[scarthgap,v2,0/5] backport: allow to extract all CVE_STATUS info

Message ID 20251121095415.288301-1-benjamin.robin@bootlin.com

Message

Benjamin ROBIN Nov. 21, 2025, 9:54 a.m. UTC
(I'm resending this series because it was blocked as spam, sorry for the noise)

Currently only CVEs with "Patched" status are exported in SPDX 3.0 files.
Moreover, CVE annotations provided by the CVE_STATUS_GROUPS variable are not
exported, since previously this was only handled by cve-check.bbclass.

Also, the vex.bbclass is missing, which would help users extract all the
information needed to do a CVE analysis outside of Yocto.

These changes are made because scarthgap Long Term Support ends in April
2028. Without these improvements, it is not possible to do a proper CVE
analysis outside of Yocto, solely based on the SBOM, since there are missing
CVE annotations in the artifact files. We want to be able to extract all CVE
annotations provided by the CVE_STATUS and the CVE_STATUS_GROUPS variables.

With this backport, great care has been taken to avoid breaking compatibility.
This is why the get_patched_cves() API was not changed. Everything that was
needed is implemented in the associated .bbclass:
 - Patch 1/5 modifies spdx30_tasks to extract all CVE statuses. This commit was
   not cherry-picked from master.
 - Patch 2/5 backports the vex.bbclass, but modifies it a bit to use the old
   get_patched_cves() API.
 - Patches 3/5 and 4/5 are cherry-picked; these commits move the extraction of
   CVE_STATUS_GROUPS information to lib/oe/cve_check.py.
 - Patch 5/5 is cherry-picked to backport a vex.bbclass improvement.

This series should be applied on top of [1]:
[scarthgap] spdx30: fix cve status for patch files in VEX

[1]: https://patchwork.yoctoproject.org/project/oe-core/list/?series=40606

Benjamin Robin (Schneider Electric) (5):
  spdx30: provide all CVE_STATUS, not only Patched status
  vex.bbclass: add a new class
  cve-check: extract extending CVE_STATUS to library function
  spdx: extend CVE_STATUS variables
  vex: fix rootfs manifest

 meta/classes/cve-check.bbclass   |  17 +-
 meta/classes/spdx-common.bbclass |   5 +
 meta/classes/vex.bbclass         | 319 +++++++++++++++++++++++++++++++
 meta/lib/oe/cve_check.py         |  22 +++
 meta/lib/oe/spdx30_tasks.py      |  31 +--
 5 files changed, 365 insertions(+), 29 deletions(-)
 create mode 100644 meta/classes/vex.bbclass
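The CVE_STATUS / CVE_STATUS_GROUPS handling the cover letter refers to, as an added Python example that is not part of this series or of oe-core: a small `FakeDataStore` stands in for BitBake's datastore `d`, `extend_cve_status` is modelled on the group expansion that cve-check.bbclass performs (each group variable lists CVE IDs and carries a `[status]` flag), `decode_cve_status` splits a `status: description` annotation into its parts, and `patched_only` shows what an SPDX export that keeps only "Patched" entries loses. The `STATUSMAP` subset, the sample recipe values and all helper names are constructed assumptions, not the project's code.

```python
"""Expand CVE_STATUS_GROUPS into per-CVE CVE_STATUS flags and classify them.

Added example, not code from the series or from oe-core. FakeDataStore is a
stand-in for BitBake's datastore `d`; STATUSMAP is an illustrative subset of
the status -> Patched/Unpatched/Ignored mapping cve-check keeps in
CVE_CHECK_STATUSMAP (assumption), and SAMPLE is constructed recipe metadata.
"""

# Illustrative subset only; the real mapping lives in cve-check.bbclass.
STATUSMAP = {
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
    "disputed": "Ignored",
    "vulnerable-investigating": "Unpatched",
}


class FakeDataStore:
    """Minimal stand-in for BitBake's `d`: plain variables plus per-variable flags."""

    def __init__(self, variables=None, flags=None):
        self.vars = dict(variables or {})
        self.flags = {k: dict(v) for k, v in (flags or {}).items()}

    def getVar(self, name):
        return self.vars.get(name)

    def setVar(self, name, value):
        self.vars[name] = value

    def getVarFlag(self, name, flag):
        return self.flags.get(name, {}).get(flag)

    def setVarFlag(self, name, flag, value):
        self.flags.setdefault(name, {})[flag] = value

    def getVarFlags(self, name):
        return dict(self.flags.get(name, {}))


def extend_cve_status(d):
    """Copy each group's [status] flag onto every CVE listed in that group.

    CVE_STATUS_GROUPS names variables whose value is a list of CVE IDs and whose
    [status] flag is the annotation to apply. A marker variable makes repeated
    calls (e.g. from several classes) a no-op, as cve-check does.
    """
    if d.getVar("CVE_CHECK_STATUS_EXTENDED"):
        return
    d.setVar("CVE_CHECK_STATUS_EXTENDED", "1")
    for group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
        cves = d.getVar(group)
        status = d.getVarFlag(group, "status")
        if not cves or not status:
            continue
        for cve in cves.split():
            d.setVarFlag("CVE_STATUS", cve, status)


def decode_cve_status(d, cve):
    """Split 'detail: description' and map the detail to Patched/Unpatched/Ignored."""
    raw = d.getVarFlag("CVE_STATUS", cve)
    if not raw:
        return None
    detail, _, description = raw.partition(":")
    detail, description = detail.strip(), description.strip()
    if detail in ("Patched", "Unpatched", "Ignored"):
        status = detail  # legacy annotations use the coarse status directly
    else:
        status = STATUSMAP.get(detail)
        if status is None:
            raise ValueError(f"{cve}: unknown CVE_STATUS detail {detail!r}")
    return {"cve": cve, "status": status, "detail": detail, "description": description}


def collect_cve_status(d):
    """Every annotated CVE, sorted by ID: what a VEX/SPDX export should carry."""
    extend_cve_status(d)
    return [decode_cve_status(d, cve) for cve in sorted(d.getVarFlags("CVE_STATUS"))]


def patched_only(records):
    """What an exporter that keeps only 'Patched' entries would emit."""
    return [r for r in records if r["status"] == "Patched"]


# Constructed sample recipe metadata (not a real recipe).
SAMPLE = FakeDataStore(
    variables={
        "CVE_STATUS_GROUPS": "CVE_STATUS_WIN CVE_STATUS_BACKPORTED",
        "CVE_STATUS_WIN": "CVE-2024-0001 CVE-2024-0002",
        "CVE_STATUS_BACKPORTED": "CVE-2024-0003",
    },
    flags={
        "CVE_STATUS_WIN": {"status": "not-applicable-platform: issue only affects Windows builds"},
        "CVE_STATUS_BACKPORTED": {"status": "backported-patch: fixed by 0001-fix.patch"},
        "CVE_STATUS": {"CVE-2024-0004": "disputed: upstream considers this not a bug"},
    },
)

if __name__ == "__main__":
    everything = collect_cve_status(SAMPLE)
    for r in everything:
        print(f"{r['cve']}: {r['status']} ({r['detail']}) {r['description']}")
    dropped = len(everything) - len(patched_only(everything))
    print(f"a Patched-only export would drop {dropped} of {len(everything)} annotations")
```

Run it and the three group-derived or "Ignored" annotations are exactly the ones a Patched-only exporter discards; an offline CVE analysis that sees only the one "Patched" record cannot tell whether the other CVEs were triaged or simply never looked at, which is the gap the series is closing.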

Comments

Marta Rybczynska Nov. 21, 2025, 10:35 a.m. UTC | #1
Hello Benjamin,
Do you confirm that this time it is ready for review?

Kind regards,
Marta

Benjamin ROBIN Nov. 21, 2025, 10:42 a.m. UTC | #2
Hello Marta,

On Friday, November 21, 2025 at 11:35 AM, Marta Rybczynska wrote:
> Hello Benjamin,
> Do you confirm that this time it is ready for review?

Yes, I confirm that this time it is ready for review :)
Sorry for all the initial noise...
 
> Kind regards,
> Marta