Message ID | 20250701180410.33055-1-JPEWhacker@gmail.com |
---|---|
State | New |
Series | spdx30: Allow VEX Justification to be configurable | expand |
Joshua Watt via lists.openembedded.org <JPEWhacker= gmail.com@lists.openembedded.org> escreveu (terça, 1/07/2025 à(s) 19:04): > Instead of hard coding the VEX justifications for "Ignored" CVE status, > add a map that configures what justification should be used for each > status. > > This allows other justifications to be easily added, and also ensures > that status fields added externally (by downstream) can set an > appropriate justification if necessary. > > Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> > --- > meta/conf/cve-check-map.conf | 4 ++++ > meta/lib/oe/spdx30_tasks.py | 33 ++++++++++++++++----------------- > 2 files changed, 20 insertions(+), 17 deletions(-) > > diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf > index ac956379d19..0563bcaf94b 100644 > --- a/meta/conf/cve-check-map.conf > +++ b/meta/conf/cve-check-map.conf > @@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" > CVE_CHECK_STATUSMAP[disputed] = "Ignored" > # use when vulnerability depends on build or runtime configuration which > is not used > CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" > +CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = > "vulnerableCodeNotPresent" > + > # use when vulnerability affects other platform (e.g. Windows or Debian) > CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" > +CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = > "vulnerableCodeNotPresent" > Looks like this one should be not-applicable-platform instead of not-applicable-config. Jose > + > # use when upstream acknowledged the vulnerability but does not plan to > fix it > CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" > > diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py > index 5d9f3168d97..c352dab1520 100644 > --- a/meta/lib/oe/spdx30_tasks.py > +++ b/meta/lib/oe/spdx30_tasks.py 
> @@ -724,24 +724,23 @@ def create_spdx(d): > impact_statement=description, > ) > > - if detail in ( > - "ignored", > - "cpe-incorrect", > - "disputed", > - "upstream-wontfix", > - ): > - # VEX doesn't have justifications for this > - pass > - elif detail in ( > - "not-applicable-config", > - "not-applicable-platform", > - ): > - for v in spdx_vex: > - v.security_justificationType = ( > - > oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent > + vex_just_type = d.getVarFlag( > + "CVE_CHECK_VEX_JUSTIFICATION", detail > + ) > + if vex_just_type: > + if ( > + vex_just_type > + not in > oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS > + ): > + bb.fatal( > + f"Unknown vex justification > '{vex_just_type}', detail '{detail}', for ignored {cve}" > ) > - else: > - bb.fatal(f"Unknown detail '{detail}' for > ignored {cve}") > + > + for v in spdx_vex: > + v.security_justificationType = > oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[ > + vex_just_type > + ] > + > elif status == "Unknown": > bb.note(f"Skipping {cve} with status 'Unknown'") > else: > -- > 2.49.0 > > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#219713): > https://lists.openembedded.org/g/openembedded-core/message/219713 > Mute This Topic: https://lists.openembedded.org/mt/113933828/5052612 > Group Owner: openembedded-core+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [ > quaresma.jose@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf
index ac956379d19..0563bcaf94b 100644
--- a/meta/conf/cve-check-map.conf
+++ b/meta/conf/cve-check-map.conf
@@ -28,8 +28,12 @@ CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored"
 CVE_CHECK_STATUSMAP[disputed] = "Ignored"
 # use when vulnerability depends on build or runtime configuration which is not used
 CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
+
 # use when vulnerability affects other platform (e.g. Windows or Debian)
 CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
+CVE_CHECK_VEX_JUSTIFICATION[not-applicable-config] = "vulnerableCodeNotPresent"
+
 # use when upstream acknowledged the vulnerability but does not plan to fix it
 CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored"
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
index 5d9f3168d97..c352dab1520 100644
--- a/meta/lib/oe/spdx30_tasks.py
+++ b/meta/lib/oe/spdx30_tasks.py
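Review bot: The new CVE_CHECK_VEX_JUSTIFICATION flags are added without any comment saying what they are for or which values are accepted, while every neighbouring CVE_CHECK_STATUSMAP entry carries a one-line explanation. From the spdx30_tasks.py hunk, the flag name must be the status detail and the value must be a name in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS, otherwise the build stops with bb.fatal, which is exactly what a downstream adding its own status needs to know. A header above the first entry would cover it: `# Per-detail VEX justification emitted in the SPDX 3.0 output; the value must be a name in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS`.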
@@ -724,24 +724,23 @@ def create_spdx(d):
 impact_statement=description,
 )
 
- if detail in (
- "ignored",
- "cpe-incorrect",
- "disputed",
- "upstream-wontfix",
- ):
- # VEX doesn't have justifications for this
- pass
- elif detail in (
- "not-applicable-config",
- "not-applicable-platform",
- ):
- for v in spdx_vex:
- v.security_justificationType = (
- oe.spdx30.security_VexJustificationType.vulnerableCodeNotPresent
+ vex_just_type = d.getVarFlag(
+ "CVE_CHECK_VEX_JUSTIFICATION", detail
+ )
+ if vex_just_type:
+ if (
+ vex_just_type
+ not in oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS
+ ):
+ bb.fatal(
+ f"Unknown vex justification '{vex_just_type}', detail '{detail}', for ignored {cve}"
 )
- else:
- bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")
+
+ for v in spdx_vex:
+ v.security_justificationType = oe.spdx30.security_VexJustificationType.NAMED_INDIVIDUALS[
+ vex_just_type
+ ]
+
 elif status == "Unknown":
 bb.note(f"Skipping {cve} with status 'Unknown'")
 else:
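Review bot: Removing the `else: bb.fatal(f"Unknown detail '{detail}' for ignored {cve}")` branch means an "Ignored" CVE whose detail has no CVE_CHECK_VEX_JUSTIFICATION flag now passes through with no justification and no message, so a misspelled detail in CVE_STATUS is no longer caught here (unless it is validated where CVE_CHECK_STATUSMAP is applied, which is outside this hunk). That is presumably intended for statuses that genuinely have no VEX justification, but the silence also hides a missing or empty flag, since `if vex_just_type:` treats both the same. A low-cost diagnostic after the `if vex_just_type:` block would keep such gaps visible without changing behaviour: `else: bb.debug(1, f"No VEX justification configured for detail '{detail}' of ignored {cve}")`. The removed `# VEX doesn't have justifications for this` comment should also come back in some form above the lookup, e.g. `# An unset flag means the status carries no VEX justification`. The enclosing create_spdx() begins and ends outside this hunk.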
Instead of hard coding the VEX justifications for "Ignored" CVE status, add a map that configures what justification should be used for each status. This allows other justifications to be easily added, and also ensures that status fields added externally (by downstream) can set an appropriate justification if necessary. Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> --- meta/conf/cve-check-map.conf | 4 ++++ meta/lib/oe/spdx30_tasks.py | 33 ++++++++++++++++----------------- 2 files changed, 20 insertions(+), 17 deletions(-)