lib: spdx30_tasks: Handle patched CVEs

Message ID 20250306212007.44880-1-JPEWhacker@gmail.com
State Accepted, archived
Commit 1ff496546279d8a97df5ec475007cfb095c2a0bc
Series lib: spdx30_tasks: Handle patched CVEs

Commit Message

Joshua Watt March 6, 2025, 9:20 p.m. UTC
The code to iterate over patched CVEs (e.g. those patched by a .patch
file in SRC_URI) was accidentally omitted when writing the SPDX 3
handling. Add it in now.

[YOCTO #15789]

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
---
 meta/lib/oe/spdx30_tasks.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

Comments

Richard Purdie March 11, 2025, 1:01 p.m. UTC | #1
On Thu, 2025-03-06 at 14:20 -0700, Joshua Watt via
lists.openembedded.org wrote:
> The code to iterate over patched CVEs (e.g. those patched by a .patch
> file in SRC_URI) was accidentally omitted when writing the SPDX 3
> handling. Add it in now
> 
> [YOCTO #15789]
> 
> Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> ---
>  meta/lib/oe/spdx30_tasks.py | 10 ++++++++++
>  1 file changed, 10 insertions(+)
> 
> diff --git a/meta/lib/oe/spdx30_tasks.py
> b/meta/lib/oe/spdx30_tasks.py
> index e3e5dbc7427..e20bb0c86f3 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -498,6 +498,16 @@ def create_spdx(d):
>      # Add CVEs
>      cve_by_status = {}
>      if include_vex != "none":
> +        for cve in oe.cve_check.get_patched_cves(d):
> +            spdx_cve = build_objset.new_cve_vuln(cve)
> +            build_objset.set_element_alias(spdx_cve)
> +
> +            cve_by_status.setdefault("Patched", {})[cve] = (
> +                spdx_cve,
> +                "patched",
> +                "",
> +            )
> +
>          for cve in d.getVarFlags("CVE_STATUS") or {}:
>              decoded_status = oe.cve_check.decode_cve_status(d, cve)
>  

I worry this has increased the build time by around 10 mins (~25%):

https://valkyrie.yocto.io/pub/non-release/20250311-54/testresults/buildperf-alma8/perf-alma8-vk_master_20250311090119_046a92d351.html

Cheers,

Richard
Joshua Watt March 11, 2025, 1:17 p.m. UTC | #2
On Tue, Mar 11, 2025, 7:01 AM Richard Purdie <richard.purdie@linuxfoundation.org> wrote:

> On Thu, 2025-03-06 at 14:20 -0700, Joshua Watt via
> lists.openembedded.org wrote:
> > The code to iterate over patched CVEs (e.g. those patched by a .patch
> > file in SRC_URI) was accidentally omitted when writing the SPDX 3
> > handling. Add it in now
> >
> > [YOCTO #15789]
> >
> > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > ---
> >  meta/lib/oe/spdx30_tasks.py | 10 ++++++++++
> >  1 file changed, 10 insertions(+)
> >
> > diff --git a/meta/lib/oe/spdx30_tasks.py
> > b/meta/lib/oe/spdx30_tasks.py
> > index e3e5dbc7427..e20bb0c86f3 100644
> > --- a/meta/lib/oe/spdx30_tasks.py
> > +++ b/meta/lib/oe/spdx30_tasks.py
> > @@ -498,6 +498,16 @@ def create_spdx(d):
> >      # Add CVEs
> >      cve_by_status = {}
> >      if include_vex != "none":
> > +        for cve in oe.cve_check.get_patched_cves(d):
> > +            spdx_cve = build_objset.new_cve_vuln(cve)
> > +            build_objset.set_element_alias(spdx_cve)
> > +
> > +            cve_by_status.setdefault("Patched", {})[cve] = (
> > +                spdx_cve,
> > +                "patched",
> > +                "",
> > +            )
> > +
> >          for cve in d.getVarFlags("CVE_STATUS") or {}:
> >              decoded_status = oe.cve_check.decode_cve_status(d, cve)
> >
>
> I worry this has increased the build time by around 10 mins (~25%):
>
>
> https://valkyrie.yocto.io/pub/non-release/20250311-54/testresults/buildperf-alma8/perf-alma8-vk_master_20250311090119_046a92d351.html


Ok. Let me see what I can do about that.

>
>
> Cheers,
>
> Richard
>
>
>
Mikko Rapeli March 11, 2025, 1:46 p.m. UTC | #3
Hi,

On Tue, Mar 11, 2025 at 07:17:33AM -0600, Joshua Watt via lists.openembedded.org wrote:
> On Tue, Mar 11, 2025, 7:01 AM Richard Purdie <
> richard.purdie@linuxfoundation.org> wrote:
> 
> > On Thu, 2025-03-06 at 14:20 -0700, Joshua Watt via
> > lists.openembedded.org wrote:
> > > The code to iterate over patched CVEs (e.g. those patched by a .patch
> > > file in SRC_URI) was accidentally omitted when writing the SPDX 3
> > > handling. Add it in now
> > >
> > > [YOCTO #15789]
> > >
> > > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
> > > ---
> > >  meta/lib/oe/spdx30_tasks.py | 10 ++++++++++
> > >  1 file changed, 10 insertions(+)
> > >
> > > diff --git a/meta/lib/oe/spdx30_tasks.py
> > > b/meta/lib/oe/spdx30_tasks.py
> > > index e3e5dbc7427..e20bb0c86f3 100644
> > > --- a/meta/lib/oe/spdx30_tasks.py
> > > +++ b/meta/lib/oe/spdx30_tasks.py
> > > @@ -498,6 +498,16 @@ def create_spdx(d):
> > >      # Add CVEs
> > >      cve_by_status = {}
> > >      if include_vex != "none":
> > > +        for cve in oe.cve_check.get_patched_cves(d):
> > > +            spdx_cve = build_objset.new_cve_vuln(cve)
> > > +            build_objset.set_element_alias(spdx_cve)
> > > +
> > > +            cve_by_status.setdefault("Patched", {})[cve] = (
> > > +                spdx_cve,
> > > +                "patched",
> > > +                "",
> > > +            )
> > > +
> > >          for cve in d.getVarFlags("CVE_STATUS") or {}:
> > >              decoded_status = oe.cve_check.decode_cve_status(d, cve)
> > >
> >
> > I worry this has increased the build time by around 10 mins (~25%):
> >
> >
> > https://valkyrie.yocto.io/pub/non-release/20250311-54/testresults/buildperf-alma8/perf-alma8-vk_master_20250311090119_046a92d351.html
> 
> 
> Ok. Let me see what I can do about that

Yes please. I think the kernel build time increase from ~4 minutes to ~16 minutes is
what I saw in my local builds. Both kernel and image builds are affected by these
SPDX CVE data changes, as we discussed yesterday on #yocto irc.

Cheers,

-Mikko
Patch

diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index e3e5dbc7427..e20bb0c86f3 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
@@ -498,6 +498,16 @@  def create_spdx(d):
     # Add CVEs
     cve_by_status = {}
     if include_vex != "none":
+        for cve in oe.cve_check.get_patched_cves(d):
+            spdx_cve = build_objset.new_cve_vuln(cve)
+            build_objset.set_element_alias(spdx_cve)
+
+            cve_by_status.setdefault("Patched", {})[cve] = (
+                spdx_cve,
+                "patched",
+                "",
+            )
+
         for cve in d.getVarFlags("CVE_STATUS") or {}:
             decoded_status = oe.cve_check.decode_cve_status(d, cve)
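Review bot: the new loop unconditionally files every CVE returned by oe.cve_check.get_patched_cves(d) under the "Patched" key before the CVE_STATUS loop that follows (whose body is cut off in this hunk) runs, so a CVE that is both fixed by a .patch in SRC_URI and explicitly listed in CVE_STATUS can be recorded in cve_by_status twice with conflicting statuses; consider skipping CVEs the second loop has already seen, or documenting which source takes precedence, so the emitted VEX data carries one status per CVE. The justification string is also left as "" for every patched entry, which tells a VEX consumer nothing about why the status was assigned; a fixed justification such as a note that the CVE is resolved by an applied patch would be more informative than an empty string. Separately, the thread reports this hunk adding roughly 10 minutes (~25%) to the build and raising kernel build time from ~4 to ~16 minutes, since get_patched_cves(d) has to inspect the recipe's patch files and is now run from create_spdx for every recipe whenever include_vex != "none"; computing that list once per recipe and caching it, or reusing what the cve-check task already computes, would avoid the repeated work.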