From: Joshua Watt <[email protected]>

Instead of hard-coding the VEX justifications for the "Ignored" CVE status, add a map that configures which justification is used for each status.
This allows other justifications to be easily added, and also ensures that status fields added externally (by downstream) can set an appropriate justification if necessary.

Signed-off-by: Joshua Watt <[email protected]>
Signed-off-by: Richard Purdie <[email protected]>
(cherry picked from commit c0fa3d92cefa74fa57c6c48c94acc64aa454e781)
Signed-off-by: Het Patel <[email protected]>
---
 meta/conf/cve-check-map.conf | 4 ++++
 meta/lib/oe/spdx30_tasks.py | 33 ++++++++++++++++-----------------
 2 files changed, 20 insertions(+), 17 deletions(-)

diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d1..fc49fe0a50 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
 CVE_CHECK_STATUSMAP[disputed] = "Ignored"
 # use when vulnerability depends on build or runtime configuration which is not used
 CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
+
 # use when vulnerability affects other platform (e.g. Windows or Debian)
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-platform] = "vulnerableCodeNotPresent"
+
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index a3d848ceb1..c6bb3bd964 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
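Review bot: Nothing in this file tells a downstream layer that adds its own Ignored status which values `CVE_CHECK_VEX_JUSTIFICATION` accepts, although spdx30_tasks.py rejects anything outside `security_VexJustificationType.NAMED_INDIVIDUALS` with `bb.fatal` at SPDX generation time. Suggest a comment above the first new flag, e.g. `# CVE_CHECK_VEX_JUSTIFICATION[<status>] selects the SPDX 3.0 VEX justification emitted for a status mapped to "Ignored"; the value must be an SPDX security_VexJustificationType name, and statuses without a flag produce a not-affected statement with no justification.` Separately, `vulnerableCodeNotPresent` for `not-applicable-config` is carried over from the old hard-coded mapping, but the comment above it covers runtime configuration too, where the vulnerable code is built in and merely unreachable; SPDX 3.0 expresses that as `vulnerableCodeNotInExecutePath`, and a VEX consumer that trusts "not present" may skip its own reachability analysis, so consider whether that case should get the more precise justification now that the mapping is configurable.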
@@ -719,24 +719,23 @@ def create_spdx(d):
                     impact_statement=description,
                 )
-                if detail in (
-                    "ignored",
-                    "cpe-incorrect",
-                    "disputed",
-                    "upstream-wontfix",
-                ):
-                    # VEX doesn't have justifications for this
-                    pass
-                elif detail in (
-                    "not-applicable-config",
-                    "not-applicable-platform",
-                ):
-                    for v in spdx_vex:
-                        v.security_justificationType = (
-                            oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
+                vex_just_type = d.getVarFlag(
+                    "CVE_CHECK_VEX_JUSTIFICATION", detail
+                )
+                if vex_just_type:
+                    if (
+                        vex_just_type
+                        not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
+                    ):
+                        bb.fatal(
+                            f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
                         )
-                else:
-                    bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+
+                    for v in spdx_vex:
+                        v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+                            vex_just_type
+                        ]
+
             else:
                 bb.fatal(f"Unknown {cve} status '{status}'")
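Review bot: The new `bb.fatal` on an unrecognised justification fires only when a CVE carrying that `detail` is actually processed, and its message names neither the misconfigured variable nor the accepted values, so a downstream typo in `CVE_CHECK_VEX_JUSTIFICATION[...]` surfaces late and without a fix hint; suggest `f"Unknown VEX justification '{vex_just_type}' in CVE_CHECK_VEX_JUSTIFICATION[{detail}] for ignored {cve}; expected one of {sorted(oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS)}"` (assuming `NAMED_INDIVIDUALS` iterates its names, as the `in` and `[]` uses suggest). The mailing-list rendering has flattened the hunk's indentation, so please confirm the `for v in spdx_vex:` loop sits inside `if vex_just_type:`; at the outer level it would evaluate `NAMED_INDIVIDUALS[None]` for every Ignored status with no flag (ignored, cpe-incorrect, disputed, upstream-wontfix after this commit) and raise KeyError. The removed `bb.fatal(f"Unknown detail ...")` was also the only cross-check that an Ignored `detail` was a recognised one; with it gone any detail mapped to "Ignored" without a justification flag yields a not-affected statement carrying only `impact_statement`, which the commit message presents as intended but deserves a comment at the `if vex_just_type:` such as `# No justification configured for this status: emit not-affected with impact_statement only`. `create_spdx` begins and ends outside this hunk.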
