Message ID | 20241230074045.213743-1-hongxu.jia@windriver.com
---|---
State | New
Series | meta/lib/oe/spdx30_tasks.py: add patched CVE to SPDX 3
On Mon, Dec 30, 2024 at 12:40 AM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> Some CVEs may be patched during the build process without incrementing
> the version number. Save the CVEs fixed by patches to cve_by_status,
> which is parsed as "Patched" status to add new_vex_patched_relationship
> to pkg_objset.
>
> Take the unzip recipe for example: CVE-2015-1315 is patched in oe-core and
> is available in the package SPDX.
>
> oe-core$ grep "CVE-2015-1315" -rn meta
> meta/recipes-extended/unzip/unzip_6.0.bb:12:           file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
> meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315
>
> $ bitbake unzip
> $ vim tmp/deploy/spdx/3.0.1/corei7-64/packages/package-unzip.spdx.json [1]
> ...
>   {
>     "type": "security_VexFixedVulnAssessmentRelationship",
>     "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
>     "creationInfo": "_:CreationInfo1",
>     "extension": [
>       {
>         "type": "https://rdf.openembedded.org/spdx/3.0/id-alias",
>         "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
>       }
>     ],
>     "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315",
>     "relationshipType": "fixedIn",
>     "to": [
>       "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/package/unzip"
>     ],
>     "security_vexVersion": "1.0.0"
>   },
> ...
>
> [1] https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/
> > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index 036c58bf4b..842962f609 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py > @@ -515,6 +515,21 @@ def create_spdx(d): > > cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) > > + # Some CVEs may be patched during the build process without incrementing the version number, > + # so querying for CVEs based on the CPE id can lead to false positives. To account for this, > + # save the CVEs fixed by patches to cve_by_status. > + patched_cves = oe.cve_check.get_patched_cves(d) > + for cve, patched_cve in patched_cves.items(): > + if patched_cve["abbrev-status"] != "Patched": > + continue > + spdx_cve = build_objset.new_cve_vuln(cve) > + build_objset.set_element_alias(spdx_cve) > + cve_by_status.setdefault("Patched", {})[cve] = ( > + spdx_cve, > + None, > + None, > + ) > + Thanks for finding and fixing this, I didn't notice it was missing. It looks great, except that it should be in the `if include_vex != "none"` block so that it's not included if the user requested no VEX > source_files = add_download_files(d, build_objset) > build_inputs |= source_files > > -- > 2.25.1 >
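Review bot: in the `for cve, patched_cve in patched_cves.items()` loop, `cve_by_status.setdefault("Patched", {})[cve] = (...)` silently overwrites any entry already recorded for the same CVE in the "Patched" bucket before this point, and `build_objset.new_cve_vuln(cve)` has by then already created a second vulnerability element for it. Consider skipping CVEs that are already present in any `cve_by_status` bucket before calling `new_cve_vuln`, e.g. `if any(cve in s for s in cve_by_status.values()): continue`, so a CVE that is both patch-tagged and recorded by the earlier population yields one element and one relationship rather than a duplicate.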
Please drop it, I have a better way for it, v2 incoming //Hongxu
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 036c58bf4b..842962f609 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -515,6 +515,21 @@ def create_spdx(d): cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) + # Some CVEs may be patched during the build process without incrementing the version number, + # so querying for CVEs based on the CPE id can lead to false positives. To account for this, + # save the CVEs fixed by patches to cve_by_status. + patched_cves = oe.cve_check.get_patched_cves(d) + for cve, patched_cve in patched_cves.items(): + if patched_cve["abbrev-status"] != "Patched": + continue + spdx_cve = build_objset.new_cve_vuln(cve) + build_objset.set_element_alias(spdx_cve) + cve_by_status.setdefault("Patched", {})[cve] = ( + spdx_cve, + None, + None, + ) + source_files = add_download_files(d, build_objset) build_inputs |= source_files
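Review bot: the new block at the top of the hunk runs unconditionally, so the "Patched" entries, and the vulnerability elements `new_cve_vuln` creates for them, are added even when VEX output was not requested; as the reply on this page already says, it should move inside the `if include_vex != "none"` block next to the rest of the `cve_by_status` population. A second point, on the tuple `(spdx_cve, None, None)`: everything in `patched_cve` except `abbrev-status` is discarded, so the resulting VEX statement carries no record of why the CVE counts as fixed. If the other tuples stored in `cve_by_status` carry a detail and description in those two positions, pass through whatever status string `get_patched_cves` attaches to the entry instead of `None`, so the fixed statement is traceable to the patch that justifies it.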
Some CVEs may be patched during the build process without incrementing
the version number. Save the CVEs fixed by patches to cve_by_status,
which is parsed as "Patched" status to add new_vex_patched_relationship
to pkg_objset.

Take the unzip recipe for example: CVE-2015-1315 is patched in oe-core and
is available in the package SPDX.

oe-core$ grep "CVE-2015-1315" -rn meta
meta/recipes-extended/unzip/unzip_6.0.bb:12:           file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315

$ bitbake unzip
$ vim tmp/deploy/spdx/3.0.1/corei7-64/packages/package-unzip.spdx.json [1]
...
  {
    "type": "security_VexFixedVulnAssessmentRelationship",
    "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
    "creationInfo": "_:CreationInfo1",
    "extension": [
      {
        "type": "https://rdf.openembedded.org/spdx/3.0/id-alias",
        "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
      }
    ],
    "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315",
    "relationshipType": "fixedIn",
    "to": [
      "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/package/unzip"
    ],
    "security_vexVersion": "1.0.0"
  },
...

[1] https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
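Added example, my own code and not oe-core's nor the patch under review: the path the commit message describes, from a backport patch carrying a `CVE:` tag, to a status entry of the shape the hunk filters on (`abbrev-status == "Patched"`), to an SPDX 3.0.1 fixedIn relationship with the field names shown above, and then the consumer side a scanner needs: a CPE-match hit is dropped only when the document states the CVE is fixedIn that exact package element. It goes beyond the page in ways labelled in the code: the `CVE:` tag and file-name regexes are my approximation of oe-core's convention, the element ids use a constructed namespace rather than oe-core's by-doc-hash scheme, the externalIdentifier layout on the vulnerability element and the `source` key in the status dict are my assumptions, and the sample patch text and the CVE-2099-0001 finding are made up for the example.

```python
import os
import re

# oe-core marks a backported fix with a "CVE: CVE-YYYY-NNNN" header line and
# usually names the CVE in the patch file name; both regexes are my
# approximation of that convention (assumption).
CVE_TAG_RE = re.compile(r"^CVE:((?:[ \t]+CVE-\d{4}-\d{4,})+)[ \t]*$", re.MULTILINE)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample patch modelled on the unzip patch named in the commit
# message; header text and hunk are invented for the example.
SAMPLE_PATCH_NAME = "06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch"
SAMPLE_PATCH = """\
Subject: unzip: bound the iconv conversion buffer

CVE: CVE-2015-1315
Upstream-Status: Backport

--- a/unix/unix.c
+++ b/unix/unix.c
@@ -1 +1 @@
-old line
+new line
"""


def patched_cves_from_patch(text, filename=None):
    """CVE ids a patch declares fixed, from CVE: tag lines and the file name."""
    cves = set()
    for m in CVE_TAG_RE.finditer(text):
        cves.update(CVE_ID_RE.findall(m.group(1)))
    if filename:
        cves.update(CVE_ID_RE.findall(os.path.basename(filename)))
    return cves


def collect_patched_status(patches):
    """Per-CVE status dicts shaped like what the hunk filters on
    (abbrev-status == "Patched"); the `source` key is my addition."""
    status = {}
    for name, text in patches:
        for cve in patched_cves_from_patch(text, name):
            status[cve] = {"abbrev-status": "Patched", "source": name}
    return status


def vex_fixed_relationship(spdx_id, vuln_id, package_id):
    """SPDX 3.0.1 fixedIn relationship with the field names seen in the commit message."""
    return {"type": "security_VexFixedVulnAssessmentRelationship", "spdxId": spdx_id,
            "creationInfo": "_:CreationInfo1", "from": vuln_id,
            "relationshipType": "fixedIn", "to": [package_id],
            "security_vexVersion": "1.0.0"}


def build_vex_for_patches(patches, doc_ns, package_name):
    """Producer side: a Vulnerability element plus a fixedIn relationship per
    Patched CVE. doc_ns is a constructed namespace (not oe-core's by-doc-hash
    scheme) and the externalIdentifier layout is my assumption."""
    package_id = f"{doc_ns}/package/{package_name}"
    graph = []
    for cve, info in sorted(collect_patched_status(patches).items()):
        if info["abbrev-status"] != "Patched":
            continue
        vuln_id = f"{doc_ns}/vulnerability/{cve}"
        graph.append({"type": "security_Vulnerability", "spdxId": vuln_id,
                      "externalIdentifier": [{"type": "ExternalIdentifier",
                                              "externalIdentifierType": "cve",
                                              "identifier": cve}]})
        graph.append(vex_fixed_relationship(f"{doc_ns}/vex-fixed/{cve}", vuln_id, package_id))
    return {"@graph": graph}, package_id


def fixed_cves_for_package(spdx_doc, package_id):
    """Consumer side: CVE ids the document states are fixedIn package_id."""
    graph = spdx_doc.get("@graph", [])
    cve_of = {el["spdxId"]: ext["identifier"]
              for el in graph if el.get("type") == "security_Vulnerability"
              for ext in el.get("externalIdentifier", [])
              if ext.get("externalIdentifierType") == "cve"}
    return {cve_of[el["from"]] for el in graph
            if el.get("type") == "security_VexFixedVulnAssessmentRelationship"
            and el.get("relationshipType") == "fixedIn"
            and package_id in el.get("to", []) and el.get("from") in cve_of}


def triage(cpe_findings, spdx_doc, package_id):
    """Split CPE-based scanner hits into (still open, suppressed by fixedIn).
    Suppression is keyed on the exact package element, never on CVE id alone."""
    fixed = fixed_cves_for_package(spdx_doc, package_id)
    findings = set(cpe_findings)
    return sorted(findings - fixed), sorted(findings & fixed)


if __name__ == "__main__":
    doc, pkg = build_vex_for_patches([(SAMPLE_PATCH_NAME, SAMPLE_PATCH)],
                                     "http://example.invalid/spdxdocs/unzip", "unzip")
    # CVE-2099-0001 is a made-up id standing in for a still-open finding.
    print(triage(["CVE-2015-1315", "CVE-2099-0001"], doc, pkg))
```

Run stand-alone it prints `(['CVE-2099-0001'], ['CVE-2015-1315'])`: the version-only CPE match for CVE-2015-1315 is suppressed because the relationship's `to` names the unzip package element, while the same document queried for a different package element suppresses nothing. That is the check a consumer should keep: match on the element id the statement points at, not on the CVE id, or a fixedIn statement for one package will hide the same CVE in another.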