Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

2024-03-18 Thread Ross Burton
On 15 Mar 2024, at 19:52, Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at 
Cisco)  wrote:
>> What’s the use-case for this?  Note that you can control whether cve-check
>> runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the
> build. However, not all of them might be getting used in the target device.
> The packages associated with the native, nativesdk and cross classes are
> examples of such. This patch would provide a way to exclude these packages
> from the CVE report. So, if the variable is set like
> CVE_CHECK_CLASS_EXCLUDELIST = "native", the report would not have the
> entries for these packages: gnupg-native, nasm-native, binutils-native
> (and so on).

For this specific use-case I’d suggest filtering the JSON to remove all -native 
entries.  Also as Mikko said, a CVE in gcc-cross would absolutely need to be 
considered, so I’d not recommend ignoring all native recipes.

Ross
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#197310): 
https://lists.openembedded.org/g/openembedded-core/message/197310
Mute This Topic: https://lists.openembedded.org/mt/104706824/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

2024-03-18 Thread Mikko Rapeli
Hi,

On Fri, Mar 15, 2024 at 07:52:00PM +, Dhairya Nagodra via 
lists.openembedded.org wrote:
> 
> 
> >-Original Message-
> >From: Ross Burton 
> >Sent: Friday, March 15, 2024 9:39 PM
> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
> >
> >Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
> >list) 
> >Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
> >classes
> >
> >On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> > wrote:
> >>
> >> From: Dhairya Nagodra 
> >>
> >> - There are times when excluding a package that inherits a particular
> >> class/classes may be desired.
> >> - This provides the framework for that via the variable:
> >>  CVE_CHECK_CLASS_EXCLUDELIST
> >
> >What’s the use-case for this?  Note that you can control whether cve-check
> >runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the
> build. However, not all of them might be getting used in the target device.
> The packages associated with the native, nativesdk and cross classes are
> examples of such. This patch would provide a way to exclude these packages
> from the CVE report. So, if the variable is set like
> CVE_CHECK_CLASS_EXCLUDELIST = "native", the report would not have the
> entries for these packages: gnupg-native, nasm-native, binutils-native
> (and so on).
> 
> This is helpful when one wants to concentrate their CVE fixing efforts on
> the specific packages going into the target device.

CVE check generates report summaries for all images already. Doesn't that cover
this use case?

And many build tools end up talking to servers on the Internet, so detecting
and fixing CVEs in them is also quite important.

Cheers,

-Mikko

View/Reply Online (#197293): https://lists.openembedded.org/g/openembedded-core/message/197293



Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

2024-03-15 Thread Dhairya Nagodra via lists.openembedded.org


>-Original Message-
>From: Ross Burton 
>Sent: Friday, March 15, 2024 9:39 PM
>To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
>
>Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
>list) 
>Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
>classes
>
>On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> wrote:
>>
>> From: Dhairya Nagodra 
>>
>> - There are times when excluding a package that inherits a particular
>> class/classes may be desired.
>> - This provides the framework for that via the variable:
>>  CVE_CHECK_CLASS_EXCLUDELIST
>
>What’s the use-case for this?  Note that you can control whether cve-check
>runs per-layer already, if that’s useful.

Currently, the CVE report is generated for all packages associated with the
build. However, not all of them might be getting used in the target device.
The packages associated with the native, nativesdk and cross classes are
examples of such. This patch would provide a way to exclude these packages
from the CVE report. So, if the variable is set like
CVE_CHECK_CLASS_EXCLUDELIST = "native", the report would not have the
entries for these packages: gnupg-native, nasm-native, binutils-native
(and so on).

This is helpful when one wants to concentrate their CVE fixing efforts on
the specific packages going into the target device.

Regards,
Dhairya

>
>Ross

View/Reply Online (#197249): https://lists.openembedded.org/g/openembedded-core/message/197249
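Ross suggests filtering the JSON report for -native entries rather than suppressing recipes in the report writer, and Dhairya's message above describes the entries such a filter would remove; this is an added example of that post-hoc filtering (not part of the patch or of oe-core) which also lists the unpatched CVEs the filter hides, so nothing is dropped unseen. It assumes the cve-check JSON layout described in the comment (a "package" list whose entries carry "name" and an "issue" list with "id" and "status"), which the thread does not show; the report content is constructed.

```python
"""Post-hoc filtering of a cve-check JSON report (added example, not oe-core code)."""
import json

# Constructed report in the assumed cve-check layout: a top-level "package"
# list whose entries carry "name" and an "issue" list with "id"/"status".
# CVE ids and versions are placeholders, not real records.
SAMPLE_REPORT = json.dumps({
    "package": [
        {"name": "gnupg-native", "version": "0.0-example",
         "issue": [{"id": "CVE-0000-0001", "status": "Unpatched"}]},
        {"name": "nasm-native", "version": "0.0-example", "issue": []},
        {"name": "gcc-cross-aarch64", "version": "0.0-example",
         "issue": [{"id": "CVE-0000-0002", "status": "Unpatched"}]},
        {"name": "openssl", "version": "0.0-example",
         "issue": [{"id": "CVE-0000-0003", "status": "Patched"},
                   {"id": "CVE-0000-0004", "status": "Unpatched"}]},
    ],
})


def unpatched_ids(pkg):
    """CVE ids still marked Unpatched in one package entry."""
    return [i["id"] for i in pkg.get("issue", []) if i.get("status") == "Unpatched"]


def filter_report(report_text, suffixes=("-native",)):
    """Drop packages whose recipe name ends in one of `suffixes`.

    Returns (filtered_report, hidden); `hidden` lists (recipe, CVE id) pairs
    that were Unpatched in dropped packages, so the blind spot is visible.
    gcc-cross stays in scope (as the thread asks); nativesdk recipes are
    prefixed "nativesdk-", so a suffix rule does not touch them either.
    """
    report = json.loads(report_text)
    kept, hidden = [], []
    for pkg in report.get("package", []):
        name = pkg.get("name", "")
        if name.endswith(suffixes):
            hidden.extend((name, cve) for cve in unpatched_ids(pkg))
            continue
        kept.append(pkg)
    report["package"] = kept
    return report, hidden


if __name__ == "__main__":
    filtered, hidden = filter_report(SAMPLE_REPORT)
    print("kept:", [p["name"] for p in filtered["package"]])
    print("hidden by the -native filter:", hidden)
```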



Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

2024-03-15 Thread Ross Burton
On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org 
 wrote:
> 
> From: Dhairya Nagodra 
> 
> - There are times when excluding a package that inherits a particular
>  class/classes may be desired.
> - This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST

What’s the use-case for this?  Note that you can control whether cve-check runs 
per-layer already, if that’s useful.

Ross
View/Reply Online (#197143): https://lists.openembedded.org/g/openembedded-core/message/197143



Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

2024-03-13 Thread Dhairya Nagodra via lists.openembedded.org
A gentle reminder

>-Original Message-
>From: dnago...@cisco.com 
>Sent: Sunday, March 3, 2024 11:23 PM
>To: openembedded-core@lists.openembedded.org
>Cc: xe-linux-external(mailer list) ; Dhairya
>Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) 
>Subject: [master] [PATCH] cve-check: Add provision to exclude classes
>
>From: Dhairya Nagodra 
>
>- There are times when excluding a package that inherits a particular
>  class/classes may be desired.
>- This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST
>
>Signed-off-by: Dhairya Nagodra 
>---
> meta/classes/cve-check.bbclass | 12 
> 1 file changed, 12 insertions(+)
>
>diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>index 56ba8bceef..6d459642fe 100644
>--- a/meta/classes/cve-check.bbclass
>+++ b/meta/classes/cve-check.bbclass
>@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> # Layers to be included
> CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
>+# Classes to be excluded
>+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
>
> # set to "alphabetical" for version using single alphabetical character as
>increment release  CVE_VERSION_SUFFIX ??= ""
>@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>
> include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
> exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
> report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
> if include_layers and layer not in include_layers:
> return
>
>+for excluded in exclude_classes:
>+if bb.data.inherits_class(excluded, d):
>+return
>+
> # Early exit, the text format does not report packages without CVEs
> if not patched+unpatched+ignored:
> return
>@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>
> include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
> exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
> report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
> if include_layers and layer not in include_layers:
> return
>
>+for excluded in exclude_classes:
>+if bb.data.inherits_class(excluded, d):
>+return
>+
> unpatched_cves = []
>
> product_data = []
>--
>2.35.6


View/Reply Online (#197078): https://lists.openembedded.org/g/openembedded-core/message/197078



[OE-core] [master] [PATCH] cve-check: Add provision to exclude classes

2024-03-03 Thread Dhairya Nagodra via lists.openembedded.org
From: Dhairya Nagodra 

- There are times when excluding a package that inherits a particular
  class/classes may be desired.
- This provides the framework for that via the variable:
  CVE_CHECK_CLASS_EXCLUDELIST

Signed-off-by: Dhairya Nagodra 
---
 meta/classes/cve-check.bbclass | 12 
 1 file changed, 12 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 56ba8bceef..6d459642fe 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 # Layers to be included
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
+# Classes to be excluded
+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
 
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
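Review bot: the comment on the new variable, `# Classes to be excluded`, does not say what the value is matched against; since the hunks below test it per recipe with `bb.data.inherits_class()`, the comment should state that it is a space-separated list of class names and that any recipe inheriting one of them is dropped from the cve-check report (e.g. `CVE_CHECK_CLASS_EXCLUDELIST = "native"` removes gnupg-native, nasm-native, binutils-native and so on, per the cover discussion). The diffstat shows only the bbclass changing, so a variable that removes recipes from a vulnerability report also arrives with no documentation update; that should accompany it.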
@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, 
cve_data):
 
 include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
 exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
 report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched, ignored, 
cve_data):
 if include_layers and layer not in include_layers:
 return
 
+for excluded in exclude_classes:
+if bb.data.inherits_class(excluded, d):
+return
+
 # Early exit, the text format does not report packages without CVEs
 if not patched+unpatched+ignored:
 return
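Review bot: the new `return` in cve_write_data_text drops an excluded recipe before anything is written, so its unpatched CVEs leave no trace in the text report, and because the test is on inherited classes the effect is broad: `native` removes every host tool (gnupg-native, binutils-native and the rest), and `cross` would remove gcc-cross, which Ross and Mikko both say must stay in scope. This hunk also sits in the report writer rather than in the check itself, so the recipe's CVEs are still looked up; only their reporting is suppressed. Consider at least logging the exclusion with `bb.note()` so a reader of the report can see which recipes were filtered, or keep the entry and mark it excluded instead of returning early.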
@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, 
cve_data, cve_status):
 
 include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
 exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
 report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched, ignored, 
cve_data, cve_status):
 if include_layers and layer not in include_layers:
 return
 
+for excluded in exclude_classes:
+if bb.data.inherits_class(excluded, d):
+return
+
 unpatched_cves = []
 
 product_data = []
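Review bot: this loop duplicates the one added to cve_write_data_text line for line (the layer include/exclude checks above it are already duplicated the same way), so the two writers can drift; a small helper, e.g. `def cve_check_class_excluded(d):` returning `any(bb.data.inherits_class(c, d) for c in d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split())`, called from both writers would keep the text and JSON reports consistent. The text writer's comment says that format already omits packages without CVEs; if the JSON format does list them, a class-excluded recipe vanishing entirely is indistinguishable from one that was never built, and a downstream consumer doing the post-hoc filtering Ross suggests cannot tell the two apart. Keeping the entry with an explicit excluded marker would preserve that distinction.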
-- 
2.35.6


View/Reply Online (#196574): https://lists.openembedded.org/g/openembedded-core/message/196574