| Message ID | 20250312055803.801070-1-hongxu.jia@windriver.com |
|---|---|
| State | Accepted, archived |
| Commit | 08595b39b46ef2bf3a928d4528292ee31a990c98 |
| Series | lib: spdx30_tasks: remove duplicated patched CVEs |
On Tue, Mar 11, 2025 at 11:58 PM Hongxu Jia <hongxu.jia@windriver.com> wrote:
>
> Due to commit [lib: spdx30_tasks: Handle patched CVEs][1] applied,
> duplicated CVE identifier for each CVE which increased +25% build
> time (image task: do_create_image_sbom_spdx)
>
> $ bitbake binutils-cross-x86_64
> $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
> "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
> "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
> "identifier": "CVE-2023-25584",
> "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
> "https://www.cve.org/CVERecord?id=CVE-2023-25584"
> "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
> "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
> "identifier": "CVE-2023-25584",
> "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
> "https://www.cve.org/CVERecord?id=CVE-2023-25584"
>
> Since the commit [cve-check: annotate CVEs during analysis][2] improved
> function get_patched_cves to:
> - Check each patch file;
> - Search for additional patched CVEs from CVE_STATUS;
>
> And return dictionary patched_cve for each cve:
> {
>     "abbrev-status": "xxx",
>     "status": "xxx",
>     "justification": "xxx",
>     "resource": "xxx",
>     "affected-vendor": "xxx",
>     "affected-product": "xxx",
> }
>
> But while adding CVE in meta/lib/oe/spdx30_tasks.py, the cve_by_status
> requires decoded_status
> {
>     "mapping": "xxx",
>     "detail": "xxx",
>     "description": "xxx",
> }
>
> This commit converts patched_cve to decoded_status
>
> patched_cve["abbrev-status"] --> decoded_status["mapping"]
> patched_cve["status"] --> decoded_status["detail"]
> patched_cve["justification"] --> decoded_status["description"]
>
> And remove duplicated search for additional patched CVEs from CVE_STATUS
> (calling oe.cve_check.decode_cve_status)
>
> After applying this commit
> $ bitbake binutils-cross-x86_64
> $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
> "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/381bf593d99c005ecd2c2e0815b86bca2b9ff4cc2db59587aaddd3db95c67470/vulnerability/CVE-2023-25584",
> "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
> "identifier": "CVE-2023-25584",
> "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
> "https://www.cve.org/CVERecord?id=CVE-2023-25584"
>
> [1] https://git.openembedded.org/openembedded-core/commit/?id=1ff496546279d8a97df5ec475007cfb095c2a0bc
> [2] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  meta/lib/oe/spdx30_tasks.py | 19 +++++++------------
>  1 file changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index e20bb0c86f3..3d80f05612f 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -498,18 +498,13 @@ def create_spdx(d): > # Add CVEs > cve_by_status = {} > if include_vex != "none": > - for cve in oe.cve_check.get_patched_cves(d): > - spdx_cve = build_objset.new_cve_vuln(cve) > - build_objset.set_element_alias(spdx_cve) > - > - cve_by_status.setdefault("Patched", {})[cve] = ( > - spdx_cve, > - "patched", > - "", > - ) > - > - for cve in d.getVarFlags("CVE_STATUS") or {}: > - decoded_status = oe.cve_check.decode_cve_status(d, cve) > + patched_cves = oe.cve_check.get_patched_cves(d) The name of get_patched_cves() is apparently a lie now :) Nevertheless, LGTM to me. Thanks. Reviewed-by: Joshua Watt <JPEWhacker@gmail.com> > + for cve, patched_cve in patched_cves.items(): > + decoded_status = { > + "mapping": patched_cve["abbrev-status"], > + "detail": patched_cve["status"], > + "description": patched_cve.get("justification", None) > + } > > # If this CVE is fixed upstream, skip it unless all CVEs are > # specified. > -- > 2.34.1 >
On Wed, Mar 12, 2025 at 6:58 AM hongxu via lists.openembedded.org <hongxu.jia=eng.windriver.com@lists.openembedded.org> wrote:
> Due to commit [lib: spdx30_tasks: Handle patched CVEs][1] applied,
> duplicated CVE identifier for each CVE which increased +25% build
> time (image task: do_create_image_sbom_spdx)
>
> $ bitbake binutils-cross-x86_64
> $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
> "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
> "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
> "identifier": "CVE-2023-25584",
> "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
> "https://www.cve.org/CVERecord?id=CVE-2023-25584"
> "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
> "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
> "identifier": "CVE-2023-25584",
> "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
> "https://www.cve.org/CVERecord?id=CVE-2023-25584"
>
> Since the commit [cve-check: annotate CVEs during analysis][2] improved
> function get_patched_cves to:
> - Check each patch file;
> - Search for additional patched CVEs from CVE_STATUS;
>
> And return dictionary patched_cve for each cve:
> {
>     "abbrev-status": "xxx",
>     "status": "xxx",
>     "justification": "xxx",
>     "resource": "xxx",
>     "affected-vendor": "xxx",
>     "affected-product": "xxx",
> }
>
> But while adding CVE in meta/lib/oe/spdx30_tasks.py, the cve_by_status
> requires decoded_status
> {
>     "mapping": "xxx",
>     "detail": "xxx",
>     "description": "xxx",
> }
>
> This commit converts patched_cve to decoded_status
>
> patched_cve["abbrev-status"] --> decoded_status["mapping"]
> patched_cve["status"] --> decoded_status["detail"]
> patched_cve["justification"] --> decoded_status["description"]
>
> And remove duplicated search for additional patched CVEs from CVE_STATUS
> (calling oe.cve_check.decode_cve_status)
>
> After applying this commit
> $ bitbake binutils-cross-x86_64
> $ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
> "spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/381bf593d99c005ecd2c2e0815b86bca2b9ff4cc2db59587aaddd3db95c67470/vulnerability/CVE-2023-25584",
> "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
> "identifier": "CVE-2023-25584",
> "https://cveawg.mitre.org/api/cve/CVE-2023-25584",
> "https://www.cve.org/CVERecord?id=CVE-2023-25584"
>
> [1] https://git.openembedded.org/openembedded-core/commit/?id=1ff496546279d8a97df5ec475007cfb095c2a0bc
> [2] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d
>
> Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
> ---
>  meta/lib/oe/spdx30_tasks.py | 19 +++++++------------
>  1 file changed, 7 insertions(+), 12 deletions(-)
>
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index e20bb0c86f3..3d80f05612f 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -498,18 +498,13 @@ def create_spdx(d): > # Add CVEs > cve_by_status = {} > if include_vex != "none": > - for cve in oe.cve_check.get_patched_cves(d): > - spdx_cve = build_objset.new_cve_vuln(cve) > - build_objset.set_element_alias(spdx_cve) > - > - cve_by_status.setdefault("Patched", {})[cve] = ( > - spdx_cve, > - "patched", > - "", > - ) > - > - for cve in d.getVarFlags("CVE_STATUS") or {}: > - decoded_status = oe.cve_check.decode_cve_status(d, cve) > + patched_cves = oe.cve_check.get_patched_cves(d) > + for cve, patched_cve in patched_cves.items(): > + decoded_status = { > + "mapping": patched_cve["abbrev-status"], > + "detail": patched_cve["status"], > + "description": patched_cve.get("justification", None) > + } > > # If this CVE is fixed upstream, skip it unless all CVEs are > # specified. > > This is enough to use get_patched_cves() here. And it would allow to fill a little more of the entry too. Regards, Marta
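Review bot: the new `decoded_status` dict in this hunk carries only `mapping`, `detail` and `description`, while the commit message lists `resource`, `affected-vendor` and `affected-product` as further keys of every entry returned by `get_patched_cves()`, so the hunk drops those three silently. Either state in the commit message that they are intentionally not carried into the VEX entry, or pass them through in `decoded_status` so the consumer below the hunk can use them; that is the extra data this reply points at.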
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index e20bb0c86f3..3d80f05612f 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -498,18 +498,13 @@ def create_spdx(d): # Add CVEs cve_by_status = {} if include_vex != "none": - for cve in oe.cve_check.get_patched_cves(d): - spdx_cve = build_objset.new_cve_vuln(cve) - build_objset.set_element_alias(spdx_cve) - - cve_by_status.setdefault("Patched", {})[cve] = ( - spdx_cve, - "patched", - "", - ) - - for cve in d.getVarFlags("CVE_STATUS") or {}: - decoded_status = oe.cve_check.decode_cve_status(d, cve) + patched_cves = oe.cve_check.get_patched_cves(d) + for cve, patched_cve in patched_cves.items(): + decoded_status = { + "mapping": patched_cve["abbrev-status"], + "detail": patched_cve["status"], + "description": patched_cve.get("justification", None) + } # If this CVE is fixed upstream, skip it unless all CVEs are # specified.
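Review bot: in the added loop body, `patched_cve["abbrev-status"]` and `patched_cve["status"]` are indexed directly while `"justification"` is read through `.get(..., None)`, so the three keys are treated as having different guarantees; if any entry returned by `get_patched_cves()` lacks `abbrev-status` or `status`, `create_spdx()` aborts with a KeyError for the whole recipe instead of skipping one CVE. Either read all three with `.get()` and a documented default, or add a comment stating that `get_patched_cves()` always populates them. Separately, the removed tuple passed `""` as the description where the new dict stores `None` when no justification is set; the code below the hunk that consumes `decoded_status["description"]` should be confirmed to handle `None` the same way it handled the empty string.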
Due to commit [lib: spdx30_tasks: Handle patched CVEs][1] applied,
duplicated CVE identifier for each CVE which increased +25% build
time (image task: do_create_image_sbom_spdx)

$ bitbake binutils-cross-x86_64
$ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
"spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
"https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
"identifier": "CVE-2023-25584",
"https://cveawg.mitre.org/api/cve/CVE-2023-25584",
"https://www.cve.org/CVERecord?id=CVE-2023-25584"
"spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
"https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
"identifier": "CVE-2023-25584",
"https://cveawg.mitre.org/api/cve/CVE-2023-25584",
"https://www.cve.org/CVERecord?id=CVE-2023-25584"

Since the commit [cve-check: annotate CVEs during analysis][2] improved
function get_patched_cves to:
- Check each patch file;
- Search for additional patched CVEs from CVE_STATUS;

And return dictionary patched_cve for each cve:
{
    "abbrev-status": "xxx",
    "status": "xxx",
    "justification": "xxx",
    "resource": "xxx",
    "affected-vendor": "xxx",
    "affected-product": "xxx",
}

But while adding CVE in meta/lib/oe/spdx30_tasks.py, the cve_by_status
requires decoded_status
{
    "mapping": "xxx",
    "detail": "xxx",
    "description": "xxx",
}

This commit converts patched_cve to decoded_status

patched_cve["abbrev-status"] --> decoded_status["mapping"]
patched_cve["status"] --> decoded_status["detail"]
patched_cve["justification"] --> decoded_status["description"]

And remove duplicated search for additional patched CVEs from CVE_STATUS
(calling oe.cve_check.decode_cve_status)

After applying this commit
$ bitbake binutils-cross-x86_64
$ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
"spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/381bf593d99c005ecd2c2e0815b86bca2b9ff4cc2db59587aaddd3db95c67470/vulnerability/CVE-2023-25584",
"https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
"identifier": "CVE-2023-25584",
"https://cveawg.mitre.org/api/cve/CVE-2023-25584",
"https://www.cve.org/CVERecord?id=CVE-2023-25584"

[1] https://git.openembedded.org/openembedded-core/commit/?id=1ff496546279d8a97df5ec475007cfb095c2a0bc
[2] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/lib/oe/spdx30_tasks.py | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
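The jq | grep check in the commit message only catches the duplicate by eye. As an added example (not part of the patch or of oe-core), the following Python walks an SPDX 3.0.1 JSON document, counts every spdxId and reports vulnerability elements emitted more than once; the sample document and its "@graph" layout are constructed here, with the duplicated spdxId taken from the output quoted above.

```python
import json
from collections import Counter

# Constructed sample, modelled on the duplicate the commit message shows:
# the same vulnerability spdxId written twice for CVE-2023-25584. The
# JSON-LD layout ("@graph" of elements carrying "spdxId") is an assumption
# about the spdx30 writer's output, not taken from the patch itself.
SPDX_ID = ("http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/"
           "962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584")
SAMPLE_DOC = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "security_Vulnerability", "spdxId": SPDX_ID},
        {"type": "security_Vulnerability", "spdxId": SPDX_ID},
        {"type": "software_Package", "spdxId": "http://spdx.org/spdxdocs/example/package/binutils"},
    ],
})


def iter_spdx_ids(node):
    """Yield every spdxId in the document, at whatever nesting the writer used."""
    if isinstance(node, dict):
        if isinstance(node.get("spdxId"), str):
            yield node["spdxId"]
        for value in node.values():
            yield from iter_spdx_ids(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_spdx_ids(item)


def duplicated_vulnerabilities(doc_text):
    """Return {spdxId: count} for vulnerability elements that occur more than once.

    An spdxId must be unique within an SPDX document, so any count above one is
    a defect of the generator; each extra copy also costs SBOM build time, which
    is the +25% the commit message measured.
    """
    counts = Counter(iter_spdx_ids(json.loads(doc_text)))
    return {sid: n for sid, n in counts.items()
            if n > 1 and "/vulnerability/" in sid}


if __name__ == "__main__":
    for sid, n in duplicated_vulnerabilities(SAMPLE_DOC).items():
        print(f"{n}x {sid.rsplit('/', 1)[-1]}: {sid}")
```

Run it against tmp/deploy/spdx/3.0.1/.../recipe-*.spdx.json after a build to confirm the fix holds for every recipe, not only the one greped by hand.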