| Message ID | 20260318053906.26606-1-hetpat@cisco.com |
|---|---|
| Series | cve-check: fix incorrect CVE assessments and runtime warnings - cover letter |
Hello,

On Wed Mar 18, 2026 at 6:39 AM CET, Het Patel via lists.openembedded.org wrote:
> From: Het Patel <hetpat@cisco.com>
>
> The patches address the following bugs:
>
> 1. Incomplete CVE Assessment Details: Currently, the `detail` field is missing for approximately 81% of entries, rendering reports unreliable for auditing. These changes ensure that the rationale for a "Patched" or "Unpatched" assessment is properly recorded, allowing for a clear distinction between version-based assessments and missing data.
>
> 2. Runtime Warnings: Corrects four instances where debug calls were missing the required log level parameter. This change eliminates the runtime warnings that currently trigger during every CVE scan.

I appreciate that you trimmed down your previous try to clean up CVE checking code[0]. But I still feel like it is too intrusive for stable inclusion.

Can you please provide examples of some CVEs having "Incomplete CVE Assessment Details:" so I can understand the problem?

> Testing:
> - Applied cleanly to the current `scarthgap` HEAD.
> - Verified via a full CVE scan.
> - Confirmed that all existing CVE statuses are preserved with no regressions observed.

Can you provide output (log+json) both before/after to verify this claim?

Thanks!

[0]: https://lore.kernel.org/openembedded-core/20260220053443.3006180-1-hetpat@cisco.com/#r

> Het Patel (4):
>   cve-check: encode affected product/vendor in CVE_STATUS
>   cve-check: annotate CVEs during analysis
>   cve-check-map: add new statuses
>   cve-check: fix debug message
>
>  meta/classes/cve-check.bbclass | 246 +++++++++++++++++++++--------------------
>  meta/conf/cve-check-map.conf   |   9 +
>  meta/lib/oe/cve_check.py       |  74 +++++++++---
>  3 files changed, 197 insertions(+), 132 deletions(-)
Hi Yoann,

I will share the new series of patches, which includes a few additional ones. I will attach the corresponding output files to that.

Best regards,
Het
On Wed Mar 18, 2026 at 1:57 PM CET, Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
> Hi Yoann,
>
> I will share the new series of patches, which includes a few additional ones. I will attach the corresponding output files to that.

Hmmm, I wrote that I felt that the series was too intrusive and now you want to add more patches? Are you sure this is the right direction?

(I'm trying to prevent you from losing time to something that could ultimately be unmergable...)

Regards,

--
Yoann Congal
Smile ECS
On Wed Mar 18, 2026 at 2:10 PM CET, Yoann Congal wrote:
> On Wed Mar 18, 2026 at 1:57 PM CET, Het Patel -X (hetpat - E INFOCHIPS PRIVATE LIMITED at Cisco) wrote:
>> Hi Yoann,
>>
>> I will share the new series of patches, which includes a few additional ones. I will attach the corresponding output files to that.
>
> Hmmm, I wrote that I felt that the series was too intrusive and now you
> want to add more patches? Are you sure this is the right direction?

Oh, I see now that you are talking about patches from Peter's suggestion. The series might still be too intrusive but it will be more coherent. Got it.

> (I'm trying to prevent you from losing time to something that could
> ultimately be unmergable...)
>
> Regards,

--
Yoann Congal
Smile ECS
From: Het Patel <hetpat@cisco.com>

The patches address the following bugs:

1. Incomplete CVE Assessment Details: Currently, the `detail` field is missing for approximately 81% of entries, rendering reports unreliable for auditing. These changes ensure that the rationale for a "Patched" or "Unpatched" assessment is properly recorded, allowing for a clear distinction between version-based assessments and missing data.

2. Runtime Warnings: Corrects four instances where debug calls were missing the required log level parameter. This change eliminates the runtime warnings that currently trigger during every CVE scan.

Testing:
- Applied cleanly to the current `scarthgap` HEAD.
- Verified via a full CVE scan.
- Confirmed that all existing CVE statuses are preserved with no regressions observed.

Het Patel (4):
  cve-check: encode affected product/vendor in CVE_STATUS
  cve-check: annotate CVEs during analysis
  cve-check-map: add new statuses
  cve-check: fix debug message

 meta/classes/cve-check.bbclass | 246 +++++++++++++++++++++--------------------
 meta/conf/cve-check-map.conf   |   9 +
 meta/lib/oe/cve_check.py       |  74 +++++++++---
 3 files changed, 197 insertions(+), 132 deletions(-)
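The two things this thread argues about can be checked mechanically from the cve-check JSON reports: how many assessments carry no `detail` rationale (the 81% figure in the cover letter) and whether every CVE status is preserved between a before and after scan (the output Yoann asks for). The script below is an added example, not code from this series or from OE-core; the JSON layout it reads and the sample `detail` values are assumptions.

```python
import json

# Assumed cve-check JSON layout (not taken from this series):
# {"package": [{"name", "version", "issue": [{"id", "status", "detail", ...}]}]}

def index_issues(report):
    """Map (package name, CVE id) -> issue record so two reports can be joined."""
    out = {}
    for pkg in report.get("package", []):
        for issue in pkg.get("issue", []):
            out[(pkg["name"], issue["id"])] = issue
    return out

def detail_coverage(report):
    """Return (total, with_detail, missing_pct): how many assessments carry a
    non-empty `detail` rationale, and the percentage that do not."""
    issues = list(index_issues(report).values())
    total = len(issues)
    with_detail = sum(1 for i in issues if i.get("detail"))
    missing_pct = 0.0 if total == 0 else round(100.0 * (total - with_detail) / total, 1)
    return total, with_detail, missing_pct

def status_regressions(before, after):
    """List (key, old_status, new_status) for every CVE whose status changed or
    vanished between the reports; new_status is None for a vanished entry.
    An empty list is what the "statuses preserved" claim requires."""
    b, a = index_issues(before), index_issues(after)
    changes = []
    for key, issue in sorted(b.items()):
        new = a.get(key)
        if new is None:
            changes.append((key, issue["status"], None))
        elif new["status"] != issue["status"]:
            changes.append((key, issue["status"], new["status"]))
    return changes

# Constructed sample reports, not real scan output; detail values are illustrative.
BEFORE = json.loads("""{"version": "1", "package": [{"name": "libfoo",
  "version": "1.2.3", "issue": [
  {"id": "CVE-2024-0001", "status": "Patched", "detail": "fixed-version"},
  {"id": "CVE-2024-0002", "status": "Unpatched", "detail": ""},
  {"id": "CVE-2024-0003", "status": "Patched"}]}]}""")
AFTER = json.loads("""{"version": "1", "package": [{"name": "libfoo",
  "version": "1.2.3", "issue": [
  {"id": "CVE-2024-0001", "status": "Patched", "detail": "fixed-version"},
  {"id": "CVE-2024-0002", "status": "Unpatched", "detail": "version-in-range"},
  {"id": "CVE-2024-0003", "status": "Unpatched", "detail": "version-in-range"}]}]}""")
```

Run `detail_coverage` on each report and `status_regressions(BEFORE, AFTER)` on the pair; in the constructed sample the third CVE flips from Patched to Unpatched, which is exactly the kind of change a before/after comparison has to surface.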