[v3,1/8] linux-vulns: fetch kernel.org CNA info

Message ID 20250429143904.634082-2-daniel.turull@ericsson.com
State Changes Requested
Series Check compiled files to filter kernel CVEs

Commit Message

Daniel Turull April 29, 2025, 2:38 p.m. UTC
From: Daniel Turull <daniel.turull@ericsson.com>

Add CVE data source for kernel.org.

It includes more information than the one provided by NVD.
Use similar mechanism and same variables as cve-check to define
when to update.

To use without internet access, change variable VULNS_URL to a local
copy or mirror.

CC: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
 meta/conf/distro/include/maintainers.inc  |  1 +
 meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb

Comments

Richard Purdie April 29, 2025, 2:43 p.m. UTC | #1
On Tue, 2025-04-29 at 16:38 +0200, Daniel Turull via lists.openembedded.org wrote:
> From: Daniel Turull <daniel.turull@ericsson.com>
> 
> Add CVE data source for kernel.org.
> 
> It includes more information than the one provided by NVD.
> Use similar mechanism and same variables as cve-check to define
> when to update.
> 
> To use without internet access, change variable VULNS_URL to a local
> copy or mirror.
> 
> CC: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
>  meta/conf/distro/include/maintainers.inc  |  1 +
>  meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
>  2 files changed, 77 insertions(+)
>  create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb

If this is a real git repo, why can't we use a standard SRC_URI?

That would avoid having to invent new mirror variables and so on?

Cheers,

Richard
Marta Rybczynska April 29, 2025, 2:48 p.m. UTC | #2
Thank you for providing this work Daniel.

Are you able to obtain the same result with the raw CVE database? This
patchset works for the Linux kernel only.

Also, have you tested if it works with the world build for multiple kernel
images (i.e. different configs) from the same source tree?

I would rather go for post-processing with a given config after
generating the JSON files instead of modifying the processing.

My 0.02.

Kind regards,
Marta

On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org
<daniel.turull=ericsson.com@lists.openembedded.org> wrote:

> From: Daniel Turull <daniel.turull@ericsson.com>
>
> Add CVE data source for kernel.org.
>
> It includes more information than the one provided by NVD.
> Use similar mechanism and same variables as cve-check to define
> when to update.
>
> To use without internet access, change variable VULNS_URL to a local
> copy or mirror.
>
> CC: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
>  meta/conf/distro/include/maintainers.inc  |  1 +
>  meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
>  2 files changed, 77 insertions(+)
>  create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb
>
> diff --git a/meta/conf/distro/include/maintainers.inc
> b/meta/conf/distro/include/maintainers.inc
> index 8065287c17..ec427fe6a4 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <
> otavio.salvador@ossystems.com.br>"
>  RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
> +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
>  RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
>  RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
> diff --git a/meta/recipes-core/meta/linux-vulns_git.bb
> b/meta/recipes-core/meta/linux-vulns_git.bb
> new file mode 100644
> index 0000000000..fc48558eb8
> --- /dev/null
> +++ b/meta/recipes-core/meta/linux-vulns_git.bb
> @@ -0,0 +1,76 @@
> +SUMMARY = "CVE information from kernel.org"
> +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers
> reserved \
> +and assigned to the Linux kernel project."
> +HOMEPAGE = "
> https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
> +LICENSE = "GPL-2.0-only & cve-tou"
> +SECTION = "base"
> +
> +INHIBIT_DEFAULT_DEPS = "1"
> +
> +inherit native
> +inherit nopackages
> +
> +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
> +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
> +
> +# Use same intervals as cve-update-db-native. By default: once a day
> (24*60*60).
> +# Use 0 to force the update
> +# Use a negative value to skip the update
> +
> +CVE_DB_UPDATE_INTERVAL ??= "86400"
> +
> +python do_fetch(){
> +    import os
> +    import bb.utils
> +
> +    bb.utils.export_proxies(d)
> +    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
> +    repo_url = d.getVar("VULNS_URL")
> +
> +    try:
> +        import time
> +        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
> +
> +        if update_interval < 0:
> +            bb.note("Kernel CVE database update skipped")
> +            return
> +        if time.time() - os.path.getmtime(db_file) < update_interval:
> +            bb.debug(2,"Kernel CVE database, recently updated, skipping")
> +            return
> +
> +    except OSError:
> +        pass
> +
> +    bb.utils.mkdirhier(os.path.dirname(db_file))
> +    # Configure cmd
> +    if not os.path.exists(db_file):
> +        cmd = f"git clone {repo_url} {db_file}"
> +    else:
> +        cmd = f"git -C {db_file} pull"
> +    try:
> +        bb.fetch2.runfetchcmd(cmd, d)
> +    except bb.fetch2.FetchError as e:
> +        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
> +        bb.warn("Set VULNS_URL in local.conf to point to a local copy or
> mirror")
> +}
> +
> +do_clean() {
> +    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
> +}
> +
> +deltask do_patch
> +deltask do_unpack
> +deltask do_configure
> +deltask do_compile
> +deltask do_install
> +deltask do_populate_sysroot
> +deltask do_runtime_spdx
> +deltask do_create_spdx
> +deltask do_populate_lic
> +deltask do_cve_check
> +
> +do_fetch[nostamp] = "1"
> +do_fetch[file-checksums] = ""
> +do_fetch[vardeps] = ""
> +
> +EXCLUDE_FROM_WORLD = "1"
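Review bot: the update-interval check in do_fetch stats the clone directory itself, `if time.time() - os.path.getmtime(db_file) < update_interval:`, but a `git pull` only rewrites files below cve/ and .git/ and does not touch the mtime of the top-level directory, so the check skips updates for the first interval after the initial clone and then, with the mtime stuck at clone time, pulls on every build from then on; cve-update-db-native gets away with the same pattern because it rewrites the file it stats. Refresh the timestamp after a successful fetch (`os.utime(db_file, None)`) or stat something git rewrites on every fetch, such as `.git/FETCH_HEAD`. Second, on `bb.fetch2.FetchError` the task only warns and returns success, so a first build without network (or with a wrong VULNS_URL) completes with CVE_CHECK_KERNEL_DB_DIR absent and whatever consumes it failing later with a less helpful error; keep the two warnings for the case where an existing clone could not be refreshed, but make failure of the initial clone `bb.fatal`. Minor: `repo_url` and `db_file` are interpolated unquoted into the shell command (wrap them in `shlex.quote`, DL_DIR is user-supplied), the `as e` binding is unused, and `import time` sits inside the try block instead of with the other imports.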
Daniel Turull April 29, 2025, 3:21 p.m. UTC | #3
Hi,

In the original patch I had it as a normal SRC_URI, but I changed it to a variable so as not to interfere with the fetcher.
Now I have tested it and I see that SRC_URI just works fine.
I'll send a new patch with the change.

After the comment from Peter, I decided to skip the git fetcher, since we need to use the latest version and AUTOREV is not working with offline builds.

The variable needs to be overridden in case we need to use a mirror.
Or is there a way to use existing premirrors without the fetcher?

Thanks
Daniel

Daniel Turull April 29, 2025, 3:28 p.m. UTC | #4
Hi Marta,
The CVE database from NVD doesn't have all the metadata, especially the files affected.

I'll test it with https://github.com/CVEProject/cvelistV5, since the data from the kernel should be the same. But the repository is much bigger.

No, I haven't tested with world builds. I'll give it a try. Probably the file that I'm generating should be specific to a config, so we don't override it.

Best regards,
Daniel

Daniel Turull April 30, 2025, 8:32 a.m. UTC | #5
Hi again Marta,

I really appreciate your comments. You are doing a great job in this space.

By post-processing, do you mean another task after do_cve_check, or something outside the build, maybe a script in openembedded-core/scripts?

I see benefits in both (inside the build and outside). If we keep it in the build we have more accurate data at the time of the build, while outside the build it can easily be updated with new information.
We also include missing information and add resilience by having multiple sources.

Before sending another round of patches, I'd like to reach some consensus on how we should implement this, and your comments, together with Peter's and Richard's, will be very much appreciated.

New proposal:

  * Keep, as an option, extracting the compiled files, and store them in SPDX as well. Basically:
      1. kernel: add support to extract compiled files
         - store the file in log/cve/ with a unique name
      2. spdx: add option to include only compiled kernel files
  * Add an option to have multiple sources of CVEs in cve-check, using vulns or cvelistv5
  * Keep the bug fixes, though probably I could send them independently from this series.
  * And then we have 3 options:
      1. Keep the existing "cve-check, vex, spdx: use metadata from linux-vulns"
      2. Create a new post-processing script in openembedded-core/scripts that triages CVEs whose matching files are not compiled, with similar functionality to the one proposed in "cve-check, vex, spdx: use metadata from linux-vulns to enhance CVE reporting". But then the cveinfo in the SPDX won't be accurate, since now I was adding the fixes in get_patched_cves. On the other hand, this also gets outdated, and for the not applicable ones we already have CVE_STATUS.
      3. Have both 1 and 2, since they are not mutually exclusive. Now I'm probably leaning more towards this option.

For the new script, the first version will take as input the output of the kernel's gen_compile_commands.py, a directory with vulns or cvelistv5, and the cve-summary.json, and generate a new cve-summary with updated information. This could potentially be integrated into the scripts that Marta has for VEX, or be used as their input. For example:

    ./improve_kernel_cve_reporting.py --sources compile_commands.json --cve-data <dir to vulns or cvelistv5> --old-cve-report cve-summary.json --new-cve-report cve-summary-enhance.json

How does it sound? Or do you have a better proposal?

And for the question comparing with using only the NVD database: I'm getting fewer CVEs, since some do not have their CPE yet, due to their big backlog.

I have slightly modified the patches and I can fetch the cvelistv5 repo, but it is slower since it contains many more files. But then I guess it could be used as an alternative source for cve_check.
CVE files as of today:
Vulns: 5941
Cvelistv5: 291484

When comparing data from cvelistv5 vs vulns, the functionality to exclude based on compiled files gives the same results, except that with the former the script finds more vulnerable CVEs, which are later corrected by the data from NVD.

Only NVD: 14
linux-yocto-6.12.23+git-r0 do_cve_check: Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57995 CVE-2025-21751 CVE-2025-21833 CVE-2025-21949 CVE-2025-37838)

vulns: 33 vulnerable + 32 not applicable
CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)

cvelistv5: 36 vulnerable + 32 not applicable
Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)

Best regards,
Daniel
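
The post-processing pass sketched in the message above, as an added example; this is not code from the patch series, from oe-core or from the script the message proposes. It takes the same three inputs the message names (the kernel's compile_commands.json, a directory of CVE records, cve-summary.json) and downgrades an Unpatched kernel CVE whose affected files were all left out of this build. Assumptions: compile_commands.json entries carry `directory` and `file` keys as gen_compile_commands.py emits them; the CVE JSON 5 records from vulns or cvelistv5 keep the file list in `containers.cna.affected[].programFiles`; the summary layout (`package[].issue[].status`) and the `Ignored` / `not-applicable-config` pair follow current cve-check conventions. All sample inputs and CVE ids are constructed. It also covers a case the message does not mention: a record whose affected files are headers only, which compile_commands.json cannot show as used, is left as reported rather than downgraded.

```python
import glob
import json
import os
import posixpath

UNIT_EXTS = (".c", ".S")  # what appears as a translation unit in compile_commands.json


def load_compiled_files(compile_commands, src_root):
    """Source paths, relative to the kernel tree, that were actually compiled."""
    compiled = set()
    for entry in compile_commands:
        path = entry["file"]
        if not posixpath.isabs(path):  # gen_compile_commands.py may emit either form
            path = posixpath.join(entry.get("directory", src_root), path)
        compiled.add(posixpath.normpath(posixpath.relpath(path, src_root)))
    return compiled


def load_records(cve_dir):
    """Index every CVE JSON 5 record below cve_dir (vulns or cvelistv5 layout) by id."""
    records = {}
    for path in glob.glob(os.path.join(cve_dir, "**", "CVE-*.json"), recursive=True):
        with open(path) as fh:
            rec = json.load(fh)
        cve_id = rec.get("cveMetadata", {}).get("cveId")
        if cve_id:
            records[cve_id] = rec
    return records


def affected_files(record):
    """programFiles listed by the CNA; empty when the record carries none."""
    files = set()
    for aff in record.get("containers", {}).get("cna", {}).get("affected", []):
        files.update(aff.get("programFiles", []))
    return files


def classify(files, compiled):
    """'compiled': some affected file was built; 'not-compiled': every affected file is a
    translation unit and none was built; 'unknown': no file list, or a header/other file
    whose use compile_commands.json cannot show, so the CVE must stay as reported."""
    if not files:
        return "unknown"
    if any(f in compiled for f in files):
        return "compiled"
    if all(f.endswith(UNIT_EXTS) for f in files):
        return "not-compiled"
    return "unknown"


def triage(summary, records, compiled, kernel_pkgs):
    """Return (new_summary, downgraded_ids); only Unpatched issues of kernel packages change."""
    new = json.loads(json.dumps(summary))  # deep copy, the input report is left untouched
    downgraded = []
    for pkg in new.get("package", []):
        if pkg.get("name") not in kernel_pkgs:
            continue
        for issue in pkg.get("issue", []):
            rec = records.get(issue.get("id"))
            if issue.get("status") != "Unpatched" or rec is None:
                continue
            files = affected_files(rec)
            if classify(files, compiled) == "not-compiled":
                issue["status"] = "Ignored"                # assumed to mirror the CVE_STATUS
                issue["detail"] = "not-applicable-config"  # mapping used by cve-check
                issue["description"] = "affected files not compiled: " + " ".join(sorted(files))
                downgraded.append(issue["id"])
    return new, downgraded


# Constructed sample inputs; the CVE ids are placeholders, not real records.
def _record(cve_id, *files):
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"affected": [{"product": "Linux", "programFiles": list(files)}]}}}


SAMPLE_COMPILE_COMMANDS = [
    {"directory": "/build/linux", "file": "/build/linux/net/ipv4/tcp.c", "command": "gcc ..."},
    {"directory": "/build/linux", "file": "drivers/net/ethernet/foo.c", "command": "gcc ..."},
]
SAMPLE_RECORDS = {r["cveMetadata"]["cveId"]: r for r in (
    _record("CVE-2099-0001", "drivers/gpu/drm/bar.c"),   # driver not built in this config
    _record("CVE-2099-0002", "net/ipv4/tcp.c"),          # core file, built
    _record("CVE-2099-0003", "include/linux/baz.h"),     # header only: undecidable
    _record("CVE-2099-0004"),                            # record without programFiles
)}
SAMPLE_SUMMARY = {"version": "1", "package": [
    {"name": "linux-yocto", "version": "6.12", "issue": [
        {"id": "CVE-2099-0001", "status": "Unpatched"},
        {"id": "CVE-2099-0002", "status": "Unpatched"},
        {"id": "CVE-2099-0003", "status": "Unpatched"},
        {"id": "CVE-2099-0004", "status": "Unpatched"}]},
    {"name": "busybox", "version": "1.37", "issue": [
        {"id": "CVE-2099-0001", "status": "Unpatched"}]},  # same id, not a kernel package
]}


def demo():
    """Run the pass over the constructed inputs; returns (new_summary, downgraded_ids)."""
    compiled = load_compiled_files(SAMPLE_COMPILE_COMMANDS, "/build/linux")
    return triage(SAMPLE_SUMMARY, SAMPLE_RECORDS, compiled, {"linux-yocto"})


if __name__ == "__main__":
    new_summary, downgraded = demo()
    print("downgraded to not-applicable-config:", " ".join(downgraded) or "none")
```

For a real run, feed `load_compiled_files` the parsed compile_commands.json together with the source tree its paths are relative to, `load_records` the vulns or cvelistv5 checkout, and `triage` the parsed cve-summary.json; the result is a second report, so the cve-check output stays as produced by the build, which is the post-processing shape Marta suggested. The header case is the one to watch: a CVE whose only programFiles entry is an include file never shows up in compile_commands.json, so it must not be treated as "not compiled".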

Richard Purdie April 30, 2025, 10:14 a.m. UTC | #6
On Tue, 2025-04-29 at 15:21 +0000, Daniel Turull wrote:
> Hi,
> 
> On the original patch I had it as normal SRC_URI, but I changed to
> the variable not to interfere with the fetcher.
> Now I tested and I see that SRC_URI just works fine. 
> I'll send a new patch with the change.
> 
> After the comment from Peter, I decided to skip the git fetcher since
> we need to use the latest version and AUTOREV is not working with
> offline builds.
> 
> The variable needs to be overridden in case we need to use a mirror.
> Or is it a way to use existing premirrors without the fetcher?

Sounds good, thanks.

It is true that we don't want our default install fetching floating
revisions from git repos. I think we can do this by defaulting to a
revision we update periodically and then have the classes/conf files
set AUTOREV as/where needed so users opt into it.

I'd much rather do that and use the fetcher than trying to reinvent
AUTOREV, mirroring and other things. We can improve the fetcher if
needed too.

Cheers,

Richard
Marta Rybczynska April 30, 2025, 3:04 p.m. UTC | #7
Hello Daniel,
Thanks for the work. I plan to take some time in the next day to have a
look and provide a viewpoint of what makes sense to do next.

BTW, this code is shorter than I expected this work to be (and yes, there are
multiple people working on the same), and this is good news. It makes a
review way easier than I expected!

Kind regards,
Marta

On Wed, Apr 30, 2025 at 10:32 AM Daniel Turull <daniel.turull@ericsson.com>
wrote:

> Hi again Marta,
>
>
>
> I really appreciate your comments. You are doing a great job in this space.
>
>
>
> With the post-processing do you mean another task after the do_cve_check
> or outside the build, maybe in a script in openembedded-core/scripts?
>
>
>
> I see benefits in both (in the build and outside). If we keep it in the
> build we have more accurate data at the time of the build, while outside
> can be easily updated with new information.
>
> We also include missing information and add resilience having multiple
> sources.
>
>
>
> Before sending another round of patches, I’ll like to reach some consensus
> how we should implement this, and your comments together with Peter’s and
> Richard’s will be very appreciated.
>
>
>
> New proposal:
>
>    - Keep as option to extract the compiled file, and store them in spdx
>    as well. Basically:
>       1. kernel: add support to extract compiled files
>          - store the file in log/cve/ with a unique name
>       2. spdx: add option to include only compiled kernel files
>    - Add option to have multiple sources of cve, in cve-check, using
>    vulns or cvelistv5
>    - Keep the bug fixes, though probably I could send them independently
>    from this series.
>    - And then we have 3 options:
>       1. Keep the existing cve-check, vex, spdx: use metadata from
>       linux-vulns
>       2. Create a new a post-processing script in
>       openembedded-core/scripts that triages CVEs with files that are not
>       compiled that matches a CVEs, with similar functionality as the one
>       proposed in cve-check, vex, spdx: use metadata from linux-vulns to enhance
>       CVE reporting. But then in cveinfo in the SPDX won’t be accurate, since now
>       I was adding the fixes in the get_patched_cves. On the other hand, this
>       also get outdated, and for the not applicable with already have the
>       CVE_STATUS.
>       3. Have both 1 and 2, since they are not mutually exclusive. Now
>       probably I’m lining more to this option.
>
>
>
> For the new script, the first version of the script will take as input the
> output from the kernel gen_compile_commands.py, a directory to vulns or
> cvelistv5, and the cve-summary.json and generate a new cve-summary with
> updated information. This potentially could be integrated on the scripts
> that Marta has on vex or use as input. For example:
>
>                ./improve_kernel_cve_reporting.py --sources
> compile_commands.json --cve-data <dir to vulns or cvelistv5>
> --old-cve-report cve-summary.json –new-cve-report cve-summary-enhance.json
>
>
>
> How does it sound? Or do you have a better proposal?
>
>
>
> And for the question comparing with using only the NVD database, I’m
> getting less CVEs, since some do not have their cpe, due to their big
> backlog.
>
>
>
> I  have modified slightly the patches and I can fetch the cvelistv5 repo,
> but it is slower since it contains much more files. But then I guess it
> could be used as a source for the cve_check as alternative source.
>
> CVE files as today:
>
> Vulns: 5941
>
> Cvelistv5: 291484
>
>
>
> When comparing using data from cvelistv5 vs vulns, the functionally to
> exclude based on compiled files has the same results, except that with the
> former the script find more vulnerable CVEs, which later are corrected by
> the data from NVD.
>
>
>
> Only NVD 14
>
> linux-yocto-6.12.23+git-r0 do_cve_check: Found unpatched CVE
> (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096
> CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57995
> CVE-2025-21751 CVE-2025-21833 CVE-2025-21949 CVE-2025-37838)
>
>
>
> vulns: 33 vulnerable + 32 not applicable
>
> CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400
> CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240
> CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752
> CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884
> CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113
> CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125
> CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)
>
>
>
> cvelistv5: 36 vulnerable + 32 not applicable
>
> Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563
> CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2022-0400 CVE-2022-38096
> CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976
> CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807
> CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026
> CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115
> CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126
> CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)
>
>
>
> Best regards,
>
> Daniel
>
>
>
> From: openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> On Behalf Of Daniel Turull
> via lists.openembedded.org
> Sent: Tuesday, 29 April 2025 17:29
> To: Marta Rybczynska <rybczynska@gmail.com>
> Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
> Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA
> info
>
> Hi Marta,
>
> The CVE database from NVD doesn't have all the metadata, especially the
> files affected.
>
> I'll test it with https://github.com/CVEProject/cvelistV5, since the data
> from the kernel should be the same. But the repository is much bigger.
>
> No, I haven't tested with world builds. I'll give it a try. Probably the
> file that I'm generating should be specific for a config, so we don't
> override it.
>
>
>
> Best regards,
>
> Daniel
>
>
>
> From: Marta Rybczynska <rybczynska@gmail.com>
> Sent: Tuesday, 29 April 2025 16:48
> To: Daniel Turull <daniel.turull@ericsson.com>
> Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
> Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA
> info
>
> Thank you for providing this work Daniel.
>
> Are you able to obtain the same result with the raw CVE database? This
> patchset works for the Linux kernel only.
>
> Also, have you tested if it works with the world build for multiple kernel
> images (i.e. different configs) from the same source tree?
>
> I would rather go for a post-processing with a given config after
> generating the json files instead of modifying the processing.
>
>
>
> My 0.02.
>
>
>
> Kind regards,
>
> Marta
>
>
>
> On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org
> <daniel.turull=ericsson.com@lists.openembedded.org> wrote:
>
> From: Daniel Turull <daniel.turull@ericsson.com>
>
> Add CVE data source for kernel.org.
>
> It includes more information than the one provided by NVD.
> Use similar mechanism and same variables as cve-check to define
> when to update.
>
> To use without internet access, change variable VULNS_URL to a local
> copy or mirror.
>
> CC: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
>  meta/conf/distro/include/maintainers.inc  |  1 +
>  meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
>  2 files changed, 77 insertions(+)
>  create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb
>
> diff --git a/meta/conf/distro/include/maintainers.inc
> b/meta/conf/distro/include/maintainers.inc
> index 8065287c17..ec427fe6a4 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <
> otavio.salvador@ossystems.com.br>"
>  RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
> +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
>  RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
>  RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
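Review bot: the new `RECIPE_MAINTAINER:pn-linux-vulns` entry lands as "Unassigned" for a recipe that this same series introduces; a newly added recipe normally names its maintainer, and the series author is the natural candidate, so consider `RECIPE_MAINTAINER:pn-linux-vulns = "Daniel Turull <daniel.turull@ericsson.com>"` instead of the unassigned placeholder.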
> diff --git a/meta/recipes-core/meta/linux-vulns_git.bb
> b/meta/recipes-core/meta/linux-vulns_git.bb
> new file mode 100644
> index 0000000000..fc48558eb8
> --- /dev/null
> +++ b/meta/recipes-core/meta/linux-vulns_git.bb
> @@ -0,0 +1,76 @@
> +SUMMARY = "CVE information from kernel.org"
> +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers
> reserved \
> +and assigned to the Linux kernel project."
> +HOMEPAGE = "
> https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
> +LICENSE = "GPL-2.0-only & cve-tou"
> +SECTION = "base"
> +
> +INHIBIT_DEFAULT_DEPS = "1"
> +
> +inherit native
> +inherit nopackages
> +
> +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
> +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
> +
> +# Use same intervals as cve-update-db-native. By default: once a day
> (24*60*60).
> +# Use 0 to force the update
> +# Use a negative value to skip the update
> +
> +CVE_DB_UPDATE_INTERVAL ??= "86400"
> +
> +python do_fetch(){
> +    import os
> +    import bb.utils
> +
> +    bb.utils.export_proxies(d)
> +    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
> +    repo_url = d.getVar("VULNS_URL")
> +
> +    try:
> +        import time
> +        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
> +
> +        if update_interval < 0:
> +            bb.note("Kernel CVE database update skipped")
> +            return
> +        if time.time() - os.path.getmtime(db_file) < update_interval:
> +            bb.debug(2,"Kernel CVE database, recently updated, skipping")
> +            return
> +
> +    except OSError:
> +        pass
> +
> +    bb.utils.mkdirhier(os.path.dirname(db_file))
> +    # Configure cmd
> +    if not os.path.exists(db_file):
> +        cmd = f"git clone {repo_url} {db_file}"
> +    else:
> +        cmd = f"git -C {db_file} pull"
> +    try:
> +        bb.fetch2.runfetchcmd(cmd, d)
> +    except bb.fetch2.FetchError as e:
> +        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
> +        bb.warn("Set VULNS_URL in local.conf to point to a local copy or
> mirror")
> +}
> +
> +do_clean() {
> +    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
> +}
> +
> +deltask do_patch
> +deltask do_unpack
> +deltask do_configure
> +deltask do_compile
> +deltask do_install
> +deltask do_populate_sysroot
> +deltask do_runtime_spdx
> +deltask do_create_spdx
> +deltask do_populate_lic
> +deltask do_cve_check
> +
> +do_fetch[nostamp] = "1"
> +do_fetch[file-checksums] = ""
> +do_fetch[vardeps] = ""
> +
> +EXCLUDE_FROM_WORLD = "1"
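Review bot: the update throttle in `do_fetch` keys off `os.path.getmtime(db_file)`, but `db_file` is the clone directory, and `git -C {db_file} pull` only changes a directory's mtime when an entry directly inside it is created or removed; a pull that only touches files in subdirectories leaves the top-level mtime at clone time, so after the first day `time.time() - os.path.getmtime(db_file) < update_interval` is never true again and every build pulls. Writing a marker file after a successful fetch and checking that file's mtime gives the once-a-day behaviour the comment describes. A clone that fails part-way also leaves `db_file` present, so the next run takes the `git pull` branch on a broken checkout; remove the target when the clone fails. Smaller points: `except bb.fetch2.FetchError as e` never uses `e`; the function imports `bb.utils` but relies on `bb.fetch2` having been loaded elsewhere, so add `import bb.fetch2` next to the other imports; a failed fetch is only a `bb.warn`, which leaves whatever consumes `CVE_CHECK_KERNEL_DB_DIR` to fail later on a missing or stale database, so `bb.fatal` is the safer default unless the missing-database case is handled downstream; and nothing serialises two recipes updating the shared `${DL_DIR}/CVE_CHECK/vulns` path at the same time, which a `do_fetch[lockfiles]` varflag would take care of.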
>
>
Daniel Turull May 7, 2025, 8:05 a.m. UTC | #8
Hello Marta,
Did you have time to look at it and how to continue the work?

Would it make sense that for now I reduce the scope and only add the option to extract the compiled files in a "log" file and into the spdx sources? And have the processing in a script in the script/contrib folder.
Then the logic can be used to have the independent tool. We already have part of the logic in meta/recipes-kernel/linux/generate-cve-exclusions.py

Thanks

Daniel

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marta Rybczynska via lists.openembedded.org
Sent: Wednesday, 30 April 2025 17:04
To: Daniel Turull <daniel.turull@ericsson.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com; richard.purdie@linuxfoundation.org
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Hello Daniel,
Thanks for the work. I plan to take some time in the next day to have a look and provide a viewpoint of what makes sense to do next.

BTW This code is shorter than I expect this work to be (and yes, there are multiple people working on the same), and this is good news. It makes a review way easier than I expected!

Kind regards,
Marta

On Wed, Apr 30, 2025 at 10:32 AM Daniel Turull <daniel.turull@ericsson.com> wrote:
Hi again Marta,

I really appreciate your comments. You are doing a great job in this space.

With the post-processing do you mean another task after the do_cve_check or outside the build, maybe in a script in openembedded-core/scripts?

I see benefits in both (in the build and outside). If we keep it in the build we have more accurate data at the time of the build, while outside can be easily updated with new information.
We also include missing information and add resilience having multiple sources.

Before sending another round of patches, I'd like to reach some consensus on how we should implement this, and your comments together with Peter's and Richard's will be very appreciated.

New proposal:

  *   Keep as option to extract the compiled files, and store them in spdx as well. Basically:
     *   kernel: add support to extract compiled files
        *   store the file in log/cve/ with a unique name
     *   spdx: add option to include only compiled kernel files
  *   Add option to have multiple sources of CVEs, in cve-check, using vulns or cvelistv5
  *   Keep the bug fixes, though probably I could send them independently from this series.
  *   And then we have 3 options:
     1.  Keep the existing "cve-check, vex, spdx: use metadata from linux-vulns"
     2.  Create a new post-processing script in openembedded-core/scripts that triages CVEs whose affected files are not compiled, with similar functionality as the one proposed in "cve-check, vex, spdx: use metadata from linux-vulns to enhance CVE reporting". But then the cveinfo in the SPDX won't be accurate, since now I was adding the fixes in get_patched_cves. On the other hand, this also gets outdated, and for the not applicable ones we already have CVE_STATUS.
     3.  Have both 1 and 2, since they are not mutually exclusive. Now I'm probably leaning more to this option.


For the new script, the first version of the script will take as input the output from the kernel gen_compile_commands.py, a directory to vulns or cvelistv5, and the cve-summary.json and generate a new cve-summary with updated information. This potentially could be integrated into the scripts that Marta has on vex or used as input. For example:
               ./improve_kernel_cve_reporting.py --sources compile_commands.json --cve-data <dir to vulns or cvelistv5> --old-cve-report cve-summary.json --new-cve-report cve-summary-enhance.json

How does it sound? Or do you have a better proposal?

And for the question comparing with using only the NVD database, I'm getting fewer CVEs, since some do not have their CPE, due to their big backlog.

I have slightly modified the patches and I can fetch the cvelistv5 repo, but it is slower since it contains many more files. But then I guess it could be used as a source for the cve_check as an alternative source.
CVE files as today:
Vulns: 5941
Cvelistv5: 291484

When comparing using data from cvelistv5 vs vulns, the functionality to exclude based on compiled files has the same results, except that with the former the script finds more vulnerable CVEs, which are later corrected by the data from NVD.

Only NVD 14
linux-yocto-6.12.23+git-r0 do_cve_check: Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57995 CVE-2025-21751 CVE-2025-21833 CVE-2025-21949 CVE-2025-37838)

vulns: 33 vulnerable + 32 not applicable
CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)

cvelistv5: 36 vulnerable + 32 not applicable
Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)

Best regards,
Daniel

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Daniel Turull via lists.openembedded.org
Sent: Tuesday, 29 April 2025 17:29
To: Marta Rybczynska <rybczynska@gmail.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Hi Marta,
The CVE database from NVD doesn't have all the metadata, especially the files affected.

I'll test it with https://github.com/CVEProject/cvelistV5, since the data from the kernel should be the same. But the repository is much bigger.

No, I haven't tested with world builds. I'll give it a try. Probably the file that I'm generating should be specific for a config, so we don't override it.

Best regards,
Daniel

From: Marta Rybczynska <rybczynska@gmail.com>
Sent: Tuesday, 29 April 2025 16:48
To: Daniel Turull <daniel.turull@ericsson.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Thank you for providing this work Daniel.

Are you able to obtain the same result with the raw CVE database? This patchset works for the Linux kernel only.

Also, have you tested if it works with the world build for multiple kernel images (i.e. different configs) from the same source tree?

I would rather go for a post-processing with a given config after generating the json files instead of modifying the processing.

My 0.02.

Kind regards,
Marta

On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org <daniel.turull=ericsson.com@lists.openembedded.org> wrote:
From: Daniel Turull <daniel.turull@ericsson.com>

Add CVE data source for kernel.org.

It includes more information than the one provided by NVD.
Use similar mechanism and same variables as cve-check to define
when to update.

To use without internet access, change variable VULNS_URL to a local
copy or mirror.

CC: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
 meta/conf/distro/include/maintainers.inc  |  1 +
 meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> | 76 +++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/>

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 8065287c17..ec427fe6a4 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>"
 RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>"
 RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br<mailto:otavio.salvador@ossystems.com.br>>"
 RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
+RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>"
 RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
 RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
 RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
diff --git a/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> b/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/>
new file mode 100644
index 0000000000..fc48558eb8
--- /dev/null
+++ b/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/>
@@ -0,0 +1,76 @@
+SUMMARY = "CVE information from kernel.org<http://kernel.org/>"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \
+and assigned to the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
+LICENSE = "GPL-2.0-only & cve-tou"
+SECTION = "base"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+inherit nopackages
+
+VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
+CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
+
+# Use same intervals as cve-update-db-native. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+
+CVE_DB_UPDATE_INTERVAL ??= "86400"
+
+python do_fetch(){
+    import os
+    import bb.utils
+
+    bb.utils.export_proxies(d)
+    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
+    repo_url = d.getVar("VULNS_URL")
+
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+
+        if update_interval < 0:
+            bb.note("Kernel CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2,"Kernel CVE database, recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(os.path.dirname(db_file))
+    # Configure cmd
+    if not os.path.exists(db_file):
+        cmd = f"git clone {repo_url} {db_file}"
+    else:
+        cmd = f"git -C {db_file} pull"
+    try:
+        bb.fetch2.runfetchcmd(cmd, d)
+    except bb.fetch2.FetchError as e:
+        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
+        bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror")
+}
+
+do_clean() {
+    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
+}
+
+deltask do_patch
+deltask do_unpack
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+deltask do_runtime_spdx
+deltask do_create_spdx
+deltask do_populate_lic
+deltask do_cve_check
+
+do_fetch[nostamp] = "1"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+EXCLUDE_FROM_WORLD = "1"
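As an added example (not code from this patch series nor the improve_kernel_cve_reporting.py script mentioned above), the triage step the proposed post-processing script would perform, in Python: take the compile_commands.json produced by the kernel's gen_compile_commands.py, the kernel CNA records from a vulns or cvelistv5 checkout, and a cve-check cve-summary.json, and mark the Unpatched CVEs none of whose affected files were compiled as not applicable, leaving CVEs without file data untouched. The CVE record layout (CVE JSON 5 with containers.cna.affected[].programFiles), the summary layout, the placeholder CVE ids and all inputs are constructed assumptions for this example.

```python
"""Triage kernel CVEs against the list of compiled files.

Added example, not code from the patch series. Assumed (not taken from the
thread): the CVE record layout (CVE JSON 5, containers.cna.affected[]
.programFiles, as the kernel CNA publishes), the cve-check summary layout
and the placeholder CVE ids below; every input is constructed in memory.
"""
import json
import os

# Constructed sample of the kernel's gen_compile_commands.py output (subset of fields).
COMPILE_COMMANDS = json.dumps([
    {"directory": "/build/linux", "file": "/build/linux/net/core/dev.c",
     "command": "gcc -c net/core/dev.c"},
    {"directory": "/build/linux", "file": "drivers/net/dummy.c",
     "command": "gcc -c drivers/net/dummy.c"},
])

# Constructed CVE records (placeholder ids) in the assumed kernel CNA layout.
CVE_RECORDS = {
    "CVE-2025-00001": {"containers": {"cna": {"affected": [
        {"product": "Linux", "programFiles": ["net/core/dev.c"]}]}}},
    "CVE-2025-00002": {"containers": {"cna": {"affected": [
        {"product": "Linux", "programFiles": ["drivers/gpu/drm/drm_ioctl.c"]}]}}},
    # No file information at all: the script must not draw a conclusion.
    "CVE-2025-00003": {"containers": {"cna": {"affected": [{"product": "Linux"}]}}},
}

# Constructed cve-check style summary (assumed layout, subset of fields).
CVE_SUMMARY = {"version": "1", "package": [{
    "name": "linux-yocto", "version": "6.12.23+git",
    "issue": [
        {"id": "CVE-2025-00001", "status": "Unpatched"},
        {"id": "CVE-2025-00002", "status": "Unpatched"},
        {"id": "CVE-2025-00003", "status": "Unpatched"},
        {"id": "CVE-2025-00004", "status": "Patched"},
    ]}]}


def compiled_files(compile_commands_json, src_root):
    """Set of compiled sources, relative to src_root, from compile_commands.json."""
    files = set()
    for entry in json.loads(compile_commands_json):
        path = entry["file"]
        if not os.path.isabs(path):
            path = os.path.join(entry["directory"], path)
        files.add(os.path.relpath(os.path.normpath(path), src_root))
    return files


def load_records(root):
    """Load every CVE-*.json below root (a vulns or cvelistv5 checkout), keyed by id."""
    records = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.startswith("CVE-") and name.endswith(".json"):
                with open(os.path.join(dirpath, name)) as fh:
                    rec = json.load(fh)
                records[rec.get("cveMetadata", {}).get("cveId", name[:-5])] = rec
    return records


def affected_files(record):
    """Union of programFiles over all affected entries of one CVE record."""
    files = set()
    for aff in record.get("containers", {}).get("cna", {}).get("affected", []):
        files.update(aff.get("programFiles", []))
    return files


def triage(summary, records, compiled):
    """Return a new summary in which an Unpatched CVE whose affected files are
    known and none of which were compiled is marked Ignored (not applicable).
    CVEs without file data, or with at least one compiled file, keep their status."""
    out = json.loads(json.dumps(summary))  # deep copy; the input is left untouched
    for pkg in out["package"]:
        for issue in pkg["issue"]:
            if issue["status"] != "Unpatched" or issue["id"] not in records:
                continue
            files = affected_files(records[issue["id"]])
            if not files:
                continue  # no evidence either way: keep it vulnerable
            hit = sorted(files & compiled)
            if hit:
                issue["detail"] = "compiled files affected: " + ", ".join(hit)
            else:
                issue["status"] = "Ignored"
                issue["detail"] = "not-applicable-config"
                issue["description"] = ("none of the affected files were compiled: "
                                        + ", ".join(sorted(files)))
    return out


def triage_sample():
    """Run the triage on the constructed inputs above."""
    compiled = compiled_files(COMPILE_COMMANDS, "/build/linux")
    return triage(CVE_SUMMARY, CVE_RECORDS, compiled)


if __name__ == "__main__":
    print(json.dumps(triage_sample(), indent=2))
```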
Marta Rybczynska May 13, 2025, 1:33 p.m. UTC | #9
Hello Daniel,
I have had a look and I think that a post-processing tool is the right way
to go. If you have the file list in SPDX, you can do checks, and possibly
with other metadata (the kernel CVE database does not list affected kernel
options, and that would be a really valuable information source for such a
kind of check). It will also be code that is way easier to maintain, as version
checks are complex to perform and debug.

Where we're at with this: there will be a need to add information about what
kind of CVE filtering has been done (the default, filtering by files etc).
This might be necessary for maintenance reasons and when you will be
comparing check results between firmware versions et al. A kind of
"used_tools" field will be necessary.

Kind regards,
Marta

On Wed, May 7, 2025 at 10:05 AM Daniel Turull <daniel.turull@ericsson.com>
wrote:

> Hello Marta,
>
> Did you have time to look at it and how to continue the work?
>
> Would it make sense that for now I reduce the scope and only add the
> option to extract the compiled files in a "log" file and into the spdx
> sources? And have the processing in a script in the script/contrib folder.
>
> Then the logic can be used to have the independent tool. We already have
> part of the logic in meta/recipes-kernel/linux/generate-cve-exclusions.py
>
>
>
> Thanks
>
>
>
> Daniel
>
>
>
> From: openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> On Behalf Of Marta Rybczynska
> via lists.openembedded.org
> Sent: Wednesday, 30 April 2025 17:04
> To: Daniel Turull <daniel.turull@ericsson.com>
> Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com;
> richard.purdie@linuxfoundation.org
> Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA
> info
>
> Hello Daniel,
>
> Thanks for the work. I plan to take some time in the next day to have a
> look and provide a viewpoint of what makes sense to do next.
>
>
>
> BTW This code is shorter than I expect this work to be (and yes, there are
> multiple people working on the same), and this is good news. It makes a
> review way easier than I expected!
>
>
>
> Kind regards,
>
> Marta
>
>
>
> On Wed, Apr 30, 2025 at 10:32 AM Daniel Turull <daniel.turull@ericsson.com>
> wrote:
>
> Hi again Marta,
>
>
>
> I really appreciate your comments. You are doing a great job in this space.
>
>
>
> With the post-processing do you mean another task after the do_cve_check
> or outside the build, maybe in a script in openembedded-core/scripts?
>
>
>
> I see benefits in both (in the build and outside). If we keep it in the
> build we have more accurate data at the time of the build, while outside
> can be easily updated with new information.
>
> We also include missing information and add resilience having multiple
> sources.
>
>
>
> Before sending another round of patches, I'd like to reach some consensus
> on how we should implement this, and your comments together with Peter's
> and Richard's will be very appreciated.
>
>
>
> New proposal:
>
>    - Keep as option to extract the compiled files, and store them in spdx
>      as well. Basically:
>      1. kernel: add support to extract compiled files
>         - store the file in log/cve/ with a unique name
>      2. spdx: add option to include only compiled kernel files
>    - Add option to have multiple sources of CVEs, in cve-check, using
>      vulns or cvelistv5
>    - Keep the bug fixes, though probably I could send them independently
>      from this series.
>    - And then we have 3 options:
>      1. Keep the existing "cve-check, vex, spdx: use metadata from
>         linux-vulns"
>      2. Create a new post-processing script in openembedded-core/scripts
>         that triages CVEs whose affected files are not compiled, with
>         similar functionality as the one proposed in "cve-check, vex, spdx:
>         use metadata from linux-vulns to enhance CVE reporting". But then
>         the cveinfo in the SPDX won't be accurate, since now I was adding
>         the fixes in get_patched_cves. On the other hand, this also gets
>         outdated, and for the not applicable ones we already have
>         CVE_STATUS.
>      3. Have both 1 and 2, since they are not mutually exclusive. Now I'm
>         probably leaning more to this option.
>
>
>
> For the new script, the first version of the script will take as input the
> output from the kernel gen_compile_commands.py, a directory to vulns or
> cvelistv5, and the cve-summary.json and generate a new cve-summary with
> updated information. This potentially could be integrated into the scripts
> that Marta has on vex or used as input. For example:
>
>                ./improve_kernel_cve_reporting.py --sources
> compile_commands.json --cve-data <dir to vulns or cvelistv5>
> --old-cve-report cve-summary.json --new-cve-report cve-summary-enhance.json
>
>
>
> How does it sound? Or do you have a better proposal?
>
>
>
> And for the question comparing with using only the NVD database, I'm
> getting fewer CVEs, since some do not have their CPE, due to their big
> backlog.
>
> I have slightly modified the patches and I can fetch the cvelistv5 repo,
> but it is slower since it contains many more files. But then I guess it
> could be used as a source for the cve_check as an alternative source.
>
> CVE files as today:
>
> Vulns: 5941
>
> Cvelistv5: 291484
>
>
>
> When comparing using data from cvelistv5 vs vulns, the functionality to
> exclude based on compiled files has the same results, except that with the
> former the script finds more vulnerable CVEs, which are later corrected by
> the data from NVD.
>
>
>
> Only NVD 14
>
> linux-yocto-6.12.23+git-r0 do_cve_check: Found unpatched CVE
> (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096
> CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57995
> CVE-2025-21751 CVE-2025-21833 CVE-2025-21949 CVE-2025-37838)
>
>
>
> vulns: 33 vulnerable + 32 not applicable
>
> CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400
> CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240
> CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752
> CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884
> CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113
> CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125
> CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)
>
>
>
> cvelistv5: 36 vulnerable + 32 not applicable
>
> Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563
> CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2022-0400 CVE-2022-38096
> CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976
> CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807
> CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026
> CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115
> CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126
> CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)
>
>
>
> Best regards,
>
> Daniel
>
>
>
> From: openembedded-core@lists.openembedded.org
> <openembedded-core@lists.openembedded.org> On Behalf Of Daniel Turull
> via lists.openembedded.org
> Sent: Tuesday, 29 April 2025 17:29
> To: Marta Rybczynska <rybczynska@gmail.com>
> Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
> Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA
> info
>
> Hi Marta,
>
> The CVE database from NVD doesn't have all the metadata, especially the
> files affected.
>
> I'll test it with https://github.com/CVEProject/cvelistV5, since the data
> from the kernel should be the same. But the repository is much bigger.
>
> No, I haven't tested with world builds. I'll give it a try. Probably the
> file that I'm generating should be specific for a config, so we don't
> override it.
>
>
>
> Best regards,
>
> Daniel
>
>
>
> From: Marta Rybczynska <rybczynska@gmail.com>
> Sent: Tuesday, 29 April 2025 16:48
> To: Daniel Turull <daniel.turull@ericsson.com>
> Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
> Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA
> info
>
> Thank you for providing this work Daniel.
>
> Are you able to obtain the same result with the raw CVE database? This
> patchset works for the Linux kernel only.
>
> Also, have you tested if it works with the world build for multiple kernel
> images (i.e. different configs) from the same source tree?
>
> I would rather go for a post-processing with a given config after
> generating the json files instead of modifying the processing.
>
>
>
> My 0.02.
>
>
>
> Kind regards,
>
> Marta
>
>
>
> On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org
> <daniel.turull=ericsson.com@lists.openembedded.org> wrote:
>
> From: Daniel Turull <daniel.turull@ericsson.com>
>
> Add CVE data source for kernel.org.
>
> It includes more information than the one provided by NVD.
> Use similar mechanism and same variables as cve-check to define
> when to update.
>
> To use without internet access, change variable VULNS_URL to a local
> copy or mirror.
>
> CC: Peter Marko <peter.marko@siemens.com>
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
>  meta/conf/distro/include/maintainers.inc  |  1 +
>  meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
>  2 files changed, 77 insertions(+)
>  create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb
>
> diff --git a/meta/conf/distro/include/maintainers.inc
> b/meta/conf/distro/include/maintainers.inc
> index 8065287c17..ec427fe6a4 100644
> --- a/meta/conf/distro/include/maintainers.inc
> +++ b/meta/conf/distro/include/maintainers.inc
> @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <
> otavio.salvador@ossystems.com.br>"
>  RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
> +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <
> unassigned@yoctoproject.org>"
>  RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
>  RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
>  RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <
> bruce.ashfield@gmail.com>"
> diff --git a/meta/recipes-core/meta/linux-vulns_git.bb
> b/meta/recipes-core/meta/linux-vulns_git.bb
> new file mode 100644
> index 0000000000..fc48558eb8
> --- /dev/null
> +++ b/meta/recipes-core/meta/linux-vulns_git.bb
> @@ -0,0 +1,76 @@
> +SUMMARY = "CVE information from kernel.org"
> +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers
> reserved \
> +and assigned to the Linux kernel project."
> +HOMEPAGE = "
> https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
> +LICENSE = "GPL-2.0-only & cve-tou"
> +SECTION = "base"
> +
> +INHIBIT_DEFAULT_DEPS = "1"
> +
> +inherit native
> +inherit nopackages
> +
> +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
> +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
> +
> +# Use same intervals as cve-update-db-native. By default: once a day
> (24*60*60).
> +# Use 0 to force the update
> +# Use a negative value to skip the update
> +
> +CVE_DB_UPDATE_INTERVAL ??= "86400"
> +
> +python do_fetch(){
> +    import os
> +    import bb.utils
> +
> +    bb.utils.export_proxies(d)
> +    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
> +    repo_url = d.getVar("VULNS_URL")
> +
> +    try:
> +        import time
> +        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
> +
> +        if update_interval < 0:
> +            bb.note("Kernel CVE database update skipped")
> +            return
> +        if time.time() - os.path.getmtime(db_file) < update_interval:
> +            bb.debug(2,"Kernel CVE database, recently updated, skipping")
> +            return
> +
> +    except OSError:
> +        pass
> +
> +    bb.utils.mkdirhier(os.path.dirname(db_file))
> +    # Configure cmd
> +    if not os.path.exists(db_file):
> +        cmd = f"git clone {repo_url} {db_file}"
> +    else:
> +        cmd = f"git -C {db_file} pull"
> +    try:
> +        bb.fetch2.runfetchcmd(cmd, d)
> +    except bb.fetch2.FetchError as e:
> +        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
> +        bb.warn("Set VULNS_URL in local.conf to point to a local copy or
> mirror")
> +}
> +
> +do_clean() {
> +    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
> +}
> +
> +deltask do_patch
> +deltask do_unpack
> +deltask do_configure
> +deltask do_compile
> +deltask do_install
> +deltask do_populate_sysroot
> +deltask do_runtime_spdx
> +deltask do_create_spdx
> +deltask do_populate_lic
> +deltask do_cve_check
> +
> +do_fetch[nostamp] = "1"
> +do_fetch[file-checksums] = ""
> +do_fetch[vardeps] = ""
> +
> +EXCLUDE_FROM_WORLD = "1"
>
>
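Review bot: the failure path in `do_fetch` can wedge the cache. If `git clone` is interrupted it may leave a partial `{db_file}` directory; on the next run `os.path.exists(db_file)` is true, so the task runs `git -C {db_file} pull` inside a non-repository and fails every time until someone runs `do_clean`. Clone into a temporary directory and rename it into place on success, or remove `db_file` when the clone fails. The caught exception `e` is also never used, so the warning hides the actual git error; something like `bb.warn(f"Kernel vulns repo url not accessible. {repo_url}: {e}")` keeps the cause visible. And since the task only warns, it succeeds with no database on disk, which every consumer of `CVE_CHECK_KERNEL_DB_DIR` then has to handle explicitly.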
Daniel Turull May 13, 2025, 1:46 p.m. UTC | #10
Thank you Marta for the feedback. After a bit more thought I reached the same conclusion.

I’ve been working a bit in parallel and I’ll send some patches going into that direction. I’ll send a new revision of my series later this week, with an independent post-processing script in scripts/contrib.

I’ll have the list of compiled files in a simpler text file as well as included in the SPDX. For now the script will take the simpler list, since it requires less processing.

Best regards,
Daniel

From: Marta Rybczynska <rybczynska@gmail.com>
Sent: Tuesday, 13 May 2025 15:33
To: Daniel Turull <daniel.turull@ericsson.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com; richard.purdie@linuxfoundation.org
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Hello Daniel,
I have had a look and I think that a post-processing tool is the right way to go. If you have the file list in SPDX, you can do checks, possibly with other metadata (the kernel CVE database does not list affected kernel options, and that would be a really valuable information source for such a kind of check). It will also be way easier code to maintain, as version checks are complex to perform and debug.

Where we're at with this: there will be a need to add information about what kind of CVE filtering has been done (the default, filtering by files etc.). This might be necessary for maintenance reasons and when you will be comparing check results between firmware versions et al. A kind of "used_tools" field will be necessary.

Kind regards,
Marta

On Wed, May 7, 2025 at 10:05 AM Daniel Turull <daniel.turull@ericsson.com> wrote:
Hello Marta,
Did you have time to look at it and at how to continue the work?

Would it make sense that for now I reduce the scope and only add the option to extract the compiled files in a “log” file and into the SPDX sources? And have the processing in a script in the scripts/contrib folder.
Then the logic can be used to have the independent tool. We already have part of the logic in meta/recipes-kernel/linux/generate-cve-exclusions.py

Thanks

Daniel

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Marta Rybczynska via lists.openembedded.org
Sent: Wednesday, 30 April 2025 17:04
To: Daniel Turull <daniel.turull@ericsson.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com; richard.purdie@linuxfoundation.org
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Hello Daniel,
Thanks for the work. I plan to take some time in the next day to have a look and provide a viewpoint of what makes sense to do next.

BTW, this code is shorter than I expected this work to be (and yes, there are multiple people working on the same), and this is good news. It makes a review way easier than I expected!

Kind regards,
Marta

On Wed, Apr 30, 2025 at 10:32 AM Daniel Turull <daniel.turull@ericsson.com> wrote:
Hi again Marta,

I really appreciate your comments. You are doing a great job in this space.

With the post-processing, do you mean another task after do_cve_check, or outside the build, maybe in a script in openembedded-core/scripts?

I see benefits in both (in the build and outside). If we keep it in the build we have more accurate data at the time of the build, while outside it can be easily updated with new information.
We also include missing information and add resilience by having multiple sources.

Before sending another round of patches, I’d like to reach some consensus on how we should implement this, and your comments together with Peter’s and Richard’s will be very appreciated.

New proposal:

  * Keep as an option to extract the compiled files, and store them in SPDX as well. Basically:
      * kernel: add support to extract compiled files
          * store the file in log/cve/ with a unique name
      * spdx: add option to include only compiled kernel files
  * Add option to have multiple sources of CVE data in cve-check, using vulns or cvelistv5
  * Keep the bug fixes, though probably I could send them independently from this series.
  * And then we have 3 options:
      1. Keep the existing “cve-check, vex, spdx: use metadata from linux-vulns”
      2. Create a new post-processing script in openembedded-core/scripts that triages CVEs whose matching files are not compiled, with similar functionality as the one proposed in “cve-check, vex, spdx: use metadata from linux-vulns” to enhance CVE reporting. But then the cveinfo in the SPDX won’t be accurate, since now I am adding the fixes in get_patched_cves. On the other hand, this also gets outdated, and for the not applicable ones we already have CVE_STATUS.
      3. Have both 1 and 2, since they are not mutually exclusive. Now I’m probably leaning more to this option.


For the new script, the first version will take as input the output from the kernel gen_compile_commands.py, a directory to vulns or cvelistv5, and the cve-summary.json, and generate a new cve-summary with updated information. This potentially could be integrated in the scripts that Marta has on vex or used as input. For example:
               ./improve_kernel_cve_reporting.py --sources compile_commands.json --cve-data <dir to vulns or cvelistv5> --old-cve-report cve-summary.json --new-cve-report cve-summary-enhance.json

How does it sound? Or do you have a better proposal?

And for the question comparing with using only the NVD database, I’m getting fewer CVEs, since some do not have their CPE, due to their big backlog.

I have modified the patches slightly and I can fetch the cvelistv5 repo, but it is slower since it contains many more files. But then I guess it could be used as an alternative source for cve_check.
CVE files as of today:
Vulns: 5941
Cvelistv5: 291484

When comparing using data from cvelistv5 vs vulns, the functionality to exclude based on compiled files has the same results, except that with the former the script finds more vulnerable CVEs, which later are corrected by the data from NVD.

Only NVD 14
linux-yocto-6.12.23+git-r0 do_cve_check: Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57995 CVE-2025-21751 CVE-2025-21833 CVE-2025-21949 CVE-2025-37838)

vulns: 33 vulnerable + 32 not applicable
CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)

cvelistv5: 36 vulnerable + 32 not applicable
Found unpatched CVE (CVE-1999-0524 CVE-2008-4609 CVE-2010-4563 CVE-2021-28711 CVE-2021-28712 CVE-2021-28713 CVE-2022-0400 CVE-2022-38096 CVE-2022-4543 CVE-2023-3397 CVE-2023-4010 CVE-2023-6240 CVE-2024-57976 CVE-2024-58074 CVE-2024-58093 CVE-2025-21709 CVE-2025-21752 CVE-2025-21807 CVE-2025-21817 CVE-2025-21833 CVE-2025-21837 CVE-2025-21884 CVE-2025-22026 CVE-2025-22105 CVE-2025-22108 CVE-2025-22111 CVE-2025-22113 CVE-2025-22115 CVE-2025-22121 CVE-2025-22122 CVE-2025-22124 CVE-2025-22125 CVE-2025-22126 CVE-2025-23137 CVE-2025-37838 CVE-2025-40325)

Best regards,
Daniel

From: openembedded-core@lists.openembedded.org <openembedded-core@lists.openembedded.org> On Behalf Of Daniel Turull via lists.openembedded.org
Sent: Tuesday, 29 April 2025 17:29
To: Marta Rybczynska <rybczynska@gmail.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Hi Marta,
The CVE database from NVD doesn’t have all the metadata, especially the files affected.

I’ll test it with https://github.com/CVEProject/cvelistV5, since the data from the kernel should be the same. But the repository is much bigger.

No, I haven’t tested with world builds. I’ll give it a try. Probably the file that I’m generating should be specific to a config, so we don’t override it.

Best regards,
Daniel

From: Marta Rybczynska <rybczynska@gmail.com>
Sent: Tuesday, 29 April 2025 16:48
To: Daniel Turull <daniel.turull@ericsson.com>
Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com
Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info

Thank you for providing this work Daniel.

Are you able to obtain the same result with the raw CVE database? This patchset works for the Linux kernel only.

Also, have you tested if it works with the world build for multiple kernel images (i.e. different configs) from the same source tree?

I would be rather going for a post-processing with a given config after generating the json files instead of modifying the processing.

My 0.02.

Kind regards,
Marta

On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org <daniel.turull=ericsson.com@lists.openembedded.org> wrote:
From: Daniel Turull <daniel.turull@ericsson.com>

Add CVE data source for kernel.org.

It includes more information than the one provided by NVD.
Use similar mechanism and same variables as cve-check to define
when to update.

To use without internet access, change variable VULNS_URL to a local
copy or mirror.

CC: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
 meta/conf/distro/include/maintainers.inc  |  1 +
 meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 8065287c17..ec427fe6a4 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>"
 RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>"
 RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br<mailto:otavio.salvador@ossystems.com.br>>"
 RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
+RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>"
 RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
 RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
 RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>"
diff --git a/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> b/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/>
new file mode 100644
index 0000000000..fc48558eb8
--- /dev/null
+++ b/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/>
@@ -0,0 +1,76 @@
+SUMMARY = "CVE information from kernel.org<http://kernel.org/>"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \
+and assigned to the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
+LICENSE = "GPL-2.0-only & cve-tou"
+SECTION = "base"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+inherit nopackages
+
+VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
+CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
+
+# Use same intervals as cve-update-db-native. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+
+CVE_DB_UPDATE_INTERVAL ??= "86400"
+
+python do_fetch(){
+    import os
+    import bb.utils
+
+    bb.utils.export_proxies(d)
+    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
+    repo_url = d.getVar("VULNS_URL")
+
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+
+        if update_interval < 0:
+            bb.note("Kernel CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2,"Kernel CVE database, recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(os.path.dirname(db_file))
+    # Configure cmd
+    if not os.path.exists(db_file):
+        cmd = f"git clone {repo_url} {db_file}"
+    else:
+        cmd = f"git -C {db_file} pull"
+    try:
+        bb.fetch2.runfetchcmd(cmd, d)
+    except bb.fetch2.FetchError as e:
+        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
+        bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror")
+}
+
+do_clean() {
+    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
+}
+
+deltask do_patch
+deltask do_unpack
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+deltask do_runtime_spdx
+deltask do_create_spdx
+deltask do_populate_lic
+deltask do_cve_check
+
+do_fetch[nostamp] = "1"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+EXCLUDE_FROM_WORLD = "1"
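Review bot: the interval check relies on `os.path.getmtime(db_file)` where `db_file` is the clone directory, but a `git pull` that only changes files under subdirectories such as `cves/` does not update the top-level directory's mtime, so after the first interval expires `CVE_DB_UPDATE_INTERVAL` is no longer honoured and the repository is pulled on every build (the task is `nostamp`, so it runs each time). Record the update explicitly after a successful clone or pull, e.g. `os.utime(db_file, None)`, and test that stamp. Separately, `cmd = f"git clone {repo_url} {db_file}"` interpolates the user-settable `VULNS_URL` and a `DL_DIR`-derived path into a shell command without quoting, so a path containing spaces breaks the fetch; wrap both with `shlex.quote()`.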
Patch

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 8065287c17..ec427fe6a4 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -468,6 +468,7 @@  RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br>"
 RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com>"
+RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com>"
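Review bot: the new recipe is registered as `Unassigned <unassigned@yoctoproject.org>`. Since this patch introduces the recipe and the rest of the series depends on the data it fetches, consider listing yourself as maintainer so that breakage in the kernel.org data source has an owner; the entry is otherwise in the correct alphabetical position between `linux-libc-headers` and `linux-yocto`.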
diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb
new file mode 100644
index 0000000000..fc48558eb8
--- /dev/null
+++ b/meta/recipes-core/meta/linux-vulns_git.bb
@@ -0,0 +1,76 @@ 
+SUMMARY = "CVE information from kernel.org"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \
+and assigned to the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
+LICENSE = "GPL-2.0-only & cve-tou"
+SECTION = "base"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+inherit nopackages
+
+VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
+CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
+
+# Use same intervals as cve-update-db-native. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+
+CVE_DB_UPDATE_INTERVAL ??= "86400"
+
+python do_fetch(){
+    import os
+    import bb.utils
+
+    bb.utils.export_proxies(d)
+    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
+    repo_url = d.getVar("VULNS_URL")
+
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+
+        if update_interval < 0:
+            bb.note("Kernel CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2,"Kernel CVE database, recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(os.path.dirname(db_file))
+    # Configure cmd
+    if not os.path.exists(db_file):
+        cmd = f"git clone {repo_url} {db_file}"
+    else:
+        cmd = f"git -C {db_file} pull"
+    try:
+        bb.fetch2.runfetchcmd(cmd, d)
+    except bb.fetch2.FetchError as e:
+        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
+        bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror")
+}
+
+do_clean() {
+    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
+}
+
+deltask do_patch
+deltask do_unpack
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+deltask do_runtime_spdx
+deltask do_create_spdx
+deltask do_populate_lic
+deltask do_cve_check
+
+do_fetch[nostamp] = "1"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+EXCLUDE_FROM_WORLD = "1"
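Review bot: `do_clean` runs `rm -rf ${CVE_CHECK_KERNEL_DB_DIR}` with an unquoted expansion of a user-overridable variable whose default lives under `${DL_DIR}`, i.e. in the shared download cache rather than in this recipe's work directory, so `bitbake -c clean linux-vulns-native` deletes state shared by every build using that `DL_DIR`. At minimum quote the expansion (`rm -rf "${CVE_CHECK_KERNEL_DB_DIR}"`) and note in the recipe that clean discards the downloaded database. Also, with `do_fetch[nostamp] = "1"`, `do_fetch[vardeps] = ""` and an unpinned `git pull` following the remote's default branch, nothing records which commit of the vulns repository a given CVE report was produced from, so two builds can silently use different CVE data; a `SRCREV` via the standard fetcher, as Richard suggested, would give you that record.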