The script improve_kernel_cve_report.py doesn't have a bbclass. It can be useful to have one to generate improved cve-check files at every run.
This commit contains three classes: -improve_kernel_cve_report-base.bbclass: Base class which contains the tasks to perform improve_kernel_cve_report.py initialization and execution. -improve_kernel_cve_report-spdx-2.2.bbclass: Set IMPROVE_KERNEL_SPDX_FILE variable for SPDX-2.2 builds and set IMPROVE_KERNEL_PREFERRED_PROVIDER to require "create-spdx-2.2" in INHERIT. -improve_kernel_cve_report-spdx-3.0.bbclass: Set IMPROVE_KERNEL_SPDX_FILE variable for SPDX-3.0 project, and set IMPROVE_KERNEL_PREFERRED_PROVIDER to "create-spdx" to requires it in INHERIT. -improve_kernel_cve_report.bbclass: Include this class when you don't care what version of SPDX you get. These three new .bbclass files can be used to generate a new output in tmp/deploy/images with a .scouted.json file in addition to the existing .json cve-check file. The new .scouted.json is based on the cve-check file and the SBOM to generate this improved cve-check file with extra entries found by the script improve_kernel_cve_report.py. It only requires to use "inherit" on an image recipe (e.g. on core-image-minimal). The bbclass "improve_kernel_cve_report-spdx-2.2.bbclass" can be used if "create-spdx-2.2" is configured in INHERIT, and "create-spdx" is removed. INHERIT:remove = "create-spdx" INHERIT:append = " create-spdx-2.2" By default, projects use SPDX-3.0 and don't require any additional configuration. Signed-off-by: Valentin Boudevin <[email protected]> --- .../improve_kernel_cve_report-base.bbclass | 60 +++++++++++++++++++ ...improve_kernel_cve_report-spdx-2.2.bbclass | 4 ++ ...improve_kernel_cve_report-spdx-3.0.bbclass | 4 ++ .../classes/improve_kernel_cve_report.bbclass | 3 + 4 files changed, 71 insertions(+) create mode 100644 meta/classes/improve_kernel_cve_report-base.bbclass create mode 100644 meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass create mode 100644 meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass create mode 100644 meta/classes/improve_kernel_cve_report.bbclass diff --git a/meta/classes/improve_kernel_cve_report-base.bbclass b/meta/classes/improve_kernel_cve_report-base.bbclass new file mode 100644 index 0000000000..e78722c59c --- /dev/null +++ b/meta/classes/improve_kernel_cve_report-base.bbclass @@ -0,0 +1,60 @@ +# Settings for SPDX support + +# Setting to specify preferred provider for kernel SPDX file ("create-spdx" or "create-spdx-2.2") +IMPROVE_KERNEL_PREFERRED_PROVIDER ?= "" +# Setting to specify the path to the SPDX file to be used for extra kernel vulnerabilities scouting +IMPROVE_KERNEL_SPDX_FILE ?= "" + +python __anonymous() { + if bb.data.inherits_class("create-spdx-2.2", d): + bb.build.addtask("do_scout_extra_kernel_vulns", "do_build", "do_rootfs", d) + elif bb.data.inherits_class("create-spdx", d): + bb.build.addtask('do_scout_extra_kernel_vulns', 'do_build', 'do_create_image_sbom_spdx', d) +} + +python do_clean:append() { + import os, glob + deploy_dir = d.expand('${DEPLOY_DIR_IMAGE}') + for f in glob.glob(os.path.join(deploy_dir, '*scouted.json')): + bb.note("Removing " + f) + os.remove(f) +} + +do_scout_extra_kernel_vulns() { + new_cve_report_file="${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json" + improve_kernel_cve_script="${COREBASE}/scripts/contrib/improve_kernel_cve_report.py" + + # Check that IMPROVE_KERNEL_SPDX_FILE is set and the file exists + if [ -z "${IMPROVE_KERNEL_SPDX_FILE}" ] || [ ! -f "${IMPROVE_KERNEL_SPDX_FILE}" ]; then + bbwarn "improve_kernel_cve: IMPROVE_KERNEL_SPDX_FILE is empty or file not found: ${IMPROVE_KERNEL_SPDX_FILE}" + return 0 + fi + if [ ! -f "${CVE_CHECK_MANIFEST_JSON}" ]; then + bbwarn "improve_kernel_cve: CVE_CHECK file not found: ${CVE_CHECK_MANIFEST_JSON}. Skipping extra kernel vulnerabilities scouting." + return 0 + fi + if [ ! -f "${improve_kernel_cve_script}" ]; then + bbwarn "improve_kernel_cve: improve_kernel_cve_report.py not found in ${COREBASE}." + return 0 + fi + if [ ! -d "${STAGING_DATADIR_NATIVE}/vulns-native" ]; then + bbwarn "improve_kernel_cve: Vulnerabilities data not found in ${STAGING_DATADIR_NATIVE}/vulns-native." + return 0 + fi + + #Run the improve_kernel_cve_report.py script + bbplain "improve_kernel_cve: Using SPDX file for extra kernel vulnerabilities scouting: ${IMPROVE_KERNEL_SPDX_FILE}" + python3 "${improve_kernel_cve_script}" \ + --spdx "${IMPROVE_KERNEL_SPDX_FILE}" \ + --old-cve-report "${CVE_CHECK_MANIFEST_JSON}" \ + --new-cve-report "${new_cve_report_file}" \ + --datadir "${STAGING_DATADIR_NATIVE}/vulns-native" + bbplain "Improve CVE report with extra kernel cves: ${new_cve_report_file}" + + #Create a symlink as every other JSON file in tmp/deploy/images + ln -sf ${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}.scouted.json ${DEPLOY_DIR_IMAGE}/${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_NAME_SUFFIX}.scouted.json +} +do_scout_extra_kernel_vulns[depends] += "vulns-native:do_populate_sysroot" +do_scout_extra_kernel_vulns[nostamp] = "1" +do_scout_extra_kernel_vulns[doc] = "Scout extra kernel vulnerabilities and create a new enhanced version of the cve_check file in the deploy directory" +addtask scout_extra_kernel_vulnsate_cve_exclusions after do_prepare_recipe_sysroot \ No newline at end of file diff --git a/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass new file mode 100644 index 0000000000..45b483134d --- /dev/null +++ b/meta/classes/improve_kernel_cve_report-spdx-2.2.bbclass @@ -0,0 +1,4 @@ +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx-2.2" +IMPROVE_KERNEL_SPDX_FILE = "${DEPLOY_DIR}/spdx/2.2/${@d.getVar('MACHINE').replace('-', '_')}/recipes/recipe-${PREFERRED_PROVIDER_virtual/kernel}.spdx.json" + +inherit improve_kernel_cve_report-base \ No newline at end of file diff --git a/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass new file mode 100644 index 0000000000..3849f66aaf --- /dev/null +++ b/meta/classes/improve_kernel_cve_report-spdx-3.0.bbclass @@ -0,0 +1,4 @@ +IMPROVE_KERNEL_PREFERRED_PROVIDER = "create-spdx" +IMPROVE_KERNEL_SPDX_FILE = "${SPDXIMAGEDEPLOYDIR}/${IMAGE_LINK_NAME}.spdx.json" + +inherit improve_kernel_cve_report-base \ No newline at end of file diff --git a/meta/classes/improve_kernel_cve_report.bbclass b/meta/classes/improve_kernel_cve_report.bbclass new file mode 100644 index 0000000000..7b237d1e22 --- /dev/null +++ b/meta/classes/improve_kernel_cve_report.bbclass @@ -0,0 +1,3 @@ +# Include this class when you don't care what version of SPDX you get; it will +# be updated to the latest stable version that is supported +inherit improve_kernel_cve_report-spdx-3.0 \ No newline at end of file
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#230103): https://lists.openembedded.org/g/openembedded-core/message/230103 Mute This Topic: https://lists.openembedded.org/mt/117510777/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
