
meta/lib/oe/spdx30_tasks.py: add patched CVE to SPDX 3

Message ID 20241230074045.213743-1-hongxu.jia@windriver.com
State New

Commit Message

Hongxu Jia Dec. 30, 2024, 7:40 a.m. UTC
Some CVEs may be patched during the build process without incrementing
the version number. Save the CVEs fixed by patches to cve_by_status,
which was parsed as "Patched" status, to add new_vex_patched_relationship
to pkg_objset.

Take the unzip recipe for example: CVE-2015-1315 is patched in oe-core and
is available in the package SPDX.

oe-core$ grep "CVE-2015-1315" -rn meta
meta/recipes-extended/unzip/unzip_6.0.bb:12:    file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315

$ bitbake unzip
$ vim tmp/deploy/spdx/3.0.1/corei7-64/packages/package-unzip.spdx.json [1]
...
    {
      "type": "security_VexFixedVulnAssessmentRelationship",
      "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
      "creationInfo": "_:CreationInfo1",
      "extension": [
        {
          "type": "https://rdf.openembedded.org/spdx/3.0/id-alias",
          "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/c8d7748f0d64a2a46a3a2545c891ad39"
        }
      ],
      "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315",
      "relationshipType": "fixedIn",
      "to": [
        "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/6e57f2cbf8f80a80ee21628b8a35cdddaa8ee800cc9e42367d866eb8daa41bb0/package/unzip"
      ],
      "security_vexVersion": "1.0.0"
    },
...

[1] https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
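The commit message shows what a patched CVE looks like once it lands in the package SPDX: a `security_VexFixedVulnAssessmentRelationship` whose `from` names the vulnerability and whose `to` names the package. The script below is an added example, not part of this patch or of oe-core, that reads such a document and lists which CVEs each package records as fixed, so a consumer of the SBOM can confirm that a build-time patch was actually captured. It assumes the SPDX 3 JSON-LD layout with a top-level `@graph` array, resolves the CVE id from the vulnerability element's `externalIdentifier` when the element is in the document and otherwise falls back to the CVE id embedded in the IRI (the alias IRIs in the commit message are of that second kind); all IRIs and the second CVE number in the sample are constructed placeholders.

```python
import json
import re

# Constructed sample: a minimal SPDX 3 JSON-LD graph shaped like the object
# quoted in the commit message. IRIs and CVE-0000-0000 are placeholders.
SAMPLE_SPDX = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {
            "type": "security_Vulnerability",
            "spdxId": "http://example.invalid/unzip/vulnerability/CVE-2015-1315",
            "externalIdentifier": [
                {"type": "ExternalIdentifier",
                 "externalIdentifierType": "cve",
                 "identifier": "CVE-2015-1315"}
            ],
        },
        {
            "type": "software_Package",
            "spdxId": "http://example.invalid/unzip/package/unzip",
            "name": "unzip",
        },
        {
            "type": "security_VexFixedVulnAssessmentRelationship",
            "spdxId": "http://example.invalid/unzip/vex-fixed/1",
            "from": "http://example.invalid/unzip/vulnerability/CVE-2015-1315",
            "relationshipType": "fixedIn",
            "to": ["http://example.invalid/unzip/package/unzip"],
            "security_vexVersion": "1.0.0",
        },
        {
            # "from" is an alias IRI that is not an element of this document,
            # mirroring the by-doc-hash aliases in the commit message.
            "type": "security_VexFixedVulnAssessmentRelationship",
            "spdxId": "http://example.invalid/unzip/vex-fixed/2",
            "from": "http://example.invalid/openembedded-alias/by-doc-hash/PLACEHOLDER/unzip/UNIHASH/vulnerability/CVE-0000-0000",
            "relationshipType": "fixedIn",
            "to": ["http://example.invalid/unzip/package/unzip"],
            "security_vexVersion": "1.0.0",
        },
    ],
})

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def resolve_cve(vuln_iri, by_id):
    """Return the CVE id for a vulnerability IRI, or None if it cannot be determined."""
    vuln = by_id.get(vuln_iri)
    if vuln is not None:
        for ext in vuln.get("externalIdentifier", []):
            if ext.get("externalIdentifierType") == "cve":
                return ext.get("identifier")
    # Alias IRIs carry the CVE id in their last path component; fall back to that.
    match = CVE_RE.search(vuln_iri)
    return match.group(0) if match else None


def fixed_cves(spdx_json):
    """Map package name (or IRI, if the package element is absent) -> sorted fixed CVE ids."""
    doc = json.loads(spdx_json)
    elements = doc.get("@graph", [doc])
    by_id = {e["spdxId"]: e for e in elements if "spdxId" in e}
    result = {}
    for element in elements:
        if element.get("type") != "security_VexFixedVulnAssessmentRelationship":
            continue
        if element.get("relationshipType") != "fixedIn":
            continue
        cve = resolve_cve(element.get("from", ""), by_id)
        if cve is None:
            continue
        for target in element.get("to", []):
            pkg = by_id.get(target, {}).get("name", target)
            result.setdefault(pkg, set()).add(cve)
    return {pkg: sorted(cves) for pkg, cves in result.items()}


def package_records_fix(spdx_json, package, cve):
    """True if the SBOM states that `cve` is fixed in `package`."""
    return cve in fixed_cves(spdx_json).get(package, [])


if __name__ == "__main__":
    for pkg, cves in fixed_cves(SAMPLE_SPDX).items():
        print(pkg, "fixed:", ", ".join(cves))
```

Pointing `fixed_cves` at a real `package-*.spdx.json` from `tmp/deploy/spdx/` turns the commit message's manual `vim` inspection into a check that can run in CI: a CVE listed in the recipe's patches but missing from the output means the fix did not make it into the SBOM.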

Patch

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 036c58bf4b..842962f609 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -515,6 +515,21 @@  def create_spdx(d):
 
     cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
 
+    # Some CVEs may be patched during the build process without incrementing the version number,
+    # so querying for CVEs based on the CPE id can lead to false positives. To account for this,
+    # save the CVEs fixed by patches to cve_by_status.
+    patched_cves = oe.cve_check.get_patched_cves(d)
+    for cve, patched_cve in patched_cves.items():
+        if patched_cve["abbrev-status"] != "Patched":
+            continue
+        spdx_cve = build_objset.new_cve_vuln(cve)
+        build_objset.set_element_alias(spdx_cve)
+        cve_by_status.setdefault("Patched", {})[cve] = (
+            spdx_cve,
+            None,
+            None,
+        )
+
     source_files = add_download_files(d, build_objset)
     build_inputs |= source_files
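Review bot: the loop unconditionally assigns `cve_by_status.setdefault("Patched", {})[cve] = (spdx_cve, None, None)`, so if the same CVE was already recorded under "Patched" earlier in create_spdx with real data in the second and third tuple slots, that entry is replaced by one holding only None. Consider skipping CVEs that are already present (`if cve in cve_by_status.get("Patched", {}): continue`) or merging into the existing tuple instead of overwriting. The new comment explains why patched CVEs are added but not what the two None fields stand in for; a one-line note on the tuple layout would help whoever later consumes `cve_by_status["Patched"]`, which must now tolerate None in those positions.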