Bit of a low effort first cut because I don't have a ton of time to take on the 
maintenance task right now, but here's a first cut at a version of the script 
that parses vulns entries. Note that it appears that the output from the 
original script is still required as the vulns repo doesn't have the data from 
the linux_kernel_cves repo imported.
________________________________
From: [email protected] 
<[email protected]> on behalf of Bruce Ashfield via 
lists.openembedded.org <[email protected]>
Sent: Friday, May 3, 2024 5:50 AM
To: Marta Rybczynska <[email protected]>
Cc: [email protected] 
<[email protected]>; [email protected] 
<[email protected]>; [email protected] 
<[email protected]>
Subject: Re: [OE-core] [PATCH 02/12] linux-yocto/6.6: update CVE exclusions 
(6.6.24)




On Fri, May 3, 2024 at 1:42 AM Marta Rybczynska 
<[email protected]<mailto:[email protected]>> wrote:
Hello Bruce et al,
For information, the linux_kernel_cves repo has now a banner "This
repository has been archived by the owner on May 2, 2024. It is now
read-only. ",

Yes, I had noticed that, but was letting my release scripts do their "thing"
to at least update the date on the file. That way it was documented that
I'm checking and waiting for the replacement to arrive.

I did squash all the commits against the 6.1 kernel for that reason, since
they are a no-op until something new arrives.

Bruce


so I guess this is the last update.

Greg has scripting for statistics of the new process, haven't looked
into them yet.

Regards,
Marta

On Fri, May 3, 2024 at 4:40 AM Bruce Ashfield via
lists.openembedded.org<http://lists.openembedded.org>
<[email protected]<mailto:[email protected]>>
 wrote:
>
> From: Bruce Ashfield 
> <[email protected]<mailto:[email protected]>>
>
> Data pulled from: https://github.com/nluedtke/linux_kernel_cves
>
>     1/1 [
>         Author: Nicholas Luedtke
>         Email: 
> [email protected]<mailto:[email protected]>
>         Subject: Update 25Feb24
>         Date: Sun, 25 Feb 2024 07:03:08 -0500
>
>     ]
>
> Signed-off-by: Bruce Ashfield 
> <[email protected]<mailto:[email protected]>>
> ---
>  meta/recipes-kernel/linux/cve-exclusion_6.6.inc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/meta/recipes-kernel/linux/cve-exclusion_6.6.inc 
> b/meta/recipes-kernel/linux/cve-exclusion_6.6.inc
> index bb9ba49c48..133cab88a3 100644
> --- a/meta/recipes-kernel/linux/cve-exclusion_6.6.inc
> +++ b/meta/recipes-kernel/linux/cve-exclusion_6.6.inc
> @@ -1,9 +1,9 @@
>
>  # Auto-generated CVE metadata, DO NOT EDIT BY HAND.
> -# Generated at 2024-03-28 16:40:04.102652+00:00 for version 6.6.23
> +# Generated at 2024-04-04 03:23:25.421265+00:00 for version 6.6.24
>
>  python check_kernel_cve_status_version() {
> -    this_version = "6.6.23"
> +    this_version = "6.6.24"
>      kernel_version = d.getVar("LINUX_VERSION")
>      if kernel_version != this_version:
>          bb.warn("Kernel CVE status needs updating: generated for %s but 
> kernel is %s" % (this_version, kernel_version))
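Review bot: the commit message cites only the 25 Feb 2024 upstream commit, while the hunk touches nothing but the generation timestamp and the `this_version = "6.6.24"` string, so a one-line note in the commit message stating that no CVE_STATUS entries change (a version bump against an unchanged data snapshot, as the reply above describes for the 6.1 series) would make the no-op nature of this update clear to reviewers reading the patch on its own.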
> --
> 2.39.2
>
>
>
>


--
- Thou shalt not follow the NULL pointer, for chaos and madness await thee at 
its end
- "Use the force Harry" - Gandalf, Star Trek II

#! /usr/bin/env python3

# Generate granular CVE status metadata for a specific version of the kernel
# using the CVE JSON records in the kernel.org vulns repository.
#
# SPDX-License-Identifier: GPL-2.0-only

import argparse
import datetime
import json
import pathlib
import itertools

from packaging.version import Version

def main(argp=None):
    parser = argparse.ArgumentParser()
    parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://git.kernel.org/pub/scm/linux/kernel/git/lee/vulns.git")
    parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")

    args = parser.parse_args(argp)
    datadir = args.datadir
    version = args.version

    print(f"""
# Auto-generated CVE metadata, DO NOT EDIT BY HAND.
# Generated at {datetime.datetime.now(datetime.timezone.utc)} for version {version}

python check_kernel_cve_status_version() {{
    this_version = "{version}"
    kernel_version = d.getVar("LINUX_VERSION")
    if kernel_version != this_version:
        bb.warn("Kernel CVE status needs updating: generated for %s but kernel is %s" % (this_version, kernel_version))
}}
do_cve_check[prefuncs] += "check_kernel_cve_status_version"
""")

    for cve_file in itertools.chain((datadir / "cve" / "rejected").glob("*/CVE-*.json"), (datadir / "cve" / "published").glob("*/CVE-*.json")):
        with open(cve_file, "r") as f:
            data = json.load(f)
        cna = data["containers"]["cna"]
        metadata = data["cveMetadata"]
        cve = metadata["cveID"]
        kind = cve_file.parts[-3]

        if kind == "rejected":
            resolution = "disputed: Marked as rejected in kernel.org vulns database"
        else:
            resolution = None

        for product in cna.get("affected", []):
            def v(s):
                if s == "v6.9-rc1~118" and cve == "CVE-2024-36970":
                    # Note, this will improperly catch revisions between v6.9-rc1~118 and v6.9-rc2 as affected
                    s = "6.9-rc1"
                return Version(s.replace('*', '999999'))
            if (product["vendor"], product["product"]) != ("Linux", "Linux"):
                continue
            product_status = product.get("defaultStatus", "unknown")
            backport_ver = None
            first_affected = None
            fixed = None
            fixed_versions = []
            for entry in product.get("versions", []):
                if entry.get("versionType", None) not in ("custom", "original_commit_for_fix", None):
                    # Note: This skips handling all the "git" versionType entries
                    product_status = "unknown"
                    break
                if entry.get("versionType", None) == "original_commit_for_fix":
                    fixed = v(entry["version"])
                if entry["status"] == "affected":
                    first_affected = v(entry["version"])
                if backport_ver is not None:
                    # Done processing according to the documented algorithm
                    pass
                elif "lessThan" not in entry and "lessThanOrEqual" not in entry and version == v(entry["version"]):
                    product_status = entry["status"]
                    backport_ver = entry["version"]
                elif v(entry["version"]) <= version and (("lessThan" in entry and version < v(entry["lessThan"])) or
                                                         ("lessThanOrEqual" in entry and version <= v(entry["lessThanOrEqual"]))):
                    product_status = entry["status"]
                    backport_ver = entry["version"]
                    for change in entry.get("changes", []):
                        if v(change["at"]) <= version:
                            product_status = change["status"]
                            backport_ver = change["at"]
            if product_status == "unaffected":
                if fixed is not None and version >= fixed:
                    resolution = f"fixed-version: Fixed from version {fixed}"
                elif first_affected is not None and version < first_affected:
                    resolution = f"fixed-version: only effects {first_affected} onwards"
                elif backport_ver is None:
                    resolution = "fixed-version: Not present in any released revision"
                else:
                    resolution = f"cpe-stable-backport: Backported in {backport_ver}"
                break                

        if resolution is not None:
            print(f'CVE_STATUS[{cve}] = "{resolution}"')
        else:
            print(f"# {cve} resolution not documented by script")

if __name__ == "__main__":
    main()
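The range matching in the script above is easiest to check against a record you can read in full. The following is an added example, not the posted script or anything from the vulns repository: it embeds a constructed CVE record in the vulns JSON layout (a git-hash range under the first `Linux`/`Linux` product, then `custom` stable-backport ranges and an `original_commit_for_fix` entry under the second) and resolves it for several kernel versions using the same matching rules, returning the `CVE_STATUS` line the script would print. The CVE id is a placeholder. To stay dependency-free it uses a tuple-based version key instead of `packaging.Version`, so release-candidate strings such as `6.9-rc1` are not handled here.

```python
#!/usr/bin/env python3
# Added example, not the posted script: resolve one constructed kernel.org
# vulns CVE record for a given kernel version and return the CVE_STATUS
# resolution the script above would emit (None when it stays undocumented).
# The record mirrors the vulns JSON layout; the CVE id is a placeholder.
# A tuple-based version key replaces packaging.Version, so "6.9-rc1"-style
# release candidates are not supported by this example.

import json

# Constructed sample record (not a real CVE). The first product carries a
# git-hash range, which the matching rules skip; the second lists the
# stable backports (ascending) followed by the original fix.
SAMPLE_RECORD = json.loads("""
{
  "cveMetadata": {"cveID": "CVE-0000-00000", "state": "PUBLISHED"},
  "containers": {"cna": {"affected": [
    {"vendor": "Linux", "product": "Linux", "defaultStatus": "unaffected",
     "versions": [
       {"version": "0000000000aa", "lessThan": "0000000000bb",
        "status": "affected", "versionType": "git"}
     ]},
    {"vendor": "Linux", "product": "Linux", "defaultStatus": "affected",
     "versions": [
       {"version": "6.1.81", "lessThanOrEqual": "6.1.*",
        "status": "unaffected", "versionType": "custom"},
       {"version": "6.6.21", "lessThanOrEqual": "6.6.*",
        "status": "unaffected", "versionType": "custom"},
       {"version": "6.8", "lessThanOrEqual": "*",
        "status": "unaffected", "versionType": "original_commit_for_fix"}
     ]}
  ]}}
}
""")

REJECTED = "disputed: Marked as rejected in kernel.org vulns database"


def version_key(s):
    """Turn '6.6.21', '6.6.*', '*' or '0' into a comparable tuple.

    '*' means "any later release in the series" and maps to a sentinel
    larger than any real component (the script's '*' -> 999999 trick).
    """
    return tuple(999999 if p == "*" else int(p) for p in s.split("."))


def in_range(entry, key):
    """True if the version key falls inside one versions[] entry."""
    lo = version_key(entry["version"])
    if "lessThan" in entry:
        return lo <= key < version_key(entry["lessThan"])
    if "lessThanOrEqual" in entry:
        return lo <= key <= version_key(entry["lessThanOrEqual"])
    return key == lo  # exact single-version entry


def resolve(record, version, rejected=False):
    """Return the CVE_STATUS value for `version`, or None if undocumented."""
    key = version_key(version)
    for product in record["containers"]["cna"]["affected"]:
        if (product["vendor"], product["product"]) != ("Linux", "Linux"):
            continue
        status = product.get("defaultStatus", "unknown")
        matched_at = None     # version string of the first matching range
        fixed = None          # release carrying the original fix
        first_affected = None
        for entry in product.get("versions", []):
            vtype = entry.get("versionType")
            if vtype not in ("custom", "original_commit_for_fix", None):
                status = "unknown"   # git-hash ranges are not evaluated
                break
            if vtype == "original_commit_for_fix":
                fixed = entry["version"]
            if entry["status"] == "affected":
                first_affected = entry["version"]
            if matched_at is None and in_range(entry, key):
                status, matched_at = entry["status"], entry["version"]
                for change in entry.get("changes", []):
                    if version_key(change["at"]) <= key:
                        status, matched_at = change["status"], change["at"]
        if status == "unaffected":
            if fixed is not None and key >= version_key(fixed):
                return f"fixed-version: Fixed from version {fixed}"
            if first_affected is not None and key < version_key(first_affected):
                return f"fixed-version: only effects {first_affected} onwards"
            if matched_at is None:
                return "fixed-version: Not present in any released revision"
            return f"cpe-stable-backport: Backported in {matched_at}"
    return REJECTED if rejected else None


def status_line(record, version, rejected=False):
    """The line the generator writes into cve-exclusion_<ver>.inc."""
    cve = record["cveMetadata"]["cveID"]
    resolution = resolve(record, version, rejected)
    if resolution is None:
        return f"# {cve} resolution not documented by script"
    return f'CVE_STATUS[{cve}] = "{resolution}"'


if __name__ == "__main__":
    for ver in ("6.1.90", "6.6.20", "6.6.24", "6.8.1"):
        print(ver, "->", status_line(SAMPLE_RECORD, ver))
```

Running it shows the three outcomes the script distinguishes: 6.6.24 and 6.1.90 land inside a stable backport range (`cpe-stable-backport`), 6.8.1 is at or past the original fix (`fixed-version`), and 6.6.20 matches no unaffected range, so the generator leaves it undocumented and `cve-check` will still report it.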