-08-01 14:25 ` Richard Purdie
2024-08-02 12:50 ` Marta Rybczynska
2024-08-02 13:00 ` Richard Purdie
2024-08-01 13:44 ` Richard Purdie
2024-08-01 14:14 ` Marko, Peter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9d33f694d08c91ef31c49c0c549f17d272358476.camel@linuxfoundation.org \
--to=richard.purdie@linuxfoundation.org \
--cc=Ross.Burton@arm.com \
--cc=marta.rybczynska@syslinbit.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=rybczynska@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox