On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek via
lists.openembedded.org wrote:
> - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_DETAIL] +
> [CVE_STATUS_DESCRIPTION] to be more flexible. CVE_STATUS should
> contain a flag for each CVE with accepted values "Ignored", "Patched"
> or "Unpatched". It allows adding a status for each CVE.
> - Optional CVE_STATUS_DETAIL flag variable may contain a detailed
> status. Possible options for each status:
> - Patched
>  - fixed-version, backported-patch, cpe-stable-backport or other
> - Unpatched
>  - vulnerable-investigating or other
> - Ignored
>  - cpe-incorrect, not-applicable-platform, upstream-wontfix,
>    not-applicable-config, not-affected or other
> - Optional CVE_STATUS_DESCRIPTION flag variable may contain a reason
> why the CVE status was used. Both optional values will be added to the
> csv/json report as new "detail" and "description" entries.
> - Setting the same status and reason for multiple CVEs is possible
> via the CVE_STATUS_GROUPS variable.
> - All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
> value "Ignored" as a fallback.
> 
> Examples of usage:
> CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
> CVE_STATUS[CVE-1234-0002] = "Ignored"
> CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
> CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
> 
> CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
> CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
> CVE_STATUS_WIN[status] = "Ignored"
> CVE_STATUS_DETAIL[detail] = "not-applicable-platform"
> CVE_STATUS_WIN[description] = "Issue only applies on Windows"
> 
> CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
> CVE_STATUS_PATCHED[status] = "Patched"
> CVE_STATUS_DETAIL[detail] = "fixed-version"
> CVE_STATUS_PATCHED[description] = "Fixed externally"
> 
> Signed-off-by: Andrej Valek <[email protected]>
> Signed-off-by: Peter Marko <[email protected]>
> ---
>  meta/classes/cve-check.bbclass | 89 +++++++++++++++++++++++++++++-----
>  meta/lib/oe/cve_check.py       |  6 +++
>  2 files changed, 83 insertions(+), 12 deletions(-)

I'm afraid I really don't like this :(. Why?:

* we now have three different pieces of information, "status", "detail"
and "description" when we should only need two

* this needs a group mapping mechanism which is confusing above

* the information is spread over multiple differently named variables

* two pieces of the status information are connected in a hardcoded way

As a counter proposal, consider:

CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0003] = "fixed-version: Fixed externally"
CVE_STATUS[CVE-1234-0004] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

which conveys the same information with a slight bit of copy/paste but
not at a level I'd lose sleep over. To me it is a lot more readable.

Thoughts?

Cheers,

Richard
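As an added example (not code from oe-core or from either poster), the Python below resolves the counter-proposal's format: it splits each CVE_STATUS value into its detail keyword and free-text description, maps the keyword to a coarse status through CVE_CHECK_STATUSMAP, and reports any keyword the map does not know. The flag dictionaries stand in for bitbake varflags and are constructed for the demo; the CVE entries beyond the four in the reply are hypothetical.

```python
# Constructed sample varflags mirroring the reply's counter-proposal, plus
# hypothetical entries (0005-0007) to exercise edge cases.
CVE_STATUS = {
    "CVE-1234-0001": "not-applicable-platform: Issue only applies on Windows",
    "CVE-1234-0002": "not-applicable-platform: Issue only applies on Windows",
    "CVE-1234-0003": "fixed-version: Fixed externally",
    "CVE-1234-0004": "fixed-version: Fixed externally",
    "CVE-1234-0005": "vulnerable-investigating",          # no description
    "CVE-1234-0006": "backported-patch: see 1.2.3: note",  # colon in text
    "CVE-1234-0007": "wontfx: typo in detail keyword",     # unmapped keyword
}

# Detail keyword -> coarse status, as in the reply (third entry is added).
CVE_CHECK_STATUSMAP = {
    "not-applicable-platform": "Ignored",
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "vulnerable-investigating": "Unpatched",
}


def decode_cve_status(value, statusmap):
    """Split 'detail: description' and map detail to a coarse status.

    Returns (status, detail, description). Only the first colon separates
    the keyword from the description, so colons inside the description
    survive. An unmapped keyword yields status None so the caller can flag
    it instead of silently treating the CVE as handled.
    """
    detail, sep, description = value.partition(":")
    detail = detail.strip()
    description = description.strip() if sep else ""
    return statusmap.get(detail), detail, description


def build_report(cve_status, statusmap):
    """Return the per-CVE report entries and the list of CVEs whose detail
    keyword is missing from the status map (a config error to surface)."""
    report, unmapped = {}, []
    for cve, value in cve_status.items():
        status, detail, description = decode_cve_status(value, statusmap)
        if status is None:
            unmapped.append(cve)
        report[cve] = {"status": status, "detail": detail,
                       "description": description}
    return report, sorted(unmapped)
```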
