Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

public inbox for openembedded-core@lists.openembedded.org
 help / color / mirror / Atom feed

From: Michael Opdenacker <michael.opdenacker@bootlin.com>
To: andrej.valek@siemens.com, openembedded-core@lists.openembedded.org
Cc: mikko.rapeli@linaro.org, Peter Marko <peter.marko@siemens.com>
Subject: Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs
Date: Fri, 19 May 2023 09:44:30 +0200	[thread overview]
Message-ID: <f04650dc-e504-e146-2845-e7cbeed5c547@bootlin.com> (raw)
In-Reply-To: <20230519062420.37015-1-andrej.valek@siemens.com>

Hi Andrej

On 19.05.23 at 08:24, Andrej Valek via lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> more flexible. CVE_STATUS should contain flag for each CVE with accepted
> values "Ignored", "Not applicable" or "Patched". It allows to add
> a status for each CVEs.
> - Optional CVE_STATUS_REASONING flag variable may contain a reason
> why the CVE status was used. It will be added in csv/json report like
> a new "reason" entry.
> - Settings the same status and reason for multiple CVEs is possible
> via CVE_STATUS_GROUPS variable.
> - All listed CVEs in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" like a fallback.
>
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
> CVE_STATUS[CVE-1234-0002] = "Not applicable"
> CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
>
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Not applicable"
> CVE_STATUS_WIN[reason] = "Issue only applies on Windows"
>
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_PATCHED[reason] = "Fixed externally"
>
> Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>   documentation/dev-manual/new-recipe.rst      |  4 +-
>   documentation/dev-manual/vulnerabilities.rst | 11 ++---
>   documentation/ref-manual/classes.rst         |  9 ++--
>   documentation/ref-manual/variables.rst       | 33 ++++++++++++---
>   meta/classes/cve-check.bbclass               | 44 +++++++++++++++++---
>   meta/lib/oe/cve_check.py                     |  6 +++
>   6 files changed, 87 insertions(+), 20 deletions(-)

Many thanks for the patch and for the documentation changes too !
However, could you send the documentation changes separately, using the 
yocto-docs repository as a reference, and sending them to the 
docs@lists.yoctoproject.org mailing list?

You seem to have produced your patches against "poky", but that's a 
repository aggregating stuff from other repositories. Your code changes 
should be for the "openembedded-core" repository.

Another advantage is that we can merge the documentation changes only 
when the code changes are accepted.

Thanks in advance
Cheers
Michael.

-- 
Michael Opdenacker, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

next prev parent reply	other threads:[~2023-05-19  7:44 UTC|newest]

Thread overview: 73+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-05 11:18 [OE-core][PATCH] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-05 11:30 ` Richard Purdie
2023-05-05 11:36   ` Valek, Andrej
2023-05-05 11:59     ` Richard Purdie
2023-05-08  8:57       ` adrian.freihofer
2023-05-09  9:02         ` Ross Burton
2023-05-09  9:16           ` Richard Purdie
2023-05-09  9:32           ` Mikko Rapeli
2023-05-09 21:37             ` Douglas Royds
2023-05-10  6:56               ` Mikko Rapeli
2023-05-09  8:19 ` Michael Opdenacker
2023-05-17  5:41 ` [OE-core][PATCH v2] " Andrej Valek
2023-05-17 11:08   ` Mikko Rapeli
2023-05-19  6:24 ` [OE-core][PATCH v3 1/3] " Andrej Valek
2023-05-19  6:56   ` Mikko Rapeli
2023-05-19  7:44   ` Michael Opdenacker [this message]
2023-05-19 13:11   ` Marta Rybczynska
2023-05-20  7:43     ` Valek, Andrej
2023-05-22  7:57     ` Mikko Rapeli
2023-05-23  8:41       ` Valek, Andrej
2023-05-29  7:32         ` Valek, Andrej
2023-05-30 10:12           ` Richard Purdie
2023-06-02 21:10             ` adrian.freihofer
2023-06-02 21:27               ` Richard Purdie
2023-06-04  9:59                 ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  7:52                   ` Richard Purdie
2023-05-19  6:24 ` [OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  6:24 ` [OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-05-19  9:17   ` Mikko Rapeli
2023-05-19 13:09   ` Michael Opdenacker
2023-05-19 13:19     ` Valek, Andrej
2023-05-23 11:39       ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-12 11:57   ` [OE-core][PATCH v5 0/2] CVE-check handling Andrej Valek
2023-06-12 11:57   ` [OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-15 12:47     ` Richard Purdie
2023-06-12 11:57   ` [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551 Andrej Valek
2023-06-12 12:01     ` Valek, Andrej
2023-06-12 11:59   ` [OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 0/2] RFC: CVE-check handling Andrej Valek
2023-06-20 14:15   ` [OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-21  5:07     ` Sanjaykumar kantibhai Chitroda -X (schitrod - E-INFO CHIPS INC at Cisco)
2023-06-21  6:48       ` [PATCH " Siddharth
2023-06-21  7:55     ` [OE-core][PATCH " Luca Ceresoli
2023-06-20 14:15   ` [OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 0/3] CVE-check handling Andrej Valek
2023-06-22 12:42     ` Luca Ceresoli
2023-06-22 13:50       ` Valek, Andrej
2023-06-22 13:55         ` Luca Ceresoli
2023-06-22 13:59           ` Valek, Andrej
2023-06-22 14:07             ` Valek, Andrej
2023-06-22 16:24               ` Luca Ceresoli
2023-06-22  6:59   ` [OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22  6:59   ` [OE-core][PATCH v7 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 0/3] CVE-check handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 10:02     ` Ross Burton
2023-06-23 11:22       ` Valek, Andrej
2023-06-22 12:00   ` [OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-22 12:00   ` [OE-core][PATCH v8 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 0/3] CVE-check handling Andrej Valek
2023-07-19 10:26     ` Valek, Andrej
2023-07-19 10:54       ` Richard Purdie
2023-07-19 11:16         ` Ross Burton
2023-07-19 12:03           ` Valek, Andrej
2023-07-20 16:41             ` Marta Rybczynska
2023-06-23 11:14   ` [OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling Andrej Valek
2023-06-23 11:14   ` [OE-core][PATCH v9 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS Andrej Valek
2023-07-20  7:19   ` [OE-core][PATCH] " Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value Andrej Valek
2023-05-19  8:18 ` [OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING Andrej Valek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=f04650dc-e504-e146-2845-e7cbeed5c547@bootlin.com \
    --to=michael.opdenacker@bootlin.com \
    --cc=andrej.valek@siemens.com \
    --cc=mikko.rapeli@linaro.org \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=peter.marko@siemens.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox