Message ID | 20250416142859.909037-3-daniel.turull@ericsson.com |
---|---|
State | New |
Series | Check compiled files to filter kernel CVEs | expand |
Hello, I really like what this new class is trying to do. Sadly, the kernel repo does not offer kernel config hints for CVEs, but the files should also filter out a lot. Current implementation seems to only overwrite file generated by cve-check for kernel recipe, so it's suitable only for generating cve metrics. I see a major problem with this as it does not influence VEX and SPDX, which will become "the thing" very soon when the new regulations become active. Not sure how difficult it will be, but my recommendation would be to somehow get this integrated into oe.get_patched_cves function. Also, since this class is not enabled by default, there need to be tests implemented to make sure that it does not break. Peter > -----Original Message----- > From: daniel.turull@ericsson.com <daniel.turull@ericsson.com> > Sent: Wednesday, April 16, 2025 16:29 > To: openembedded-core@lists.openembedded.org > Cc: rybczynska@gmail.com; steve@sakoman.com; Marko, Peter (FT D EU SK > BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org; > ross.burton@arm.com; Daniel Turull <daniel.turull@ericsson.com> > Subject: [PATCH 2/2] cve-check-kernel: verify kernel CVEs using programFile from > kernel.org CNA > > From: Daniel Turull <daniel.turull@ericsson.com> > > This class is used to check the CVEs against a specific kernel configuration. > Depends on data from the kernel.org CNA > https://git.kernel.org/pub/scm/linux/security/vulns.git > The CVE data provided by kernel.org includes the files that are > affected by a given CVE and are provided as json files > > It requires the kernel to be compiled to be able to extract which files are used. > It is created as optional check on top cve-check. > > To enable add in your local.conf > INHERIT += cve-check > INHERIT += cve-check-kernel > > To test it > bitbake virtual/kernel -c cve_check_kernel 
> > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/classes/cve-check-kernel.bbclass | 132 ++++++++++++++++++++++++++ > 1 file changed, 132 insertions(+) > create mode 100644 meta/classes/cve-check-kernel.bbclass > > diff --git a/meta/classes/cve-check-kernel.bbclass b/meta/classes/cve-check- > kernel.bbclass > new file mode 100644 > index 0000000000..c01f0efd1d > --- /dev/null > +++ b/meta/classes/cve-check-kernel.bbclass 
> @@ -0,0 +1,132 @@ > +# > +# Copyright OpenEmbedded Contributors > +# > +# SPDX-License-Identifier: MIT > +# > +# This class is used to check the CVEs against a specific kernel configuration. > +# Depends on data from the kernel.org CNA > +# https://git.kernel.org/pub/scm/linux/security/vulns.git > +# The CVE data provided by kernel.org includes the files that are > +# affected by a given CVE and are provided as json files > +# > +# It requires the kernel to be compiled to be able to extract which files are > +# used. It is created as optional check on top cve-check. > +# > +# To enable add in your local.conf > +# INHERIT += cve-check > +# INHERIT += cve-check-kernel > +# > +# Then execute > +# bitbake virtual/kernel -c cve_check_kernel > +# > + > +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" > +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" > +KERNEL_CNA_REPO ?= "${DL_DIR}/CVE_CHECK/vulns" > + > +python () { > + if not bb.data.inherits_class("cve-check", d): > + raise bb.parse.SkipRecipe("Skip cve-check-kernel when cve-check class is > not loaded.") > + > + if d.getVar('PN', True) == d.getVar("PREFERRED_PROVIDER_virtual/kernel", > True): > + bb.build.addtask('do_save_compiled_files', None, > 'do_compile_kernelmodules', d) > + bb.build.addtask('do_cve_check_kernel', 'do_build', None, d) > + d.appendVarFlag('do_cve_check_kernel', 'depends', > 'virtual/kernel:do_cve_check ') > + d.appendVarFlag('do_cve_check_kernel', 'depends', > 'virtual/kernel:do_compile_kernelmodules ') > + d.appendVarFlag('do_cve_check_kernel', 'depends', 'linux-vulns:do_unpack > ') > +} > + > +do_save_compiled_files() { > + bbplain "Fetching compiled files" > + mkdir -p ${KERNEL_FILES_DIR} > + ${S}/scripts/clang-tools/gen_compile_commands.py -o > ${KERNEL_SRC_FILES} > +} > + > +def get_files_in_cve(d, cve): > + import os > + import glob > + import json > + datadir = d.getVar('KERNEL_CNA_REPO', True) > + pattern = os.path.join(datadir, '**', f"{cve}.json") > + cve_files = 
glob.glob(pattern, recursive=True) > + files_affected = [] > + if len(cve_files) == 0: > + return None > + # Assuming one match > + with open(cve_files[0]) as f: > + k_cve = json.load(f) > + for item in k_cve['containers']['cna']['affected']: > + if item["defaultStatus"] == "affected": > + if "programFiles" in item: > + files = item['programFiles'] > + files_affected.extend(files) > + if len(files_affected) == 0: > + return None > + return files_affected > + > +python do_cve_check_kernel() { > + import json > + bb.plain("Updating CVEs using compiled files") > + kfiles = [] > + cves = {} > + affected= [] > + > + with open(d.getVar('KERNEL_SRC_FILES', True), 'r') as file: > + for item in json.load(file): > + kfiles.append(item['file'].replace(f"{d.getVar('S')}/","")) > + bb.debug(1, f"Total used kernel source files: {len(kfiles)}") > + > + # We want to use the file in log directory > + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") > + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") > + direct_file = d.getVar("CVE_CHECK_LOG_JSON") > + fragment_file = os.path.basename(deploy_file) > + fragment_path = os.path.join(cvelogpath, fragment_file) > + > + with open(fragment_path, 'r') as file: > + cves = json.load(file) > + > + total = 0 > + for cve in cves['package'][0]['issue']: > + status = cve['status'] > + id = cve['id'] > + > + if status == 'Unpatched': > + is_affected = False > + total += 1 > + affected_files = get_files_in_cve(d, id) > + if affected_files is None: > + bb.debug(1, f"No file information for {id}") > + affected.append(id) > + is_affected = True > + continue > + for f in affected_files: > + if f in kfiles: > + bb.debug(1, f"File match in {id}: {f}") > + affected.append(id) > + is_affected = True > + break > + if not is_affected: > + bb.debug(1, f"Changing status. Files in {id} not compiled. > {affected_files}") > + cve["status"] = "Ignored" > + cve["detail"] = "not-applicable-config" > + cve["description"] = f"Source code not compiled by config. 
> {affected_files}" > + > + # Update cve files generated from cve-check > + write_string = json.dumps(cves, indent=2) > + with open(direct_file, 'w') as f: > + bb.note("Writing file %s with CVE information" % direct_file) > + f.write(write_string) > + if d.getVar("CVE_CHECK_COPY_FILES") == "1": > + with open(deploy_file, "w") as f: > + f.write(write_string) > + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": > + with open(fragment_path, "w") as f: > + f.write(write_string) > + > + # Summary > + bb.warn(f"Before filter we have {total} CVEs") > + bb.warn(f"After programFile filter we have {len(affected)}") > + bb.warn(f"Affected CVEs after filtering: {affected}") > +} > +
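Review bot: A CVE whose programFiles list only headers (for example a fix in an include/ inline function) is downgraded to Ignored/not-applicable-config by the `for f in affected_files` loop in do_cve_check_kernel, because kfiles is built from compile_commands.json, which records one entry per compiled source unit and never the headers it pulls in, so such a path can never match and is_affected stays False. The conservative fix is to treat any path that is not itself a source unit as compiled-in, e.g. `if f in kfiles or not f.endswith(('.c', '.S')):` with the debug line reworded to `bb.debug(1, f"File match or non-source path in {id}: {f}")`, and to build kfiles as a set so the membership test is O(1) instead of a list scan per CVE file. The three summary lines at the end use bb.warn for ordinary progress output; bb.plain or bb.note would keep the build's warning count meaningful for real problems. The same code is repeated in the quoted copies of this hunk further down the thread and in the patch itself at the bottom of the page.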
Hi Peter, Thanks for the suggestions. The data to filter relies on the information on the CVE, so we could potentially filter out at the time of the build in the vex file, once I fix the previous patch. But this will become outdated for the new CVEs. I'll try to update the SPDX generation to include only the compiled files and not all as it is now. Then it could probably be used by cve-check, vex or an external tool using spdx information. Best regards, Daniel -----Original Message----- From: Marko, Peter <Peter.Marko@siemens.com> Sent: Thursday, 17 April 2025 10:56 To: Daniel Turull <daniel.turull@ericsson.com>; openembedded-core@lists.openembedded.org Cc: rybczynska@gmail.com; steve@sakoman.com; richard.purdie@linuxfoundation.org; ross.burton@arm.com Subject: RE: [PATCH 2/2] cve-check-kernel: verify kernel CVEs using programFile from kernel.org CNA [You don't often get email from peter.marko@siemens.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] Hello, I really like what is this new class trying to do. Sadly, the kernel repo does not offer kernel config hints for CVEs, but the files should also filter out a lot. Current implementation seems to only overwrite file generated by cve-check for kernel recipe, so it's suitable only for generating cve metrics. I see a major problem with this as it does not influence VEX and SPDX, which will become "the thing" very soon when the new regulations become active. Not sure how difficult it will be, but my recommendation would be to somehow get this integrated into oe.get_patched_cves function. Also, since this class is not enabled by default, there need to be tests implemented to make sure that it does not break. Peter > -----Original Message----- 
> From: daniel.turull@ericsson.com <daniel.turull@ericsson.com> > Sent: Wednesday, April 16, 2025 16:29 > To: openembedded-core@lists.openembedded.org > Cc: rybczynska@gmail.com; steve@sakoman.com; Marko, Peter (FT D EU SK > BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org; > ross.burton@arm.com; Daniel Turull <daniel.turull@ericsson.com> > Subject: [PATCH 2/2] cve-check-kernel: verify kernel CVEs using > programFile from kernel.org CNA > > From: Daniel Turull <daniel.turull@ericsson.com> > > This class is used to check the CVEs against a specific kernel configuration. > Depends on data from the kernel.org CNA > https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit. > kernel.org%2Fpub%2Fscm%2Flinux%2Fsecurity%2Fvulns.git&data=05%7C02%7Cd > aniel.turull%40ericsson.com%7C31a9203398c447bfef3408dd7d8dbf07%7C92e84 > cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638804769948856423%7CUnknown%7CT > WFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiI > sIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=Q0WxBfDbU13MSWCrg > Jk3J6QT4d%2F5YDBsPXtyBcD85ow%3D&reserved=0 > The CVE data provided by kernel.org includes the files that are > affected by a given CVE and are provided as json files > > It requires the kernel to be compiled to be able to extract which files are used. > It is created as optional check on top cve-check. > > To enable add in your local.conf > INHERIT += cve-check > INHERIT += cve-check-kernel > > To test it > bitbake virtual/kernel -c cve_check_kernel > > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/classes/cve-check-kernel.bbclass | 132 > ++++++++++++++++++++++++++ > 1 file changed, 132 insertions(+) > create mode 100644 meta/classes/cve-check-kernel.bbclass > > diff --git a/meta/classes/cve-check-kernel.bbclass > b/meta/classes/cve-check- kernel.bbclass new file mode 100644 index > 0000000000..c01f0efd1d > --- /dev/null > +++ b/meta/classes/cve-check-kernel.bbclass 
> @@ -0,0 +1,132 @@ > +# > +# Copyright OpenEmbedded Contributors # # SPDX-License-Identifier: > +MIT # # This class is used to check the CVEs against a specific > +kernel configuration. > +# Depends on data from the kernel.org CNA # > +https://eur02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgit > +.kernel.org%2Fpub%2Fscm%2Flinux%2Fsecurity%2Fvulns.git&data=05%7C02%7 > +Cdaniel.turull%40ericsson.com%7C31a9203398c447bfef3408dd7d8dbf07%7C92 > +e84cebfbfd47abbe52080c6b87953f%7C0%7C0%7C638804769948876469%7CUnknown > +%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW > +4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=dB9lDl%2Bl% > +2BeySgLjiiDcz7IiplC7pB4fvWnN8Gl6ljD0%3D&reserved=0 > +# The CVE data provided by kernel.org includes the files that are # > +affected by a given CVE and are provided as json files # # It > +requires the kernel to be compiled to be able to extract which files > +are # used. It is created as optional check on top cve-check. > +# > +# To enable add in your local.conf > +# INHERIT += cve-check > +# INHERIT += cve-check-kernel > +# > +# Then execute > +# bitbake virtual/kernel -c cve_check_kernel # > + > +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" > +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" > +KERNEL_CNA_REPO ?= "${DL_DIR}/CVE_CHECK/vulns" > + > +python () { > + if not bb.data.inherits_class("cve-check", d): > + raise bb.parse.SkipRecipe("Skip cve-check-kernel when > +cve-check class is > not loaded.") > + > + if d.getVar('PN', True) == > + d.getVar("PREFERRED_PROVIDER_virtual/kernel", > True): > + bb.build.addtask('do_save_compiled_files', None, > 'do_compile_kernelmodules', d) > + bb.build.addtask('do_cve_check_kernel', 'do_build', None, d) > + d.appendVarFlag('do_cve_check_kernel', 'depends', > 'virtual/kernel:do_cve_check ') > + d.appendVarFlag('do_cve_check_kernel', 'depends', > 'virtual/kernel:do_compile_kernelmodules ') > + d.appendVarFlag('do_cve_check_kernel', 
'depends', > + 'linux-vulns:do_unpack > ') > +} > + > +do_save_compiled_files() { > + bbplain "Fetching compiled files" > + mkdir -p ${KERNEL_FILES_DIR} > + ${S}/scripts/clang-tools/gen_compile_commands.py -o > ${KERNEL_SRC_FILES} > +} > + > +def get_files_in_cve(d, cve): > + import os > + import glob > + import json > + datadir = d.getVar('KERNEL_CNA_REPO', True) > + pattern = os.path.join(datadir, '**', f"{cve}.json") > + cve_files = glob.glob(pattern, recursive=True) > + files_affected = [] > + if len(cve_files) == 0: > + return None > + # Assuming one match > + with open(cve_files[0]) as f: > + k_cve = json.load(f) > + for item in k_cve['containers']['cna']['affected']: > + if item["defaultStatus"] == "affected": > + if "programFiles" in item: > + files = item['programFiles'] > + files_affected.extend(files) > + if len(files_affected) == 0: > + return None > + return files_affected > + > +python do_cve_check_kernel() { > + import json > + bb.plain("Updating CVEs using compiled files") > + kfiles = [] > + cves = {} > + affected= [] > + > + with open(d.getVar('KERNEL_SRC_FILES', True), 'r') as file: > + for item in json.load(file): > + kfiles.append(item['file'].replace(f"{d.getVar('S')}/","")) > + bb.debug(1, f"Total used kernel source files: {len(kfiles)}") > + > + # We want to use the file in log directory > + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") > + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") > + direct_file = d.getVar("CVE_CHECK_LOG_JSON") > + fragment_file = os.path.basename(deploy_file) > + fragment_path = os.path.join(cvelogpath, fragment_file) > + > + with open(fragment_path, 'r') as file: > + cves = json.load(file) > + > + total = 0 > + for cve in cves['package'][0]['issue']: > + status = cve['status'] > + id = cve['id'] > + > + if status == 'Unpatched': > + is_affected = False > + total += 1 > + affected_files = get_files_in_cve(d, id) > + if affected_files is None: > + bb.debug(1, f"No file information for {id}") > + 
affected.append(id) > + is_affected = True > + continue > + for f in affected_files: > + if f in kfiles: > + bb.debug(1, f"File match in {id}: {f}") > + affected.append(id) > + is_affected = True > + break > + if not is_affected: > + bb.debug(1, f"Changing status. Files in {id} not compiled. > {affected_files}") > + cve["status"] = "Ignored" > + cve["detail"] = "not-applicable-config" > + cve["description"] = f"Source code not compiled by config. > {affected_files}" > + > + # Update cve files generated from cve-check > + write_string = json.dumps(cves, indent=2) > + with open(direct_file, 'w') as f: > + bb.note("Writing file %s with CVE information" % direct_file) > + f.write(write_string) > + if d.getVar("CVE_CHECK_COPY_FILES") == "1": > + with open(deploy_file, "w") as f: > + f.write(write_string) > + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": > + with open(fragment_path, "w") as f: > + f.write(write_string) > + > + # Summary > + bb.warn(f"Before filter we have {total} CVEs") > + bb.warn(f"After programFile filter we have {len(affected)}") > + bb.warn(f"Affected CVEs after filtering: {affected}") } > +
Hi Daniel, On 4/16/25 4:28 PM, Daniel Turull via lists.openembedded.org wrote: > [You don't often get email from daniel.turull=ericsson.com@lists.openembedded.org. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] > > From: Daniel Turull <daniel.turull@ericsson.com> > > This class is used to check the CVEs against a specific kernel configuration. > Depends on data from the kernel.org CNA > https://git.kernel.org/pub/scm/linux/security/vulns.git > The CVE data provided by kernel.org includes the files that are > affected by a given CVE and are provided as json files > > It requires the kernel to be compiled to be able to extract which files are used. > It is created as optional check on top cve-check. > > To enable add in your local.conf > INHERIT += cve-check > INHERIT += cve-check-kernel > > To test it > bitbake virtual/kernel -c cve_check_kernel > > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/classes/cve-check-kernel.bbclass | 132 ++++++++++++++++++++++++++ > 1 file changed, 132 insertions(+) > create mode 100644 meta/classes/cve-check-kernel.bbclass > > diff --git a/meta/classes/cve-check-kernel.bbclass b/meta/classes/cve-check-kernel.bbclass > new file mode 100644 > index 0000000000..c01f0efd1d > --- /dev/null > +++ b/meta/classes/cve-check-kernel.bbclass 
> @@ -0,0 +1,132 @@ > +# > +# Copyright OpenEmbedded Contributors > +# > +# SPDX-License-Identifier: MIT > +# > +# This class is used to check the CVEs against a specific kernel configuration. > +# Depends on data from the kernel.org CNA > +# https://git.kernel.org/pub/scm/linux/security/vulns.git > +# The CVE data provided by kernel.org includes the files that are > +# affected by a given CVE and are provided as json files > +# > +# It requires the kernel to be compiled to be able to extract which files are > +# used. It is created as optional check on top cve-check. > +# > +# To enable add in your local.conf > +# INHERIT += cve-check > +# INHERIT += cve-check-kernel > +# > +# Then execute > +# bitbake virtual/kernel -c cve_check_kernel > +# > + > +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" > +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" > +KERNEL_CNA_REPO ?= "${DL_DIR}/CVE_CHECK/vulns" > + > +python () { > + if not bb.data.inherits_class("cve-check", d): > + raise bb.parse.SkipRecipe("Skip cve-check-kernel when cve-check class is not loaded.") > + > + if d.getVar('PN', True) == d.getVar("PREFERRED_PROVIDER_virtual/kernel", True): I don't think this will work reliably? I think you could have another virtual provider in PREFERRED_PROVIDER_virtual/kernel and then this wouldn't match. I have no clue how to handle that properly. I'm not sure how to make sure we're always using the latest linux-vulns database (and so not rely on the cache(s)) but at the same time allow building without network access. I guess we could provide some hash or tarball for linux-vulns by default, for building without network access? Cheers, Quentin
diff --git a/meta/classes/cve-check-kernel.bbclass b/meta/classes/cve-check-kernel.bbclass
new file mode 100644
index 0000000000..c01f0efd1d
--- /dev/null
+++ b/meta/classes/cve-check-kernel.bbclass
@@ -0,0 +1,132 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# +# This class is used to check the CVEs against a specific kernel configuration. +# Depends on data from the kernel.org CNA +# https://git.kernel.org/pub/scm/linux/security/vulns.git +# The CVE data provided by kernel.org includes the files that are +# affected by a given CVE and are provided as json files +# +# It requires the kernel to be compiled to be able to extract which files are +# used. It is created as optional check on top cve-check. +# +# To enable add in your local.conf +# INHERIT += cve-check +# INHERIT += cve-check-kernel +# +# Then execute +# bitbake virtual/kernel -c cve_check_kernel +# + +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" +KERNEL_CNA_REPO ?= "${DL_DIR}/CVE_CHECK/vulns" + +python () { + if not bb.data.inherits_class("cve-check", d): + raise bb.parse.SkipRecipe("Skip cve-check-kernel when cve-check class is not loaded.") + + if d.getVar('PN', True) == d.getVar("PREFERRED_PROVIDER_virtual/kernel", True): + bb.build.addtask('do_save_compiled_files', None, 'do_compile_kernelmodules', d) + bb.build.addtask('do_cve_check_kernel', 'do_build', None, d) + d.appendVarFlag('do_cve_check_kernel', 'depends', 'virtual/kernel:do_cve_check ') + d.appendVarFlag('do_cve_check_kernel', 'depends', 'virtual/kernel:do_compile_kernelmodules ') + d.appendVarFlag('do_cve_check_kernel', 'depends', 'linux-vulns:do_unpack ') +} + +do_save_compiled_files() { + bbplain "Fetching compiled files" + mkdir -p ${KERNEL_FILES_DIR} + ${S}/scripts/clang-tools/gen_compile_commands.py -o ${KERNEL_SRC_FILES} +} + +def get_files_in_cve(d, cve): + import os + import glob + import json + datadir = d.getVar('KERNEL_CNA_REPO', True) + pattern = os.path.join(datadir, '**', f"{cve}.json") + cve_files = glob.glob(pattern, recursive=True) + files_affected = [] + if len(cve_files) == 0: + return None + # Assuming one match 
+ with open(cve_files[0]) as f: + k_cve = json.load(f) + for item in k_cve['containers']['cna']['affected']: + if item["defaultStatus"] == "affected": + if "programFiles" in item: + files = item['programFiles'] + files_affected.extend(files) + if len(files_affected) == 0: + return None + return files_affected + +python do_cve_check_kernel() { + import json + bb.plain("Updating CVEs using compiled files") + kfiles = [] + cves = {} + affected= [] + + with open(d.getVar('KERNEL_SRC_FILES', True), 'r') as file: + for item in json.load(file): + kfiles.append(item['file'].replace(f"{d.getVar('S')}/","")) + bb.debug(1, f"Total used kernel source files: {len(kfiles)}") + + # We want to use the file in log directory + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + direct_file = d.getVar("CVE_CHECK_LOG_JSON") + fragment_file = os.path.basename(deploy_file) + fragment_path = os.path.join(cvelogpath, fragment_file) + + with open(fragment_path, 'r') as file: + cves = json.load(file) + + total = 0 + for cve in cves['package'][0]['issue']: + status = cve['status'] + id = cve['id'] + + if status == 'Unpatched': + is_affected = False + total += 1 + affected_files = get_files_in_cve(d, id) + if affected_files is None: + bb.debug(1, f"No file information for {id}") + affected.append(id) + is_affected = True + continue + for f in affected_files: + if f in kfiles: + bb.debug(1, f"File match in {id}: {f}") + affected.append(id) + is_affected = True + break + if not is_affected: + bb.debug(1, f"Changing status. Files in {id} not compiled. {affected_files}") + cve["status"] = "Ignored" + cve["detail"] = "not-applicable-config" + cve["description"] = f"Source code not compiled by config. 
{affected_files}" + + # Update cve files generated from cve-check + write_string = json.dumps(cves, indent=2) + with open(direct_file, 'w') as f: + bb.note("Writing file %s with CVE information" % direct_file) + f.write(write_string) + if d.getVar("CVE_CHECK_COPY_FILES") == "1": + with open(deploy_file, "w") as f: + f.write(write_string) + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": + with open(fragment_path, "w") as f: + f.write(write_string) + + # Summary + bb.warn(f"Before filter we have {total} CVEs") + bb.warn(f"After programFile filter we have {len(affected)}") + bb.warn(f"Affected CVEs after filtering: {affected}") +} +