On Fri, 2024-02-23 at 22:52 +0100, Yoann CONGAL wrote:
> Le ven. 23 févr. 2024 à 22:09, Simone Weiß <[email protected]> a
> écrit :
> > From: Simone Weiß <[email protected]>
> > 
> > Log if the CVE_STATUS is set for a CVE, but the cve is not reported
> > for a
> > component. This should hopefully help to clean up not needed
> > CVE_STATUS
> > settings. 
> > 
> 
> 
> Thank you for taking the time to do this :-)
>  
> > Signed-off-by: Simone Weiß <[email protected]>
> > ---
> >  meta/classes/cve-check.bbclass | 3 +++
> >  1 file changed, 3 insertions(+)
> > 
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > check.bbclass
> > index 5191d04303..b82a9e89ec 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
> >              cves_status.append([product, False])
> > 
> >      conn.close()
> > +    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
> > +    if diff_ignore:
> > +        bb.warn("Found CVE (%s) with CVE_STATUS set that is not found
> > in database for this component" % " ".join(diff_ignore))
> > 
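Review bot: `list(set(cve_ignore) - set(cves_ignored))` in the added lines yields an arbitrary order, so the same stale CVE_STATUS entries produce differently worded warnings from one run to the next; `sorted(set(cve_ignore) - set(cves_ignored))` would make the message reproducible and easier to diff. The `bb.warn` also fires unconditionally and, unlike the `bb.note` at the end of this function, does not name the recipe (`pn`), so a user with many recipes cannot tell which CVE_STATUS setting needs cleanup; gating the message through a WARN_QA/ERROR_QA key and prefixing it with `pn` would address both.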
> 
> 
> A non-optional warning might be a bit harsh (Especially one that can
> come up after an independent NVD database update).
> 
I first had the same doubt, but then thought: hey it will only appear if
cve checks are actually performed, which is not the default.
And when you do that you get warnings anyway. You are right though.
> How about a new element in the output of cve_check (the
> build/tmp/log/cve/*.{txt,json} files)?
> That way, someone looking for this info may find it, everyone else can
> (safely) ignore this.
> 
> Another way I see would be to make the warning optional by using
> QA_WARN&co but I'm not 100% sure it can be done...
> 
Good point. Something like:

oe.qa.handle_error("cve_status_not_in_db",
    "%s Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % (pn, " ".join(diff_ignore)),
    d)

should work.
Then the warning is only given if cve_status_not_in_db is appended to
WARN_QA. I think this would be fine, also other classes besides
insane.bbclass add to WARN_QA/ERROR_QA. I will check the docs and then
most likely send v2.

Cheers
Simone
> Regards,
> 
> >      if not cves_in_recipe:
> >          bb.note("No CVE records for products in recipe %s" % (pn))
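As an added illustration of the check the thread converges on (not code from the patch or from openembedded-core): a small Python model of the stale CVE_STATUS detection with WARN_QA/ERROR_QA gating. The `handle_error` function here is an assumed stand-in for `oe.qa.handle_error`, not BitBake's implementation, and all CVE ids are constructed samples.

```python
# Added example, not the patch's code. Models the "CVE_STATUS set but CVE
# never reported for this recipe" check plus QA gating, with constructed data.

def stale_cve_status(cve_ignore, cves_ignored):
    """CVE ids listed in CVE_STATUS (cve_ignore) that the CVE database never
    reported for this recipe's products (cves_ignored). Sorted so the same
    stale entries always produce the same message."""
    return sorted(set(cve_ignore) - set(cves_ignored))


def handle_error(key, message, warn_qa, error_qa):
    """Assumed stand-in for oe.qa.handle_error: the key in ERROR_QA makes it an
    error, in WARN_QA a warning, otherwise it is silently ignored."""
    if key in error_qa.split():
        return ("error", message)
    if key in warn_qa.split():
        return ("warn", message)
    return ("ignore", None)


def report_stale_cve_status(pn, cve_ignore, cves_ignored, warn_qa="", error_qa=""):
    """Build the per-recipe message (prefixed with pn) and route it through the
    QA gate; returns (action, message) so callers and tests can check it."""
    diff_ignore = stale_cve_status(cve_ignore, cves_ignored)
    if not diff_ignore:
        return ("ignore", None)
    msg = ("%s Found CVE (%s) with CVE_STATUS set that are not found in database "
           "for this component" % (pn, " ".join(diff_ignore)))
    return handle_error("cve_status_not_in_db", msg, warn_qa, error_qa)


if __name__ == "__main__":
    # Constructed sample: recipe "foo" carries CVE_STATUS for three CVEs, but the
    # database only reported two of them for foo's products.
    status = ["CVE-2020-0002", "CVE-2020-0001", "CVE-2021-0003"]
    found = ["CVE-2020-0001", "CVE-2021-0003"]
    print(report_stale_cve_status("foo", status, found))                       # silent by default
    print(report_stale_cve_status("foo", status, found, warn_qa="cve_status_not_in_db"))
```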
