
bolt: disable CVE checking for this recipe

Message ID 20230929170731.749414-1-jeffrey.pautler@ni.com
State Under Review

Commit Message

Jeffrey Pautler Sept. 29, 2023, 5:07 p.m. UTC
This bolt product does not currently have an entry in the CVE database.
However, the default cve-check logic that maps recipes to products in
the CVE database is incorrectly matching this package to a different
bolt product made by bolt-cms. As a result, CVE checking incorrectly
reports CVEs for that product for this package.

Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
---
 meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
 1 file changed, 2 insertions(+)

Comments

Mikko Rapeli Oct. 2, 2023, 9:22 a.m. UTC | #1
Hi,

On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
> This bolt product does not currently have an entry in the CVE database.
> However, the default cve-check logic that maps recipes to products in
> the CVE database is incorrectly matching this package to a different
> bolt product made by bolt-cms. As a result, CVE checking incorrectly
> reports CVEs for that product for this package.
> 
> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
> ---
>  meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> index b6ad6337c..583cc6378 100644
> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
>  
>  S = "${WORKDIR}/git"
>  
> +CVE_CHECK_SKIP_RECIPE = "${PN}"

I think this is wrong and dangerous for anyone who in the future tries to use
cve checker for this recipe. Instead, set the CVE product with vendor correctly
so that other products/vendors don't mix the results? Hopefully any new CVEs
in the future will set the same vendor and product.

Cheers,

-Mikko

>  inherit cmake pkgconfig meson features_check
>  
>  FILES:${PN} += "${datadir}/dbus-1/* \
> -- 
> 2.34.1
> 

Alex Stewart Oct. 2, 2023, 3:53 p.m. UTC | #2
On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote:
> Hi,
>
> On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
>> This bolt product does not currently have an entry in the CVE database.
>> However, the default cve-check logic that maps recipes to products in
>> the CVE database is incorrectly matching this package to a different
>> bolt product made by bolt-cms. As a result, CVE checking incorrectly
>> reports CVEs for that product for this package.
>>
>> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
>> ---
>>   meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
>> index b6ad6337c..583cc6378 100644
>> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
>> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
>> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
>>   
>>   S = "${WORKDIR}/git"
>>   
>> +CVE_CHECK_SKIP_RECIPE = "${PN}"
> I think this is wrong and dangerous for anyone who in the future tries to use
> cve checker for this recipe. Instead, set the CVE product with vendor correctly
> so that other products/vendors don't mix the results? Hopefully any new CVEs
> in the future will set the same vendor and product.

Are you suggesting that he set the string to something like...
`cpe:*:a:freedesktop:bolt:*`

on the hopes that, if the Free Desktop folks open a CPE in the future, 
that it will match?

>
> Cheers,
>
> -Mikko
>
>>   inherit cmake pkgconfig meson features_check
>>   
>>   FILES:${PN} += "${datadir}/dbus-1/* \
>> -- 
>> 2.34.1
Khem Raj Oct. 2, 2023, 4:06 p.m. UTC | #3
If we want to use a not yet defined value then it would be good to inform
upstream about the issue and also add a comment next to the definition so
we can correct it in future.

On Mon, Oct 2, 2023 at 8:53 AM Alex Stewart <alex.stewart@ni.com> wrote:

>
>
> On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote:
> > Hi,
> >
> > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
> >> This bolt product does not currently have an entry in the CVE database.
> >> However, the default cve-check logic that maps recipes to products in
> >> the CVE database is incorrectly matching this package to a different
> >> bolt product made by bolt-cms. As a result, CVE checking incorrectly
> >> reports CVEs for that product for this package.
> >>
> >> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
> >> ---
> >>   meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
> >>   1 file changed, 2 insertions(+)
> >>
> >> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> index b6ad6337c..583cc6378 100644
> >> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
> >>
> >>   S = "${WORKDIR}/git"
> >>
> >> +CVE_CHECK_SKIP_RECIPE = "${PN}"
> > I think this is wrong and dangerous for anyone who in the future tries to use
> > cve checker for this recipe. Instead, set the CVE product with vendor correctly
> > so that other products/vendors don't mix the results? Hopefully any new CVEs
> > in the future will set the same vendor and product.
>
> Are you suggesting that he set the string to something like...
> `cpe:*:a:freedesktop:bolt:*`
>
> on the hopes that, if the Free Desktop folks open a CPE in the future,
> that it will match?
>
> >
> > Cheers,
> >
> > -Mikko
> >
> >>   inherit cmake pkgconfig meson features_check
> >>
> >>   FILES:${PN} += "${datadir}/dbus-1/* \
> >> --
> >> 2.34.1
> --
> Alex Stewart
> Software Engineer - NI Real-Time OS
> NI (National Instruments)
>
> alex.stewart@ni.com
>
Marta Rybczynska Oct. 2, 2023, 6:14 p.m. UTC | #4
On Mon, 2 Oct 2023, 17:53 Alex Stewart, <alex.stewart@ni.com> wrote:

>
>
> On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote:
> > Hi,
> >
> > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
> >> This bolt product does not currently have an entry in the CVE database.
> >> However, the default cve-check logic that maps recipes to products in
> >> the CVE database is incorrectly matching this package to a different
> >> bolt product made by bolt-cms. As a result, CVE checking incorrectly
> >> reports CVEs for that product for this package.
> >>
> >> Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
> >> ---
> >>   meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
> >>   1 file changed, 2 insertions(+)
> >>
> >> diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> index b6ad6337c..583cc6378 100644
> >> --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> >> @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
> >>
> >>   S = "${WORKDIR}/git"
> >>
> >> +CVE_CHECK_SKIP_RECIPE = "${PN}"
> > I think this is wrong and dangerous for anyone who in the future tries to use
> > cve checker for this recipe. Instead, set the CVE product with vendor correctly
> > so that other products/vendors don't mix the results? Hopefully any new CVEs
> > in the future will set the same vendor and product.
>
> Are you suggesting that he set the string to something like...
> `cpe:*:a:freedesktop:bolt:*`
>
> on the hopes that, if the Free Desktop folks open a CPE in the future,
> that it will match?
>

Or you can ignore CVEs that are badly assigned to this project. That works
if there is a manageable number.

Kind regards,
Marta

Mikko Rapeli Oct. 3, 2023, 4:54 a.m. UTC | #5
Hi,

On Mon, Oct 02, 2023 at 11:53:42AM -0400, Alex Stewart wrote:
> On 10/2/23 05:22, Mikko Rapeli via lists.openembedded.org wrote:
> > Hi,
> > 
> > On Fri, Sep 29, 2023 at 12:07:31PM -0500, Jeffrey Pautler wrote:
> > > This bolt product does not currently have an entry in the CVE database.
> > > However, the default cve-check logic that maps recipes to products in
> > > the CVE database is incorrectly matching this package to a different
> > > bolt product made by bolt-cms. As a result, CVE checking incorrectly
> > > reports CVEs for that product for this package.
> > > 
> > > Signed-off-by: Jeffrey Pautler <jeffrey.pautler@ni.com>
> > > ---
> > >   meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb | 2 ++
> > >   1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> > > index b6ad6337c..583cc6378 100644
> > > --- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> > > +++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
> > > @@ -12,6 +12,8 @@ SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
> > >   S = "${WORKDIR}/git"
> > > +CVE_CHECK_SKIP_RECIPE = "${PN}"
> > I think this is wrong and dangerous for anyone who in the future tries to use
> > cve checker for this recipe. Instead, set the CVE product with vendor correctly
> > so that other products/vendors don't mix the results? Hopefully any new CVEs
> > in the future will set the same vendor and product.
> 
> Are you suggesting that he set the string to something like...
> `cpe:*:a:freedesktop:bolt:*`
> 
> on the hopes that, if the Free Desktop folks open a CPE in the future, that
> it will match?

Yes, if other Freedesktop projects have used these before.

Cheers,

-Mikko
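The three options raised in this thread (skip the recipe, scope the product to a vendor as Mikko suggests, or ignore individual mis-assigned IDs as Marta suggests) behave differently once a real CVE is filed. The following Python is an added illustration, not code from the patch or from cve-check itself: it models the matching against a constructed in-memory table in the shape of cve-check's PRODUCTS table (the column names, the bare-product-means-any-vendor rule and the omission of version ranges are assumptions about cve-check's behaviour; the CVE IDs are placeholders).

```python
import sqlite3

# Constructed sample rows in the shape of cve-check's PRODUCTS table
# (ID, VENDOR, PRODUCT); the IDs are placeholders, not real CVEs.
SAMPLE_PRODUCTS = [
    ("CVE-0000-0001", "bolt-cms", "bolt"),   # the CMS that shares the name
    ("CVE-0000-0002", "bolt-cms", "bolt"),
    ("CVE-0000-0003", "example", "boltd"),   # different product name, never matched
]


def build_db(rows=SAMPLE_PRODUCTS):
    """In-memory stand-in for the NVD-derived sqlite database cve-check queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT)")
    db.executemany("INSERT INTO PRODUCTS VALUES (?, ?, ?)", rows)
    return db


def candidate_cves(db, cve_product):
    """CVE IDs matched by a CVE_PRODUCT value: space-separated entries, each
    'product' or 'vendor:product'.  A bare product means any vendor, modelled
    here with an SQL LIKE wildcard; version ranges are deliberately left out."""
    found = set()
    for entry in cve_product.split():
        vendor, _, product = entry.rpartition(":")
        rows = db.execute(
            "SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT = ? AND VENDOR LIKE ?",
            (product, vendor or "%"),
        )
        found.update(row[0] for row in rows)
    return sorted(found)


def report(db, cve_product, skip_recipe=False, ignore=()):
    """Outcome under the three options discussed in the thread: skipping the
    recipe, scoping the product to a vendor, or ignoring individual IDs."""
    if skip_recipe:  # CVE_CHECK_SKIP_RECIPE: nothing is checked, now or later
        return []
    return [cve for cve in candidate_cves(db, cve_product) if cve not in set(ignore)]


if __name__ == "__main__":
    db = build_db()
    print("CVE_PRODUCT = bolt             ->", report(db, "bolt"))
    print("CVE_PRODUCT = freedesktop:bolt ->", report(db, "freedesktop:bolt"))
    print("CVE_CHECK_SKIP_RECIPE          ->", report(db, "bolt", skip_recipe=True))
    print("CVE_CHECK_IGNORE one ID        ->", report(db, "bolt", ignore=["CVE-0000-0001"]))
```

With the bare product name every bolt-cms entry is reported; the vendor-scoped form reports nothing until an entry for that vendor appears, whereas the skip variable returns nothing regardless of what is added later.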

Patch

diff --git a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
index b6ad6337c..583cc6378 100644
--- a/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
+++ b/meta-oe/recipes-bsp/bolt/bolt_0.9.5.bb
@@ -12,6 +12,8 @@  SRCREV = "5a8a5866a847561566499847d46a97c612b4e6dd"
 
 S = "${WORKDIR}/git"
 
+CVE_CHECK_SKIP_RECIPE = "${PN}"
+
 inherit cmake pkgconfig meson features_check
 
 FILES:${PN} += "${datadir}/dbus-1/* \
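Review bot: CVE_CHECK_SKIP_RECIPE = "${PN}" turns CVE checking off for this recipe altogether, so if an NVD entry for freedesktop's bolt is created later its CVEs will be dropped silently as well; since the commit message says the only problem is the false match against bolt-cms's product, setting CVE_PRODUCT with the vendor (the thread suggests the freedesktop vendor) or listing the mismatched IDs in CVE_CHECK_IGNORE keeps the checker useful for this recipe. Whichever value is kept, the new line should carry a comment next to it stating why it is there so it can be revisited, as Khem asks.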