[OE-core][PATCH] maintainers.inc: Modify email address

2023-07-30 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

andrej.va...@siemens.com -> andre...@skyrain.eu

Signed-off-by: Andrej Valek 
---
 meta/conf/distro/include/maintainers.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/maintainers.inc 
b/meta/conf/distro/include/maintainers.inc
index 17f038c71e..a7a74f1d2b 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -82,7 +82,7 @@ RECIPE_MAINTAINER:pn-buildtools-extended-tarball = "Richard 
Purdie 
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#185061): 
https://lists.openembedded.org/g/openembedded-core/message/185061
Mute This Topic: https://lists.openembedded.org/mt/100439845/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][PATCH] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS

2023-07-20 Thread Andrej Valek via lists.openembedded.org
- Try to add, convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

Signed-off-by: Andrej Valek 
Reviewed-by: Peter Marko 
---
 .../distro/include/cve-extra-exclusions.inc   | 149 
 meta/recipes-bsp/grub/grub2.inc   |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.16.bb |   2 +-
 .../bluez5/bluez5_5.68.bb |   4 +-
 .../openssh/openssh_9.3p1.bb  |   9 +-
 .../openssl/openssl_3.1.1.bb  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb |  17 +-
 meta/recipes-core/libxml/libxml2_2.11.4.bb|   4 -
 meta/recipes-core/systemd/systemd_253.3.bb|   3 -
 meta/recipes-devtools/cmake/cmake.inc |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb  |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc|   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb   |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.4.bb |  16 +-
 meta/recipes-devtools/qemu/qemu.inc   |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb|   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb   |   3 +-
 meta/recipes-extended/cups/cups.inc   |  17 +-
 .../iputils/iputils_20221126.bb   |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb|   3 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb  |   7 +-
 .../libnotify/libnotify_0.8.2.bb  |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.1.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc |  19 +-
 .../linux/cve-exclusion_6.1.inc   | 361 --
 .../libpng/libpng_1.6.40.bb   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.1.bb |   4 +-
 .../libgcrypt/libgcrypt_1.10.2.bb |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.42.0.bb |   6 -
 41 files changed, 310 insertions(+), 421 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ae63e2c63..61fb08dbeb 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -15,44 +15,43 @@
 # the aim of sharing that work and ensuring we don't duplicate it.
 #
 
+# strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006
+CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \
+with no resolution evident. Broken links in CVE database references make 
resolution impractical."
 
-# strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
-# CVE is more than 20 years old with no resolution evident
-# broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
-
-# epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
-# The issue here is spoofing of domain names using characters from other 
character sets.
-# There has been much discussion amongst the epiphany and webkit developers and
-# whilst there are improvements about how domains are handled and displayed to 
the user
-# there is unlikely ever to be a single fix to webkit or epiphany which 
addresses this
-# problem. Ignore this CVE as there isn't any mitigation or fix or way to 
progress this further
-# we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
-
-# glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
-# Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
-# Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
-# Upstream don't see it as a security issue, ftp servers shouldn't be passing
-# this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT 
or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
-
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
-# go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
-# The encoding/xml package in go can potentially be used for security exploits 
if not used correctly
-# CVE applies to a netapp product as well as flagging a general issue. We 
don't ship anything
-# exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+# epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238
+CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \
+The issue here is spoofing 
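Review bot: the keyword chosen for CVE-2000-0006 does not match its own justification: the description says no resolution is evident and the reference links are broken, which is not an upstream acknowledgement, whereas the status map documents upstream-wontfix as "use when upstream acknowledged the vulnerability but does not plan to fix it". Either pick a keyword that fits or reword the description so the two agree. Also, the removed lines drop the CVE_CHECK_IGNORE entries for CVE-2010-4756, CVE-2020-29509 and CVE-2020-29511, but their replacement CVE_STATUS entries fall outside the part of the hunk visible here; please confirm that every removed ignore gains a status carrying the same reasoning.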

Re: [OE-core][PATCH v9 0/3] CVE-check handling

2023-07-19 Thread Andrej Valek via lists.openembedded.org
Even better,

So I will make one more rebase, just for "[OE-core][PATCH v9 3/3] cve_check:
convert CVE_CHECK_IGNORE to CVE_STATUS"

Regards,
Andrej

On Wed, 2023-07-19 at 11:16 +, Ross Burton wrote:
> On 19 Jul 2023, at 11:54, Richard Purdie 
> wrote:
> > 
> > On Wed, 2023-07-19 at 10:26 +, Valek, Andrej wrote:
> > > Hello,
> > > 
> > > I would like to ask, what's the status here?
> > 
> > I've asked for some people to help review it and I'm waiting on their
> > feedback. FWIW they did promise "this morning" yesterday so they have
> > around 6 minutes!
> 
> I suspect I was that person :). I have no major objections to the patch now.
> 
> Cheers,
> Ross


View/Reply Online (#184580): https://lists.openembedded.org/g/openembedded-core/message/184580



Re: [OE-core][PATCH v9 0/3] CVE-check handling

2023-07-19 Thread Andrej Valek via lists.openembedded.org
Hello,

I would like to ask, what's the status here?

Regards,
Andrej

On Fri, 2023-06-23 at 13:14 +0200, Andrej Valek wrote:
> After discussion in all parallel threads we proposed the following variant, which
> covers both expressed requirements: to have a very small number of different CVE
> statuses and also a very large number of them at the same time.
> This is a compromise version which maybe is not ideal but deals with the
> conflicting responses we got.
> 
> Changes compared to version 8:
>  - moved CVE_CHECK_STATUSMAP into a separate cve-check-map.conf file
>   - this will allow using it without inheriting the cve-check class, like for
> SPDX
> 
> Documentation will be updated in a separate repository.
> 
>  meta/classes/cve-check.bbclass    |  81 +++-
>  meta/conf/bitbake.conf    |   1 +
>  meta/conf/cve-check-map.conf  |  28 ++
>  .../distro/include/cve-extra-exclusions.inc   | 371 +-
>  meta/lib/oe/cve_check.py  |  25 ++
>  meta/lib/oeqa/selftest/cases/cve_check.py |  26 +-
>  meta/recipes-bsp/grub/grub2.inc   |   6 +-
>  meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
>  .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
>  .../bluez5/bluez5_5.66.bb |   4 +-
>  .../openssh/openssh_9.3p1.bb  |   9 +-
>  .../openssl/openssl_3.1.1.bb  |   3 +-
>  meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
>  meta/recipes-core/glibc/glibc_2.37.bb |  17 +-
>  meta/recipes-core/libxml/libxml2_2.10.4.bb    |   4 -
>  meta/recipes-core/systemd/systemd_253.3.bb    |   3 -
>  meta/recipes-devtools/cmake/cmake.inc |   4 +-
>  meta/recipes-devtools/flex/flex_2.6.4.bb  |   6 +-
>  meta/recipes-devtools/gcc/gcc-13.1.inc    |   3 +-
>  meta/recipes-devtools/git/git_2.39.3.bb   |   7 -
>  meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
>  meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
>  .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
>  meta/recipes-devtools/qemu/qemu.inc   |  13 +-
>  meta/recipes-devtools/rsync/rsync_3.2.7.bb    |   3 -
>  meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 -
>  meta/recipes-extended/cpio/cpio_2.14.bb   |   3 +-
>  meta/recipes-extended/cups/cups.inc   |  17 +-
>  .../ghostscript/ghostscript_10.01.1.bb    |   3 +-
>  .../iputils/iputils_20221126.bb   |   5 +-
>  .../libtirpc/libtirpc_1.3.3.bb    |   3 +-
>  .../logrotate/logrotate_3.21.0.bb |   5 +-
>  meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
>  meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
>  meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
>  .../xinetd/xinetd_2.3.15.4.bb |   2 +-
>  meta/recipes-extended/zip/zip_3.0.bb  |   7 +-
>  .../libnotify/libnotify_0.8.2.bb  |   2 +-
>  meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
>  meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
>  .../xorg-xserver/xserver-xorg.inc |  19 +-
>  .../linux/cve-exclusion_6.1.inc   |  11 +-
>  .../libpng/libpng_1.6.39.bb   |   3 +-
>  meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
>  .../libgcrypt/libgcrypt_1.10.2.bb |   4 +-
>  .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
>  meta/recipes-support/lz4/lz4_1.9.4.bb |   3 +-
>  meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
>  48 files changed, 403 insertions(+), 373 deletions(-)
>  create mode 100644 meta/conf/cve-check-map.conf
> 


View/Reply Online (#184575): https://lists.openembedded.org/g/openembedded-core/message/184575



Re: [OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs

2023-06-23 Thread Andrej Valek via lists.openembedded.org
On Fri, 2023-06-23 at 10:02 +, Ross Burton wrote:
> On 22 Jun 2023, at 13:00, Andrej Valek via lists.openembedded.org
>  wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
> > The CVE_STATUS should contain information about the status, which
> > is decoded into 3 items:
> > - generic status: "Ignored", "Patched" or "Unpatched"
> > - more detailed status enum
> > - description: free text describing the reason for the status
> 
> I think this needs to be clearer about what the intended use of the keywords
> are.
> 
> Is the canonical data the CVE_STATUS[CVE-1234-5678] attribute, and the mapping
> from the status there via CVE_CHECK_STATUSMAP simply for backwards
> compatibility with the existing file format? Is this deprecating the status
> fields in those files or is it just a high-level summary? Either way, that
> should be made clear.
> 
Yes, it's for backport compatibility, and extending the existing "Ignored",
"Patched" statuses with reasons.

> > +# Possible options for CVE statuses
> > +
> > +# used by this class internally when fix is detected (NVD DB version check
> > or CVE patch file)
> > +CVE_CHECK_STATUSMAP[patched] = "Patched"
> > +# use when this class does not detect backported patch (e.g. vendor kernel
> > repo with cherry-picked CVE patch)
> > +CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
> > +# use when NVD DB does not mention patched versions of stable/LTS branches
> > which have upstream CVE backports
> > +CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
> > +# use when NVD DB does not mention correct version or does not mention any
> > verion at all
> > +CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
> 
> It bothers me that some of these status flags are working around the fact that
> the CPE is incorrect, when that CPE data can be fixed.  Instead of setting
> fixed-version, we can just mail NIST and fix the CPE.
> 
Yes, but while you're sending it, the current status has to be covered. And you
don't know if the CPE will be fixed or not.
> > +# used internally by this class if CVE vulnerability is detected which is
> > not marked as fixed or ignored
> > +CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
> > +# use when CVE is confirmed by upstream but fix is still not available
> > +CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
> > +
> > +# used for migration from old concept, do not use for new vulnerabilities
> > +CVE_CHECK_STATUSMAP[ignored] = "Ignored"
> > +# use when NVD DB wrongly indicates vulnerability which is actually for a
> > different component
> > +CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
> > +# use when upstream does not accept the report as a vulnerability (e.g.
> > works as designed)
> > +CVE_CHECK_STATUSMAP[disputed] = "Ignored"
> > +# use when vulnerability depends on build or runtime configuration which is
> > not used
> > +CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
> > +# use when vulnerability affects other platform (e.g. Windows or Debian)
> > +CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
> 
> > +# use when upstream acknowledged the vulnerability but does not plan to fix
> > it
> > +CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
> 
> Is this any different to ‘disputed’?
> 
Of course. In the "upstream-wontfix" status, we know that it won't be fixed.
But for "disputed" you don't know if it's a bug or not.

> Do we expect to add a lot more statuses to this table, or for users to add
> their own values? It feels like maybe this should be a dict in
> lib/oe/cve_check.py instead of exposed in the data store.
> 
Exactly, now I moved it to a separate file, where users could extend it with their own
statuses. The current version is just a "basement" of the supported ones.

> > +    # Process CVE_STATUS_GROUPS to set multiple statuses and optional
> > detail or description at once
> > +    for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
> > +    cve_group = d.getVar(cve_status_group)
> > +    if cve_group is not None:
> > +    for cve in cve_group.split():
> > +    d.setVarFlag("CVE_STATUS", cve,
> > d.getVarFlag(cve_status_group, "status"))
> > +    else:
> > +    bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" %
> > cve_status_group)
> > +}
> 
> CVE_STATUS_GROUPS isn’t documented in the class or the commit message.
> 
Added a description directly into the class.
> 

Regards,
Andrej


View/Reply Online (#183325): https://lists.openembedded.org/g/openembedded-core/message/183325



[OE-core][PATCH v9 2/3] oeqa/selftest/cve_check: rework test to new cve status handling

2023-06-23 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information for assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++
 .../logrotate/logrotate_3.21.0.bb |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"detail" : issue["detail"] if "detail" in issue else "",
+"description" : issue["description"] if "description" in 
issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 
0)
+detail = "not-applicable-platform"
+description = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1548"]["description"], 
description)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1549"]["description"], 
description)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1550"]["description"], 
description)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
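Review bot: the `issue["detail"] if "detail" in issue else ""` and matching description expression at the top of the hunk are exactly what `issue.get("detail", "")` does; the shorter form reads the same. The three identical assertion triples for CVE-2011-1548, -1549 and -1550 could be one loop over the three ids so that a further platform-specific CVE costs one list entry instead of four lines. The test also covers only the Patched case with empty detail and description and the Ignored case with a valid keyword; there is no case for a detail keyword that is not in the map (the "fallback to Unpatched" path), which is precisely the path the autobuilder warnings in the v7 thread hit.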
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or 
SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
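Review bot: CVE_STATUS_RECIPE is a generic group name; the class comment in 1/3 uses purpose-named groups (CVE_STATUS_WIN, CVE_STATUS_PATCHED), and a name such as CVE_STATUS_LOGROTATE_PLATFORM would not collide with a same-named group defined by a bbappend or an included .inc that also sets CVE_STATUS_GROUPS. The removed comment survives as the description text, so no information is lost in the conversion itself.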
-- 
2.41.0


View/Reply Online (#183323): https://lists.openembedded.org/g/openembedded-core/message/183323



[OE-core][PATCH v9 0/3] CVE-check handling

2023-06-23 Thread Andrej Valek via lists.openembedded.org
After discussion in all parallel threads we proposed the following variant, which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.

Changes compared to version 8:
 - moved CVE_CHECK_STATUSMAP into a separate cve-check-map.conf file
  - this will allow using it without inheriting the cve-check class, like for
SPDX

Documentation will be updated in a separate repository.

 meta/classes/cve-check.bbclass|  81 +++-
 meta/conf/bitbake.conf|   1 +
 meta/conf/cve-check-map.conf  |  28 ++
 .../distro/include/cve-extra-exclusions.inc   | 371 +-
 meta/lib/oe/cve_check.py  |  25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py |  26 +-
 meta/recipes-bsp/grub/grub2.inc   |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb |   4 +-
 .../openssh/openssh_9.3p1.bb  |   9 +-
 .../openssl/openssl_3.1.1.bb  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb|   4 -
 meta/recipes-core/systemd/systemd_253.3.bb|   3 -
 meta/recipes-devtools/cmake/cmake.inc |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb  |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc|   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb   |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc   |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb|   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb   |   3 +-
 meta/recipes-extended/cups/cups.inc   |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb|   3 +-
 .../iputils/iputils_20221126.bb   |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb|   3 +-
 .../logrotate/logrotate_3.21.0.bb |   5 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb  |   7 +-
 .../libnotify/libnotify_0.8.2.bb  |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc |  19 +-
 .../linux/cve-exclusion_6.1.inc   |  11 +-
 .../libpng/libpng_1.6.39.bb   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.2.bb |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 48 files changed, 403 insertions(+), 373 deletions(-)
 create mode 100644 meta/conf/cve-check-map.conf

-- 
2.41.0


View/Reply Online (#183321): https://lists.openembedded.org/g/openembedded-core/message/183321



[OE-core][PATCH v9 1/3] cve-check: add option to add additional patched CVEs

2023-06-23 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 meta/classes/cve-check.bbclass | 81 --
 meta/conf/bitbake.conf |  1 +
 meta/conf/cve-check-map.conf   | 28 
 meta/lib/oe/cve_check.py   | 25 +++
 4 files changed, 122 insertions(+), 13 deletions(-)
 create mode 100644 meta/conf/cve-check-map.conf

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..55e3baf1ed 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,28 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on 
Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# Settings the same status and reason for multiple CVEs is possible
+# via CVE_STATUS_GROUPS variable.
+#
+# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
+#
+# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003"
+# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on 
Windows"
+# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004"
+# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally"
+#
+# All possible CVE statuses could be found in cve-check-map.conf
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
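Review bot: two wording fixes in the new comment block: "Each of CVE has to be mentioned separately" reads better as "Each CVE has to be listed separately", and "Settings the same status and reason" should be "Setting the same status and reason". The comment also never says what happens when the detail keyword before the colon is not present in CVE_CHECK_STATUSMAP; the autobuilder warnings quoted in the v7 thread show the class downgrades such a CVE to Unpatched with a warning, and one sentence stating that here would save users a trip to the build log.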
 # Layers to be excluded
@@ -88,6 +104,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail 
or description at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+cve_group = d.getVar(cve_status_group)
+if cve_group is not None:
+for cve in cve_group.split():
+d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, 
"status"))
+else:
+bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % 
cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
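Review bot: in the CVE_CHECK_IGNORE fallback, `d.getVar("CVE_CHECK_IGNORE")` is read a second time in the for loop although `cve_check_ignore` already holds the value; iterating over `cve_check_ignore.split()` avoids the duplicate lookup. In the group loop, `d.getVarFlag(cve_status_group, "status")` is stored without a None check, so a group whose [status] flag is missing or misspelled silently writes a None status for every CVE in the group; a bb.warn plus `continue` for that case would match the handling already given to an undefined group variable. It is also worth a comment that the migration keyword "ignored" carries no description, so entries converted from CVE_CHECK_IGNORE show an empty reason in the report.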
@@ -260,7 +294,7 @@ def check_cves(d, patched_cves):
 """
 Connect to the NVD database and find unpatched cves.
 """
-from oe.cve_check import Version, convert_cve_version
+from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
 pn = d.getVar("PN")
 real_pv = d.getVar("PV")
@@ -282,7 +316,12 @@ def check_cves(d, patched_cves):
 bb.note("Recipe has been skipped by cve-check")
 return ([], [], [], [])
 
-cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+# Convert CVE_STATUS into ignored CVEs and check validity
+cve_ignore = []
+for cve in (d.getVarFlags("CVE_STATUS") or {}):
+decoded_status, _, _ = decode_cve_status(d, cve)
+if decoded_status == "Ignored":
+cve_ignore.append(cve)
 
 import sqlite3
 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
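Review bot: the new comment says "and check validity", but this loop only collects CVEs decoded as Ignored; any invalid detail keyword is warned about and downgraded inside decode_cve_status, which is not in this hunk. Either drop the "check validity" wording or say that the validity warning comes from decode_cve_status. The replaced `d.getVar("CVE_CHECK_IGNORE").split()` would have raised AttributeError on an unset variable; the `or {}` guard on `d.getVarFlags("CVE_STATUS")` in the new form handles a recipe with no statuses at all, which is an improvement worth keeping.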
@@ -413,6 +452,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, 
cve_data):
 CVE manifest if enabled.
 """
 
+from oe.cve_check import decode_cve_status
+
 cve_file = d.getVar("CVE_CHECK_LOG")
 fdir_name  = d.getVar("FILE_DIRNAME")
 layer = fdir_name.split("/")[-3]
@@ -441,20 +482,27 @@ def cve_write_data_text(d, patched, 
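As an added example that is not part of this patch or of OE-core, the following stand-alone Python models the CVE_STATUS handling this commit message describes and the v8 review above discusses (keyword to generic status through CVE_CHECK_STATUSMAP, CVE_STATUS_GROUPS expansion, CVE_CHECK_IGNORE fallback) and reproduces the "Invalid detail ..., fallback to Unpatched" warnings seen when do_create_spdx ran without the status map loaded. DataStore is a hypothetical stand-in for BitBake's `d`, and the map is a constructed copy of the keywords quoted in the thread, not the class's own code.

```python
# Added example, not OE-core code: a stand-alone model of how CVE_STATUS values
# are collected (CVE_CHECK_IGNORE fallback, CVE_STATUS_GROUPS expansion) and
# decoded through CVE_CHECK_STATUSMAP. DataStore is a hypothetical stand-in for
# BitBake's datastore `d`; the map is a constructed copy of the keywords quoted
# from cve-check-map.conf in the review thread.

CVE_CHECK_STATUSMAP = {
    "patched": "Patched", "backported-patch": "Patched",
    "cpe-stable-backport": "Patched", "fixed-version": "Patched",
    "unpatched": "Unpatched", "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored", "cpe-incorrect": "Ignored", "disputed": "Ignored",
    "not-applicable-config": "Ignored", "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}


class DataStore:
    """Hypothetical minimal stand-in for BitBake's `d`: variables and var flags."""

    def __init__(self, variables=None, flags=None):
        self.vars = dict(variables or {})
        self.flags = {name: dict(f) for name, f in (flags or {}).items()}

    def getVar(self, name):
        return self.vars.get(name)

    def getVarFlag(self, name, flag):
        return self.flags.get(name, {}).get(flag)

    def setVarFlag(self, name, flag, value):
        self.flags.setdefault(name, {})[flag] = value

    def getVarFlags(self, name):
        return self.flags.get(name)


def migrate_cve_status(d, warn=print):
    """Model of the anonymous python() block in patch 1/3: fold the deprecated
    CVE_CHECK_IGNORE list and each CVE_STATUS_GROUPS group into CVE_STATUS flags.
    Returns how many CVE_STATUS flags were written."""
    written = 0
    cve_check_ignore = (d.getVar("CVE_CHECK_IGNORE") or "").split()
    if cve_check_ignore:
        warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
    for cve in cve_check_ignore:
        d.setVarFlag("CVE_STATUS", cve, "ignored")  # migration keyword, no reason
        written += 1
    for group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
        cves = d.getVar(group)
        if cves is None:
            warn("CVE_STATUS_GROUPS contains undefined variable %s" % group)
            continue
        status = d.getVarFlag(group, "status")
        if status is None:  # stricter than the patch, which would store None
            warn("%s has no [status] flag, its CVEs get no CVE_STATUS" % group)
            continue
        for cve in cves.split():
            d.setVarFlag("CVE_STATUS", cve, status)
            written += 1
    return written


def decode_cve_status(d, cve, statusmap, warn=print):
    """Split "detail: description" and map the keyword through statusmap to
    Patched, Unpatched or Ignored. An unknown keyword falls back to Unpatched
    with the warning format seen in the autobuilder logs of the v7 thread."""
    value = d.getVarFlag("CVE_STATUS", cve)
    if not value:
        return ("", "", "")
    detail, _, description = value.partition(":")
    detail, description = detail.strip(), description.strip()
    status = statusmap.get(detail)
    if status is None:
        warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched'
             % (detail, cve, value))
        status = "Unpatched"
    return (status, detail, description)


def ignored_cves(d, statusmap, warn=print):
    """Model of the check_cves() change: CVEs whose decoded status is Ignored."""
    return sorted(cve for cve in (d.getVarFlags("CVE_STATUS") or {})
                  if decode_cve_status(d, cve, statusmap, warn)[0] == "Ignored")


def example_datastore():
    """Constructed recipe data from values quoted in the thread; CVE_STATUS_TYPO
    is deliberately left undefined to exercise the group warning."""
    return DataStore(
        variables={"CVE_CHECK_IGNORE": "CVE-2014-2524",
                   "CVE_STATUS_GROUPS": "CVE_STATUS_WIN CVE_STATUS_PATCHED CVE_STATUS_TYPO",
                   "CVE_STATUS_WIN": "CVE-1234-0001 CVE-1234-0003",
                   "CVE_STATUS_PATCHED": "CVE-1234-0002 CVE-1234-0004"},
        flags={"CVE_STATUS_WIN": {"status": "not-applicable-platform: Issue only applies on Windows"},
               "CVE_STATUS_PATCHED": {"status": "fixed-version: Fixed externally"},
               "CVE_STATUS": {"CVE-2017-5957": "cpe-incorrect: Applies against virglrender < 0.6.0 and not qemu itself"}})
```

Passing an empty map to `decode_cve_status` or `ignored_cves` reproduces the do_create_spdx situation from the v7 thread: every keyword is reported as invalid and the CVE is downgraded to Unpatched.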

Re: [OE-core][PATCH v7 0/3] CVE-check handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
OK,

Now I know what the problem is. SPDX files are being created without inheriting the
cve-check class.

Regards,
Andrej

On Thu, 2023-06-22 at 15:59 +0200, Valek Andrej wrote:
> Hello Luca,
> 
> I wanted to check the logs, but it requires a login/password. Would it be
> possible to send a link where it is not required? Maybe here
> https://autobuilder.yoctoproject.org/typhoon/#/ ?
> 
> Regards,
> Andrej
> 
> On Thu, 2023-06-22 at 15:55 +0200, Luca Ceresoli wrote:
> > Hello Andrej,
> > 
> > On Thu, 22 Jun 2023 13:50:32 +0000
> > "Andrej Valek via lists.openembedded.org"
> >  wrote:
> > 
> > > Hello Luca,
> > > 
> > > How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
> > > didn't print any warning. Should I build an image?
> > 
> > I don't know how to reproduce _exactly_ the build environment of the
> > autobuilders, however the logs have some good hints (click the "stdio"
> > links in the page at the URL I provided). E.g. for the qemuarm64
> > builder it says:
> > 
> > Running '. ./oe-init-build-env; bitbake core-image-sato core-image-sato-sdk
> > core-image-minimal core-image-minimal-dev core-image-sato:do_populate_sdk -
> > k'
> > ...
> > MACHINE = "qemuarm64"
> > DISTRO = "poky"
> > ...and more settings you might want to put in your local.conf...
> > 
> > So you may try that.
> > 
> > Luca
> > 
> 


View/Reply Online (#183246): https://lists.openembedded.org/g/openembedded-core/message/183246



Re: [OE-core][PATCH v7 0/3] CVE-check handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
Hello Luca,

I wanted to check the logs, but it requires a login/password. Would it be
possible to send a link where it is not required? Maybe here
https://autobuilder.yoctoproject.org/typhoon/#/ ?

Regards,
Andrej

On Thu, 2023-06-22 at 15:55 +0200, Luca Ceresoli wrote:
> Hello Andrej,
> 
> On Thu, 22 Jun 2023 13:50:32 +0000
> "Andrej Valek via lists.openembedded.org"
>  wrote:
> 
> > Hello Luca,
> > 
> > How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
> > didn't print any warning. Should I build an image?
> 
> I don't know how to reproduce _exactly_ the build environment of the
> autobuilders, however the logs have some good hints (click the "stdio"
> links in the page at the URL I provided). E.g. for the qemuarm64
> builder it says:
> 
> Running '. ./oe-init-build-env; bitbake core-image-sato core-image-sato-sdk
> core-image-minimal core-image-minimal-dev core-image-sato:do_populate_sdk -k'
> ...
> MACHINE = "qemuarm64"
> DISTRO = "poky"
> ...and more settings you might want to put in your local.conf...
> 
> So you may try that.
> 
> Luca
> 


View/Reply Online (#183244): https://lists.openembedded.org/g/openembedded-core/message/183244



Re: [OE-core][PATCH v7 0/3] CVE-check handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
Hello Luca,

How can I reproduce it? I've executed "bitbake qemu -c create_spdx" but it
didn't print any warning. Should I build an image?

Regards,
Andrej

On Thu, 2023-06-22 at 14:42 +0200, Luca Ceresoli wrote:
> Hello Andrej,
> 
> On Thu, 22 Jun 2023 08:59:02 +0200
> "Andrej Valek via lists.openembedded.org"
>  wrote:
> 
> > After discussion in all parallel threads we proposed the following variant
> > which covers both expressed requirements to have a very small number of
> > different CVE statuses and also a very large number of them at the same
> > time.
> > This is a compromise version which maybe is not ideal but deals with
> > conflicting responses we got.
> > 
> > Changes compared to version 6:
> >  - added conversion from CVE_CHECK_IGNORE to CVE_STATUS
> >  - added comments for all statuses
> >  - dropped "not-affected" status
> >   - conversion showed that it is not very useful
> >  - added "disputed" status
> > 
> > Documentation will be updated in a separate repository.
> 
> This patchset generates a lot of warnings when run on the autobuilders.
> Here are a few:
> 
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2017-5957] = "cpe-incorrect: Applies against virglrender <
> 0.6.0 and not qemu itself", fallback to Unpatched
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-config
> for CVE_STATUS[CVE-2007-0998] = "not-applicable-config: The VNC server can
> expose host files uder some circumstances. We don't enable it by default.",
> fallback to Unpatched
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail disputed for
> CVE_STATUS[CVE-2018-18438] = "disputed: The issues identified by this CVE were
> determined to not constitute a vulnerability.", fallback to Unpatched
> NOTE: recipe python3-calver-2022.6.26-r0: task do_create_runtime_spdx:
> Succeeded
> WARNING: qemu-8.0.0-r0 do_create_spdx: Invalid detail not-applicable-platform
> for CVE_STATUS[CVE-2023-0664] = "not-applicable-platform: Issue only applies
> on Windows", fallback to Unpatched
> 
> WARNING: cpio-2.14-r0 do_create_spdx: Invalid detail not-applicable-platform
> for CVE_STATUS[CVE-2010-4226] = "not-applicable-platform: Issue applies to use
> of cpio in SUSE/OBS", fallback to Unpatched
> 
> WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2022-3563] = "cpe-incorrect: This issues have kernel fixes
> rather than bluez fixes", fallback to Unpatched
> WARNING: bluez5-5.66-r0 do_create_spdx: Invalid detail cpe-incorrect for
> CVE_STATUS[CVE-2022-3637] = "cpe-incorrect: This issues have kernel fixes
> rather than bluez fixes", fallback to Unpatched
> 
> For a more complete list you can look at the build page:
> https://swatbot.yoctoproject.org/collection/17294/
> 
> All/most of the warnings are about CVEs.
> 
> I haven't looked in detail at what is the intended behavior of your
> patch set, however I'm removing it from my testing branch for the time
> being.
> 
> Best regards,
> Luca
> 





[OE-core][PATCH v8 1/3] cve-check: add option to add additional patched CVEs

2023-06-22 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 meta/classes/cve-check.bbclass | 99 +-
 meta/lib/oe/cve_check.py   | 25 +
 2 files changed, 111 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..4eb6dff7de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,48 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on 
Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or 
CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel 
repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches 
which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any 
verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not 
marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a 
different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works 
as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is 
not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
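Review bot: the CVE_CHECK_STATUSMAP comment block never says what happens when a CVE_STATUS detail is not one of these keys, and that is the case that matters here: the do_create_spdx warnings quoted earlier in this thread ("Invalid detail cpe-incorrect ... fallback to Unpatched") reject details this very table declares, so the two classes are consulting different lists. State the shared fallback in the comment (Unpatched, never Patched or Ignored) and that this map is the single source of truth for valid details. Wording: "verion" above CVE_CHECK_STATUSMAP[fixed-version] should be "version", and "Each of CVE has to be mentioned separately" reads better as "Each CVE has to be listed separately".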
@@ -88,6 +122,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail 
or description at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+cve_group = d.getVar(cve_status_group)
+if cve_group is not None:
+for cve in cve_group.split():
+d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, 
"status"))
+else:
+bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % 
cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
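Review bot: in the CVE_STATUS_GROUPS loop the result of d.getVarFlag(cve_status_group, "status") is never checked, so a group variable that lists CVEs but has no [status] flag writes None into CVE_STATUS for each of them with no warning, while the undefined-variable case right next to it does warn; fetch the flag once and guard it, e.g. `status = d.getVarFlag(cve_status_group, "status")` followed by `if not status: bb.warn(...)` before the inner loop. Minor: the CVE_CHECK_IGNORE loop re-reads d.getVar("CVE_CHECK_IGNORE") although cve_check_ignore already holds the value.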
@@ -260,7 +312,7 @@ def check_cves(d, patched_cves):
 """
 Connect to the NVD database and 
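The decoding the commit message describes, as an added example that is not OE-core code: a CVE_STATUS value is split into detail and description, the detail is looked up in a CVE_CHECK_STATUSMAP-style table to get the generic status, and the legacy CVE_CHECK_IGNORE list and CVE_STATUS_GROUPS are folded in first. The BitBake datastore is modelled as plain dicts, the CVE id regex is an assumption not in the patch, and the fallback for an unknown detail is worded like the autobuilder warnings quoted in this thread.

```python
import re

# Constructed copy of the CVE_CHECK_STATUSMAP table from the patch: detail enum
# on the left, generic status ("Patched", "Unpatched", "Ignored") on the right.
STATUSMAP = {
    "patched": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "unpatched": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}

# Assumption added here (the patch does not validate ids): CVE-<year>-<4+ digits>.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def decode_cve_status(value):
    """Split "detail: description" into (detail, description).  The description
    is optional, so the migrated value "ignored" decodes to ("ignored", "");
    only the first colon separates, a colon inside the free text is kept."""
    detail, _sep, description = value.partition(":")
    return detail.strip(), description.strip()


def resolve_status(cve, value, statusmap=STATUSMAP, warnings=None):
    """Return (generic_status, detail, description) for one CVE_STATUS entry.
    A detail missing from the map falls back to "Unpatched" and records a
    warning worded like the autobuilder log quoted in the thread; Unpatched is
    the safe direction, a misspelled detail can never hide a finding."""
    detail, description = decode_cve_status(value)
    status = statusmap.get(detail)
    if status is None:
        if warnings is not None:
            warnings.append('Invalid detail %s for CVE_STATUS[%s] = "%s", '
                            "fallback to Unpatched" % (detail, cve, value))
        status = "Unpatched"
    return status, detail, description


def migrate_legacy(cve_status, cve_check_ignore="", cve_status_groups="",
                   variables=None, flags=None, warnings=None):
    """Model of the anonymous python function in the patch, on plain dicts:
    cve_status        dict standing in for the CVE_STATUS flags, updated in place
    cve_check_ignore  deprecated space separated CVE ids, each becomes "ignored"
    cve_status_groups group variable names; variables[name] lists the group's
                      CVE ids, flags[name]["status"] is their shared value
    Added check: a group without a [status] flag is reported, not written as None."""
    variables = variables or {}
    flags = flags or {}
    for cve in cve_check_ignore.split():
        if not CVE_ID_RE.match(cve):
            if warnings is not None:
                warnings.append("CVE_CHECK_IGNORE: malformed id %r skipped" % cve)
            continue
        cve_status[cve] = "ignored"
    for group in cve_status_groups.split():
        members = variables.get(group)
        status = flags.get(group, {}).get("status")
        if members is None or status is None:
            if warnings is not None:
                warnings.append("CVE_STATUS_GROUPS: %s is undefined or has no "
                                "[status] flag" % group)
            continue
        for cve in members.split():
            cve_status[cve] = status
    return cve_status


def summarize(cve_status, statusmap=STATUSMAP):
    """Resolve every entry: ({cve: (status, detail, description)}, warnings)."""
    warnings = []
    resolved = {cve: resolve_status(cve, value, statusmap, warnings)
                for cve, value in sorted(cve_status.items())}
    return resolved, warnings


if __name__ == "__main__":
    # Constructed recipe data from the examples in the patch (group as in logrotate).
    status = migrate_legacy(
        {"CVE-1234-0001": "not-applicable-platform: Issue only applies on Windows",
         "CVE-1234-0002": "fixed-version: Fixed externally"},
        cve_check_ignore="CVE-2014-2524 CVE-2018-1234",
        cve_status_groups="CVE_STATUS_RECIPE",
        variables={"CVE_STATUS_RECIPE": "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"},
        flags={"CVE_STATUS_RECIPE": {"status": "not-applicable-platform: distro specific"}})
    for cve, (generic, detail, desc) in summarize(status)[0].items():
        print("%-14s %-9s %-24s %s" % (cve, generic, detail, desc))
    # A shorter map, like the one the do_create_spdx warnings in the thread imply,
    # rejects the newer details and reports them the way that log did.
    for line in summarize(status, statusmap={"patched": "Patched", "ignored": "Ignored"})[1]:
        print("WARNING:", line)
```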

[OE-core][PATCH v8 2/3] oeqa/selftest/cve_check: rework test to new cve status handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information about their assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++
 .../logrotate/logrotate_3.21.0.bb |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"detail" : issue["detail"] if "detail" in issue else "",
+"description" : issue["description"] if "description" in 
issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 
0)
+detail = "not-applicable-platform"
+description = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1548"]["description"], 
description)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1549"]["description"], 
description)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1550"]["description"], 
description)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
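Review bot: `issue["detail"] if "detail" in issue else ""` and the matching description line are simply `issue.get("detail", "")` / `issue.get("description", "")`; more importantly the expected description is a second verbatim copy of the text in logrotate_3.21.0.bb, so any rewording of the recipe fails this test for a cosmetic reason. Assert on the detail and a stable leading fragment of the description, or obtain the expected text from the recipe variable instead of duplicating it.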
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or 
SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
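Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` is a plain assignment on what is really a list variable, so a bbappend or distro layer that sets its own group for this recipe either clobbers this one or is clobbered by it, and the losing group's CVEs are reported as if no status had been set; `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` lets several groups coexist.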
-- 
2.41.0





[OE-core][PATCH v8 0/3] CVE-check handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
After discussion in all parallel threads we proposed the following variant
which covers both expressed requirements to have a very small number of
different CVE statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with
conflicting responses we got.

Changes compared to version 7:
 - reverted dropped CVE ignores for lz4 and tiff

Documentation will be updated in a separate repository.

 meta/classes/cve-check.bbclass|  99 -
 .../distro/include/cve-extra-exclusions.inc   | 371 +-
 meta/lib/oe/cve_check.py  |  25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py |  26 +-
 meta/recipes-bsp/grub/grub2.inc   |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb |   4 +-
 .../openssh/openssh_9.3p1.bb  |   9 +-
 .../openssl/openssl_3.1.1.bb  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb|   4 -
 meta/recipes-core/systemd/systemd_253.3.bb|   3 -
 meta/recipes-devtools/cmake/cmake.inc |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb  |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc|   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb   |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc   |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb|   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb   |   3 +-
 meta/recipes-extended/cups/cups.inc   |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb|   3 +-
 .../iputils/iputils_20221126.bb   |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb|   3 +-
 .../logrotate/logrotate_3.21.0.bb |   5 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb  |   7 +-
 .../libnotify/libnotify_0.8.2.bb  |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc |  19 +-
 .../linux/cve-exclusion_6.1.inc   |  11 +-
 .../libpng/libpng_1.6.39.bb   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.2.bb |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb |   3 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 46 files changed, 392 insertions(+), 373 deletions(-)

-- 
2.41.0





[OE-core][PATCH v7 1/3] cve-check: add option to add additional patched CVEs

2023-06-22 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing the reason for the status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 meta/classes/cve-check.bbclass | 99 +-
 meta/lib/oe/cve_check.py   | 25 +
 2 files changed, 111 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..4eb6dff7de 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,48 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on 
Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
+# Possible options for CVE statuses
+
+# used by this class internally when fix is detected (NVD DB version check or 
CVE patch file)
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+# use when this class does not detect backported patch (e.g. vendor kernel 
repo with cherry-picked CVE patch)
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+# use when NVD DB does not mention patched versions of stable/LTS branches 
which have upstream CVE backports
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+# use when NVD DB does not mention correct version or does not mention any 
verion at all
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+
+# used internally by this class if CVE vulnerability is detected which is not 
marked as fixed or ignored
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+# use when CVE is confirmed by upstream but fix is still not available
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+# used for migration from old concept, do not use for new vulnerabilities
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+# use when NVD DB wrongly indicates vulnerability which is actually for a 
different component
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+# use when upstream does not accept the report as a vulnerability (e.g. works 
as designed)
+CVE_CHECK_STATUSMAP[disputed] = "Ignored"
+# use when vulnerability depends on build or runtime configuration which is 
not used
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+# use when vulnerability affects other platform (e.g. Windows or Debian)
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# use when upstream acknowledged the vulnerability but does not plan to fix it
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
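Review bot: `Keep CVE_CHECK_IGNORE until other layers migrate to new variables` gives layer maintainers no removal point; name the release in which the variable is dropped. Also, `patched` and `unpatched` are documented as internal, but as far as this hunk shows nothing stops a recipe from writing `CVE_STATUS[CVE-...] = "patched: ..."` to silence a finding without recording a reason; spell out that recipes must use the fixed-version / backported-patch / cpe-stable-backport details, whose descriptions carry the justification.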
@@ -88,6 +122,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail 
or description at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+cve_group = d.getVar(cve_status_group)
+if cve_group is not None:
+for cve in cve_group.split():
+d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, 
"status"))
+else:
+bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % 
cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
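Review bot: bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") runs inside an anonymous python function, so it fires for every recipe that still sets CVE_CHECK_IGNORE on every parse and names none of them; on a layer with many legacy ignores that floods the log and buries the real CVE warnings. Include the recipe in the message, e.g. `bb.warn("%s: CVE_CHECK_IGNORE is deprecated, use CVE_STATUS" % d.getVar("PN"))`, so the output is actionable.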
@@ -260,7 +312,7 @@ def check_cves(d, patched_cves):
 """
 Connect to the NVD database and 

[OE-core][PATCH v7 2/3] oeqa/selftest/cve_check: rework test to new cve status handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
From: Andrej Valek 

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information about their assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++
 .../logrotate/logrotate_3.21.0.bb |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"detail" : issue["detail"] if "detail" in issue else "",
+"description" : issue["description"] if "description" in 
issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 
0)
+detail = "not-applicable-platform"
+description = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1548"]["description"], 
description)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1549"]["description"], 
description)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1550"]["description"], 
description)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
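Review bot: the new assertions exercise only a full "detail: description" value set through a group (CVE-2011-1548 to CVE-2011-1550) and a Patched entry with both fields empty (CVE-2011-1098); there is no case for an entry carrying a detail without a description, nor for a CVE migrated from CVE_CHECK_IGNORE, which the class hunk maps to status "Ignored" with detail "ignored". One additional CVE_STATUS line in the test's configuration for each of those shapes would pin the report format for them too.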
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or 
SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
-- 
2.41.0





[OE-core][PATCH v7 0/3] CVE-check handling

2023-06-22 Thread Andrej Valek via lists.openembedded.org
After discussion in all parallel threads we proposed the following variant
which covers both expressed requirements to have a very small number of
different CVE statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with
conflicting responses we got.

Changes compared to version 6:
 - added conversion from CVE_CHECK_IGNORE to CVE_STATUS
 - added comments for all statuses
 - dropped "not-affected" status
  - conversion showed that it is not very useful
 - added "disputed" status

Documentation will be updated in a separate repository.

 meta/classes/cve-check.bbclass|  99 -
 .../distro/include/cve-extra-exclusions.inc   | 371 +-
 meta/lib/oe/cve_check.py  |  25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py |  26 +-
 meta/recipes-bsp/grub/grub2.inc   |   6 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   3 +-
 .../recipes-connectivity/bind/bind_9.18.15.bb |   2 +-
 .../bluez5/bluez5_5.66.bb |   4 +-
 .../openssh/openssh_9.3p1.bb  |   9 +-
 .../openssl/openssl_3.1.1.bb  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.3.bb  |   4 +-
 meta/recipes-core/glibc/glibc_2.37.bb |  17 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb|   4 -
 meta/recipes-core/systemd/systemd_253.3.bb|   3 -
 meta/recipes-devtools/cmake/cmake.inc |   4 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb  |   6 +-
 meta/recipes-devtools/gcc/gcc-13.1.inc|   3 +-
 meta/recipes-devtools/git/git_2.39.3.bb   |   7 -
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   5 +-
 meta/recipes-devtools/ninja/ninja_1.11.1.bb   |   3 +-
 .../recipes-devtools/python/python3_3.11.3.bb |  13 +-
 meta/recipes-devtools/qemu/qemu.inc   |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb|   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 -
 meta/recipes-extended/cpio/cpio_2.14.bb   |   3 +-
 meta/recipes-extended/cups/cups.inc   |  17 +-
 .../ghostscript/ghostscript_10.01.1.bb|   3 +-
 .../iputils/iputils_20221126.bb   |   5 +-
 .../libtirpc/libtirpc_1.3.3.bb|   3 +-
 .../logrotate/logrotate_3.21.0.bb |   5 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 -
 meta/recipes-extended/shadow/shadow_4.13.bb   |   7 +-
 meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb |   2 +-
 meta/recipes-extended/zip/zip_3.0.bb  |   7 +-
 .../libnotify/libnotify_0.8.2.bb  |   2 +-
 meta/recipes-gnome/librsvg/librsvg_2.56.0.bb  |   3 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc |  19 +-
 .../linux/cve-exclusion_6.1.inc   |  11 +-
 .../libpng/libpng_1.6.39.bb   |   3 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |   9 +-
 .../libgcrypt/libgcrypt_1.10.2.bb |   4 +-
 .../recipes-support/libxslt/libxslt_1.1.38.bb |   4 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb |   3 -
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |   7 -
 46 files changed, 390 insertions(+), 374 deletions(-)

-- 
2.41.0





[OE-core][PATCH v6 2/2] RFC: oeqa/selftest/cve_check: rework test to new cve status handling

2023-06-20 Thread Andrej Valek via lists.openembedded.org
- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain more information about their assigned statuses.
- Add an example conversion in the logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++
 .../logrotate/logrotate_3.21.0.bb |  5 ++--
 2 files changed, 24 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"detail" : issue["detail"] if "detail" in issue else "",
+"description" : issue["description"] if "description" in 
issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 
0)
+detail = "not-applicable-platform"
+description = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1548"]["description"], 
description)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1549"]["description"], 
description)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1550"]["description"], 
description)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..b83f39b129 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or 
SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
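Review bot: `CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"` replaces the old `CVE_CHECK_IGNORE += ...` with a plain assignment, so any CVE_STATUS_GROUPS value set globally (for example in a distro or local conf) is discarded when this recipe is parsed; `CVE_STATUS_GROUPS += "CVE_STATUS_RECIPE"` keeps the previous behaviour of adding to whatever the configuration already provides. Moving the removed comment into the description part of `CVE_STATUS_RECIPE[status]` is good, since the reason now travels with the CVE into the report.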
-- 
2.41.0


View/Reply Online (#183140): https://lists.openembedded.org/g/openembedded-core/message/183140



[OE-core][PATCH v6 1/2] RFC: cve-check: add option to add additional patched CVEs

2023-06-20 Thread Andrej Valek via lists.openembedded.org
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain information about the status, which
is decoded into 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on 
Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 meta/classes/cve-check.bbclass | 86 +-
 meta/lib/oe/cve_check.py   | 25 ++
 2 files changed, 98 insertions(+), 13 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..6710c1d6bb 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,14 +70,35 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on 
Windows"
+# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
 #
+# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+# CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+#
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
+# Possible options for CVE statuses
+CVE_CHECK_STATUSMAP[patched] = "Patched"
+CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
+CVE_CHECK_STATUSMAP[backported-patch] = "Patched"
+CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched"
+
+CVE_CHECK_STATUSMAP[unpatched] = "Unpatched"
+CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched"
+
+CVE_CHECK_STATUSMAP[ignored] = "Ignored"
+CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
+CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
+CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_STATUSMAP[not-affected] = "Ignored"
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
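Review bot: the header comment should say what happens when the detail before the colon is not a key of CVE_CHECK_STATUSMAP (the examples use `not-applicable-platform` and `fixed-version`, but nothing tells a recipe author that a misspelled detail is an error rather than a free-text label), and that the description after the colon is optional. The map also mixes the bare generic names (`patched`, `unpatched`, `ignored`) with specific reasons; a one-line comment saying the bare names are for the case where no finer reason applies would stop recipes from inventing values.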
@@ -88,6 +109,24 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail 
or description at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+cve_group = d.getVar(cve_status_group)
+if cve_group is not None:
+for cve in cve_group.split():
+d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, 
"status"))
+else:
+bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % 
cve_status_group)
+}
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
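Review bot: in the `python ()` function the CVE_CHECK_IGNORE fallback writes `ignored` over any `CVE_STATUS[cve]` flag a recipe already set for the same CVE, so during a migration the less specific legacy value wins; only set the flag when `d.getVarFlag("CVE_STATUS", cve)` is empty. The group loop copies `d.getVarFlag(cve_status_group, "status")` even when that flag is unset, leaving `None` as the status with no message; a `bb.warn` for a group without `[status]` would catch that. Minor: `cve_check_ignore` is already read, so the second `d.getVar("CVE_CHECK_IGNORE")` in the `for` line can reuse it.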
@@ -260,7 +299,7 @@ def check_cves(d, patched_cves):
 """
 Connect to the NVD database and find unpatched cves.
 """
-from oe.cve_check import Version, convert_cve_version
+from oe.cve_check import Version, convert_cve_version, decode_cve_status
 
 pn = d.getVar("PN")
 real_pv = d.getVar("PV")
@@ -282,7 +321,12 @@ def check_cves(d, patched_cves):
 bb.note("Recipe has been skipped by cve-check")
 return ([], [], [], [])
 
-cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+# Convert CVE_STATUS into ignored CVEs and check validity
+cve_ignore = []
+for cve in (d.getVarFlags("CVE_STATUS") or {}):
+decoded_status, _, _ = decode_cve_status(d, cve)
+if decoded_status == "Ignored":
+cve_ignore.append(cve)
 
 import sqlite3
 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
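Review bot: only CVEs whose decoded status is `Ignored` are collected into `cve_ignore` here; the hunk does not show what happens to entries that decode to `Patched` (for example `fixed-version`), and unless they are merged into `patched_cves` elsewhere in the series they will still be reported as Unpatched after the NVD match. Populating a second list in the same loop, or a comment pointing to where that happens, would make the intended handling explicit. Since the old `cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()` line is removed, CVE_CHECK_IGNORE is now honoured only through the anonymous `python ()` fallback; worth a sentence in the commit message.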
@@ -413,6 +457,8 @@ def cve_write_data_text(d, patched, unpatched, ignored, 
cve_data):
 CVE manifest if enabled.
 """
 
+from oe.cve_check import decode_cve_status
+
 cve_file = d.getVar("CVE_CHECK_LOG")
 fdir_name  = d.getVar("FILE_DIRNAME")
 layer = fdir_name.split("/")[-3]
@@ -441,20 +487,27 @@ def 
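To make the CVE_STATUS scheme in this patch (and the report shape the selftest in 2/2 reads back) concrete, here is an added, runnable model of it. It is not code from the patch or from OE-core: FakeDataStore is a constructed stand-in for the BitBake datastore `d` and for bb.warn(), decode_cve_status is my own version because the oe/cve_check.py hunk is not shown here (it warns on an unknown detail and treats the CVE as Unpatched, which is my design choice), and the legacy CVE-1234-0001 entry, the mistyped CVE-1234-0002 entry and the NVD hits are constructed inputs.

```python
# Added example, not code from the patch or from OE-core: a self-contained model
# of the v6 CVE_STATUS handling. FakeDataStore is a constructed stand-in for the
# BitBake datastore `d` (getVar/getVarFlag/getVarFlags) and for bb.warn().

# Detail -> generic status, copied from the CVE_CHECK_STATUSMAP entries in the hunk.
CVE_CHECK_STATUSMAP = {
    "patched": "Patched", "fixed-version": "Patched",
    "backported-patch": "Patched", "cpe-stable-backport": "Patched",
    "unpatched": "Unpatched", "vulnerable-investigating": "Unpatched",
    "ignored": "Ignored", "cpe-incorrect": "Ignored",
    "not-applicable-platform": "Ignored", "upstream-wontfix": "Ignored",
    "not-applicable-config": "Ignored", "not-affected": "Ignored",
}

class FakeDataStore:
    """Constructed stand-in for the few datastore calls the class code uses."""
    def __init__(self):
        self.vars, self.flags, self.warnings = {}, {}, []
    def setVar(self, name, value): self.vars[name] = value
    def getVar(self, name): return self.vars.get(name)
    def setVarFlag(self, name, flag, value): self.flags.setdefault(name, {})[flag] = value
    def getVarFlag(self, name, flag): return self.flags.get(name, {}).get(flag)
    def getVarFlags(self, name): return self.flags.get(name)
    def warn(self, msg): self.warnings.append(msg)  # stands in for bb.warn()

def apply_cve_status_groups(d):
    """Same steps as the anonymous python () function in the hunk: legacy
    CVE_CHECK_IGNORE entries become CVE_STATUS[cve] = "ignored", then every
    group named in CVE_STATUS_GROUPS copies its [status] flag to each CVE."""
    legacy = d.getVar("CVE_CHECK_IGNORE")
    if legacy:
        d.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
        for cve in legacy.split():
            d.setVarFlag("CVE_STATUS", cve, "ignored")
    for group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
        cves = d.getVar(group)
        if cves is None:
            d.warn("CVE_STATUS_GROUPS contains undefined variable %s" % group)
            continue
        for cve in cves.split():
            d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(group, "status"))

def decode_cve_status(d, cve):
    """Split "detail: description" into (generic status, detail, description).
    My own body (the oe.cve_check hunk is not on the page): an unknown detail
    is warned about and treated as Unpatched, the conservative choice."""
    raw = d.getVarFlag("CVE_STATUS", cve)
    if not raw:
        return ("", "", "")
    detail, _, description = raw.partition(":")
    detail, description = detail.strip(), description.strip()
    generic = CVE_CHECK_STATUSMAP.get(detail)
    if generic is None:
        d.warn('Unknown detail "%s" in CVE_STATUS[%s]; treating as Unpatched'
               % (detail, cve))
        generic = "Unpatched"
    return (generic, detail, description)

def ignored_cves(d):
    """Mirrors the check_cves() hunk: only statuses decoding to Ignored are skipped."""
    return sorted(cve for cve in (d.getVarFlags("CVE_STATUS") or {})
                  if decode_cve_status(d, cve)[0] == "Ignored")

def report_issues(d, found, patched_by_file):
    """Per-CVE entries in the shape the selftest reads from the JSON report:
    CVE_STATUS wins, then CVEs fixed by patches in the recipe, else Unpatched."""
    issues = []
    for cve in sorted(found):
        status, detail, description = decode_cve_status(d, cve)
        if not status:
            status = "Patched" if cve in patched_by_file else "Unpatched"
        issue = {"id": cve, "status": status}
        if detail:
            issue["detail"] = detail
        if description:
            issue["description"] = description
        issues.append(issue)
    return issues

def logrotate_example():
    """Constructed datastore reproducing the logrotate recipe from this series,
    plus one legacy ignore and one mistyped detail to exercise the warnings."""
    d = FakeDataStore()
    d.setVar("CVE_STATUS_GROUPS", "CVE_STATUS_RECIPE")
    d.setVar("CVE_STATUS_RECIPE", "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550")
    d.setVarFlag("CVE_STATUS_RECIPE", "status", "not-applicable-platform: CVE is "
                 "debian, gentoo or SUSE specific on the way logrotate was installed/used")
    d.setVar("CVE_CHECK_IGNORE", "CVE-1234-0001")  # legacy variable (constructed)
    d.setVarFlag("CVE_STATUS", "CVE-1234-0002", "typo-detail: mistyped on purpose")
    apply_cve_status_groups(d)
    found = {"CVE-2011-1098", "CVE-2011-1548", "CVE-1234-0002"}  # constructed NVD hits
    return {
        "ignored": ignored_cves(d),
        "issues": report_issues(d, found, patched_by_file={"CVE-2011-1098"}),
        "warnings": d.warnings,
    }
```

Running `logrotate_example()` yields the three logrotate CVEs plus the legacy entry in the ignore list, a Patched entry for CVE-2011-1098 without detail or description (what the selftest asserts), and the mistyped entry reported as Unpatched together with a warning, so a typo in a recipe surfaces instead of silently hiding a CVE.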

[OE-core][PATCH v6 0/2] RFC: CVE-check handling

2023-06-20 Thread Andrej Valek via lists.openembedded.org
After discussion in all parallel threads we proposed the following variant which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.

This patch version is missing the commit for the CVE_CHECK_IGNORE to CVE_STATUS
conversion as it is a large effort and the current implementation is still in
discussion. Once the concept is agreed, that commit will be added in the next
patchset version.

Documentation is not updated either while the current implementation is still in
discussion.

 meta/classes/cve-check.bbclass| 86 ---
 meta/lib/oe/cve_check.py  | 25 ++
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 --
 .../logrotate/logrotate_3.21.0.bb |  5 +-
 4 files changed, 122 insertions(+), 20 deletions(-)

-- 
2.41.0


View/Reply Online (#183139): https://lists.openembedded.org/g/openembedded-core/message/183139



Re: [OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-06-12 Thread Andrej Valek via lists.openembedded.org
This was sent by mistake, ignore it please.

Andrej

On Mon, 2023-06-12 at 13:57 +0200, Andrej Valek wrote:
> All mentioned CVEs are related to HSTS check feature, which is not
> implemented in version 7.69.1 .
> 
> Signed-off-by: Andrej Valek 
> ---
>  meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/meta/recipes-support/curl/curl_7.69.1.bb b/meta/recipes-
> support/curl/curl_7.69.1.bb
> index 899daf8eac..ea36c0bd3d 100644
> --- a/meta/recipes-support/curl/curl_7.69.1.bb
> +++ b/meta/recipes-support/curl/curl_7.69.1.bb
> @@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 CVE-
> 2021-22926 CVE-2021-229
>  # This CVE issue affects Windows only Hence whitelisting this CVE
>  CVE_CHECK_WHITELIST += "CVE-2021-22897"
>  
> +# HSTS check feature is not implemented
> +CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
> +
>  inherit autotools pkgconfig binconfig multilib_header
>  
>  PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls
> libidn proxy threaded-resolver verbose zlib"


View/Reply Online (#182668): https://lists.openembedded.org/g/openembedded-core/message/182668



[OE-core][PATCH v5 2/2] oeqa/selftest/cve_check: add check for opt "detail" and "description" values

2023-06-12 Thread Andrej Valek via lists.openembedded.org
- After introducing the CVE_STATUS_DETAIL and CVE_STATUS_DESCRIPTION flag
variables, CVEs can contain more information for assigned statuses.
- Add an example conversion in logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 +++
 .../logrotate/logrotate_3.21.0.bb |  7 +++--
 2 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c..60cecd1328 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"detail" : issue["detail"] if "detail" in issue else "",
+"description" : issue["description"] if "description" in 
issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 
0)
+detail = "not-applicable-platform"
+description = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1548"]["description"], 
description)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1549"]["description"], 
description)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+self.assertEqual(found_cves["CVE-2011-1550"]["description"], 
description)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
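Review bot: `issue["detail"] if "detail" in issue else ""` and the matching description line in the `found_cves` loop are `issue.get("detail", "")` / `issue.get("description", "")`. Because of that default the test passes both when the report omits the keys for a Patched CVE and when it emits them empty, so it does not pin down which of the two the JSON format promises; an `assertNotIn("detail", issue)` on the raw issue for CVE-2011-1098 would fix that if omission is the intent.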
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60..48497138be 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,11 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[detail] = "not-applicable-platform"
+CVE_STATUS_RECIPE[description] = "CVE is debian, gentoo or SUSE specific on 
the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
-- 
2.40.1


View/Reply Online (#182667): https://lists.openembedded.org/g/openembedded-core/message/182667



[OE-core][dunfell][PATCH 2/2] curl: whitelists CVE-2022-42915, CVE-2022-42916 and CVE-2022-43551

2023-06-12 Thread Andrej Valek via lists.openembedded.org
All mentioned CVEs are related to HSTS check feature, which is not
implemented in version 7.69.1 .

Signed-off-by: Andrej Valek 
---
 meta/recipes-support/curl/curl_7.69.1.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-support/curl/curl_7.69.1.bb 
b/meta/recipes-support/curl/curl_7.69.1.bb
index 899daf8eac..ea36c0bd3d 100644
--- a/meta/recipes-support/curl/curl_7.69.1.bb
+++ b/meta/recipes-support/curl/curl_7.69.1.bb
@@ -56,6 +56,9 @@ CVE_CHECK_WHITELIST = "CVE-2021-22922 CVE-2021-22923 
CVE-2021-22926 CVE-2021-229
 # This CVE issue affects Windows only Hence whitelisting this CVE
 CVE_CHECK_WHITELIST += "CVE-2021-22897"
 
+# HSTS check feature is not implemented
+CVE_CHECK_WHITELIST += "CVE-2022-42915 CVE-2022-42916 CVE-2022-43551"
+
 inherit autotools pkgconfig binconfig multilib_header
 
 PACKAGECONFIG ??= "${@bb.utils.filter('DISTRO_FEATURES', 'ipv6', d)} gnutls 
libidn proxy threaded-resolver verbose zlib"
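Review bot: the comment `# HSTS check feature is not implemented` should name the curl release that introduced HSTS, so that whoever bumps the dunfell recipe later knows at which version these three whitelist entries stop being valid; the commit message only gives 7.69.1 as the current version. Tying the exclusion to a version also matches the existing entry above it, which records why CVE-2021-22897 is excluded.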
-- 
2.39.2


View/Reply Online (#182666): https://lists.openembedded.org/g/openembedded-core/message/182666



[OE-core][PATCH v5 1/2] cve-check: add option to add additional patched CVEs

2023-06-12 Thread Andrej Valek via lists.openembedded.org
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_DETAIL] +
[CVE_STATUS_DESCRIPTION] to be more flexible. CVE_STATUS should
contain a flag for each CVE with accepted values "Ignored", "Patched"
or "Unpatched". It allows adding a status for each CVE.
- Optional CVE_STATUS_DETAIL flag variable may contain a detailed
status. Possible options for each status:
- Patched
 - fixed-version, backported-patch, cpe-stable-backport or other
- Unpatched
 - vulnerable-investigating or other
- Ignored
 - cpe-incorrect, not-applicable-platform, upstream-wontfix
   not-applicable-config, not-affected or other
- Optional CVE_STATUS_DESCRIPTION flag variable may contain a reason
why the CVE status was used. Both optionals will be added to the csv/json
report as new "detail" and "description" entries.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
CVE_STATUS[CVE-1234-0002] = "Ignored"
CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Ignored"
CVE_STATUS_DETAIL[detail] = "not-applicable-platform"
CVE_STATUS_WIN[description] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_DETAIL[detail] = "fixed-version"
CVE_STATUS_PATCHED[description] = "Fixed externally"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 meta/classes/cve-check.bbclass | 89 +-
 meta/lib/oe/cve_check.py   |  6 +++
 2 files changed, 83 insertions(+), 12 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445..62676ba5bc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,16 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional detail and description for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"
+# CVE_STATUS[CVE-1234-0002] = "Ignored"
+# CVE_STATUS_DETAIL[CVE-1234-0002] = "not-applicable-platform"
+# CVE_STATUS_DESCRIPTION[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
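Review bot: the comment says each CVE "has to be mentioned separately", but this same patch adds CVE_STATUS_GROUPS for setting a status, detail and description on several CVEs at once, which is the form the logrotate recipe in 2/2 uses; the header comment should document the group variables as well. The example `CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Patched" or "Unpatched"` could also note that the three values are compared as exact strings, since the code below tests `status == "Patched"` literally.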
@@ -88,6 +92,47 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail 
or description at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+cve_group = d.getVar(cve_status_group)
+if cve_group is not None:
+set_cves_statuses(d, cve_group,
+  d.getVarFlag(cve_status_group, "status"),
+  d.getVarFlag(cve_status_group, "detail"),
+  d.getVarFlag(cve_status_group, "description"))
+else:
+bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % 
cve_status_group)
+}
+
+def set_cves_statuses(d, cves, status, detail="", description=""):
+for cve in cves.split():
+d.setVarFlag("CVE_STATUS", cve, status)
+d.setVarFlag("CVE_STATUS_DETAIL", cve, detail)
+d.setVarFlag("CVE_STATUS_DESCRIPTION", cve, description)
+
+def get_cve_detail(d, cve, status):
+detail = d.getVarFlag("CVE_STATUS_DETAIL", cve)
+if detail is not None:
+if status == "Patched":
+if detail in ["fixed-version", "backported-patch", 
"cpe-stable-backport", "other"]:
+return detail
+elif status == "Unpatched":
+if detail in ["vulnerable-investigating", "other"]:
+return detail
+else:
+if detail in ["cpe-incorrect", "not-applicable-platform", 
"upstream-wontfix",
+
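Review bot: `set_cves_statuses` writes the `CVE_STATUS_DETAIL` and `CVE_STATUS_DESCRIPTION` flags unconditionally, so a group without a `[detail]` flag passes `None` through `d.getVarFlag(cve_status_group, "detail")` and clears any detail the recipe set for that CVE directly; skip the flag when the value is empty. In `get_cve_detail`, a detail that is not in the allowed list for its status (a typo such as `backported_patch` with an underscore) falls off the end of the `if` chain in the visible branches and is silently dropped from the report, which is exactly the case a maintainer would want a `bb.warn` for. The CVE_CHECK_IGNORE fallback also runs before the groups loop, so a later group overrides a legacy ignore entry without any message.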

[OE-core][PATCH v5 0/2] CVE-check handling

2023-06-12 Thread Andrej Valek via lists.openembedded.org
After discussion in all parallel threads we proposed the following variant which
covers both expressed requirements: to have a very small number of different CVE
statuses and also a very large number of them at the same time.
This is a compromise version which maybe is not ideal but deals with the
conflicting responses we got.

Please guide us on which direction we need to go to get further with acceptance
of this patch series.
The CVE_CHECK_IGNORE variable is now deprecated in favor of the CVE_STATUS variable.
The variable contains the same values as before ("Ignored", "Patched"
and "Unpatched"). The previous implementation has been extended by two
additional optional variables, CVE_STATUS_DETAIL and CVE_STATUS_DESCRIPTION.

 meta/classes/cve-check.bbclass| 89 ---
 meta/lib/oe/cve_check.py  |  6 ++
 meta/lib/oeqa/selftest/cases/cve_check.py | 26 --
 .../logrotate/logrotate_3.21.0.bb |  7 +-
 4 files changed, 109 insertions(+), 19 deletions(-)

-- 
2.40.1


View/Reply Online (#182664): https://lists.openembedded.org/g/openembedded-core/message/182664



Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-29 Thread Andrej Valek via lists.openembedded.org
Hello again Richard,

Maybe this email was a little bit unclear..., so I will try to recap it here.
There are 2 open points, where some final decision has to be made.

- Could we rename CVE_STATUS_REASONING -> CVE_STATUS_REASON? The first idea
came from you.
- What is the final enum for CVE_STATUS? I would say "patched" and "ignored".
Afaik, the "not applicable" status also came from you. Should we keep it, or
remove it? Of course all others are just additions which could be
implemented later on request.

So please, take a look at it and make a final decision.

Thank you,
Andrej

On Tue, 2023-05-23 at 10:41 +0200, Valek Andrej wrote:
> Hello Richard,
> 
> Could you please take a look at the latest revision and make a decision there?
> There are still a bunch of unclear statements. So please make a final design and
> we will try to implement it.
> 
> Thank you,
> Andrej
> 
> On Mon, 2023-05-22 at 10:57 +0300, Mikko Rapeli wrote:
> > Hi,
> > 
> > On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote:
> > > I'm missing a status to cover the situation when the NVD (or any other
> > > database) has an incorrect entry. We have quite many of those. This might
> > > be a temporary situation, but not always.
> > > 
> > > SPDX (the 3.0 draft) has some other possible reasons
> > > https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
> > > What looks like interesting ideas are:
> > > * "Can't fix" / "Will not fix"
> > > * "Not applicable" (SPDX language: Ineffective) when the code is not used
> > > * "Invalid match" (this is our NVD mismatch case)
> > > * "Mitigated" measures taken so that it cannot be exploited
> > > * "Workarounded"
> > 
> > To me the SPDX details don't seem very usable when actually maintaining
> > a linux distro for a long time. Anyone from major Linux distro
> > stable/security teams participating in the work?
> > 
> > So I'd rather compare to Debian security tracker CVE status data and ask
> > what our LTS and master branch maintainers and those in the community
> > who maintain yocto based SW stacks need. Do the maintainers want to read
> > SPDX output, for example? What common statuses do the maintainers want to
> > encode for each CVE?
> > 
> > Debian security tracker
> > https://security-team.debian.org/security_tracker.html
> > shows states:
> > 
> >  * vulnerable: binary package with specified version in their distro
> >    version is vulnerable to the issue
> > 
> >  * fixed: binary package in their distro version has fixed the issue
> > 
> >  * undetermined: it is not yet clear if the issue affects Debian and
> >    their version of the packages
> > 
> > And "vulnerable" has sub states:
> > 
> >  * ignored: the issue does not impact Debian packages
> > 
> >  * postponed: no security patch updates will be provided, e.g. such a
> >    minor issue that update will happen for example via normal package
> >    version updates to next stable version
> > 
> > There are a lot of additional "standards" and sub states when looking at
> > CVE data in the tracker (info not public, no upstream fix available, not
> > supported configuration etc), but those major high level states are enough.
> > And then there are security relevant bugs without CVEs.
> > 
> > I've been happy with "Unpatched", "Patched" and "Ignored" states for
> > each CVE detected by cve-check.bbclass. There could be a few more sub
> > states to "Ignored" and the "Patched" state should better reflect reality,
> > which this patch set helps. But I'm happy with that.
> > 
> > I'm not so happy with the SPDX states names and meanings.
> > 
> > Cheers,
> > 
> > -Mikko
> 


View/Reply Online (#181854): https://lists.openembedded.org/g/openembedded-core/message/181854



[OE-core][PATCH v2] busybox: 1.36.0 -> 1.36.1

2023-05-25 Thread Andrej Valek via lists.openembedded.org
- regression on x86 is still in place

Signed-off-by: Andrej Valek 
---
 .../{busybox-inittab_1.36.0.bb => busybox-inittab_1.36.1.bb}| 0
 .../busybox/{busybox_1.36.0.bb => busybox_1.36.1.bb}| 2 +-
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-core/busybox/{busybox-inittab_1.36.0.bb => 
busybox-inittab_1.36.1.bb} (100%)
 rename meta/recipes-core/busybox/{busybox_1.36.0.bb => busybox_1.36.1.bb} (96%)

diff --git a/meta/recipes-core/busybox/busybox-inittab_1.36.0.bb 
b/meta/recipes-core/busybox/busybox-inittab_1.36.1.bb
similarity index 100%
rename from meta/recipes-core/busybox/busybox-inittab_1.36.0.bb
rename to meta/recipes-core/busybox/busybox-inittab_1.36.1.bb
diff --git a/meta/recipes-core/busybox/busybox_1.36.0.bb 
b/meta/recipes-core/busybox/busybox_1.36.1.bb
similarity index 96%
rename from meta/recipes-core/busybox/busybox_1.36.0.bb
rename to meta/recipes-core/busybox/busybox_1.36.1.bb
index 8014a5c7bf..968dce65e4 100644
--- a/meta/recipes-core/busybox/busybox_1.36.0.bb
+++ b/meta/recipes-core/busybox/busybox_1.36.1.bb
@@ -53,4 +53,4 @@ SRC_URI = 
"https://busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
 SRC_URI:append:libc-musl = " file://musl.cfg "
 # TODO http://lists.busybox.net/pipermail/busybox/2023-January/090078.html
 SRC_URI:append:x86 = " file://sha_accel.cfg"
-SRC_URI[tarball.sha256sum] = 
"542750c8af7cb2630e201780b4f99f3dcceeb06f505b479ec68241c1e6af61a5"
+SRC_URI[tarball.sha256sum] = 
"b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314"
-- 
2.40.1


View/Reply Online (#181757): https://lists.openembedded.org/g/openembedded-core/message/181757



Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-23 Thread Andrej Valek via lists.openembedded.org
Hello Richard,

Could you please take a look at the latest revision and make a decision there?
There are still a bunch of unclear statements. So please make a final design and
we will try to implement it.

Thank you,
Andrej

On Mon, 2023-05-22 at 10:57 +0300, Mikko Rapeli wrote:
> Hi,
> 
> On Fri, May 19, 2023 at 03:11:57PM +0200, Marta Rybczynska wrote:
> > I'm missing a status to cover the situation when the NVD (or any other
> > database) has an incorrect entry. We have quite many of those. This might
> > be a temporary situation, but not always.
> > 
> > SPDX (the 3.0 draft) has some other possible reasons
> > https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
> > What looks like interesting ideas are:
> > * "Can't fix" / "Will not fix"
> > * "Not applicable" (SPDX language: Ineffective) when the code is not used
> > * "Invalid match" (this is our NVD mismatch case)
> > * "Mitigated" measures taken so that it cannot be exploited
> > * "Workarounded"
> 
> To me the SPDX details don't seem very usable when actually maintaining
> a linux distro for a long time. Anyone from major Linux distro
> stable/security teams participating in the work?
> 
> So I'd rather compare to Debian security tracker CVE status data and ask
> what our LTS and master branch maintainers and those in the community
> who maintain yocto based SW stacks need. Do the maintainers want to read
> SPDX output, for example? What common statuses do the maintainers want to
> encode for each CVE?
> 
> Debian security tracker https://security-team.debian.org/security_tracker.html
> shows states:
> 
>  * vulnerable: binary package with specified version in their distro
>    version is vulnerable to the issue
> 
>  * fixed: binary package in their distro version has fixed the issue
> 
>  * undetermined: it is not yet clear if the issue affects Debian and
>    their version of the packages
> 
> And "vulnerable" has sub states:
> 
>  * ignored: the issue does not impact Debian packages
> 
>  * postponed: no security patch updates will be provided, e.g. such a
>    minor issue that update will happen for example via normal package
>    version updates to next stable version
> 
> There are a lot of additional "standards" and sub states when looking at
> CVE data in the tracker (info not public, no upstream fix available, not
> supported configuration etc), but those major high level states are enough.
> And then there are security relevant bugs without CVEs.
> 
> I've been happy with "Unpatched", "Patched" and "Ignored" states for
> each CVE detected by cve-check.bbclass. There could be a few more sub
> states to "Ignored" and the "Patched" state should better reflect reality,
> which this patch set helps. But I'm happy with that.
> 
> I'm not so happy with the SPDX states names and meanings.
> 
> Cheers,
> 
> -Mikko


View/Reply Online (#181629): https://lists.openembedded.org/g/openembedded-core/message/181629



Re: [OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-20 Thread Andrej Valek via lists.openembedded.org
Hello Marta,

On Fri, 2023-05-19 at 15:11 +0200, Marta Rybczynska wrote:
Thank you for this work. I think we are going in a good direction. My comments 
in the text.

In general, I would like us to come up with a fixed list of possible statuses
and avoid adding new ones too frequently. Changing them will break my parsing
and status scripts each time.


On Fri, May 19, 2023 at 8:24 AM Andrej Valek via lists.openembedded.org wrote:
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.


I'm missing a status to cover the situation when the NVD (or any other 
database) has an incorrect entry. We have quite many of those. This might be a 
temporary situation, but not always.

SPDX (the 3.0 draft) has some other possible reasons 
https://github.com/spdx/spdx-spec/blob/vulnerability-profile/chapters/profile-vulnerabilities.md
What looks like interesting ideas are:
* "Can't fix" / "Will not fix"
* "Not applicable" (SPDX language: Ineffective) when the code is not used
* "Invalid match" (this is our NVD mismatch case)
* "Mitigated" measures taken so that it cannot be exploited
* "Workarounded"

I would say "Ignored", "Not applicable" or "Patched" are enough, because
everything important is covered. Of course we can extend some keywords in the
future, but we shouldn't confuse users.

There is still one big missing part: related to configuration options. It could 
be used with "Not applicable"/"Ineffective" code, but only in cases where it is 
not possible to activate the code. If the user can switch between 
vulnerable/not vulnerable versions by a packageconfig change or so, this is not 
covered.

Additional question: why CVE_STATUS_REASONING and not CVE_STATUS_REASON? 
(reason variable is used nearly everywhere)

See explanation here: 
https://lists.openembedded.org/g/openembedded-core/message/181551 . Once we 
have a decision, I can change it.


diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..44462de7445 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""

-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
+# CVE_STATUS[CVE-1234-0002] = "Not applicable"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""

 # Layers to be excluded
@@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""

+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
+set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons 
at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+set_cves_statuses(d, d.getVar(cve_status_group) or "",
+  d.getVarFlag(cve_status_group, "status"),
+  d.getVarFlag(cve_status_group, "reason"))
+}
+
+def set_cves_statuses(d, cves, status, reason=""):
+for cve in cves.split():
+d.setVarFlag("CVE_STATUS", cve, status)
+d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
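Review bot: the bb.warn() in the anonymous python block fires once per parsed recipe, not once per build, because anonymous python runs during every recipe's parse; any layer that still sets CVE_CHECK_IGNORE in a distro .conf or .inc (the way cve-extra-exclusions.inc did before 3/3 of this series) will produce one deprecation warning for every recipe in the build. Warn only when the value was set by the recipe itself, or use bb.note until the distro-level users have migrated.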
@@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
 bb.note("Recipe has been skipped by cve-check")
 return ([], [], [], [])

-cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+# Convert CVE

Re: [OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Andrej Valek via lists.openembedded.org
Hello Michael,

I wanted to use "CVE_STATUS_REASON", but it was advised here
https://lists.openembedded.org/g/openembedded-core/message/181037 by Richard, so
I was thinking that it has to be correct.

Regards,
Andrej

On Fri, 2023-05-19 at 15:09 +0200, Michael Opdenacker wrote:
> Hi Andrej,
> 
> On 19.05.23 at 10:18, Andrej Valek via lists.openembedded.org wrote:
> > - Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
> > more flexible. CVE_STATUS should contain a flag for each CVE with accepted
> > values "Ignored", "Not applicable" or "Patched". It allows adding
> > a status for each CVE.
> > - The optional CVE_STATUS_REASONING flag variable may contain a reason
> > why the CVE status was used. It will be added to the csv/json report as
> > a new "reason" entry.
> 
> 
> I'm not a native English speaker, but what about just 
> "CVE_STATUS_REASON" instead of "CVE_STATUS_REASONING"?
> 
> "Reasoning" is a mental process if I understand correctly. See 
> https://www.englishforums.com/English/ReasonVsReasoning/zdgdw/post.htm. 
> It seems to me that the term "reason" should be sufficient, as the 
> "reason" flag that you're using.
> 
> I'd be interested in what others think about this...
> Thanks in advance
> Cheers
> 
> Michael.
> 


View/Reply Online (#181551): 
https://lists.openembedded.org/g/openembedded-core/message/181551



[OE-core][PATCH v4 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- Try to convert and apply statuses for old CVEs
- Drop some obsolete ignores, as they are not relevant for the current
  version

Signed-off-by: Andrej Valek 
Reviewed-by: Peter Marko 
---
 .../distro/include/cve-extra-exclusions.inc   | 281 +++---
 meta/recipes-bsp/grub/grub2.inc   |   9 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   4 +-
 .../recipes-connectivity/bind/bind_9.18.13.bb |   3 +-
 .../bluez5/bluez5_5.66.bb |   6 +-
 .../openssh/openssh_9.3p1.bb  |  12 +-
 .../openssl/openssl_3.1.0.bb  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.1.bb  |   3 +-
 meta/recipes-core/glibc/glibc_2.37.bb |  12 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb|   3 +-
 meta/recipes-core/systemd/systemd_253.3.bb|   4 +-
 meta/recipes-devtools/cmake/cmake.inc |   5 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb  |   3 +-
 meta/recipes-devtools/gcc/gcc-12.2.inc|   3 -
 meta/recipes-devtools/git/git_2.39.2.bb   |  12 +-
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   6 +-
 .../recipes-devtools/python/python3_3.11.2.bb |  18 +-
 meta/recipes-devtools/qemu/qemu.inc   |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb|   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 +-
 meta/recipes-extended/cpio/cpio_2.13.bb   |   4 +-
 meta/recipes-extended/cups/cups.inc   |  24 +-
 .../ghostscript/ghostscript_10.0.0.bb |   3 +-
 .../iputils/iputils_20221126.bb   |   7 +-
 .../libtirpc/libtirpc_1.3.3.bb|   4 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 +-
 meta/recipes-extended/shadow/shadow_4.13.bb   |   8 +-
 meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb |   3 +-
 meta/recipes-extended/zip/zip_3.0.bb  |   8 +-
 .../libnotify/libnotify_0.8.2.bb  |   4 +-
 meta/recipes-gnome/librsvg/librsvg_2.54.5.bb  |   4 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc |  13 +-
 .../linux/cve-exclusion_6.1.inc   |  14 +-
 .../libpng/libpng_1.6.39.bb   |   4 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.1.bb |   6 +-
 .../recipes-support/libxslt/libxslt_1.1.37.bb |   5 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb |   4 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |  13 +-
 41 files changed, 325 insertions(+), 230 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ca75bae3ef..1cb32db814d 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -19,7 +19,8 @@
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
 # broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
+CVE_STATUS[CVE-2000-0006] = "Ignored"
+CVE_STATUS_REASONING[CVE-2000-0006] = "CVE is more than 20 years old with no 
resolution evident."
 
 # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
 # The issue here is spoofing of domain names using characters from other 
character sets.
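Review bot: the new CVE_STATUS_REASONING value repeats the comment directly above it ("CVE is more than 20 years old with no resolution evident"), so the rationale now lives in two places, while the second half of that comment ("broken links in CVE database references make resolution impractical") is the part that does not reach the report. Put the full rationale in the reason string, which is what the generated report carries, and trim the comment to the NVD link.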
@@ -28,31 +29,39 @@ CVE_CHECK_IGNORE += "CVE-2000-0006"
 # there is unlikely ever to be a single fix to webkit or epiphany which 
addresses this
 # problem. Ignore this CVE as there isn't any mitigation or fix or way to 
progress this further
 # we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
+CVE_STATUS[CVE-2005-0238] = "Ignored"
+CVE_STATUS_REASONING[CVE-2005-0238] = "There isn't any mitigation or fix or 
way to progress this further."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
 # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
 # Upstream don't see it as a security issue, ftp servers shouldn't be passing
 # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT 
or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
+CVE_STATUS[CVE-2010-4756] = "Ignored"
+CVE_STATUS_REASONING[CVE-2010-4756] = "Upstream have no plans to add BSD's 
GLOB_LIMIT or similar."
 
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
 # The encoding/xml package in go can potentially be used for security exploits 
if not used correctly
 # CVE applies to a netapp product as well as flagging a general issue. We 
don't ship anything
 # exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS[CVE-2020-29509] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-29509] = "We don't ship anything exposing this 
interface in an 
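Review bot: CVE-2020-29509 and CVE-2020-29511 share a single rationale, and this hunk spells it out once per CVE; the CVE_STATUS_GROUPS mechanism introduced in 1/3 of this series (a list variable with [status] and [reason] flags) exists for exactly this case and keeps the two entries from drifting apart. The same applies to every other entry in this file that came from a multi-CVE CVE_CHECK_IGNORE += line.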

[OE-core][PATCH v4 2/3] oeqa/selftest/cve_check: add check for optional "reason" value

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- After introducing the CVE_STATUS_REASONING flag variable, CVEs could
contain a reason for assigned statuses.
- Add an example conversion in logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 20 ++-
 .../logrotate/logrotate_3.21.0.bb |  6 --
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c8..ea37beba031 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,28 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"reason" : issue["reason"] if "reason" in issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0)
+reason = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
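Review bot: `issue["reason"] if "reason" in issue else ""` is `issue.get("reason", "")`. More importantly, the test only drives the CVE_STATUS_GROUPS path through the logrotate recipe; neither a direct CVE_STATUS[CVE-...] flag nor the CVE_CHECK_IGNORE fallback (which 1/3 says emits a deprecation warning and sets "Ignored") is exercised, so a regression in set_cves_statuses' default reason or in the fallback ordering would still pass here.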
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60f..633987ceed6 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,10 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
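Review bot: the reason contains commas ("debian, gentoo or SUSE"), and the 1/3 commit message says the reason is emitted into the csv/json report as a new entry; in any CSV form this field must be quoted or it splits across columns, so double-check the csv writer (the text writer shown in 1/3 is line-based and fine). Also "specific on the way logrotate was installed/used" should read "specific in the way".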
-- 
2.40.1


View/Reply Online (#181538): 
https://lists.openembedded.org/g/openembedded-core/message/181538
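An added example, not part of the patch series or the oeqa selftest, that consumes the JSON report in the shape the selftest above reads (report["package"][i]["issue"][j] with "id", "status" and an optional "reason"). It flags Ignored entries that carry no reason, Unpatched entries, and any status outside the values the class writes. SAMPLE_REPORT is constructed here for illustration with the logrotate IDs from the selftest and the placeholder CVE-1234-* IDs from the 1/3 commit message; the set of known statuses ("Patched", "Unpatched", "Ignored") is an assumption drawn from the text and JSON writers in 1/3, since "Not applicable" is folded into "Ignored" in reports.

```python
"""Audit a cve-check JSON report for ignored CVEs that carry no reason.

Added example, not code from the oe-core patch series. The report layout
(package -> issue -> id/status/reason) follows what the selftest reads.
"""
import json
import sys

# Assumption: the statuses cve-check writes into reports. "Not applicable" is
# reported as "Ignored" (see the vulnerabilities.rst change in 1/3), so it
# should never appear verbatim; if it does, the report did not come from the class.
KNOWN_STATUSES = {"Patched", "Unpatched", "Ignored"}

NVD = "https://nvd.nist.gov/vuln/detail/"

# Constructed sample report (not real cve-check output) with one entry per
# case the audit distinguishes.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [{
        "name": "logrotate",
        "version": "3.21.0",
        "issue": [
            {"id": "CVE-2011-1098", "status": "Patched", "link": NVD + "CVE-2011-1098"},
            {"id": "CVE-2011-1548", "status": "Ignored",
             "reason": "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used",
             "link": NVD + "CVE-2011-1548"},
            # ignored, but nobody recorded why
            {"id": "CVE-2011-1549", "status": "Ignored", "link": NVD + "CVE-2011-1549"},
            # whitespace-only reason counts as missing
            {"id": "CVE-2011-1550", "status": "Ignored", "reason": "   ", "link": NVD + "CVE-2011-1550"},
            {"id": "CVE-1234-0003", "status": "Unpatched", "scorev3": "9.8", "link": NVD + "CVE-1234-0003"},
            # a status the class never writes verbatim
            {"id": "CVE-1234-0004", "status": "Not applicable", "link": NVD + "CVE-1234-0004"},
        ],
    }],
})


def audit_report(text):
    """Return (package, cve, finding) triples; an empty list means the report is clean."""
    findings = []
    for pkg in json.loads(text).get("package", []):
        name = pkg.get("name", "?")
        for issue in pkg.get("issue", []):
            cve = issue.get("id", "?")
            status = issue.get("status")
            reason = (issue.get("reason") or "").strip()  # missing and blank both count as absent
            if status not in KNOWN_STATUSES:
                findings.append((name, cve, "unknown status %r" % status))
            if status == "Ignored" and not reason:
                findings.append((name, cve, "ignored without a recorded reason"))
            if status == "Unpatched":
                findings.append((name, cve, "unpatched"))
    return findings


def main(argv):
    # With a path argument read a real report; otherwise run on the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    findings = audit_report(text)
    for name, cve, what in findings:
        print("%s %s: %s" % (name, cve, what))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against tmp/deploy/cve/<image>.json (or any per-recipe report) to get a non-zero exit when an ignore was added without a recorded reason; that is the property the CVE_STATUS_REASONING flag is meant to make checkable.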



[OE-core][PATCH v4 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.
- The optional CVE_STATUS_REASONING flag variable may contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Not applicable"
CVE_STATUS_WIN[reason] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[reason] = "Fixed externally"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 meta/classes/cve-check.bbclass | 44 ++
 meta/lib/oe/cve_check.py   |  6 +
 2 files changed, 45 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..44462de7445 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,12 +70,15 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason for this status.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
+# CVE_STATUS[CVE-1234-0002] = "Not applicable"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"
 #
+# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE until other layers migrate to new variables
 CVE_CHECK_IGNORE ?= ""
 
 # Layers to be excluded
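Review bot: the comment block lists the three accepted values but not that they are matched exactly: the check_cves() change later in this patch compares the flag against the literal strings "Not applicable", "Ignored" and "Patched", so "ignored" or "Not Applicable" is a bb.error. Say so here. "Keep CVE_CHECK_IGNORE until other layers migrate" names no release in which the fallback goes away; give one, or the fallback lives forever. Also "Each of CVE has to be mentioned separately" should read "Each CVE has to be listed separately".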
@@ -88,6 +91,25 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
+set_cves_statuses(d, d.getVar("CVE_CHECK_IGNORE"), "Ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional reasons 
at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+set_cves_statuses(d, d.getVar(cve_status_group) or "",
+  d.getVarFlag(cve_status_group, "status"),
+  d.getVarFlag(cve_status_group, "reason"))
+}
+
+def set_cves_statuses(d, cves, status, reason=""):
+for cve in cves.split():
+d.setVarFlag("CVE_STATUS", cve, status)
+d.setVarFlag("CVE_STATUS_REASONING", cve, reason)
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
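Review bot: the fallback overwrites unconditionally. set_cves_statuses(d, CVE_CHECK_IGNORE, "Ignored") runs in anonymous python, i.e. after the recipe's own CVE_STATUS[...] flags have been parsed, so a CVE a recipe marked "Patched" with a reason is silently downgraded to "Ignored" with an empty reason whenever the same ID is still in a distro-wide CVE_CHECK_IGNORE. Skip CVEs that already carry a CVE_STATUS flag, or warn on the conflict. In the CVE_STATUS_GROUPS loop a group without a [status] flag passes None through as the status; check for that and bb.error with the group name, otherwise the user only sees "Unsupported status None in CVE_STATUS[...]" far from the cause.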
@@ -282,7 +304,13 @@ def check_cves(d, patched_cves):
 bb.note("Recipe has been skipped by cve-check")
 return ([], [], [], [])
 
-cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+# Convert CVE_STATUS into ignored CVEs and check validity
+cve_ignore = []
+for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+if status in ["Not applicable", "Ignored"]:
+cve_ignore.append(cve)
+elif status not in ["Patched"]:
+bb.error("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
 
 import sqlite3
 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
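Review bot: d.getVarFlags("CVE_STATUS") returns flag values unexpanded unless expand=True is passed, so a recipe that tries to answer the configuration-dependent case raised in the v3 review with something like CVE_STATUS[CVE-...] = "${@bb.utils.contains('PACKAGECONFIG', 'foo', 'Not applicable', 'Patched', d)}" ends up with the literal string and a bb.error. Pass expand=True. Separately, bb.error does not stop the build: a mistyped status lands in neither cve_ignore nor the patched set, and the CVE is then reported from the NVD match as if no status had been set. bb.fatal is the safer choice for a typo in security metadata.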
@@ -455,6 +483,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, 
cve_data):
 else:
 unpatched_cves.append(cve)
 write_string += "CVE STATUS: Unpatched\n"
+reasoning = d.getVarFlag("CVE_STATUS_REASONING", cve)
+if reasoning:
+write_string += "CVE REASON: %s\n" % reasoning
 write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
 write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
 write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
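Review bot: indentation is flattened in this archive, but the three added lines sit between the Unpatched branch and the unconditional CVE SUMMARY line; if they are indented inside the else: branch, a CVE REASON line is printed only for Unpatched CVEs and never for Ignored or Patched ones, which is where a reason is meaningful. Make sure they sit at the same level as the CVE SUMMARY line so every entry gets its reason.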
@@ -576,6 +607,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, 
cve_data, cve_status):
 "status" : status,
 "link": issue_link
 
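The fallback and group handling in the hunks above, modelled in plain Python as an added example (this is not cve-check.bbclass code and does not run under BitBake). FakeDataStore is a hypothetical stand-in for BitBake's datastore `d`, offering only the setVar/getVar/setVarFlag/getVarFlag/getVarFlags calls the patch uses, and the CVE IDs are the placeholder ones from the commit message. It walks the same order the class uses (recipe flags are parsed first, then the anonymous python block applies CVE_CHECK_IGNORE and CVE_STATUS_GROUPS, then check_cves() classifies) to show two edge cases the text only implies: a legacy CVE_CHECK_IGNORE entry overwrites an explicit "Patched" status together with its reason, and a mis-cased status such as "not applicable" is rejected rather than matched.

```python
"""Model of how CVE_STATUS / CVE_STATUS_GROUPS / CVE_CHECK_IGNORE resolve.

Added example: plain Python, not cve-check.bbclass, and FakeDataStore is a
hypothetical stand-in for BitBake's datastore `d`.
"""

ACCEPTED = ("Patched", "Ignored", "Not applicable")


class FakeDataStore:
    """Only the datastore calls the patch uses: values plus per-variable flags."""

    def __init__(self):
        self._vars = {}
        self._flags = {}

    def setVar(self, name, value):
        self._vars[name] = value

    def getVar(self, name):
        return self._vars.get(name)

    def setVarFlag(self, name, flag, value):
        self._flags.setdefault(name, {})[flag] = value

    def getVarFlag(self, name, flag):
        return self._flags.get(name, {}).get(flag)

    def getVarFlags(self, name):
        return dict(self._flags.get(name, {}))


def set_cves_statuses(d, cves, status, reason=""):
    """Same shape as the helper in the patch: one flag per CVE on two variables."""
    for cve in cves.split():
        d.setVarFlag("CVE_STATUS", cve, status)
        d.setVarFlag("CVE_STATUS_REASONING", cve, reason)


def apply_fallbacks(d, warnings):
    """What the anonymous python block does after the recipe is parsed:
    legacy CVE_CHECK_IGNORE first, then every CVE_STATUS_GROUPS entry."""
    legacy = d.getVar("CVE_CHECK_IGNORE")
    if legacy:
        warnings.append("CVE_CHECK_IGNORE has been deprecated, use CVE_STATUS instead")
        set_cves_statuses(d, legacy, "Ignored")
    for group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
        set_cves_statuses(d, d.getVar(group) or "",
                          d.getVarFlag(group, "status"),
                          d.getVarFlag(group, "reason"))


def classify(d):
    """What check_cves() does with the flags: exact, case-sensitive matching.
    Returns (ignored, patched, errors) with CVE IDs sorted for stable output."""
    ignored, patched, errors = [], [], []
    for cve, status in sorted(d.getVarFlags("CVE_STATUS").items()):
        if status in ("Not applicable", "Ignored"):
            ignored.append(cve)
        elif status == "Patched":
            patched.append(cve)
        else:
            errors.append("Unsupported status %s in CVE_STATUS[%s]" % (status, cve))
    return ignored, patched, errors


def demo():
    """Constructed recipe metadata using the placeholder IDs from the commit message."""
    d = FakeDataStore()
    # Explicit per-CVE flags, as a recipe would write them.
    d.setVarFlag("CVE_STATUS", "CVE-1234-0001", "Patched")
    d.setVarFlag("CVE_STATUS_REASONING", "CVE-1234-0001", "Fixed externally")
    # One well-formed group, and one whose status is mis-cased.
    d.setVar("CVE_STATUS_GROUPS", "CVE_STATUS_WIN CVE_STATUS_TYPO")
    d.setVar("CVE_STATUS_WIN", "CVE-1234-0002 CVE-1234-0003")
    d.setVarFlag("CVE_STATUS_WIN", "status", "Not applicable")
    d.setVarFlag("CVE_STATUS_WIN", "reason", "Issue only applies on Windows")
    d.setVar("CVE_STATUS_TYPO", "CVE-1234-0004")
    d.setVarFlag("CVE_STATUS_TYPO", "status", "not applicable")
    # Legacy distro-wide list that still names CVE-1234-0001.
    d.setVar("CVE_CHECK_IGNORE", "CVE-1234-0001 CVE-1234-0005")

    warnings = []
    apply_fallbacks(d, warnings)
    ignored, patched, errors = classify(d)
    return {
        "ignored": ignored,
        "patched": patched,      # empty: the legacy list downgraded CVE-1234-0001
        "errors": errors,        # the mis-cased group status is rejected
        "warnings": warnings,
        "reason_0001": d.getVarFlag("CVE_STATUS_REASONING", "CVE-1234-0001"),  # now ""
        "reason_0002": d.getVarFlag("CVE_STATUS_REASONING", "CVE-1234-0002"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-12s %r" % (key, value))
```

The two surprises in the output are the review points on the patch: "patched" comes back empty because the legacy list wins over the recipe's explicit "Patched", and CVE-1234-0004 produces an error rather than being treated as "Not applicable".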

[OE-core][PATCH v3 3/3] cve_check: convert CVE_CHECK_IGNORE to CVE_STATUS and CVE_STATUS_REASONING

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- Try to convert and apply statuses for old CVEs

Signed-off-by: Andrej Valek 
Reviewed-by: Peter Marko 
---
 .../distro/include/cve-extra-exclusions.inc   | 281 +++---
 meta/recipes-bsp/grub/grub2.inc   |   9 +-
 meta/recipes-connectivity/avahi/avahi_0.8.bb  |   4 +-
 .../recipes-connectivity/bind/bind_9.18.13.bb |   3 +-
 .../bluez5/bluez5_5.66.bb |   6 +-
 .../openssh/openssh_9.3p1.bb  |  12 +-
 .../openssl/openssl_3.1.0.bb  |   3 +-
 meta/recipes-core/coreutils/coreutils_9.1.bb  |   3 +-
 meta/recipes-core/glibc/glibc_2.37.bb |  12 +-
 meta/recipes-core/libxml/libxml2_2.10.4.bb|   3 +-
 meta/recipes-core/systemd/systemd_253.3.bb|   4 +-
 meta/recipes-devtools/cmake/cmake.inc |   5 +-
 meta/recipes-devtools/flex/flex_2.6.4.bb  |   3 +-
 meta/recipes-devtools/gcc/gcc-12.2.inc|   3 -
 meta/recipes-devtools/git/git_2.39.2.bb   |  12 +-
 meta/recipes-devtools/jquery/jquery_3.6.3.bb  |   6 +-
 .../recipes-devtools/python/python3_3.11.2.bb |  18 +-
 meta/recipes-devtools/qemu/qemu.inc   |  13 +-
 meta/recipes-devtools/rsync/rsync_3.2.7.bb|   3 -
 meta/recipes-devtools/tcltk/tcl_8.6.13.bb |   4 +-
 meta/recipes-extended/cpio/cpio_2.13.bb   |   4 +-
 meta/recipes-extended/cups/cups.inc   |  24 +-
 .../ghostscript/ghostscript_10.0.0.bb |   3 +-
 .../iputils/iputils_20221126.bb   |   7 +-
 .../libtirpc/libtirpc_1.3.3.bb|   4 +-
 meta/recipes-extended/procps/procps_4.0.3.bb  |   4 +-
 meta/recipes-extended/shadow/shadow_4.13.bb   |   8 +-
 meta/recipes-extended/unzip/unzip_6.0.bb  |   3 +-
 .../xinetd/xinetd_2.3.15.4.bb |   3 +-
 meta/recipes-extended/zip/zip_3.0.bb  |   8 +-
 .../libnotify/libnotify_0.8.2.bb  |   4 +-
 meta/recipes-gnome/librsvg/librsvg_2.54.5.bb  |   4 +-
 meta/recipes-graphics/builder/builder_0.1.bb  |   3 +-
 .../xorg-xserver/xserver-xorg.inc |  13 +-
 .../linux/cve-exclusion_6.1.inc   |  14 +-
 .../libpng/libpng_1.6.39.bb   |   4 +-
 meta/recipes-multimedia/libtiff/tiff_4.5.0.bb |  10 +-
 .../libgcrypt/libgcrypt_1.10.1.bb |   6 +-
 .../recipes-support/libxslt/libxslt_1.1.37.bb |   5 +-
 meta/recipes-support/lz4/lz4_1.9.4.bb |   4 +-
 meta/recipes-support/sqlite/sqlite3_3.41.2.bb |  13 +-
 41 files changed, 325 insertions(+), 230 deletions(-)

diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc 
b/meta/conf/distro/include/cve-extra-exclusions.inc
index 0ca75bae3ef..1cb32db814d 100644
--- a/meta/conf/distro/include/cve-extra-exclusions.inc
+++ b/meta/conf/distro/include/cve-extra-exclusions.inc
@@ -19,7 +19,8 @@
 # strace https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0006
 # CVE is more than 20 years old with no resolution evident
 # broken links in CVE database references make resolution impractical
-CVE_CHECK_IGNORE += "CVE-2000-0006"
+CVE_STATUS[CVE-2000-0006] = "Ignored"
+CVE_STATUS_REASONING[CVE-2000-0006] = "CVE is more than 20 years old with no 
resolution evident."
 
 # epiphany https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0238
 # The issue here is spoofing of domain names using characters from other 
character sets.
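Review bot: reason strings in this hunk end with a full stop ("... no resolution evident.") while the logrotate reason in 2/3 and the "Fixed externally" examples in 1/3 do not; these values land verbatim in the reports that the reviewer's parsing scripts consume, so pick one convention for the whole file before it is converted.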
@@ -28,31 +29,39 @@ CVE_CHECK_IGNORE += "CVE-2000-0006"
 # there is unlikely ever to be a single fix to webkit or epiphany which 
addresses this
 # problem. Ignore this CVE as there isn't any mitigation or fix or way to 
progress this further
 # we can seem to take.
-CVE_CHECK_IGNORE += "CVE-2005-0238"
+CVE_STATUS[CVE-2005-0238] = "Ignored"
+CVE_STATUS_REASONING[CVE-2005-0238] = "There isn't any mitigation or fix or 
way to progress this further."
 
 # glibc https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4756
 # Issue is memory exhaustion via glob() calls, e.g. from within an ftp server
 # Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681
 # Upstream don't see it as a security issue, ftp servers shouldn't be passing
 # this to libc glob. Exclude as upstream have no plans to add BSD's GLOB_LIMIT 
or similar
-CVE_CHECK_IGNORE += "CVE-2010-4756"
+CVE_STATUS[CVE-2010-4756] = "Ignored"
+CVE_STATUS_REASONING[CVE-2010-4756] = "Upstream have no plans to add BSD's 
GLOB_LIMIT or similar."
 
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29509
 # go https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29511
 # The encoding/xml package in go can potentially be used for security exploits 
if not used correctly
 # CVE applies to a netapp product as well as flagging a general issue. We 
don't ship anything
 # exposing this interface in an exploitable way
-CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+CVE_STATUS[CVE-2020-29509] = "Ignored"
+CVE_STATUS_REASONING[CVE-2020-29509] = "We don't ship anything exposing this 
interface in an exploitable way."
+CVE_STATUS[CVE-2020-29511] = "Ignored"
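Review bot: every entry in this hunk is mapped 1:1 to "Ignored", including cases whose own comment says the code is not reachable (the go pair: "We don't ship anything exposing this interface in an exploitable way"), which is the "Not applicable" status that 1/3 introduces and the v3 review describes as "when the code is not used". CVE-2010-4756 (upstream will not fix) is a genuine "Ignored". Both collapse to "Ignored" in today's report, so choosing the precise status costs nothing now and saves revisiting every line once the report starts carrying the distinction.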

[OE-core][PATCH v3 2/3] oeqa/selftest/cve_check: add check for optional "reason" value

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- After introducing the CVE_STATUS_REASONING flag variable, CVEs could
contain a reason for assigned statuses.
- Add an example conversion in logrotate recipe.

Signed-off-by: Andrej Valek 
---
 meta/lib/oeqa/selftest/cases/cve_check.py | 20 ++-
 .../logrotate/logrotate_3.21.0.bb |  6 --
 2 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py 
b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c8..ea37beba031 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,28 @@ CVE_CHECK_REPORT_PATCHED = "1"
 self.assertEqual(len(report["package"]), 1)
 package = report["package"][0]
 self.assertEqual(package["name"], "logrotate")
-found_cves = { issue["id"]: issue["status"] for issue in 
package["issue"]}
+found_cves = {}
+for issue in package["issue"]:
+found_cves[issue["id"]] = {
+"status" : issue["status"],
+"reason" : issue["reason"] if "reason" in issue else ""
+}
 # m4 CVE should not be in logrotate
 self.assertNotIn("CVE-2008-1687", found_cves)
 # logrotate has both Patched and Ignored CVEs
 self.assertIn("CVE-2011-1098", found_cves)
-self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0)
+reason = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 self.assertIn("CVE-2011-1548", found_cves)
-self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason)
 self.assertIn("CVE-2011-1549", found_cves)
-self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason)
 self.assertIn("CVE-2011-1550", found_cves)
-self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason)
 
 self.assertExists(summary_json)
 check_m4_json(summary_json)
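Review bot: the expected reason is a literal that must match the logrotate recipe in the second hunk byte for byte, so any rewording of the recipe breaks the selftest; if the point is to prove the reason is propagated, asserting that it is non-empty and identical across the three IDs is enough. Also `len(found_cves[...]["reason"]) == 0` reads clearer as `assertEqual(..., "")`.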
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb 
b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60f..633987ceed6 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,10 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = 
"8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was 
installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way 
logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
 
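Review bot: CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE" is a plain assignment, so it silently replaces whatever a distro layer or bbappend put in CVE_STATUS_GROUPS for this recipe (and a later bbappend replaces this). Use += and a less generic group name than CVE_STATUS_RECIPE so two layers cannot collide on it.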
-- 
2.40.1


View/Reply Online (#181532): 
https://lists.openembedded.org/g/openembedded-core/message/181532



[OE-core][PATCH v3 1/3] cve-check: add option to add additional patched CVEs

2023-05-19 Thread Andrej Valek via lists.openembedded.org
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored", "Not applicable" or "Patched". It allows adding
a status for each CVE.
- The optional CVE_STATUS_REASONING flag variable may contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- Setting the same status and reason for multiple CVEs is possible
via the CVE_STATUS_GROUPS variable.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "Ignored" # or "Not applicable" or "Patched"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on Windows"

CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED"
CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002"
CVE_STATUS_WIN[status] = "Not applicable"
CVE_STATUS_WIN[reason] = "Issue only applies on Windows"

CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004"
CVE_STATUS_PATCHED[status] = "Patched"
CVE_STATUS_PATCHED[reason] = "Fixed externally"

Signed-off-by: Andrej Valek 
Signed-off-by: Peter Marko 
---
 documentation/dev-manual/new-recipe.rst  |  4 +-
 documentation/dev-manual/vulnerabilities.rst | 11 ++---
 documentation/ref-manual/classes.rst |  9 ++--
 documentation/ref-manual/variables.rst   | 33 ---
 meta/classes/cve-check.bbclass   | 44 +---
 meta/lib/oe/cve_check.py |  6 +++
 6 files changed, 87 insertions(+), 20 deletions(-)

diff --git a/documentation/dev-manual/new-recipe.rst 
b/documentation/dev-manual/new-recipe.rst
index 4e74246a4e9..008f4b1ceb7 100644
--- a/documentation/dev-manual/new-recipe.rst
+++ b/documentation/dev-manual/new-recipe.rst
@@ -1253,8 +1253,8 @@ In the following example, ``lz4`` is a makefile-based 
package::
 
S = "${WORKDIR}/git"
 
-   # Fixed in r118, which is larger than the current version.
-   CVE_CHECK_IGNORE += "CVE-2014-4715"
+   CVE_STATUS[CVE-2014-4715] = "Patched"
+   CVE_STATUS_REASONING[CVE-2014-4715] = "Fixed in r118, which is larger than 
the current version"
 
EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} 
LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no"
 
diff --git a/documentation/dev-manual/vulnerabilities.rst 
b/documentation/dev-manual/vulnerabilities.rst
index 0ee3ec52c5c..ca1ea87ba7e 100644
--- a/documentation/dev-manual/vulnerabilities.rst
+++ b/documentation/dev-manual/vulnerabilities.rst
@@ -158,7 +158,8 @@ CVE checker will then capture this information and change 
the CVE status to ``Pa
 in the generated reports.
 
 If analysis shows that the CVE issue does not impact the recipe due to 
configuration, platform,
-version or other reasons, the CVE can be marked as ``Ignored`` using the 
:term:`CVE_CHECK_IGNORE` variable.
+version or other reasons, the CVE can be marked as ``Ignored`` or ``Not 
applicable`` using
+the :term:`CVE_STATUS[]` variable flag.
 As mentioned previously, if data in the CVE database is wrong, it is recommend 
to fix those
 issues in the CVE database directly.
 
@@ -182,11 +183,11 @@ products defined in :term:`CVE_PRODUCT`. Then, for each 
found CVE:
 -  If the package name (:term:`PN`) is part of
:term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
 
--  If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is
-   set as ``Ignored``.
+-  If the CVE ID has status :term:`CVE_STATUS[] = "Ignored"`, it is
+   set as ``Ignored`` as same as for :term:`CVE_STATUS[] = "Not 
applicable"`.
 
--  If the CVE ID is part of the patched CVE for the recipe, it is
-   already considered as ``Patched``.
+-  If the CVE ID is part of the patched CVE for the recipe or has status
+   :term:`CVE_STATUS[] = "Patched"`, it is considered as ``Patched``.
 
 -  Otherwise, the code checks whether the recipe version (:term:`PV`)
is within the range of versions impacted by the CVE. If so, the CVE
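Review bot: same :term: misuse as in the previous hunk (:term:`CVE_STATUS[] = "Ignored"` is not a glossary term). The text also states that both "Ignored" and "Not applicable" are "set as Ignored", which matches the class change in this patch (both go into cve_ignore) but means the report cannot tell a CVE the project chose not to fix from one whose code is not reachable; if the two statuses are meant to stay distinct, the report should carry the original value. Grammar: "as same as for" should be "the same as for".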
diff --git a/documentation/ref-manual/classes.rst 
b/documentation/ref-manual/classes.rst
index ab1628401e9..2811244b8f7 100644
--- a/documentation/ref-manual/classes.rst
+++ b/documentation/ref-manual/classes.rst
@@ -517,10 +517,13 @@ The ``Patched`` state of a CVE issue is detected from 
patch files with the forma
 ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and 
using
 CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file.
 
-If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then 
the CVE state is reported
-as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example::
+If the recipe adds the ``CVE-ID`` as flag of :term:`CVE_STATUS` variable with 
status
+``Ignored`` or ``Not applicable``, then the CVE state is reported as 
``Ignored``.
 
-   CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511"
+   CVE_STATUS[CVE-2020-15523] = "Ignored"
+
+Possible 

[OE-core][PATCH v2] cve-check: add option to add additional patched CVEs

2023-05-16 Thread Andrej Valek via lists.openembedded.org
- Replace CVE_CHECK_IGNORE with CVE_STATUS + [CVE_STATUS_REASONING] to be
more flexible. CVE_STATUS should contain a flag for each CVE with accepted
values "Ignored" or "Not applicable". It allows adding a status for CVEs
which could be fixed externally.
- The optional CVE_STATUS_REASONING flag variable could contain a reason
why the CVE status was used. It will be added to the csv/json report as
a new "reason" entry.
- All CVEs listed in CVE_CHECK_IGNORE are copied to CVE_STATUS with
value "Ignored" as a fallback.

Example of usage:
CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
CVE_STATUS[CVE-1234-0002] = "Not applicable"
CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"

Signed-off-by: Andrej Valek 
---
 meta/classes/cve-check.bbclass | 30 +-
 meta/lib/oe/cve_check.py   |  6 ++
 2 files changed, 31 insertions(+), 5 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..e081095037c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -70,13 +70,17 @@ CVE_CHECK_COVERAGE ??= "1"
 # Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Ingore the check for a given list of CVEs. If a CVE is found,
-# then it is considered patched. The value is a string containing
-# space separated CVE values:
+# Ignore the check for a given CVE. Each of CVE has to be mentioned
+# separately with optional reason, why it has to ignored.
 #
-# CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
+# CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"
+# CVE_STATUS[CVE-1234-0002] = "Ignored"
+# CVE_STATUS_REASONING[CVE-1234-0002] = "Issue only applies on windows"
 #
+# CVE_CHECK_IGNORE is depracated and CVE_STATUS has to be used instead.
+# Keep CVE_CHECK_IGNORE like a fallback.
 CVE_CHECK_IGNORE ?= ""
+CVE_STATUS ?= ""
 
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
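Review bot: the new comment block ships in the class and has several slips: "Each of CVE has to be mentioned separately with optional reason, why it has to ignored" should read "Each CVE has to be mentioned separately, with an optional reason why it is ignored", "depracated" should be "deprecated", and "Keep CVE_CHECK_IGNORE like a fallback" should be "as a fallback". The example line `CVE_STATUS[CVE-1234-0001] = "Not applicable" or "Ignored"` is not valid flag syntax; show the two accepted values on two lines or state in prose that either value is accepted. `CVE_STATUS ?= ""` is harmless but misleading, since only the variable's flags are ever read; a one-line comment saying the value itself is unused would help.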
@@ -88,6 +92,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+python () {
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+for cve in d.getVar("CVE_CHECK_IGNORE").split():
+d.setVarFlags("CVE_STATUS", {cve: "Ignored"})
+}
+
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
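Review bot: the anonymous python function converts CVE_CHECK_IGNORE silently, so a recipe author never learns the variable is deprecated; a `bb.warn` (or at least `bb.note`) naming the recipe when the legacy list is non-empty would drive migration. `d.getVar("CVE_CHECK_IGNORE").split()` raises AttributeError if a layer sets the variable to None or unsets it; `(d.getVar("CVE_CHECK_IGNORE") or "").split()` is safer. Because one flag is set per iteration, `d.setVarFlag("CVE_STATUS", cve, "Ignored")` states the intent more directly than `setVarFlags` with a one-entry dict, and it also makes visible that an explicit CVE_STATUS flag for the same CVE is overwritten here by the legacy list; consider skipping CVEs that already have a flag so the explicit status wins.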
@@ -282,7 +292,11 @@ def check_cves(d, patched_cves):
 bb.note("Recipe has been skipped by cve-check")
 return ([], [], [], [])
 
-cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
+# Convert CVE_STATUS into ignored CVEs
+cve_ignore = []
+for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+if status in ["Not applicable", "Ignored"]:
+cve_ignore.append(cve)
 
 import sqlite3
 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
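Review bot: the match `if status in ["Not applicable", "Ignored"]` is exact and case-sensitive, so a typo such as `"ignored"` or `"Not Applicable"` is dropped without a word and the CVE shows up as Unpatched with no hint why. Add an `else` branch that warns on any value other than the accepted ones ("Patched" included, since it is consumed in cve_check.py rather than here), so mistakes in CVE_STATUS surface at build time instead of in the SBOM.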
@@ -455,6 +469,9 @@ def cve_write_data_text(d, patched, unpatched, ignored, 
cve_data):
 else:
 unpatched_cves.append(cve)
 write_string += "CVE STATUS: Unpatched\n"
+has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
+if has_reason:
+write_string += "CVE REASON: %s\n" % has_reason
 write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
 write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
 write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
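Review bot: `has_reason` holds the reason string itself, not a boolean, so the name misleads; `reason = d.getVarFlag("CVE_STATUS_REASONING", cve)` followed by `if reason:` reads correctly. Because the lookup sits after the if/elif/else chain, a "CVE REASON:" line is emitted for any status, Unpatched included, whenever a reasoning flag exists; that may be intended, but the variable documentation should say the reason is reported for every status rather than only for ignored CVEs.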
@@ -576,6 +593,9 @@ def cve_write_data_json(d, patched, unpatched, ignored, 
cve_data, cve_status):
 "status" : status,
 "link": issue_link
 }
+has_reason = d.getVarFlag("CVE_STATUS_REASONING", cve)
+if has_reason:
+cve_item["reason"] = has_reason
 cve_list.append(cve_item)
 
 package_data["issue"] = cve_list
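Review bot: the new "reason" key is only present when the flag is set, so report consumers must treat it as optional; document the key next to "status" and "link" in the JSON report description. The same renaming applies here as in the text writer: `reason` rather than `has_reason`, since the variable carries the text, not a flag.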
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index dbaa0b373a3..f47dd9920ef 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -130,6 +130,12 @@ def get_patched_cves(d):
 if not fname_match and not text_match:
 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
+# Search for additional patched CVEs
+for cve, status in (d.getVarFlags("CVE_STATUS") or {}).items():
+if status == "Patched":
+bb.debug(2, "CVE %s is additionally patched" % cve)
+patched_cves.add(cve)
+
 return patched_cves
 
 
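Review bot: a `CVE_STATUS[...] = "Patched"` entry moves a CVE into the patched set on the recipe author's word alone, with no patch file as evidence and no reason required (the commit message makes CVE_STATUS_REASONING optional). For a status that asserts a fix exists, require the reasoning flag and warn when it is missing, so the SBOM records why the CVE is considered fixed; `bb.debug(2, ...)` is also too quiet for an entry that suppresses a finding, `bb.note` fits better.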
-- 
2.40.1
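The status model described in this patch message, as an added example written for this page and not OE-core's cve-check implementation: it resolves constructed CVE_STATUS and CVE_STATUS_REASONING flag dictionaries (standing in for what BitBake's `d.getVarFlags()` returns) plus the CVE_CHECK_IGNORE fallback, and adds the validation the patch leaves out: unknown status values are reported rather than dropped, a "Patched" claim without a recorded reason is flagged, and the report item carries the optional "reason" key. The `CVE-1234-*` identifiers and reasons are placeholders.

```python
import re

# Added example for this page, not OE-core code. The flag dictionaries model
# d.getVarFlags("CVE_STATUS") and d.getVarFlags("CVE_STATUS_REASONING");
# legacy_ignore models the space-separated CVE_CHECK_IGNORE value.

CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
IGNORE_STATUSES = {"Ignored", "Not applicable"}
KNOWN_STATUSES = IGNORE_STATUSES | {"Patched"}


def merge_legacy_ignore(cve_status, legacy_ignore):
    """Fold the CVE_CHECK_IGNORE fallback into the flag dict.

    An explicit CVE_STATUS flag wins over the legacy list, so a recipe that
    has already migrated is never pushed back to "Ignored".
    """
    merged = dict(cve_status or {})
    for cve in (legacy_ignore or "").split():
        merged.setdefault(cve, "Ignored")
    return merged


def resolve_cve_status(cve_status, cve_reasoning=None, legacy_ignore=""):
    """Return (ignored, patched, problems).

    ignored and patched are sets of CVE IDs; problems is a list of findings
    a build should surface as warnings instead of silently discarding.
    """
    reasoning = cve_reasoning or {}
    ignored, patched, problems = set(), set(), []
    for cve, status in merge_legacy_ignore(cve_status, legacy_ignore).items():
        if not CVE_ID_RE.match(cve):
            problems.append("%s: flag name is not a CVE identifier" % cve)
            continue
        if status not in KNOWN_STATUSES:
            # Exact, case-sensitive match as in the patch; report the miss.
            problems.append("%s: unknown CVE_STATUS value %r" % (cve, status))
            continue
        if status in IGNORE_STATUSES:
            ignored.add(cve)
        else:
            # "Patched" suppresses a finding without a patch file as evidence,
            # so insist on a recorded reason.
            if not reasoning.get(cve):
                problems.append("%s: marked Patched without CVE_STATUS_REASONING" % cve)
            patched.add(cve)
    return ignored, patched, problems


def report_entry(cve, ignored, patched, cve_reasoning=None):
    """Build one JSON-report item, checking ignored before patched as the
    patch documents, with "reason" present only when a flag exists."""
    if cve in ignored:
        status = "Ignored"
    elif cve in patched:
        status = "Patched"
    else:
        status = "Unpatched"
    item = {"id": cve, "status": status}
    reason = (cve_reasoning or {}).get(cve)
    if reason:
        item["reason"] = reason
    return item


# Constructed sample flags; the CVE-1234-* identifiers are placeholders.
SAMPLE_CVE_STATUS = {
    "CVE-1234-0001": "Not applicable",
    "CVE-1234-0002": "Ignored",
    "CVE-1234-0003": "Patched",
    "CVE-1234-0004": "ignored",   # lower-case typo: must not pass silently
    "CVE-1234-0006": "Patched",   # no reason recorded
}
SAMPLE_REASONING = {
    "CVE-1234-0002": "Issue only applies on windows",
    "CVE-1234-0003": "Fix carried in a local patch without a CVE tag",
}
SAMPLE_LEGACY_IGNORE = "CVE-1234-0005 CVE-1234-0002"  # CVE_CHECK_IGNORE fallback


if __name__ == "__main__":
    ign, pat, probs = resolve_cve_status(SAMPLE_CVE_STATUS, SAMPLE_REASONING,
                                         SAMPLE_LEGACY_IGNORE)
    for cve in sorted(ign | pat | {"CVE-1234-0004"}):
        print(report_entry(cve, ign, pat, SAMPLE_REASONING))
    for problem in probs:
        print("WARNING:", problem)
```

Running it lists CVE-1234-0005 as Ignored through the fallback, keeps CVE-1234-0002's explicit flag and reason, and prints two warnings: the mis-cased `"ignored"` on CVE-1234-0004 and the reason-less "Patched" on CVE-1234-0006, which the patch as posted would accept without comment.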





Re: [OE-core][PATCH] cve-check: add option to add additional patched CVEs

2023-05-05 Thread Andrej Valek via lists.openembedded.org
On Fri, 2023-05-05 at 12:30 +0100, Richard Purdie wrote:
> On Fri, 2023-05-05 at 13:18 +0200, Andrej Valek via
> lists.openembedded.org wrote:
> > CVE_CHECK_PATCHED - should contain additional CVEs which have
> > been
> > fixed and shouldn't be marked as vulnerable nor ignored.
> > 
> > Signed-off-by: Andrej Valek 
> > ---
> >  meta/classes/cve-check.bbclass | 8 
> >  1 file changed, 8 insertions(+)
> > 
> > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> > check.bbclass
> > index bd9e7e7445c..957ea0130dc 100644
> > --- a/meta/classes/cve-check.bbclass
> > +++ b/meta/classes/cve-check.bbclass
> > @@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
> >  #
> >  CVE_CHECK_IGNORE ?= ""
> >  
> > +# Usually a CVE gets treated as patched when a patch with the name
> > of the CVE
> > +# gets applied. Basically this variable should not be used. But if
> > there are
> > +# other reasons to mark a CVE as patched it can be added to this
> > list.
> > +CVE_CHECK_PATCHED ?= ""
> 
> We're not adding variables which are documented as "Basically this
> variable should not be used.". If you shouldn't need/use it, we don't
> need it.
Ok, maybe I should change the description a little bit. Do you have
some other preference?
> 
> Can't you just use the ignore variable for the same end result?
Nope. If I use an ignore list, the output in the SBOM will be set to
"ignored", which is wrong, because it has been fixed. And that's the
reason.
> 
> Cheers,
> 
> Richard
> 
Regards,
Andrej




[OE-core][PATCH] cve-check: add option to add additional patched CVEs

2023-05-05 Thread Andrej Valek via lists.openembedded.org
CVE_CHECK_PATCHED - should contain additional CVEs which have been
fixed and shouldn't be marked as vulnerable nor ignored.

Signed-off-by: Andrej Valek 
---
 meta/classes/cve-check.bbclass | 8 
 1 file changed, 8 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index bd9e7e7445c..957ea0130dc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -78,6 +78,11 @@ CVE_CHECK_SKIP_RECIPE ?= ""
 #
 CVE_CHECK_IGNORE ?= ""
 
+# Usually a CVE gets treated as patched when a patch with the name of the CVE
+# gets applied. Basically this variable should not be used. But if there are
+# other reasons to mark a CVE as patched it can be added to this list.
+CVE_CHECK_PATCHED ?= ""
+
 # Layers to be excluded
 CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 
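Review bot: the comment "Basically this variable should not be used" documents the variable by discouraging it rather than saying when it applies; describe the concrete case the commit message gives (a CVE fixed by other means than a CVE-named patch, which must not be reported as vulnerable or ignored) and state what evidence an entry is expected to rest on, since the plain list records none. The variable also needs an entry in the reference manual alongside CVE_CHECK_IGNORE.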
@@ -284,6 +289,9 @@ def check_cves(d, patched_cves):
 
 cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
 
+# add additional patched CVEs into existing patched list
+patched_cves.update(d.getVar("CVE_CHECK_PATCHED").split())
+
 import sqlite3
 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
 conn = sqlite3.connect(db_file, uri=True)
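Review bot: `d.getVar("CVE_CHECK_PATCHED").split()` raises AttributeError if the variable is ever set to None; `(d.getVar("CVE_CHECK_PATCHED") or "").split()` is safer. Nothing validates that the entries look like CVE identifiers, and nothing warns when an ID also appears in `cve_ignore` two lines above, so a CVE listed in both gets whichever classification the report code checks first; a warning on the overlap would catch copy-paste mistakes.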
-- 
2.40.1

