Add a new class named kernel-generate-cve-exclusions.bbclass to
generate-cve-exclusions to use this script at every run.
Two steps for testing:
1) inherit this class in the kernel recipe with "inherit
kernel-generate-cve-exclusions.bbclass"
2) Use the following command to generate cve exclusions .json, and .inc
file: "bitbake linux-yocto -c do_generate_cve_exclusions"
This class contains several methods:
*do_generate_cve_exclusions: Use the script generate-cve-exclusions.py.
It uses the new "--output-json-file" argument to generate a JSON file as
an output stored in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}, and a .inc
file in ${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}
*do_cve_check:prepend: Parse the previously generated JSON file to set
the variable CVE_STATUS correctly
The class also provides some variables:
*GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON: path of the output JSON file used
to set CVE_STATUS
*GENERATE_CVE_EXCLUSIONS_OUTPUT_INC: cve exclusions .inc file output
path. Not used directly by this class (needs to be inherited manually).
Signed-off-by: Valentin Boudevin <[email protected]>
---
.../kernel-generate-cve-exclusions.bbclass | 46 +++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 meta/classes/kernel-generate-cve-exclusions.bbclass
diff --git a/meta/classes/kernel-generate-cve-exclusions.bbclass
b/meta/classes/kernel-generate-cve-exclusions.bbclass
new file mode 100644
index 0000000000..8efa32f6a1
--- /dev/null
+++ b/meta/classes/kernel-generate-cve-exclusions.bbclass
@@ -0,0 +1,46 @@
+# Generate CVE exclusions for the kernel build (set to "1" to enable)
+GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON =
"${WORKDIR}/temp/cve-exclusion_${LINUX_VERSION}.json"
+GENERATE_CVE_EXCLUSIONS_OUTPUT_INC =
"${WORKDIR}/temp//cve-exclusion_${LINUX_VERSION}.inc"
+
+do_generate_cve_exclusions() {
+ # Check for required files and directories
+
generate_cve_exclusions_script=${COREBASE}/scripts/contrib/generate-cve-exclusions.py
+ if [ ! -f "${generate_cve_exclusions_script}" ]; then
+ bbwarn "generate-cve-exclusions.py not found in
${generate_cve_exclusions_script}."
+ return 0
+ fi
+ if [ ! -d "${STAGING_DATADIR_NATIVE}/cvelistv5-native" ]; then
+ bbwarn "CVE exclusions source directory not found in
${STAGING_DATADIR_NATIVE}/cvelistv5-native."
+ return 0
+ fi
+ # Generate the CVE exclusions JSON & INC file
+ python3 "${generate_cve_exclusions_script}" \
+ "${STAGING_DATADIR_NATIVE}/cvelistv5-native" \
+ ${LINUX_VERSION} \
+ --output-json-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}" \
+ --output-inc-file "${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC}"
+ bbplain "CVE exclusions generated for kernel version ${LINUX_VERSION} at
${GENERATE_CVE_EXCLUSIONS_OUTPUT_INC} and
${GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON}."
+}
+do_generate_cve_exclusions[depends] += "cvelistv5-native:do_populate_sysroot"
+do_generate_cve_exclusions[nostamp] = "1"
+do_generate_cve_exclusions[doc] = "Generate CVE exclusions for the kernel
build. (e.g., cve-exclusion_6.12.json)"
+addtask generate_cve_exclusions after do_prepare_recipe_sysroot before
do_cve_check
+
+python do_cve_check:prepend() {
+ import os
+ import json
+ workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")
+ kernel_version = d.getVar("LINUX_VERSION")
+ json_input_file = d.getVar("GENERATE_CVE_EXCLUSIONS_OUTPUT_JSON")
+ if os.path.exists(json_input_file):
+ with open(json_input_file, 'r', encoding='utf-8') as f:
+ cve_data = json.load(f)
+ cve_status_dict = cve_data.get("cve_status", {})
+ count = 0
+ for cve_id, info in cve_status_dict.items():
+ if info.get("active", True):
+ continue
+ d.setVarFlag("CVE_STATUS", cve_id, info.get("message", ""))
+ count += 1
+ bb.note("Loaded %d CVE_STATUS entries from JSON output for kernel %s"
% (count, kernel_version))
+}
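Review bot: In do_cve_check:prepend, `workdir = d.getVar("${STAGING_DATADIR_NATIVE}/cvelistv5-native")` passes an expanded path string as a variable name, so it always returns None, and `workdir` is never used afterwards; drop the line (or, if the directory is needed, use `os.path.join(d.getVar("STAGING_DATADIR_NATIVE"), "cvelistv5-native")`). Since every entry this loop writes into CVE_STATUS suppresses a finding in do_cve_check, a missing JSON file should not pass silently: `if os.path.exists(json_input_file)` has no else branch, so a failed or skipped do_generate_cve_exclusions (both early `return 0` paths only bbwarn) yields a report with no exclusions and no indication why; add a `bb.warn` in the else case. Smaller points: the comment on the first line says "set to "1" to enable" but no enable variable is defined; `GENERATE_CVE_EXCLUSIONS_OUTPUT_INC` has a doubled slash in `${WORKDIR}/temp//cve-exclusion_...`; and the task calls `python3` from the build shell, so consider `inherit python3native` or a `python3-native:do_populate_sysroot` dependency so the host interpreter is not assumed.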