On Fri, 2023-05-05 at 12:59 +0100, Richard Purdie wrote: > > On Fri, 2023-05-05 at 11:36 +0000, Valek, Andrej wrote: > > > > On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote: > > > > > > On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via > > > > > > lists.openembedded.org wrote: > > > > > > > > CVE_CHECK_PATCHED - should contains an additional CVEs > > > > > > > > which > > > > > > > > have > > > > > > > > been > > > > > > > > fixed and shouldn't be mark as vulnerable nor ignored. > > > > > > > > > > > > > > > > Signed-off-by: Andrej Valek <[email protected]> > > > > > > > > --- > > > > > > > > meta/classes/cve-check.bbclass | 8 ++++++++ > > > > > > > > 1 file changed, 8 insertions(+) > > > > > > > > > > > > > > > > diff --git a/meta/classes/cve-check.bbclass > > > > > > > > b/meta/classes/cve- > > > > > > > > check.bbclass > > > > > > > > index bd9e7e7445c..957ea0130dc 100644 > > > > > > > > --- a/meta/classes/cve-check.bbclass > > > > > > > > +++ b/meta/classes/cve-check.bbclass 
> > > > > > > > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= "" > > > > > > > > # > > > > > > > > CVE_CHECK_IGNORE ?= "" > > > > > > > > > > > > > > > > +# Usually a CVE gets treated as patched when a patch > > > > > > > > with the > > > > > > > > name > > > > > > > > of the CVE > > > > > > > > +# gets applied. Basically this variable should not be > > > > > > > > used. > > > > > > > > But if > > > > > > > > there are > > > > > > > > +# other reasons to mark a CVE as patched it can be > > > > > > > > added to > > > > > > > > this > > > > > > > > list. > > > > > > > > +CVE_CHECK_PATCHED ?= "" > > > > > > > > > > > > We're not adding variables which are documented as > > > > > > "Basically > > > > > > this > > > > > > variable should not be used.". If you shouldn't need/use > > > > > > it, we > > > > > > don't > > > > > > need it. > > > > Ok, maybe I should change the description a little bit. Do you > > > > have > > > > some other preference? > > > > > > > > > > > > Can't you just use the ignore variable for the same end > > > > > > result? > > > > Nope. If I use a ignore list, the output in the SBOM will be > > > > set to > > > > "ignored", which is wrong, because it has been fixed. And > > > > that's > > > > the > > > > reason. > > > > > > > > I suspect "ignored" is a bad way to describe things. Ignore might > > mean > > the issue doesn't apply, has been fixed in some way or we really > > are > > ignoring it. What does the SBOM spec say about different field > > values? > > Should we be providing more reasoning than just adding to an ignore > > list? > > > > I'm a bit worried we're not solving the real problem here by adding > > a > > new variable we tell people not to use.
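Review bot: the comment added in this hunk undercuts the variable it documents; "Basically this variable should not be used" gives no guidance on when it is the right tool, while the thread shows the actual case is a fix that arrives by a route other than a CVE-named patch file (for example a git fetcher recipe moving to a commit that contains the fix). Suggest rewording the three comment lines to state that case, e.g. "# CVE_CHECK_PATCHED lists CVEs fixed by means other than a CVE-named patch file in SRC_URI (for example an updated git revision); such CVEs are reported as patched rather than ignored." Also note that this hunk only declares the default `CVE_CHECK_PATCHED ?= ""`; the code that decides patched vs. ignored status, including the oe.cve_check.get_patched_cves(d) path used by create-spdx.bbclass that the discussion raises, has to read the variable as well, otherwise the SBOM output the thread is concerned about will not reflect it.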
The patch from Andrej tries to solve a real issue: the CVE checker distinguishes between two types of patches, ignored (= not applicable) and patched. Patching is only supported by adding a real patch file to the SRC_URI. However, there are other ways a patch can be implemented. For example, a recipe that uses the git fetcher would update the git hash to a commit that contains a fix instead of applying a patch file to the recipe.

But I fully agree that the comment (originally suggested by me when Andrej and I were discussing the solution) is bad. Maybe it should read as follows:

Normally, a CVE is treated as patched when a patch with the name of the CVE is applied. CVE_CHECK_PATCHED allows extending the list of patched CVEs without adding a patch file to SRC_URI.

Regarding the SBOM: it is important for customers that the CVEs of a product with SBOM can be correctly identified as repaired or as ignored. However, I'm not sure if the SBOM part is properly addressed by the patch. The create-spdx.bbclass uses the function oe.cve_check.get_patched_cves(d), which should probably handle the new variable as well. We will check that and come up with a V2.

Thank you and regards,
Adrian

> > Cheers,
> > Richard
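As an added illustration of the distinction discussed above (this is not code from cve-check.bbclass or from Andrej's patch), a small Python sketch that marks a CVE as patched either because a CVE-named patch file appears in SRC_URI or because it is listed in CVE_CHECK_PATCHED, and only then falls back to the ignore list. The SRC_URI entries and the CVE ids (2099-series) are constructed placeholders.

```python
import re
from typing import Dict, Iterable, Set

# A CVE id in a patch file name is what marks that CVE as patched.
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def patched_from_src_uri(src_uri: str) -> Set[str]:
    """Collect CVE ids named by patch files listed in SRC_URI."""
    found: Set[str] = set()
    for entry in src_uri.split():
        path = entry.split(";")[0]          # drop fetcher parameters
        if path.startswith("file://") and path.endswith((".patch", ".diff")):
            found.update(CVE_RE.findall(path))
    return found


def cve_list(value: str) -> Set[str]:
    """Split a space-separated variable such as CVE_CHECK_PATCHED."""
    return set(CVE_RE.findall(value))


def classify(cve_ids: Iterable[str], src_uri: str,
             cve_check_patched: str, cve_check_ignore: str) -> Dict[str, str]:
    """Patched wins over ignored: a fixed CVE must never be reported as ignored."""
    patched = patched_from_src_uri(src_uri) | cve_list(cve_check_patched)
    ignored = cve_list(cve_check_ignore)
    status: Dict[str, str] = {}
    for cve in cve_ids:
        if cve in patched:
            status[cve] = "Patched"
        elif cve in ignored:
            status[cve] = "Ignored"
        else:
            status[cve] = "Unpatched"
    return status


# Constructed sample: one CVE fixed by a patch file, one fixed by moving the
# git revision (hence listed in CVE_CHECK_PATCHED), one not applicable, one open.
SAMPLE_SRC_URI = ("git://example.invalid/foo.git;branch=main;protocol=https "
                  "file://CVE-2099-0001.patch file://fix-build.patch")
SAMPLE_PATCHED = "CVE-2099-0002"
SAMPLE_IGNORE = "CVE-2099-0003"
SAMPLE_IDS = ["CVE-2099-0001", "CVE-2099-0002", "CVE-2099-0003", "CVE-2099-0004"]


def example() -> Dict[str, str]:
    return classify(SAMPLE_IDS, SAMPLE_SRC_URI, SAMPLE_PATCHED, SAMPLE_IGNORE)


if __name__ == "__main__":
    for cve, state in example().items():
        print(cve, state)
```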
View/Reply Online (#181018): https://lists.openembedded.org/g/openembedded-core/message/181018
