From patchwork Sun Nov 24 20:13:41 2024
X-Patchwork-Submitter: Peter Marko
X-Patchwork-Id: 53084
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko, Marta Rybczynska
Subject: [OE-core][PATCH 1/2] cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality
Date: Sun, 24 Nov 2024 21:13:41 +0100
Message-Id: <20241124201342.27405-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/207715

Commit 05ef4f2a7b225c8d230eaca8d333ffb921729d79 removed this functionality by accident. It was implemented in the text exporter, while it should have been a global feature independent of the exporter type, to avoid such accidental deletion.

Signed-off-by: Peter Marko
Cc: Marta Rybczynska
---
 meta/classes/cve-check.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0c92b87f52..33d41b912d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -422,6 +422,11 @@ def check_cves(d, cve_data): if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) + if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": + unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"] + if unpatched_cves: + bb.warn("Found unpatched CVE (%s)" % " ".join(unpatched_cves)) + return (cve_data, cves_status) def get_cve_info(d, cve_data): From patchwork Sun Nov 24 20:13:42 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Peter Marko X-Patchwork-Id: 53085 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 98673E6780A for ; Sun, 24 Nov 2024 20:15:38 +0000 (UTC) Received: from mta-64-228.siemens.flowmailer.net (mta-64-228.siemens.flowmailer.net [185.136.64.228]) by mx.groups.io with SMTP id smtpd.web10.3874.1732479338002903501 for ; Sun, 24 Nov 2024 12:15:38 -0800 Authentication-Results: mx.groups.io; dkim=pass header.i=peter.marko@siemens.com header.s=fm2 header.b=BYpsChK1; spf=pass (domain: rts-flowmailer.siemens.com, ip: 185.136.64.228, mailfrom: fm-256628-20241124201535e459e01ad90e949d2e-72siab@rts-flowmailer.siemens.com) Received: by mta-64-228.siemens.flowmailer.net with ESMTPSA id 20241124201535e459e01ad90e949d2e for ; Sun, 24 Nov 2024 21:15:35 +0100 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; s=fm2; d=siemens.com; i=peter.marko@siemens.com; h=Date:From:Subject:To:Message-ID:MIME-Version:Content-Type:Content-Transfer-Encoding:Cc:References:In-Reply-To; bh=pzch2tmlNLHOIO6EK0Mhh2zBfvwl0Ia0dI7O+YITBSk=; b=BYpsChK1gsc4LKTX+TDKGQWZtcjP5ahCoTi3lzZgrbAnrh5SLkyBrROe/VlYnHyXsewwkT poO5335YGKVhYSLkynwW+ZOw5oDWp4WTYrnlNuZzd/wlAjDHB41Krj/ljJ6fsjjIefgsjIIF 
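Review bot: the restored warning in the @@ -422 hunk of check_cves never says which recipe the unpatched CVEs belong to, even though pn is in scope (the preceding context line uses it in bb.note("No CVE records for products in recipe %s" % (pn))); bb.warn output from many recipes is interleaved in a build log, so consider `bb.warn("Found unpatched CVE (%s) in recipe %s" % (" ".join(unpatched_cves), pn))`. The placement itself matches the stated goal: the check sits in check_cves just before the return, so it runs whichever exporter is selected.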
From: Peter Marko
To: openembedded-core@lists.openembedded.org
Cc: Peter Marko
Subject: [OE-core][PATCH 2/2] cve-check: fix cvesInRecord
Date: Sun, 24 Nov 2024 21:13:42 +0100
Message-Id: <20241124201342.27405-2-peter.marko@siemens.com>
In-Reply-To: <20241124201342.27405-1-peter.marko@siemens.com>
References: <20241124201342.27405-1-peter.marko@siemens.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/207716

Currently the flag cvesInRecord is set to false if all CVEs are ignored or patched. This is inconsistent, as it shows false if a CVE was fixed via a patch and true if this CVE was fixed by an upgrade. In both cases the CVE is valid and was fixed.

As I understand this flag, it should say whether any CVE exists for a particular component's product (regardless of how this CVE is handled) and can be used to validate whether a product is correctly set.

Note that skipping ignored CVEs may make sense in some cases, as ignored may mean that the NVD DB is wrong, but in many cases it is ignored for other reasons. A further patch can be done to evaluate the ignore subtype, but that would be against my understanding of this flag as described above.

Signed-off-by: Peter Marko
---
 meta/classes/cve-check.bbclass | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 33d41b912d..6e10dd915a 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -343,18 +343,19 @@ def check_cves(d, cve_data): for cverow in cve_cursor: cve = cverow[0] - if cve_is_ignored(d, cve_data, cve): - bb.note("%s-%s ignores %s" % (product, pv, cve)) - continue - elif cve_is_patched(d, cve_data, cve): - bb.note("%s has been patched" % (cve)) - continue # Write status once only for each product if not cves_in_product: cves_status.append([product, True]) cves_in_product = True cves_in_recipe = True + if cve_is_ignored(d, cve_data, cve): + bb.note("%s-%s ignores %s" % (product, pv, cve)) + continue + elif cve_is_patched(d, cve_data, cve): + bb.note("%s has been patched" % (cve)) + continue + vulnerable = False ignored = False
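Review bot: the reordering in the @@ -343 hunk makes cves_in_product (and therefore the exported cvesInRecord flag) True for a product whose every matching CVE is ignored, including the case the commit message itself raises where "ignored" means the NVD record is a false match; anyone using cvesInRecord to validate product names will now see True for such a product, so that caveat belongs in a comment next to the "# Write status once only for each product" line or in the class's documentation of the flag, not only in the commit message. The moved ignored/patched block is otherwise identical to the removed one, so the only behavioural change is the ordering relative to the status update.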