
[v2,1/6] linux-vulns: fetch kernel.org CNA info

Message ID 20250428134205.900354-2-daniel.turull@ericsson.com

Commit Message

Daniel Turull April 28, 2025, 1:42 p.m. UTC
From: Daniel Turull <daniel.turull@ericsson.com>

Add CVE data source for kernel.org.

It includes more information than that provided by NVD.
Use a similar mechanism and the same variables as cve-check to define
when to update.

To use without internet access, change variable VULNS_URL to a local
copy or mirror.

CC: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
---
 meta/conf/distro/include/maintainers.inc  |  1 +
 meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb

Patch

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 8065287c17..ec427fe6a4 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -468,6 +468,7 @@  RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br>"
 RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com>"
+RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com>"
diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb
new file mode 100644
index 0000000000..fc48558eb8
--- /dev/null
+++ b/meta/recipes-core/meta/linux-vulns_git.bb
@@ -0,0 +1,76 @@ 
+SUMMARY = "CVE information from kernel.org"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \
+and assigned to the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
+LICENSE = "GPL-2.0-only & cve-tou"
+SECTION = "base"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+inherit nopackages
+
+VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
+CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
+
+# Use same intervals as cve-update-db-native. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+
+CVE_DB_UPDATE_INTERVAL ??= "86400"
+
+python do_fetch(){
+    import os
+    import bb.utils
+
+    bb.utils.export_proxies(d)
+    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
+    repo_url = d.getVar("VULNS_URL")
+
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+
+        if update_interval < 0:
+            bb.note("Kernel CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2,"Kernel CVE database, recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(os.path.dirname(db_file))
+    # Configure cmd
+    if not os.path.exists(db_file):
+        cmd = f"git clone {repo_url} {db_file}"
+    else:
+        cmd = f"git -C {db_file} pull"
+    try:
+        bb.fetch2.runfetchcmd(cmd, d)
+    except bb.fetch2.FetchError as e:
+        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
+        bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror")
+}
+
+do_clean() {
+    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
+}
+
+deltask do_patch
+deltask do_unpack
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+deltask do_runtime_spdx
+deltask do_create_spdx
+deltask do_populate_lic
+deltask do_cve_check
+
+do_fetch[nostamp] = "1"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+EXCLUDE_FROM_WORLD = "1"
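Review bot: The update-interval check on the `os.path.getmtime(db_file)` line keys off the mtime of the clone directory, but a `git pull` that only modifies files beneath it need not touch the top-level directory's mtime, so after the initial clone the "recently updated" branch may never fire and every build would pull again. Refreshing the timestamp after a successful fetch, e.g. `os.utime(db_file, None)` in an `else:` clause of the `try` around `bb.fetch2.runfetchcmd(cmd, d)`, makes the interval behave as the comment above CVE_DB_UPDATE_INTERVAL describes. Separately, `repo_url` and `db_file` are interpolated unquoted into a shell command string; since VULNS_URL is documented as user-overridable, quoting both (`cmd = f"git clone {shlex.quote(repo_url)} {shlex.quote(db_file)}"`, same for the pull form) avoids breakage on paths with spaces or shell metacharacters. The `except bb.fetch2.FetchError as e` branch also discards `e`; including it in the warning (`bb.warn(f"Kernel vulns repo url not accessible. {repo_url}: {e}")`) helps diagnose a misconfigured mirror.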