From patchwork Wed Jul 24 15:25:26 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 46798 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98B48C3DA63 for ; Wed, 24 Jul 2024 15:25:50 +0000 (UTC) Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by mx.groups.io with SMTP id smtpd.web11.13307.1721834744631238739 for ; Wed, 24 Jul 2024 08:25:45 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Qln1VDE/; spf=pass (domain: gmail.com, ip: 209.85.221.46, mailfrom: rybczynska@gmail.com) Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-369c609d0c7so4014317f8f.3 for ; Wed, 24 Jul 2024 08:25:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721834742; x=1722439542; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=4EI3tIgzzhdu4nMmqxv6X+83jPYyNrOMuW9JMrVg/Ac=; b=Qln1VDE/mVwQWep7PunrudC+sdi0ZxeiwMjMEStooXkQg3xxyQj1q95usM8gzrLCZs 0OfCMjdTb/Xfnt3GOQzbOVbh/yBgerQmrQp/FziNYMrXY8Eb2sW2Zealj+d8ar2MIa7n y8yC9VdcgHv9NXj2GShEvfzf15Gr8HV/3h8s8KOAjsIU1h10gmSldUmWBpUNlWVFBeuI WMCTmyAft8x87mykKjFV564M7RXojOJuu40nYME2jxDi0lAu51L/o9FaHIPi3UFYbtBL pa/+rF1HmC12mPAOa/I1zFja/MZqp5QPAuoMg3K+3o7nw37qlH1zgHIH/d9w1Y1MAiWR 58Eg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721834742; x=1722439542; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=4EI3tIgzzhdu4nMmqxv6X+83jPYyNrOMuW9JMrVg/Ac=; b=R/y8DQF3qvo9pnuYHDpBiS6AHm5/cT3AEv2QxgXPy/b9Q+TiK9Pn4z+lKc5/rPE0ZV aUjhSWog3ybFF4e+r2AMOsLDIf1+sMWcw4hXG6S3SoZg9/mNmYFyIXf/07tg7M66ePOk LbVU9YPlXQ7syywj+2YMbzC4UCz5qqxLuD6tjFH7Yc/cojc9pk7d9Yktz4D5pJ0Wi8U4 eEQfEiRqKDJkDUpzO9qz64j0HcdXk5ByIhxdQobBPLpxMcBoK6A6JfpmSNvG2QWGQ8+4 t7xrAXf5XN/84arA/yCU5xE0ja7rU/oWyz6KZWTugBrV2qu0ZO11jonUL8axwCFUOMNz fAPA== X-Gm-Message-State: AOJu0Yy9YJFcEVM93zIkaL+rN1T+DVWoI8kGQDSZF4eCkP6KZ4pYHvbO ZJRTB0PuZ1bY0TT9k99n/PHrqzAqJUAgAa25qYUXSDOjvKa3CFXZ9czzUQ== X-Google-Smtp-Source: AGHT+IGggwp957iCdw7VQDzG/q514gN5dUZzo2Yi1XDqd+G0mgxkb7nWK/hI7THUp9XinBTDs8BiUQ== X-Received: by 2002:a05:6000:b81:b0:368:6f64:307c with SMTP id ffacd0b85a97d-36b319f6dccmr13351f8f.15.1721834741661; Wed, 24 Jul 2024 08:25:41 -0700 (PDT) Received: from localhost.localdomain ([80.215.234.192]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-427f93e667bsm33636125e9.29.2024.07.24.08.25.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jul 2024 08:25:40 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska , Samantha Jalabert Subject: [OE-core][PATCH v3 1/5] cve-check: annotate CVEs during analysis Date: Wed, 24 Jul 2024 17:25:26 +0200 Message-ID: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Jul 2024 15:25:50 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/202448 Add status information for each CVE under analysis. Previously the information passed between different function of the cve-check class included only tables of patched, unpatched, ignored vulnerabilities and the general status of the recipe. The VEX work requires more information, and we need to pass them between different functions, so that it can be enriched as the analysis progresses. Instead of multiple tables, use a single one with annotations for each CVE encountered. For example, a patched CVE will have: {"abbrev-status": "Patched", "status": "version-not-in-range"} abbrev-status contains the general status (Patched, Unpatched, Ignored and Unknown that will be added in the VEX code) status contains more detailed information that can come from CVE_STATUS and the analysis. Additional fields of the annotation include for example the name of the patch file fixing a given CVE. The side-effect of this change is that all entries from CVE_STATUS are available in the result file. That includes entries from the optional file cve-extra-exclusions.inc even if they might have no link with the recipe (apply to a different package). This will be fixed by moving all entries from that file to appropriate recipes. From now on, CVE_STATUS should be added directly in the recipe file or in include files added only to affected recipes. Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert --- meta/classes/cve-check.bbclass | 208 +++++++++++++++++---------------- meta/lib/oe/cve_check.py | 12 +- 2 files changed, 115 insertions(+), 105 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 93a2a1413d..504310514e 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -188,10 +188,10 @@ python do_cve_check () { patched_cves = get_patched_cves(d) except FileNotFoundError: bb.fatal("Failure in searching patches") - ignored, patched, unpatched, status = check_cves(d, patched_cves) - if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): - cve_data = get_cve_info(d, patched + unpatched + ignored) - cve_write_data(d, patched, unpatched, ignored, cve_data, status) + cve_data, status = check_cves(d, patched_cves) + if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): + get_cve_info(d, cve_data) + cve_write_data(d, cve_data, status) else: bb.note("No CVE database found, skipping CVE check") @@ -294,7 +294,51 @@ ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest ' if d do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" -def check_cves(d, patched_cves): +def cve_is_ignored(d, cve_data, cve): + if cve not in cve_data: + return False + if cve_data[cve]['abbrev-status'] == "Ignored": + return True + return False + +def cve_is_patched(d, cve_data, cve): + if cve not in cve_data: + return False + if cve_data[cve]['abbrev-status'] == "Patched": + return True + return False + +def cve_update(d, cve_data, cve, entry): + # If no entry, just add it + if cve not in cve_data: + cve_data[cve] = entry + return + # If we are updating, there might be change in the status + bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) + if cve_data[cve]['abbrev-status'] == "Unknown": + cve_data[cve] = entry + return + if cve_data[cve]['abbrev-status'] == entry['abbrev-status']: + return + # Update like in {'abbrev-status': 'Patched', 'status': 'version-not-in-range'} to {'abbrev-status': 'Unpatched', 'status': 'version-in-range'} + if entry['abbrev-status'] == "Unpatched" and cve_data[cve]['abbrev-status'] == "Patched": + if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range": + # New result from the scan, vulnerable + cve_data[cve] = entry + bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve) + return + if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": + if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": + # Range does not match the scan, but we already have a vulnerable match, ignore + bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) + return + # If we have an "Ignored", it has a priority + if cve_data[cve]['abbrev-status'] == "Ignored": + bb.debug("CVE %s not updating because Ignored" % cve) + return + bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry)) + +def check_cves(d, cve_data): """ Connect to the NVD database and find unpatched cves. """ @@ -304,28 +348,19 @@ def check_cves(d, patched_cves): real_pv = d.getVar("PV") suffix = d.getVar("CVE_VERSION_SUFFIX") - cves_unpatched = [] - cves_ignored = [] cves_status = [] cves_in_recipe = False # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) products = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) if not products: - return ([], [], [], []) + return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] # If the recipe has been skipped/ignored we return empty lists if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split(): bb.note("Recipe has been skipped by cve-check") - return ([], [], [], []) - - # Convert CVE_STATUS into ignored CVEs and check validity - cve_ignore = [] - for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status, _, _ = decode_cve_status(d, cve) - if decoded_status == "Ignored": - cve_ignore.append(cve) + return ([], []) import sqlite3 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") @@ -344,11 +379,10 @@ def check_cves(d, patched_cves): for cverow in cve_cursor: cve = cverow[0] - if cve in cve_ignore: + if cve_is_ignored(d, cve_data, cve): bb.note("%s-%s ignores %s" % (product, pv, cve)) - cves_ignored.append(cve) continue - elif cve in patched_cves: + elif cve_is_patched(d, cve_data, cve): bb.note("%s has been patched" % (cve)) continue # Write status once only for each product @@ -364,7 +398,7 @@ def check_cves(d, patched_cves): for row in product_cursor: (_, _, _, version_start, operator_start, version_end, operator_end) = row #bb.debug(2, "Evaluating row " + str(row)) - if cve in cve_ignore: + if cve_is_ignored(d, cve_data, cve): ignored = True version_start = convert_cve_version(version_start) @@ -403,16 +437,16 @@ def check_cves(d, patched_cves): if vulnerable: if ignored: bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv)) - cves_ignored.append(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Ignored"}) else: bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) - cves_unpatched.append(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Unpatched", "status": "version-in-range"}) break product_cursor.close() if not vulnerable: bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) - patched_cves.add(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"}) cve_cursor.close() if not cves_in_product: @@ -420,48 +454,45 @@ def check_cves(d, patched_cves): cves_status.append([product, False]) conn.close() - diff_ignore = list(set(cve_ignore) - set(cves_ignored)) - if diff_ignore: - oe.qa.handle_error("cve_status_not_in_db", "Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % " ".join(diff_ignore), d) if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) - return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status) + return (cve_data, cves_status) -def get_cve_info(d, cves): +def get_cve_info(d, cve_data): """ Get CVE information from the database. """ import sqlite3 - cve_data = {} db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") conn = sqlite3.connect(db_file, uri=True) - for cve in cves: + for cve in cve_data: cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)) for row in cursor: - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["scorev2"] = row[2] - cve_data[row[0]]["scorev3"] = row[3] - cve_data[row[0]]["modified"] = row[4] - cve_data[row[0]]["vector"] = row[5] - cve_data[row[0]]["vectorString"] = row[6] + # The CVE itdelf has been added already + if row[0] not in cve_data: + bb.note("CVE record %s not present" % row[0]) + continue + #cve_data[row[0]] = {} + cve_data[row[0]]["NVD-summary"] = row[1] + cve_data[row[0]]["NVD-scorev2"] = row[2] + cve_data[row[0]]["NVD-scorev3"] = row[3] + cve_data[row[0]]["NVD-modified"] = row[4] + cve_data[row[0]]["NVD-vector"] = row[5] + cve_data[row[0]]["NVD-vectorString"] = row[6] cursor.close() conn.close() - return cve_data -def cve_write_data_text(d, patched, unpatched, ignored, cve_data): +def cve_write_data_text(d, cve_data): """ Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and CVE manifest if enabled. """ - from oe.cve_check import decode_cve_status - cve_file = d.getVar("CVE_CHECK_LOG") fdir_name = d.getVar("FILE_DIRNAME") layer = fdir_name.split("/")[-3] @@ -478,7 +509,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): return # Early exit, the text format does not report packages without CVEs - if not patched+unpatched+ignored: + if not len(cve_data): return nvd_link = "https://nvd.nist.gov/vuln/detail/" @@ -487,36 +518,29 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): bb.utils.mkdirhier(os.path.dirname(cve_file)) for cve in sorted(cve_data): - is_patched = cve in patched - is_ignored = cve in ignored - - status = "Unpatched" - if (is_patched or is_ignored) and not report_all: + if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): continue - if is_ignored: - status = "Ignored" - elif is_patched: - status = "Patched" - else: - # default value of status is Unpatched - unpatched_cves.append(cve) - write_string += "LAYER: %s\n" % layer write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve - write_string += "CVE STATUS: %s\n" % status - _, detail, description = decode_cve_status(d, cve) - if detail: - write_string += "CVE DETAIL: %s\n" % detail - if description: - write_string += "CVE DESCRIPTION: %s\n" % description - write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] - write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] - write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] - write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] + write_string += "CVE STATUS: %s\n" % cve_data[cve]["abbrev-status"] + + if 'status' in cve_data[cve]: + write_string += "CVE DETAIL: %s\n" % cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + write_string += "CVE DESCRIPTION: %s\n" % cve_data[cve]["justification"] + + if "NVD-summary" in cve_data[cve]: + write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["NVD-summary"] + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev2"] + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev3"] + write_string += "VECTOR: %s\n" % cve_data[cve]["NVD-vector"] + write_string += "VECTORSTRING: %s\n" % cve_data[cve]["NVD-vectorString"] + write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) + if cve_data[cve]["abbrev-status"] == "Unpatched": + unpatched_cves.append(cve) if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) @@ -568,13 +592,11 @@ def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_fi with open(index_path, "a+") as f: f.write("%s\n" % fragment_path) -def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): +def cve_write_data_json(d, cve_data, cve_status): """ Prepare CVE data for the JSON format, then write it. """ - from oe.cve_check import decode_cve_status - output = {"version":"1", "package": []} nvd_link = "https://nvd.nist.gov/vuln/detail/" @@ -592,8 +614,6 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): if include_layers and layer not in include_layers: return - unpatched_cves = [] - product_data = [] for s in cve_status: p = {"product": s[0], "cvesInRecord": "Yes"} @@ -608,39 +628,31 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): "version" : package_version, "products": product_data } + cve_list = [] for cve in sorted(cve_data): - is_patched = cve in patched - is_ignored = cve in ignored - status = "Unpatched" - if (is_patched or is_ignored) and not report_all: + if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): continue - if is_ignored: - status = "Ignored" - elif is_patched: - status = "Patched" - else: - # default value of status is Unpatched - unpatched_cves.append(cve) - issue_link = "%s%s" % (nvd_link, cve) cve_item = { "id" : cve, - "summary" : cve_data[cve]["summary"], - "scorev2" : cve_data[cve]["scorev2"], - "scorev3" : cve_data[cve]["scorev3"], - "vector" : cve_data[cve]["vector"], - "vectorString" : cve_data[cve]["vectorString"], - "status" : status, - "link": issue_link + "status" : cve_data[cve]["abbrev-status"], + "link": issue_link, } - _, detail, description = decode_cve_status(d, cve) - if detail: - cve_item["detail"] = detail - if description: - cve_item["description"] = description + if 'NVD-summary' in cve_data[cve]: + cve_item["summary"] = cve_data[cve]["NVD-summary"] + cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] + cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] + cve_item["vector"] = cve_data[cve]["NVD-vector"] + cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] + if 'status' in cve_data[cve]: + cve_item["detail"] = cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + cve_item["description"] = cve_data[cve]["justification"] + if 'resource' in cve_data[cve]: + cve_item["patch-file"] = cve_data[cve]["resource"] cve_list.append(cve_item) package_data["issue"] = cve_list @@ -652,12 +664,12 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file) -def cve_write_data(d, patched, unpatched, ignored, cve_data, status): +def cve_write_data(d, cve_data, status): """ Write CVE data in each enabled format. """ if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1": - cve_write_data_text(d, patched, unpatched, ignored, cve_data) + cve_write_data_text(d, cve_data) if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": - cve_write_data_json(d, patched, unpatched, ignored, cve_data, status) + cve_write_data_json(d, cve_data, status) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ed5c714cb8..6aba90183a 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -88,7 +88,7 @@ def get_patched_cves(d): # (cve_match regular expression) cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) - patched_cves = set() + patched_cves = {} patches = oe.patch.src_patches(d) bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) for url in patches: @@ -98,7 +98,7 @@ def get_patched_cves(d): fname_match = cve_file_name_match.search(patch_file) if fname_match: cve = fname_match.group(1).upper() - patched_cves.add(cve) + patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) # Remote patches won't be present and compressed patches won't be @@ -124,7 +124,7 @@ def get_patched_cves(d): cves = patch_text[match.start()+5:match.end()] for cve in cves.split(): bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) - patched_cves.add(cve) + patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} text_match = True if not fname_match and not text_match: @@ -132,10 +132,8 @@ def get_patched_cves(d): # Search for additional patched CVEs for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status, _, _ = decode_cve_status(d, cve) - if decoded_status == "Patched": - bb.debug(2, "CVE %s is additionally patched" % cve) - patched_cves.add(cve) + decoded_status, detail, description = decode_cve_status(d, cve) + patched_cves[cve] = {"abbrev-status": decoded_status, "status": detail, "justification": description} return patched_cves From patchwork Wed Jul 24 15:25:27 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 46800 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 79027C3DA7E for ; Wed, 24 Jul 2024 15:26:00 +0000 (UTC) Received: from mail-wm1-f48.google.com (mail-wm1-f48.google.com [209.85.128.48]) by mx.groups.io with SMTP id smtpd.web11.13309.1721834752561435719 for ; Wed, 24 Jul 2024 08:25:52 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jtWYMkTo; spf=pass (domain: gmail.com, ip: 209.85.128.48, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f48.google.com with SMTP id 5b1f17b1804b1-428035c0bb2so231935e9.1 for ; Wed, 24 Jul 2024 08:25:52 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721834750; x=1722439550; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bCFDlrASHkZw6WssTjjSvadGWOfkJn96f0OhZ8GIQjw=; b=jtWYMkToouVmw5NnlkvA7rAAxW0rlhI7UY4Xyaez2fn6MkziuE5BpzMkB8raeRYBR5 zkMSlSIJcbfT8dMvn3aV1v5n1tRoX2NshCe6ff8cId4I5S7rPlqyW+mitcsAAP+jBhq6 IJVZnqrHicOCY0VzFdxWNAMvfCKOOlk8+igBmlkEn6P2P2xAyZkCQrZvvB8++fVyTml3 +iqOtdxyPLUr44Y9WZlEe2r25OuBhzadVLiLbTjpZSGaH+/3VTYVuPlMX2drPSlkHB2G KYB0cEXYZyrp9C/YiecewpDI0s+oOcyTVfquOdLucwpdRDWpH71s5PaMtaDSDkVnKdN2 n+eQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721834750; x=1722439550; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bCFDlrASHkZw6WssTjjSvadGWOfkJn96f0OhZ8GIQjw=; b=gtaQLYEJnj+g/ei9eP4lBVNvm7omt3tjjSILf28WJprGTeP3wheR8DgqmH3YgrjzfE dpl6GYVTU9wVjmeszJ0NpGSOI9neTKo+oU2WFWF6NMsvBoBiNUI3ZDa7nrAqARz2VMRt Grrom18t6Sv7+4xAEkYp802eg4fBFepkB7vgPgYHneAu/0uJRbv/Iedg8O7ayOJ8LpCL e37Cq4Ncu5MpikR9bm4jIcKEGedtCJjb2D5qtP9bmEzmlSESaz5Fy6vI2qc8Y+RzeWES 9waFIoaQERUVBQ94JNQxpllSlVyH3sEVnD1Uk12jYWn6IYN9AQURSJ14Ynwhr65QagPt aqOw== X-Gm-Message-State: AOJu0YxRQN1nUO8lFyF8m0ZlEgD0T3IcRKiAICZVk1VsremPWDzcAjaY SbMYBu2FhxxXZg70eiKDBLAEMpcHvs5+4GSN9IBd2UC5b/nIeqJ8zRWZeg== X-Google-Smtp-Source: AGHT+IFDkYes8d/tYRLU5IeBs8R4N8itT/fvzymp+yLTeOyolWW1l5pdUEVNOY5Aee3eODFGJ3i01w== X-Received: by 2002:a05:600c:154a:b0:426:62a2:34fc with SMTP id 5b1f17b1804b1-427f9a0b797mr17953085e9.11.1721834749814; Wed, 24 Jul 2024 08:25:49 -0700 (PDT) Received: from localhost.localdomain ([80.215.234.192]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-427f93e667bsm33636125e9.29.2024.07.24.08.25.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jul 2024 08:25:49 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Samantha Jalabert , Marta Rybczynska Subject: [OE-core][PATCH v3 2/5] cve_check: Update selftest with new status detail Date: Wed, 24 Jul 2024 17:25:27 +0200 Message-ID: <20240724152530.25856-2-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> References: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Jul 2024 15:26:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/202449 From: Samantha Jalabert Signed-off-by: Samantha Jalabert Signed-off-by: Marta Rybczynska --- meta/lib/oeqa/selftest/cases/cve_check.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index 60cecd1328..a40272c919 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py @@ -217,9 +217,10 @@ CVE_CHECK_REPORT_PATCHED = "1" # m4 CVE should not be in logrotate self.assertNotIn("CVE-2008-1687", found_cves) # logrotate has both Patched and Ignored CVEs + detail = "version-not-in-range" self.assertIn("CVE-2011-1098", found_cves) self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched") - self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0) + self.assertEqual(found_cves["CVE-2011-1098"]["detail"], detail) self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0) detail = "not-applicable-platform" description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used" From patchwork Wed Jul 24 15:25:28 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 46802 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8D454C3DA63 for ; Wed, 24 Jul 2024 15:26:00 +0000 (UTC) Received: from mail-wr1-f46.google.com (mail-wr1-f46.google.com [209.85.221.46]) by mx.groups.io with SMTP id smtpd.web11.13312.1721834755572146860 for ; Wed, 24 Jul 2024 08:25:55 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=HTxj+PuU; spf=pass (domain: gmail.com, ip: 209.85.221.46, mailfrom: rybczynska@gmail.com) Received: by mail-wr1-f46.google.com with SMTP id ffacd0b85a97d-368440b073bso714101f8f.0 for ; Wed, 24 Jul 2024 08:25:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721834753; x=1722439553; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dyADFcLlUlLB78t0HCcebY7mck6pLa6VvZwbvV4MTMQ=; b=HTxj+PuU9dDq/G5nG9ondyUJGjMlA0kEIBjvwvbvwdaU+wly1KpnHxUrUoiSlaxQBI +HT1N77vxeK0bmS9mRMxEnFahap7C95OuyVNrca+LW2J8FTcfbWe/d4/4/xuIWDZ2gT9 JFT0uwCBoXItMSofs17dihkAIkVjDV3L3cvWVCpwRloD4Eowm4nqXuKP1MCEN9FOAK+j WaY25+ESSn9n0aTrZ+uVxwM1UIzx4T44jebnPwOEhWxbto3NOpGUO5qM4hmTrX38Ojy3 CWjvv6Al9INpOJJw84fC9pZ1YJ3ECwvmkloPAc2/BQyCWN0mD8dCOHApBGilJ3qnePgQ W6vA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721834753; x=1722439553; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dyADFcLlUlLB78t0HCcebY7mck6pLa6VvZwbvV4MTMQ=; b=ZABKohyXtYjVzCRRGI8DWEZxH2yx6up9Egut7NgV38WtSeRwAzAY3ufNrSEc3D/TFU MFC1mW5rFoWwy8Be7pvbdziIVkjZ8BT+Y9oQKhD34bpEC0eqN4FlH6VbFKh5ums+tk4c RP53Sv2cT593oxmwcn5eVV95PR8kq5dcBbWSvwHfjsrhv6YaykpOlt474GYX9l8zLpQ4 Aa4DAJkRc/ZlgsEcuq26VDw5EPYzbDaR2SWBIs1cAVhH0MggeL6vWPriCQHyuj5QyES0 aOJZzzBPaiEYoxPhu59qSP7QmRkwBpH6r3FcEcbhR+Oy0KTNp6c8PXxLurPQB4TGaKYl 0pSg== X-Gm-Message-State: AOJu0Yz/ysD5MEYiKaHKrDFbJv7Bh/JpeJksnD3xcIVWx8Am4TTsKj90 8ubPttewXpDEwR75kz8C2v7pDKWfZwgwglGRUeRmTDYjvIHRpFq2jgHXeQ== X-Google-Smtp-Source: AGHT+IEmJoPjTn2ZUWY/FP9KXFh/mvd5Nkrp8LMhsT6Cponh0OznBiXZ14mLP+xkewsuKV+3ArBHUg== X-Received: by 2002:adf:f08c:0:b0:368:35b8:129e with SMTP id ffacd0b85a97d-369f66bb63dmr1965906f8f.13.1721834753121; Wed, 24 Jul 2024 08:25:53 -0700 (PDT) Received: from localhost.localdomain ([80.215.234.192]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-427f93e667bsm33636125e9.29.2024.07.24.08.25.52 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jul 2024 08:25:52 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska , Samantha Jalabert Subject: [OE-core][PATCH v3 3/5] vex.bbclass: add a new class Date: Wed, 24 Jul 2024 17:25:28 +0200 Message-ID: <20240724152530.25856-3-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> References: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Jul 2024 15:26:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/202450 The "vex" class generates the minimum information that is necessary for VEX generation by an external CVE checking tool. It is a drop-in replacement of "cve-check". It uses the same variables from recipes to make the migration and backporting easier. The goal of this class is to allow generation of the CVE list of an image or distribution on-demand, including the latest information from vulnerability databases. Vulnerability data changes every day, so a status generated at build becomes out-of-date very soon. Research done for this work shows that the current VEX formats (CSAF and OpenVEX) do not provide enough information to generate such rolling information. Instead, we extract the needed data from recipe annotations (package names, CPEs, versions, CVE patches applied...) and store for later use in the format that is an extension of the CVE-check JSON output format. This output can be then used (separately or with SPDX of the same build) by an external tool to generate the vulnerability annotation and VEX statements in standard formats. Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert --- meta/classes/vex.bbclass | 310 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 310 insertions(+) create mode 100644 meta/classes/vex.bbclass diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass new file mode 100644 index 0000000000..bb16e2a529 --- /dev/null +++ b/meta/classes/vex.bbclass @@ -0,0 +1,310 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# + +# This class is used to generate metadata needed by external +# tools to check for vulnerabilities, for example CVEs. +# +# In order to use this class just inherit the class in the +# local.conf file and it will add the generate_vex task for +# every recipe. If an image is build it will generate a report +# in DEPLOY_DIR_IMAGE for all the packages used, it will also +# generate a file for all recipes used in the build. +# +# Variables use CVE_CHECK prefix to keep compatibility with +# the cve-check class +# +# Example: +# bitbake -c generate_vex openssl +# bitbake core-image-sato +# bitbake -k -c generate_vex universe +# +# The product name that the CVE database uses defaults to BPN, but may need to +# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). +CVE_PRODUCT ??= "${BPN}" +CVE_VERSION ??= "${PV}" + +CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" + +CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json" +CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt" + +CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" +CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" +CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json" + +# Skip CVE Check for packages (PN) +CVE_CHECK_SKIP_RECIPE ?= "" + +# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned +# separately with optional detail and description for this status. +# +# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows" +# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally" +# +# Settings the same status and reason for multiple CVEs is possible +# via CVE_STATUS_GROUPS variable. +# +# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" +# +# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003" +# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows" +# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004" +# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally" +# +# All possible CVE statuses could be found in cve-check-map.conf +# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" +# CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# +# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead. +# Keep CVE_CHECK_IGNORE until other layers migrate to new variables +CVE_CHECK_IGNORE ?= "" + +# Layers to be excluded +CVE_CHECK_LAYER_EXCLUDELIST ??= "" + +# Layers to be included +CVE_CHECK_LAYER_INCLUDELIST ??= "" + + +# set to "alphabetical" for version using single alphabetical character as increment release +CVE_VERSION_SUFFIX ??= "" + +python () { + if bb.data.inherits_class("cve-check", d): + raise bb.parse.SkipRecipe("Skipping recipe: found incompatible combination of cve-check and vex enabled at the same time.") + + # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS + cve_check_ignore = d.getVar("CVE_CHECK_IGNORE") + if cve_check_ignore: + bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") + for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split(): + d.setVarFlag("CVE_STATUS", cve, "ignored") + + # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split(): + cve_group = d.getVar(cve_status_group) + if cve_group is not None: + for cve in cve_group.split(): + d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) + else: + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) +} + +def generate_json_report(d, out_path, link_path): + if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): + import json + from oe.cve_check import cve_check_merge_jsons, update_symlinks + + bb.note("Generating JSON CVE summary") + index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") + summary = {"version":"1", "package": []} + with open(index_file) as f: + filename = f.readline() + while filename: + with open(filename.rstrip()) as j: + data = json.load(j) + cve_check_merge_jsons(summary, data) + filename = f.readline() + + summary["package"].sort(key=lambda d: d['name']) + + with open(out_path, "w") as f: + json.dump(summary, f, indent=2) + + update_symlinks(out_path, link_path) + +python vex_save_summary_handler () { + import shutil + import datetime + from oe.cve_check import update_symlinks + + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + + bb.utils.mkdirhier(cvelogpath) + timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S') + + json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")) + json_summary_name = os.path.join(cvelogpath, "cve-summary-%s.json" % (timestamp)) + generate_json_report(d, json_summary_name, json_summary_link_name) + bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name) +} + +addhandler vex_save_summary_handler +vex_save_summary_handler[eventmask] = "bb.event.BuildCompleted" + +python do_generate_vex () { + """ + Generate metadata needed for vulnerability checking for + the current recipe + """ + from oe.cve_check import get_patched_cves + + try: + patched_cves = get_patched_cves(d) + cves_status = [] + products = d.getVar("CVE_PRODUCT").split() + for product in products: + if ":" in product: + _, product = product.split(":", 1) + cves_status.append([product, False]) + + except FileNotFoundError: + bb.fatal("Failure in searching patches") + + cve_write_data_json(d, patched_cves, cves_status) +} + +addtask generate_vex before do_build + +python vex_cleanup () { + """ + Delete the file used to gather all the CVE information. + """ + bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")) +} + +addhandler vex_cleanup +vex_cleanup[eventmask] = "bb.event.BuildCompleted" + +python vex_write_rootfs_manifest () { + """ + Create VEX/CVE manifest when building an image + """ + + import json + from oe.rootfs import image_list_installed_packages + from oe.cve_check import cve_check_merge_jsons, update_symlinks + + deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + if os.path.exists(deploy_file_json): + bb.utils.remove(deploy_file_json) + + # Create a list of relevant recipies + recipies = set() + for pkg in list(image_list_installed_packages(d)): + pkg_info = os.path.join(d.getVar('PKGDATA_DIR'), + 'runtime-reverse', pkg) + pkg_data = oe.packagedata.read_pkgdatafile(pkg_info) + recipies.add(pkg_data["PN"]) + + bb.note("Writing rootfs VEX manifest") + deploy_dir = d.getVar("IMGDEPLOYDIR") + link_name = d.getVar("IMAGE_LINK_NAME") + + json_data = {"version":"1", "package": []} + text_data = "" + + save_pn = d.getVar("PN") + + for pkg in recipies: + # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate + # it with the different PN names set each time. + d.setVar("PN", pkg) + + pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + if os.path.exists(pkgfilepath): + with open(pkgfilepath) as j: + data = json.load(j) + cve_check_merge_jsons(json_data, data) + + d.setVar("PN", save_pn) + + link_path = os.path.join(deploy_dir, "%s.json" % link_name) + manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") + + with open(manifest_name, "w") as f: + json.dump(json_data, f, indent=2) + + update_symlinks(manifest_name, link_path) + bb.plain("Image VEX JSON report stored in: %s" % manifest_name) +} + +ROOTFS_POSTPROCESS_COMMAND:prepend = "vex_write_rootfs_manifest; " +do_rootfs[recrdeptask] += "do_generate_vex " +do_populate_sdk[recrdeptask] += "do_generate_vex " + +def cve_write_data_json(d, cve_data, cve_status): + """ + Prepare CVE data for the JSON format, then write it. + Done for each recipe. + """ + + from oe.cve_check import get_cpe_ids + import json + + output = {"version":"1", "package": []} + nvd_link = "https://nvd.nist.gov/vuln/detail/" + + fdir_name = d.getVar("FILE_DIRNAME") + layer = fdir_name.split("/")[-3] + + include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() + exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() + + if exclude_layers and layer in exclude_layers: + return + + if include_layers and layer not in include_layers: + return + + product_data = [] + for s in cve_status: + p = {"product": s[0], "cvesInRecord": "Yes"} + if s[1] == False: + p["cvesInRecord"] = "No" + product_data.append(p) + product_data = list({p['product']:p for p in product_data}.values()) + + package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV")) + cpes = get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) + package_data = { + "name" : d.getVar("PN"), + "layer" : layer, + "version" : package_version, + "products": product_data, + "cpes": cpes + } + + cve_list = [] + + for cve in sorted(cve_data): + issue_link = "%s%s" % (nvd_link, cve) + + cve_item = { + "id" : cve, + "status" : cve_data[cve]["abbrev-status"], + "link": issue_link, + } + if 'NVD-summary' in cve_data[cve]: + cve_item["summary"] = cve_data[cve]["NVD-summary"] + cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] + cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] + cve_item["vector"] = cve_data[cve]["NVD-vector"] + cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] + if 'status' in cve_data[cve]: + cve_item["detail"] = cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + cve_item["description"] = cve_data[cve]["justification"] + if 'resource' in cve_data[cve]: + cve_item["patch-file"] = cve_data[cve]["resource"] + cve_list.append(cve_item) + + package_data["issue"] = cve_list + output["package"].append(package_data) + + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + + write_string = json.dumps(output, indent=2) + + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") + bb.utils.mkdirhier(cvelogpath) + fragment_file = os.path.basename(deploy_file) + fragment_path = os.path.join(cvelogpath, fragment_file) + with open(fragment_path, "w") as f: + f.write(write_string) + with open(index_path, "a+") as f: + f.write("%s\n" % fragment_path) From patchwork Wed Jul 24 15:25:29 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 46801 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id B960AC3DA7F for ; Wed, 24 Jul 2024 15:26:00 +0000 (UTC) Received: from mail-lj1-f174.google.com (mail-lj1-f174.google.com [209.85.208.174]) by mx.groups.io with SMTP id smtpd.web11.13316.1721834758065292736 for ; Wed, 24 Jul 2024 08:25:58 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=LopNHaBj; spf=pass (domain: gmail.com, ip: 209.85.208.174, mailfrom: rybczynska@gmail.com) Received: by mail-lj1-f174.google.com with SMTP id 38308e7fff4ca-2ef7fef3ccfso38806101fa.3 for ; Wed, 24 Jul 2024 08:25:57 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721834756; x=1722439556; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jiI9KetorS/9A07ChLdSkFBO47gtER30WpzVa4qfC3k=; b=LopNHaBj1/EjZKDgr61pnDfOF75te5btZtNPFJaoxqTLEh2ilEzAF12O2HSbyuztha 9MiIYZ0OsuTsKwaWF0fTibg7fWv2b+TMeFrS0mYZyT6ay6qiCRMRqPAVqkGsNLvQLQer 8cOpYE2IeUyPzwOmfqPy9sIjVehK4vGs3KCzzVkvbzshsNZ40II2b/CZ5OCl7qiqgJ5L NxHW3zUdYH/ey9EseJMazLHs3DS0w/PK3tjGBy90oVZs4ZiLZvxq15ZsMrAmyZHWwjyw H6FnfMix/AdodbIZUQgDWwCRDywG5rbgYNiUTGSbIvmTmuPszTu+DeIixHdiLaXWaBH/ CcyA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721834756; x=1722439556; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jiI9KetorS/9A07ChLdSkFBO47gtER30WpzVa4qfC3k=; b=Ptj6b40+8Xl2evIL3e3s5tObSbdZo1NoCVNpWkIcz2nFOXvFb9zjZxNZuE2vZGqfsm R56w9jTvk3n+CKrTN6aTfRNJWaVpcIN5klO9a/XfMPqNp+M4h0inAXQRdYRSYiEfdfuQ U/UBNNPfna72Qv6Hm04BNeEW0fNanzPd32pnrLFAWkwdDXfV8VQMMsVCv9vftKX+K1KQ EJpNVJm9loqQVElsLBVH+jzPgzgEU463P6T4lex9lBJqBQd6/ux/1KA+hh/bFSJkihdO TtzeL4s5GLY/7t7f34i7vzjZ1XIs8b8hW6zBvfyUhFwHhlsFroFbHXItCOn64C3vWh7e 4wHg== X-Gm-Message-State: AOJu0YyJ75TuKAY3Cna6jfZpIBXV1+GmEzdjyuOqvXDCUZA/bDXr4qgN 9cwCZYdkQwUMTwqw+6AFoBbQsleTwq5go6PX59iurekG1LkvO97sdxjLqQ== X-Google-Smtp-Source: AGHT+IEUakvLUXmlggTzCS5Sw4lpG7fFKufXSH6vNjIVjEol0wa4Ns800GkPfXrAAWcdHqrdjl3cPQ== X-Received: by 2002:a05:651c:222b:b0:2ef:2fcc:c9fb with SMTP id 38308e7fff4ca-2f039dbabc6mr1537081fa.36.1721834755355; Wed, 24 Jul 2024 08:25:55 -0700 (PDT) Received: from localhost.localdomain ([80.215.234.192]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-427f93e667bsm33636125e9.29.2024.07.24.08.25.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jul 2024 08:25:54 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska , Samantha Jalabert Subject: [OE-core][PATCH v3 4/5] cve-check-map: add new statuses Date: Wed, 24 Jul 2024 17:25:29 +0200 Message-ID: <20240724152530.25856-4-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> References: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Jul 2024 15:26:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/202451 Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated by the cve-check. 'fix-file-included' means that a fix file for the CVE has been located. 'version-not-in-range' means that the product version has been found outside of the vulnerable range. 'version-in-range' means that the product version has been found inside of the vulnerable range. Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert --- meta/conf/cve-check-map.conf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index 17b0f15571..ac956379d1 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf @@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched" CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" # use when NVD DB does not mention correct version or does not mention any verion at all CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# use when a fix file has been included (set automatically) +CVE_CHECK_STATUSMAP[fix-file-included] = "Patched" +# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched" # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" # use when CVE is confirmed by upstream but fix is still not available CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" +# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched" # used for migration from old concept, do not use for new vulnerabilities CVE_CHECK_STATUSMAP[ignored] = "Ignored" @@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" # use when upstream acknowledged the vulnerability but does not plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" + +# use when it is impossible to conclude if the vulnerability is present or not +CVE_CHECK_STATUSMAP[unknown] = "Unknown" From patchwork Wed Jul 24 15:25:30 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 46799 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 724D4C3DA61 for ; Wed, 24 Jul 2024 15:26:00 +0000 (UTC) Received: from mail-wm1-f50.google.com (mail-wm1-f50.google.com [209.85.128.50]) by mx.groups.io with SMTP id smtpd.web11.13318.1721834759884258986 for ; Wed, 24 Jul 2024 08:26:00 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=NxEIkf2Z; spf=pass (domain: gmail.com, ip: 209.85.128.50, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f50.google.com with SMTP id 5b1f17b1804b1-4266f344091so51270385e9.0 for ; Wed, 24 Jul 2024 08:25:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721834757; x=1722439557; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=EXXeRNeEmoq/p3Ku0ko9Jhovzn3sLGnI24diyCyHrsQ=; b=NxEIkf2Zq9OaZiLQx1TgdRjg7bJ3fsGJcbQTClCvwmDAEJZnwuaX12KdI0kLscTpBI YDqs6GmMtAb4KzW3f8dFZjn/jJ8cQU9k8ME9bC5glBU/qDAkI/iuxmpX5e1YCKD36iJJ aIA5Vq4tCvoVZfHFlXqp8SxKKv8K+O/Pgn5fvTM0VYhvb6Op8elVPUNAejp3l5Hos3jE uDqADiagvhQDz62Q6QrwooTNKw6R3X/5rFUkuNqBXTez9sZblUBOHP1biMpnAcpHsNqD ofsBu05sXOmZoaeoQ3y/l82QUeR4R4zkjM1wTmOEd0DXaxELyTU8rpu2kI7V0jvHaVwJ hwsQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721834757; x=1722439557; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=EXXeRNeEmoq/p3Ku0ko9Jhovzn3sLGnI24diyCyHrsQ=; b=OhoM7Jp6n4kBvY4CzUs4XqCZJFYJrGo3UBy7RhjLqKKw9x9C+Dk0rkPzKO9DKTNRJ4 vslKfFj9BjQRctHnBiVc13auD9kKMor613SbqwoYzcw/KMK+EAQclgfCSvDC0+DLo8uq ms9Ca4UoPiwiFfmysJUwE7PtU4SZjBmQeR0/zZTOQM5clyYmCEjhVcicDaPQvuJy7lOp 8bvHl8dEkKr978HacQHkOQQjLOVph2EXPYQu0c3V/TcdAXKZvaWUGFAzoZVgect+secw kSTAK6LCBt9GPyixhCTxNRAo4PGkhHaGP+zRN3f/0WHZ6wdTm60t7AqdGwtsBzSNnFvi wyOA== X-Gm-Message-State: AOJu0YzQDiX1bNKOESZLtUnuWgAUgtHUN7jCtL8uxw7yWxuYTmzx9VtF anD4PWoTFxJP7T+d5urb2CT4d9i+8NiozOQudSoFWSPNflK8KUMaUF3Mqw== X-Google-Smtp-Source: AGHT+IGpVnzl7HNZfYtYv+gqWyu4nBeyBuPbWMPHkNhEqYTr+TI43pIfbMymvyQoRDZJEKWczGzvCQ== X-Received: by 2002:a05:600c:1ca2:b0:426:62c5:4741 with SMTP id 5b1f17b1804b1-427f7a151cdmr22032945e9.2.1721834757231; Wed, 24 Jul 2024 08:25:57 -0700 (PDT) Received: from localhost.localdomain ([80.215.234.192]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-427f93e667bsm33636125e9.29.2024.07.24.08.25.56 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Jul 2024 08:25:56 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska Subject: [OE-core][PATCH v3 5/5] cve-extra-exclusions.inc: add deprecation notice Date: Wed, 24 Jul 2024 17:25:30 +0200 Message-ID: <20240724152530.25856-5-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> References: <20240724152530.25856-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 24 Jul 2024 15:26:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/202452 This file contains CVE_STATUS without machine-readable information on which recipe it applies to. All entries should be verified and, if appropriate, moved to their corresponding recipes. Signed-off-by: Marta Rybczynska --- meta/conf/distro/include/cve-extra-exclusions.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index fcef6a14fb..71c5bc31f8 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -1,3 +1,6 @@ +# THIS FILE IS DEPRECATED, DO NOT ADD NEW ENTRIES +# All entries from this file should migrate to appropriate recipes. +# # This file contains a list of CVE's where resolution has proven to be impractical # or there is no reasonable action the Yocto Project can take to resolve the issue. # It contains all the information we are aware of about an issue and analysis about