On Fri, Jun 21, 2024 at 6:16 PM Ross Burton <[email protected]> wrote:
> Hi Marta,
>
> On 31 May 2024, at 14:01, Marta Rybczynska via lists.openembedded.org
> <[email protected]> wrote:
> > The "vex" class generates the minimum information that is necessary
> > by an external CVE checking tool. It is a drop-in replacement of
> > "cve-check".
> > It uses the same variables from recipes.
> >
> > It generates the JSON output format only.
>
> This appears to be a trimmed down version of the cve-check class which
> outputs the same JSON file, so what this is really missing is the greater
> context. For example, the comments still talk about the cve-check
> behaviour, not this new vex class’s behaviour. Understanding what this
> class is doing and how it’s meant to be used isn’t obvious.
>
> Correct me if I'm wrong, but this class writes a JSON file per recipe (in
> the same bespoke JSON format as cve-check) that contains _just_ the
> assertions in the recipe: that is any CVE_STATUS assignments and resolved
> statements from patches. It does not include all known issues, because
> that changes over time; this is the responsibility of external tooling.
> This explanation should be in the comments.

Yes, this is true. I'll update the description in the next version.

> Is this bespoke JSON format still the best format to use, or should we
> adopt an existing format such as OpenVEX?

At this time I was unable to export some information directly in a format like OpenVEX, especially linked to the priority of analysis (e.g. that the "cpe-incorrect" assessment has a priority over the direct scan result; in fact "cpe-incorrect" doesn't exist in any VEX format I am aware of). There is a bit of code on handling that in the standalone tool. What I want to do is to assemble the list and go see the OpenVEX people (easier to reach than CSAF from my experience) to figure out if they have an idea on how to handle all our cases. The standalone tool has a CVE JSON to OpenVEX converter. Without extensions, it's a lossy conversion, however.
> There’s a chunk of code in cve_write_data_json() to write CVE metadata,
> that appears to be dead code that can be deleted. Also the vex_clean event
> is entirely dead code as the variables defining the files to clean are
> never assigned.
>
> Also I’m unconvinced that we need to write so many files. We end up with
> a file inside WORKDIR, LOG_DIR, and DEPLOY_DIR. Can we just reduce that
> down to DEPLOY_DIR?

We tried to remove all the dead code, but there might be some places left. Will verify that.

BTW we have solved the issue you have seen with ninja CVEs and I have builds + scans running. I want to verify results manually to make sure it is OK. Will be submitting another version after the verification is done.

Kind regards,
Marta
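Marta's point that the CVE JSON to OpenVEX conversion is lossy, shown as an added example that is not part of the patch series or of the standalone tool: a small converter over a constructed per-recipe document whose field names ("package", "issue", "status", "detail") are assumed from cve-check's output, and whose mapping of "cpe-incorrect" onto an OpenVEX justification is an assumption. It records every recipe assessment, and in particular the precedence of "cpe-incorrect" over scan results, that the OpenVEX statements can no longer express.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the per-recipe JSON that vex/cve-check write
# (field names assumed from cve-check output; CVE ids are placeholders).
SAMPLE = {"version": "1", "package": [{
    "name": "ninja", "version": "1.12.0",
    "issue": [
        {"id": "CVE-0000-0001", "status": "Patched", "detail": "backported-patch"},
        {"id": "CVE-0000-0002", "status": "Ignored", "detail": "cpe-incorrect",
         "description": "CPE matches an unrelated project"},
        {"id": "CVE-0000-0003", "status": "Unpatched", "detail": ""}]}]}

# OpenVEX (v0.2.0) knows only four statuses; three of them map from the
# cve-check vocabulary. The "detail" field has no OpenVEX counterpart.
STATUS_MAP = {"Patched": "fixed", "Unpatched": "affected", "Ignored": "not_affected"}
# Assumed approximation: "cpe-incorrect" is closest to component_not_present.
JUSTIFICATION_MAP = {"cpe-incorrect": "component_not_present"}

def to_openvex(doc, author="maintainer@example.invalid"):
    """Convert a vex/cve-check JSON document to OpenVEX.
    Returns (openvex_doc, lost); `lost` names each recipe assessment that
    the OpenVEX statements no longer express, so the loss stays visible."""
    statements, lost = [], []
    for pkg in doc["package"]:
        product = {"@id": f"pkg:generic/{pkg['name']}@{pkg['version']}"}  # assumed purl
        for issue in pkg["issue"]:
            status = STATUS_MAP[issue["status"]]
            stmt = {"vulnerability": {"name": issue["id"]},
                    "products": [product], "status": status}
            detail = issue.get("detail", "")
            if status == "not_affected":
                # OpenVEX requires a justification or an impact_statement here.
                if detail in JUSTIFICATION_MAP:
                    stmt["justification"] = JUSTIFICATION_MAP[detail]
                    lost.append(f"{issue['id']}: '{detail}' approximated as "
                                f"{stmt['justification']}; its precedence over scan results is lost")
                else:
                    stmt["impact_statement"] = issue.get("description") or detail
                    lost.append(f"{issue['id']}: no OpenVEX justification for '{detail}'")
            elif detail:
                lost.append(f"{issue['id']}: detail '{detail}' dropped (status {status})")
            statements.append(stmt)
    openvex = {"@context": "https://openvex.dev/ns/v0.2.0",
               "@id": "urn:uuid:PLACEHOLDER-document-id",  # placeholder, not a real id
               "author": author, "version": 1,
               "timestamp": datetime.now(timezone.utc).isoformat(),
               "statements": statements}
    return openvex, lost
```

Calling `to_openvex(SAMPLE)` and serialising the first element with `json.dumps` gives the OpenVEX document; the second element is the list of assessments the conversion could not carry over.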
