| Message ID | 20250108160520.3159757-1-hongxu.jia@windriver.com |
|---|---|
| State | New |
On Wed, Jan 8, 2025 at 9:05 AM Hongxu Jia <hongxu.jia@windriver.com> wrote: > > Due to commit [cve-check: annotate CVEs during analysis][1] improved > get_patched_cves to search for additional CVEs from CVE_STATUS which > means the funciton get_patched_cves contains both of patched CVE and > decoded_status > > This commit add function get_cves to use get_patched_cves in one place > to add CVEs, and convert patched_cve to decoded_status: > > patched_cve["abbrev-status"] --> decoded_status["mapping"] > patched_cve["status"] --> decoded_status["detail"] > patched_cve["justification"] --> decoded_status["description"] > > Take recipe unzip for example, CVE-2015-1315 is patched in oe-core and > is available in package SPDX > > oe-core$ grep "CVE-2015-1315" -rn meta > meta/recipes-extended/unzip/unzip_6.0.bb:12: file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \ > meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315 > > $ bitbake unzip > $ vim tmp/deploy/spdx/3.0.1/core2-64/packages/package-unzip.spdx.json [2] > ... 
> { > "type": "security_VexFixedVulnAssessmentRelationship", > "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/47a621ef0550c7a6a1ed0507b0b8a7b7822447c2ff0995acc4b688eed1e1f1d0/vex-fixed/1aeb76ce6ca8dd91b12c18a11eeb964b", > "creationInfo": "_:CreationInfo1", > "extension": [ > { > "type": "https://rdf.openembedded.org/spdx/3.0/id-alias", > "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/1aeb76ce6ca8dd91b12c18a11eeb964b" > } > ], > "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315", > "relationshipType": "fixedIn", > "to": [ > "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/47a621ef0550c7a6a1ed0507b0b8a7b7822447c2ff0995acc4b688eed1e1f1d0/package/unzip" > ], > "security_vexVersion": "1.0.0" > }, > ... > > [1] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d > [2] https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/ > > Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> > --- > meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index c60c97896c..9baa40887b 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py 
> @@ -437,6 +437,17 @@ def set_purposes(d, element, *var_names, force_purposes=[]): > getattr(oe.spdx30.software_SoftwarePurpose, p) for p in purposes[1:] > ] > > +def get_cves(d): > + cve_status = {} > + patched_cves = oe.cve_check.get_patched_cves(d) > + for cve, patched_cve in patched_cves.items(): > + cve_status[cve] = { > + "mapping": patched_cve["abbrev-status"], > + "detail": patched_cve["status"], > + "description": patched_cve.get("justification", None) > + } I don't see any reason to map this to the old indexes; better to update the code consuming it to use the new indexes instead. > + > + return cve_status > > def create_spdx(d): > def set_var_field(var, obj, name, package=None): > @@ -487,8 +498,8 @@ def create_spdx(d): > # Add CVEs > cve_by_status = {} > if include_vex != "none": > - for cve in d.getVarFlags("CVE_STATUS") or {}: > - decoded_status = oe.cve_check.decode_cve_status(d, cve) > + cve_data = get_cves(d) > + for cve, decoded_status in cve_data.items(): > > # If this CVE is fixed upstream, skip it unless all CVEs are > # specified. > -- > 2.25.1 >
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index c60c97896c..9baa40887b 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -437,6 +437,17 @@ def set_purposes(d, element, *var_names, force_purposes=[]):
 getattr(oe.spdx30.software_SoftwarePurpose, p) for p in purposes[1:]
 ]
 
+def get_cves(d):
+ cve_status = {}
+ patched_cves = oe.cve_check.get_patched_cves(d)
+ for cve, patched_cve in patched_cves.items():
+ cve_status[cve] = {
+ "mapping": patched_cve["abbrev-status"],
+ "detail": patched_cve["status"],
+ "description": patched_cve.get("justification", None)
+ }
+
+ return cve_status
 
 def create_spdx(d):
 def set_var_field(var, obj, name, package=None):
@@ -487,8 +498,8 @@ def create_spdx(d):
 # Add CVEs
 cve_by_status = {}
 if include_vex != "none":
- for cve in d.getVarFlags("CVE_STATUS") or {}:
- decoded_status = oe.cve_check.decode_cve_status(d, cve)
+ cve_data = get_cves(d)
+ for cve, decoded_status in cve_data.items():
 
 # If this CVE is fixed upstream, skip it unless all CVEs are
 # specified.
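Review bot: In the first hunk, get_cves indexes `patched_cve["abbrev-status"]` and `patched_cve["status"]` directly while reading `justification` with `.get`; if any entry returned by oe.cve_check.get_patched_cves — which, per the description, now also covers CVEs taken from patch headers rather than only CVE_STATUS — lacks one of those two keys, VEX generation for the whole recipe fails with a KeyError instead of that single entry being skipped or reported. Either document that both keys are guaranteed by get_patched_cves, or read all three uniformly and handle a missing status explicitly, since a silently dropped or mis-stated status in a VEX document is a security-relevant output error. The function also has no docstring; suggest `"""Return {cve_id: {"mapping", "detail", "description"}} for every CVE reported by oe.cve_check.get_patched_cves, in the shape the VEX loop in create_spdx consumes."""`. The `None` default in `.get("justification", None)` is redundant. The loop that consumes cve_data in the second hunk starts and ends outside the hunk.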
Because commit [cve-check: annotate CVEs during analysis][1] improved get_patched_cves to search for additional CVEs from CVE_STATUS, the function get_patched_cves now contains both the patched CVEs and decoded_status. This commit adds a function get_cves that uses get_patched_cves in one place to add CVEs, and converts patched_cve to decoded_status: patched_cve["abbrev-status"] --> decoded_status["mapping"] patched_cve["status"] --> decoded_status["detail"] patched_cve["justification"] --> decoded_status["description"] Take the recipe unzip for example: CVE-2015-1315 is patched in oe-core and is available in the package SPDX oe-core$ grep "CVE-2015-1315" -rn meta meta/recipes-extended/unzip/unzip_6.0.bb:12: file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \ meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315 $ bitbake unzip $ vim tmp/deploy/spdx/3.0.1/core2-64/packages/package-unzip.spdx.json [2] ... { "type": "security_VexFixedVulnAssessmentRelationship", "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/47a621ef0550c7a6a1ed0507b0b8a7b7822447c2ff0995acc4b688eed1e1f1d0/vex-fixed/1aeb76ce6ca8dd91b12c18a11eeb964b", "creationInfo": "_:CreationInfo1", "extension": [ { "type": "https://rdf.openembedded.org/spdx/3.0/id-alias", "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/1aeb76ce6ca8dd91b12c18a11eeb964b" } ], "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315", "relationshipType": "fixedIn", "to": [ "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/47a621ef0550c7a6a1ed0507b0b8a7b7822447c2ff0995acc4b688eed1e1f1d0/package/unzip" ], "security_vexVersion": "1.0.0" }, ... 
[1] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d [2] https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/ Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> --- meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-)