Message ID | 20250429143904.634082-2-daniel.turull@ericsson.com |
---|---|
State | New |
Series | Check compiled files to filter kernel CVEs | expand |
On Tue, 2025-04-29 at 16:38 +0200, Daniel Turull via lists.openembedded.org wrote: > From: Daniel Turull <daniel.turull@ericsson.com> > > Add CVE data source for kernel.org. > > It includes more information than the one provided by NVD. > Use similar mechanism and same variables as cve-check to define > when to update. > > To use without internet access, change variable VULNS_URL to a local > copy or mirror. > > CC: Peter Marko <peter.marko@siemens.com> > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/conf/distro/include/maintainers.inc | 1 + > meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++ > 2 files changed, 77 insertions(+) > create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb If this is a real git repo, why can't we use a standard SRC_URI ? That would avoid having to invent new mirror variables and so on? Cheers, Richard
Thank you for providing this work Daniel. Are you able to obtain the same result with the raw CVE database? This patchset works for the Linux kernel only. Also, have you tested if it works with the world build for multiple kernel images (i.e. different configs) from the same source tree? I would be rather going for a post-processing with a given config after generating the json files instead of modifying the processing. My 0.02. Kind regards, Marta On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org <daniel.turull=ericsson.com@lists.openembedded.org> wrote: > From: Daniel Turull <daniel.turull@ericsson.com> > > Add CVE data source for kernel.org. > > It includes more information than the one provided by NVD. > Use similar mechanism and same variables as cve-check to define > when to update. > > To use without internet access, change variable VULNS_URL to a local > copy or mirror. > > CC: Peter Marko <peter.marko@siemens.com> > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/conf/distro/include/maintainers.inc | 1 + > meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++ > 2 files changed, 77 insertions(+) > create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb > > diff --git a/meta/conf/distro/include/maintainers.inc > b/meta/conf/distro/include/maintainers.inc > index 8065287c17..ec427fe6a4 100644 > --- a/meta/conf/distro/include/maintainers.inc > +++ b/meta/conf/distro/include/maintainers.inc 
> @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned < > unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned < > unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador < > otavio.salvador@ossystems.com.br>" > RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield < > bruce.ashfield@gmail.com>" > +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned < > unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield < > bruce.ashfield@gmail.com>" > RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield < > bruce.ashfield@gmail.com>" > RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield < > bruce.ashfield@gmail.com>" > diff --git a/meta/recipes-core/meta/linux-vulns_git.bb > b/meta/recipes-core/meta/linux-vulns_git.bb > new file mode 100644 > index 0000000000..fc48558eb8 > --- /dev/null > +++ b/meta/recipes-core/meta/linux-vulns_git.bb 
> @@ -0,0 +1,76 @@ > +SUMMARY = "CVE information from kernel.org" > +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers > reserved \ > +and assigned to the Linux kernel project." > +HOMEPAGE = " > https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" > +LICENSE = "GPL-2.0-only & cve-tou" > +SECTION = "base" > + > +INHIBIT_DEFAULT_DEPS = "1" > + > +inherit native > +inherit nopackages > + > +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns" > +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns" > + > +# Use same intervals as cve-update-db-native. By default: once a day > (24*60*60). > +# Use 0 to force the update > +# Use a negative value to skip the update > + > +CVE_DB_UPDATE_INTERVAL ??= "86400" > + > +python do_fetch(){ > + import os > + import bb.utils > + > + bb.utils.export_proxies(d) > + db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR") > + repo_url = d.getVar("VULNS_URL") > + > + try: > + import time > + update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) > + > + if update_interval < 0: > + bb.note("Kernel CVE database update skipped") > + return > + if time.time() - os.path.getmtime(db_file) < update_interval: > + bb.debug(2,"Kernel CVE database, recently updated, skipping") > + return > + > + except OSError: > + pass > + > + bb.utils.mkdirhier(os.path.dirname(db_file)) > + # Configure cmd > + if not os.path.exists(db_file): > + cmd = f"git clone {repo_url} {db_file}" > + else: > + cmd = f"git -C {db_file} pull" > + try: > + bb.fetch2.runfetchcmd(cmd, d) > + except bb.fetch2.FetchError as e: > + bb.warn(f"Kernel vulns repo url not accessible. 
{repo_url}") > + bb.warn("Set VULNS_URL in local.conf to point to a local copy or > mirror") > +} > + > +do_clean() { > + rm -rf ${CVE_CHECK_KERNEL_DB_DIR} > +} > + > +deltask do_patch > +deltask do_unpack > +deltask do_configure > +deltask do_compile > +deltask do_install > +deltask do_populate_sysroot > +deltask do_runtime_spdx > +deltask do_create_spdx > +deltask do_populate_lic > +deltask do_cve_check > + > +do_fetch[nostamp] = "1" > +do_fetch[file-checksums] = "" > +do_fetch[vardeps] = "" > + > +EXCLUDE_FROM_WORLD = "1" > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#215667): > https://lists.openembedded.org/g/openembedded-core/message/215667 > Mute This Topic: https://lists.openembedded.org/mt/112521333/5827677 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > rybczynska@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
Hi, On the original patch I had it as normal SRC_URI, but I changed to the variable not to interfere with the fetcher. Now I tested and I see that SRC_URI just works fine. I'll send a new patch with the change. After the comment from Peter, I decided to skip the git fetcher since we need to use the latest version and AUTOREV is not working with offline builds. The variable needs to be overridden in case we need to use a mirror. Or is it a way to use existing premirrors without the fetcher? Thanks Daniel -----Original Message----- From: Richard Purdie <richard.purdie@linuxfoundation.org> Sent: Tuesday, 29 April 2025 16:43 To: Daniel Turull <daniel.turull@ericsson.com>; openembedded-core@lists.openembedded.org Cc: Peter.Marko@siemens.com Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info On Tue, 2025-04-29 at 16:38 +0200, Daniel Turull via lists.openembedded.org wrote: > From: Daniel Turull <daniel.turull@ericsson.com> > > Add CVE data source for kernel.org. > > It includes more information than the one provided by NVD. > Use similar mechanism and same variables as cve-check to define when > to update. > > To use without internet access, change variable VULNS_URL to a local > copy or mirror. > > CC: Peter Marko <peter.marko@siemens.com> > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/conf/distro/include/maintainers.inc | 1 + > meta/recipes-core/meta/linux-vulns_git.bb | 76 > +++++++++++++++++++++++ > 2 files changed, 77 insertions(+) > create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb If this is a real git repo, why can't we use a standard SRC_URI ? That would avoid having to invent new mirror variables and so on? Cheers, Richard
Hi Marta, The CVE database from NVD doesn’t have all the metadata, specially the files affected. I’ll test it with https://github.com/CVEProject/cvelistV5, since the data from the kernel should be the same. But the repository is much bigger. No, I haven’t tested with world builds. I’ll give it a try. Probably the file that I’m generating with should be specific for a config, so we don’t override it. Best regards, Daniel From: Marta Rybczynska <rybczynska@gmail.com> Sent: Tuesday, 29 April 2025 16:48 To: Daniel Turull <daniel.turull@ericsson.com> Cc: openembedded-core@lists.openembedded.org; Peter.Marko@siemens.com Subject: Re: [OE-core] [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info Thank you for providing this work Daniel. Are you able to obtain the same result with the raw CVE database? This patchset works for the Linux kernel only. Also, have you tested if it works with the world build for multiple kernel images (i.e. different configs) from the same source tree? I would be rather going for a post-processing with a given config after generating the json files instead of modifying the processing. My 0.02. Kind regards, Marta On Tue, Apr 29, 2025 at 4:39 PM Daniel Turull via lists.openembedded.org<http://lists.openembedded.org/> <daniel.turull=ericsson.com@lists.openembedded.org<mailto:ericsson.com@lists.openembedded.org>> wrote: From: Daniel Turull <daniel.turull@ericsson.com<mailto:daniel.turull@ericsson.com>> Add CVE data source for kernel.org<http://kernel.org/>. It includes more information than the one provided by NVD. Use similar mechanism and same variables as cve-check to define when to update. To use without internet access, change variable VULNS_URL to a local copy or mirror. CC: Peter Marko <peter.marko@siemens.com<mailto:peter.marko@siemens.com>> 
Signed-off-by: Daniel Turull <daniel.turull@ericsson.com<mailto:daniel.turull@ericsson.com>> --- meta/conf/distro/include/maintainers.inc | 1 + meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> | 76 +++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 8065287c17..ec427fe6a4 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>" RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>" RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br<mailto:otavio.salvador@ossystems.com.br>>" RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>" +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org<mailto:unassigned@yoctoproject.org>>" RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>" RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>" RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com<mailto:bruce.ashfield@gmail.com>>" diff --git a/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> b/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> new file mode 100644 index 0000000000..fc48558eb8 --- /dev/null +++ b/meta/recipes-core/meta/linux-vulns_git.bb<http://linux-vulns_git.bb/> 
@@ -0,0 +1,76 @@ +SUMMARY = "CVE information from kernel.org<http://kernel.org/>" +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \ +and assigned to the Linux kernel project." +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" +LICENSE = "GPL-2.0-only & cve-tou" +SECTION = "base" + +INHIBIT_DEFAULT_DEPS = "1" + +inherit native +inherit nopackages + +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns" +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns" + +# Use same intervals as cve-update-db-native. By default: once a day (24*60*60). +# Use 0 to force the update +# Use a negative value to skip the update + +CVE_DB_UPDATE_INTERVAL ??= "86400" + +python do_fetch(){ + import os + import bb.utils + + bb.utils.export_proxies(d) + db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR") + repo_url = d.getVar("VULNS_URL") + + try: + import time + update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) + + if update_interval < 0: + bb.note("Kernel CVE database update skipped") + return + if time.time() - os.path.getmtime(db_file) < update_interval: + bb.debug(2,"Kernel CVE database, recently updated, skipping") + return + + except OSError: + pass + + bb.utils.mkdirhier(os.path.dirname(db_file)) + # Configure cmd + if not os.path.exists(db_file): + cmd = f"git clone {repo_url} {db_file}" + else: + cmd = f"git -C {db_file} pull" + try: + bb.fetch2.runfetchcmd(cmd, d) + except bb.fetch2.FetchError as e: + bb.warn(f"Kernel vulns repo url not accessible. 
{repo_url}") + bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror") +} + +do_clean() { + rm -rf ${CVE_CHECK_KERNEL_DB_DIR} +} + +deltask do_patch +deltask do_unpack +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot +deltask do_runtime_spdx +deltask do_create_spdx +deltask do_populate_lic +deltask do_cve_check + +do_fetch[nostamp] = "1" +do_fetch[file-checksums] = "" +do_fetch[vardeps] = "" + +EXCLUDE_FROM_WORLD = "1" -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#215667): https://lists.openembedded.org/g/openembedded-core/message/215667 Mute This Topic: https://lists.openembedded.org/mt/112521333/5827677 Group Owner: openembedded-core+owner@lists.openembedded.org<mailto:openembedded-core%2Bowner@lists.openembedded.org> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [rybczynska@gmail.com<mailto:rybczynska@gmail.com>] -=-=-=-=-=-=-=-=-=-=-=-
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc
index 8065287c17..ec427fe6a4 100644
--- a/meta/conf/distro/include/maintainers.inc
+++ b/meta/conf/distro/include/maintainers.inc
@@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br>"
 RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com>"
+RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org>"
 RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com>"
 RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com>"
diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb
new file mode 100644
index 0000000000..fc48558eb8
--- /dev/null
+++ b/meta/recipes-core/meta/linux-vulns_git.bb
@@ -0,0 +1,76 @@
+SUMMARY = "CVE information from kernel.org"
+DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \
+and assigned to the Linux kernel project."
+HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/"
+LICENSE = "GPL-2.0-only & cve-tou"
+SECTION = "base"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+inherit nopackages
+
+VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns"
+CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns"
+
+# Use same intervals as cve-update-db-native. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+
+CVE_DB_UPDATE_INTERVAL ??= "86400"
+
+python do_fetch(){
+    import os
+    import bb.utils
+
+    bb.utils.export_proxies(d)
+    db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR")
+    repo_url = d.getVar("VULNS_URL")
+
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+
+        if update_interval < 0:
+            bb.note("Kernel CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2,"Kernel CVE database, recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(os.path.dirname(db_file))
+    # Configure cmd
+    if not os.path.exists(db_file):
+        cmd = f"git clone {repo_url} {db_file}"
+    else:
+        cmd = f"git -C {db_file} pull"
+    try:
+        bb.fetch2.runfetchcmd(cmd, d)
+    except bb.fetch2.FetchError as e:
+        bb.warn(f"Kernel vulns repo url not accessible. {repo_url}")
+        bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror")
+}
+
+do_clean() {
+    rm -rf ${CVE_CHECK_KERNEL_DB_DIR}
+}
+
+deltask do_patch
+deltask do_unpack
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+deltask do_runtime_spdx
+deltask do_create_spdx
+deltask do_populate_lic
+deltask do_cve_check
+
+do_fetch[nostamp] = "1"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+EXCLUDE_FROM_WORLD = "1"
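Review bot: Once a clone exists, `cmd = f"git -C {db_file} pull"` in do_fetch updates from whatever remote was recorded at clone time, so later pointing VULNS_URL at a local copy or mirror — the offline workaround the warning two lines below recommends — is silently ignored until CVE_CHECK_KERNEL_DB_DIR is deleted; the same hunk is quoted in the replies above. Passing the URL explicitly, `cmd = f"git -C {db_file} pull {repo_url}"`, keeps every update tied to the configured source. Both commands are built by string interpolation and runfetchcmd hands them to a shell, so a path or URL containing spaces or shell metacharacters should be wrapped with `shlex.quote` even though both variables come from local.conf. The `e` bound in `except bb.fetch2.FetchError as e:` is never used, and because a failure is only warned about the task still succeeds with a stale or absent database, which the recipe comments should say explicitly since the CVE check then runs against incomplete data. `bb.fetch2` is used without an explicit `import bb.fetch2`, which presumably works only because BitBake has already loaded it in the task context — worth confirming or importing alongside `bb.utils`.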