
[2/2] cve-check: fix cvesInRecord

Message ID 20241124201342.27405-2-peter.marko@siemens.com
State New
Series [1/2] cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality

Commit Message

Peter Marko Nov. 24, 2024, 8:13 p.m. UTC
From: Peter Marko <peter.marko@siemens.com>

Currently the flag cvesInRecord is set to false if all CVEs are ignored or
patched. This is inconsistent, as it shows false if a CVE was fixed via
patch and true if this CVE was fixed by upgrade. In both cases the CVE
is valid and was fixed.

As I understand this flag, it should say if any CVE exists for a
particular component's product (regardless of how this CVE is handled)
and can be used to validate if a product is correctly set.

Note that skipping ignored CVEs may make sense in some cases, as ignored
may mean that the NVD DB is wrong, but in many cases it is ignored for other
reasons. A further patch can be done to evaluate the ignore subtype, but that
would be against my understanding of this flag as described above.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 33d41b912d..6e10dd915a 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -343,18 +343,19 @@  def check_cves(d, cve_data):
         for cverow in cve_cursor:
             cve = cverow[0]
 
-            if cve_is_ignored(d, cve_data, cve):
-                bb.note("%s-%s ignores %s" % (product, pv, cve))
-                continue
-            elif cve_is_patched(d, cve_data, cve):
-                bb.note("%s has been patched" % (cve))
-                continue
             # Write status once only for each product
             if not cves_in_product:
                 cves_status.append([product, True])
                 cves_in_product = True
                 cves_in_recipe = True
 
+            if cve_is_ignored(d, cve_data, cve):
+                bb.note("%s-%s ignores %s" % (product, pv, cve))
+                continue
+            elif cve_is_patched(d, cve_data, cve):
+                bb.note("%s has been patched" % (cve))
+                continue
+
             vulnerable = False
             ignored = False
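Review bot: moving the `cve_is_ignored` / `cve_is_patched` branches below the "Write status once only" block changes more than `cves_status`: `cves_in_recipe = True` is now also set for a recipe whose CVEs are all ignored or patched, while the commit message only discusses the per-product `cvesInRecord` flag. Please confirm in the commit message that every consumer of `cves_in_recipe` in `check_cves` and the report generation is meant to treat such a recipe as "has CVEs", or reset `cves_in_recipe` separately if only the product status should change. The relocated block is otherwise equivalent, and the added blank line after the second `continue` matches the surrounding spacing.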