diff mbox series

[v4,2/3] oeqa/selftest/cve_check: add check for optional "reason" value

Message ID 20230519081850.82586-2-andrej.valek@siemens.com
State New
Headers show
Series None | expand

Commit Message

Andrej Valek May 19, 2023, 8:18 a.m. UTC 
- After introducing the CVE_STATUS_REASONING flag variable, CVEs could
contain a reason for assigned statuses.
- Add an example conversion in logrotate recipe.

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
---
 meta/lib/oeqa/selftest/cases/cve_check.py     | 20 ++++++++++++++-----
 .../logrotate/logrotate_3.21.0.bb             |  6 ++++--
 2 files changed, 19 insertions(+), 7 deletions(-)
diff mbox series

Patch

diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 9534c9775c8..ea37beba031 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -207,18 +207,28 @@  CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "reason" : issue["reason"] if "reason" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0)
+            reason = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)
diff --git a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
index 87c0d9ae60f..633987ceed6 100644
--- a/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
+++ b/meta/recipes-extended/logrotate/logrotate_3.21.0.bb
@@ -16,8 +16,10 @@  SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"