| Message ID | 20260412185201.2556780-2-peter.marko@siemens.com |
|---|---|
| State | Under Review |
| Series | [1/2] xserver-org: update CVE_PRODUCT |
> -----Original Message-----
> From: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Sent: Sunday, April 12, 2026 8:52 PM
> To: openembedded-core@lists.openembedded.org
> Cc: Marko, Peter (FT D EU SK BFS1) <Peter.Marko@siemens.com>
> Subject: [PATCH 2/2] xwayland: set status for CVE-2024-21886
>
> From: Peter Marko <peter.marko@siemens.com>
>
> Reference [1]:
> Introduced in: xorg-server-1.13.0 (2012)
> Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
>
> Note that the status should be "fixed-version", however that does not
> seem to work correctly with the new sbom-cve-check.

This looks like a bug in sbom-cve-check (or vex?) code.
Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5 status?

>
> [1] https://lists.x.org/archives/xorg/2024-January/061525.html
>
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
> meta/recipes-graphics/xwayland/xwayland_24.1.9.bb | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-
> graphics/xwayland/xwayland_24.1.9.bb
> index df1bb7e31b..6c10eddb8e 100644
> --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
>
> UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
>
> +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-
> 23.2.4"
> +
> inherit meson features_check pkgconfig
> REQUIRED_DISTRO_FEATURES = "x11 opengl"
>
Hello Peter,

On Sunday, April 12, 2026 at 9:04 PM, Marko, Peter wrote:
> > From: Peter Marko <peter.marko@siemens.com>
> >
> > Reference [1]:
> > Introduced in: xorg-server-1.13.0 (2012)
> > Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
> >
> > Note that the status should be "fixed-version", however that does not
> > seem to work correctly with the new sbom-cve-check.
>
> This looks like a bug in sbom-cve-check (or vex?) code.
> Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5 status?

This should not be possible. With default configuration a manual
annotation cannot be overwritten. sbom-cve-check directly uses the
annotation without any extra processing.

> > diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-
> > graphics/xwayland/xwayland_24.1.9.bb
> > index df1bb7e31b..6c10eddb8e 100644
> > --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb
> > @@ -14,6 +14,8 @@ SRC_URI[sha256sum] =
> > "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245
> >
> > UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar"
> >
> > +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-
> > 23.2.4"
> > +
> > inherit meson features_check pkgconfig
> > REQUIRED_DISTRO_FEATURES = "x11 opengl"

What you see is perfectly normal.
The recipe is named "xwayland", without a CVE_PRODUCT specified, so the
default CPE is "cpe:2.3:*:*:xwayland:24.1.9:*:*:*:*:*:*:*"

The CVE is associated with xorg-server and with xwayland.
And if you notice, in the report the CVE is linked to xorg-server
and to xwayland: The CVE is referenced twice in the report.
When associated with xorg-server the annotation does not work,
but when associated with xwayland it works.

I guess you also need to add the CVE_STATUS in xserver-xorg recipe.
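A check for the double-reference situation Benjamin describes, added here as an illustration and not code from the thread or from sbom-cve-check: it reads a report in the shape the jq one-liner in this thread walks (package[].name, issue[].id and .status) and lists CVE ids that appear under more than one package with different statuses. The sample report, the "Patched" status value, the package names and CVE-0000-0000 are constructed for the example.

```python
import json
from collections import defaultdict

# Constructed sample report in the shape the jq one-liner in this thread
# walks: package[] with .name and issue[] with .id/.status. The package
# set, the "Patched" status value and CVE-0000-0000 are placeholders for
# the illustration, not values taken from a real report.
SAMPLE_REPORT = json.dumps({
    "package": [
        {"name": "xwayland",
         "issue": [{"id": "CVE-2024-21886", "status": "Patched"}]},
        {"name": "xserver-xorg",
         "issue": [{"id": "CVE-2024-21886", "status": "Unpatched"},
                   {"id": "CVE-0000-0000", "status": "Unpatched"}]},
        {"name": "libxcb", "issue": []},
    ]
})


def statuses_by_cve(report_text):
    """Map each CVE id to {package name: status} across the whole report."""
    report = json.loads(report_text)
    by_cve = defaultdict(dict)
    for pkg in report.get("package", []):
        # .issue[]? in jq tolerates a missing key; mirror that here
        for issue in pkg.get("issue") or []:
            by_cve[issue["id"]][pkg["name"]] = issue["status"]
    return dict(by_cve)


def unpatched_for(report_text, recipe):
    """Same selection as the jq one-liner: Unpatched ids for one package."""
    report = json.loads(report_text)
    return [issue["id"]
            for pkg in report.get("package", []) if pkg.get("name") == recipe
            for issue in pkg.get("issue") or []
            if issue.get("status") == "Unpatched"]


def split_status_cves(report_text):
    """CVE ids listed under more than one package with differing statuses.

    This is the double-reference case from the thread: a CVE_STATUS in one
    recipe resolves the id for that product, while the same id stays
    Unpatched where it is matched through another product."""
    return {cve: pkgs for cve, pkgs in statuses_by_cve(report_text).items()
            if len(pkgs) > 1 and len(set(pkgs.values())) > 1}


if __name__ == "__main__":
    for cve, pkgs in split_status_cves(SAMPLE_REPORT).items():
        print(cve, "->", pkgs)
```

Run it against the real `*-recipe-sbom.sbom-cve-check.yocto.json` by replacing SAMPLE_REPORT with the file contents; any id it prints needs the annotation in every recipe whose product the CVE is matched through.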
> -----Original Message-----
> From: Benjamin Robin <benjamin.robin@bootlin.com>
> Sent: Sunday, April 12, 2026 10:23 PM
> To: Ross Burton <ross.burton@arm.com>; Marko, Peter (FT D EU SK BFS1)
> <Peter.Marko@siemens.com>
> Cc: openembedded-core@lists.openembedded.org
> Subject: Re: [PATCH 2/2] xwayland: set status for CVE-2024-21886
>
> Hello Peter,
>
> On Sunday, April 12, 2026 at 9:04 PM, Marko, Peter wrote:
> > > From: Peter Marko <peter.marko@siemens.com>
> > >
> > > Reference [1]:
> > > Introduced in: xorg-server-1.13.0 (2012)
> > > Fixed in: xorg-server-21.1.11 and xwayland-23.2.4
> > >
> > > Note that the status should be "fixed-version", however that does not
> > > seem to work correctly with the new sbom-cve-check.
> >
> > This looks like a bug in sbom-cve-check (or vex?) code.
> > Any idea why certain manual CVE_STATUSes would be overridden by cvelistV5
> status?
>
> This should not be possible. With default configuration a manual
> annotation cannot be overwritten. sbom-cve-check directly uses the
> annotation without any extra processing.

I wonder what I'm doing wrong when using this new code for the first time...
When I got to the "new" CVE for ovmf, cve-metrics shows only CVE-2024-1298.
In my local build, I get all the CVEs (which are set to fixed-version in the recipe).

RECIPE=ovmf; bitbake $RECIPE -c sbom_cve_check_recipe; jq -r '.package[] | select(.name == "'$RECIPE'") | .issue[]? | select(.status == "Unpatched") | .id' tmp/deploy/images/qemux86-64/$RECIPE-recipe-sbom.sbom-cve-check.yocto.json
CVE-2014-4859
CVE-2014-4860
CVE-2014-8271
CVE-2019-14553
CVE-2019-14559
CVE-2019-14562
CVE-2019-14563
CVE-2019-14575
CVE-2019-14586
CVE-2019-14587
CVE-2024-1298

My local.conf is:
DISTRO = "poky"
INHERIT += "sbom-cve-check-recipe"
SRCREV:pn-sbom-cve-check-update-cvelist-native = "82e18eb3051039642ed8ec0b8eb15ea27dbbf52c"
include conf/distro/include/cve-extra-exclusions.inc

Peter
On Sunday, April 12, 2026 at 11:01 PM, Marko, Peter wrote:
> > From: Benjamin Robin <benjamin.robin@bootlin.com>
> > This should not be possible. With default configuration a manual
> > annotation cannot be overwritten. sbom-cve-check directly uses the
> > annotation without any extra processing.
>
> I wonder what I'm doing wrong when using this new code for the first time...
> When I got to the "new" CVE for ovmf, cve-metrics shows only CVE-2024-1298.
> In my local build, I get all the CVEs (which are set to fixed-version in the recipe).
>
> RECIPE=ovmf; bitbake $RECIPE -c sbom_cve_check_recipe; jq -r '.package[] | select(.name == "'$RECIPE'") | .issue[]? | select(.status == "Unpatched") | .id' tmp/deploy/images/qemux86-64/$RECIPE-recipe-sbom.sbom-cve-check.yocto.json
> CVE-2014-4859
> CVE-2014-4860
> CVE-2014-8271
> CVE-2019-14553
> CVE-2019-14559
> CVE-2019-14562
> CVE-2019-14563
> CVE-2019-14575
> CVE-2019-14586
> CVE-2019-14587
> CVE-2024-1298
>
> My local.conf is:
> DISTRO = "poky"
> INHERIT += "sbom-cve-check-recipe"
> SRCREV:pn-sbom-cve-check-update-cvelist-native = "82e18eb3051039642ed8ec0b8eb15ea27dbbf52c"
> include conf/distro/include/cve-extra-exclusions.inc

I still cannot reproduce your issue.
Could you share these 2 files (by email and compressed, and maybe only to me):
- ovmf-recipe-sbom.spdx.json
- ovmf-recipe-sbom.sbom-cve-check.yocto.json

If you also have a KAS configuration file of your current setup, this will be great.
diff --git a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb index df1bb7e31b..6c10eddb8e 100644 --- a/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb +++ b/meta/recipes-graphics/xwayland/xwayland_24.1.9.bb @@ -14,6 +14,8 @@ SRC_URI[sha256sum] = "f297af27a84508db9b80d1cbbcc69c3801da38eb64c72f3b5b50f58245 UPSTREAM_CHECK_REGEX = "xwayland-(?P<pver>\d+(\.(?!90\d)\d+)+)\.tar" +CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-23.2.4" + inherit meson features_check pkgconfig REQUIRED_DISTRO_FEATURES = "x11 opengl"
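Review bot: the added `+CVE_STATUS[CVE-2024-21886] = "version-not-in-range: fixed since xwayland-23.2.4"` line records a tooling workaround rather than the actual status: the commit message itself says the correct status is "fixed-version" (the fix shipped in xwayland-23.2.4 and this recipe is 24.1.9) and that "version-not-in-range" was chosen only because "fixed-version" did not behave with the new sbom-cve-check. Suggest keeping the accurate `CVE_STATUS[CVE-2024-21886] = "fixed-version: fixed since xwayland-23.2.4"` and chasing the tooling problem separately, or, if the workaround has to land, stating in the commit message that it is a workaround so it can be reverted once the checker is fixed. Also, as the review discussion points out, the CVE is matched through both the xwayland and the xorg-server product, so this annotation alone clears only the xwayland entry in the report; the xserver-xorg recipe needs the same status for the report to come out clean.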