From patchwork Wed Apr 16 14:28:58 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 61436
Subject: [PATCH 1/2] linux-vulns: fetch kernel.org CNA info
Date: Wed, 16 Apr 2025 16:28:58 +0200
Message-ID: <20250416142859.909037-2-daniel.turull@ericsson.com>
In-Reply-To: <20250416142859.909037-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/214992
From: Daniel Turull

Add CVE data source for kernel.org. It includes more information than the one provided by NVD.

Signed-off-by: Daniel Turull
---
 meta/conf/distro/include/maintainers.inc  |  1 +
 meta/recipes-core/meta/linux-vulns_git.bb | 42 +++++++++++++++++++++++
 2 files changed, 43 insertions(+)
 create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb

diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 8065287c17..ec427fe6a4 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned " RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned " RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador " RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield " +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned " RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield " RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield " RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield " diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb new file mode 100644 index 0000000000..158790f082 --- /dev/null +++ b/meta/recipes-core/meta/linux-vulns_git.bb
@@ -0,0 +1,42 @@ +SUMMARY = "CVE information from kernel.org" +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \ +and assigned to the Linux kernel project." +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" +LICENSE = "GPL-2.0-only & cve-tou" +LIC_FILES_CHKSUM = "file://LICENSES/GPL-2.0-only.txt;md5=c89d4ad08368966d8df5a90ea96bebe4\ + file://LICENSES/cve-tou.txt;md5=0d1f8ff7666c210e0b0404fd9d7e6703" +SECTION = "base" + +SRC_URI = "git://git.kernel.org/pub/scm/linux/security/vulns;branch=master;protocol=https" +inherit native + +SRCREV="${AUTOREV}" +PV = "1.0-git-${SRCREV}" + +S = "${WORKDIR}/git" + +KERNEL_CNA_REPO ??= "${DL_DIR}/CVE_CHECK/vulns" + +python do_unpack:append(){ + # Make symbolic link so it is easy to find + import os + source_path = d.getVar("S") + link_path = d.getVar("KERNEL_CNA_REPO") + if os.path.exists(link_path): + os.remove(link_path) + bb.utils.mkdirhier(os.path.dirname(link_path)) + os.symlink(source_path, link_path) +} + +deltask do_patch +deltask do_configure +deltask do_compile +deltask do_install +deltask do_cve_check +deltask do_populate_sysroot +deltask do_runtime_spdx +deltask do_create_spdx +deltask do_populate_lic +do_fetch[nostamp] = "1" + +EXCLUDE_FROM_WORLD = "1"
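Review bot: the `os.path.exists(link_path)` check in do_unpack:append follows the symlink, so once the previous build's ${S} is gone (rm_work, a fresh WORKDIR, a cleaned tmp) the dangling link reads as absent, `os.remove` is skipped and `os.symlink` raises FileExistsError on the next unpack; use `os.path.lexists(link_path)` (or `os.path.islink`) so a stale link is removed first. The link itself is fragile by design: KERNEL_CNA_REPO lives in the shared DL_DIR but points into a per-build WORKDIR that rm_work deletes, so a consumer that only depends on `linux-vulns:do_unpack` can end up reading through a dead link; either copy the JSON tree to a stable location in a proper task or hand consumers ${S} through the task dependency. Separately, `SRCREV="${AUTOREV}"` together with `do_fetch[nostamp] = "1"` means every bitbake invocation contacts git.kernel.org and the CVE verdicts cannot be reproduced from a recorded revision (and BB_NO_NETWORK builds fail outright); a pinned SRCREV that is bumped like any other recipe, with the refetch behaviour documented, would be the safer default for something that decides which CVEs get marked Ignored.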
From patchwork Wed Apr 16 14:28:59 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 61437
Subject: [PATCH 2/2] cve-check-kernel: verify kernel CVEs using programFile from kernel.org CNA
Date: Wed, 16 Apr 2025 16:28:59 +0200
Message-ID: <20250416142859.909037-3-daniel.turull@ericsson.com>
In-Reply-To: <20250416142859.909037-1-daniel.turull@ericsson.com>
X-Groupsio-URL:
https://lists.openembedded.org/g/openembedded-core/message/214993

From: Daniel Turull

This class is used to check the CVEs against a specific kernel configuration.
Depends on data from the kernel.org CNA
https://git.kernel.org/pub/scm/linux/security/vulns.git
The CVE data provided by kernel.org includes the files that are affected by a given CVE and are provided as json files.

It requires the kernel to be compiled to be able to extract which files are used. It is created as an optional check on top of cve-check.

To enable, add in your local.conf
INHERIT += cve-check
INHERIT += cve-check-kernel

To test it
bitbake virtual/kernel -c cve_check_kernel

Signed-off-by: Daniel Turull
---
 meta/classes/cve-check-kernel.bbclass | 132 ++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 meta/classes/cve-check-kernel.bbclass

diff --git a/meta/classes/cve-check-kernel.bbclass b/meta/classes/cve-check-kernel.bbclass new file mode 100644 index 0000000000..c01f0efd1d --- /dev/null +++ b/meta/classes/cve-check-kernel.bbclass
@@ -0,0 +1,132 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# +# This class is used to check the CVEs against a specific kernel configuration. +# Depends on data from the kernel.org CNA +# https://git.kernel.org/pub/scm/linux/security/vulns.git +# The CVE data provided by kernel.org includes the files that are +# affected by a given CVE and are provided as json files +# +# It requires the kernel to be compiled to be able to extract which files are +# used. It is created as optional check on top cve-check. +# +# To enable add in your local.conf +# INHERIT += cve-check +# INHERIT += cve-check-kernel +# +# Then execute +# bitbake virtual/kernel -c cve_check_kernel +# + +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" +KERNEL_CNA_REPO ?= "${DL_DIR}/CVE_CHECK/vulns" + +python () { + if not bb.data.inherits_class("cve-check", d): + raise bb.parse.SkipRecipe("Skip cve-check-kernel when cve-check class is not loaded.") + + if d.getVar('PN', True) == d.getVar("PREFERRED_PROVIDER_virtual/kernel", True): + bb.build.addtask('do_save_compiled_files', None, 'do_compile_kernelmodules', d) + bb.build.addtask('do_cve_check_kernel', 'do_build', None, d) + d.appendVarFlag('do_cve_check_kernel', 'depends', 'virtual/kernel:do_cve_check ') + d.appendVarFlag('do_cve_check_kernel', 'depends', 'virtual/kernel:do_compile_kernelmodules ') + d.appendVarFlag('do_cve_check_kernel', 'depends', 'linux-vulns:do_unpack ') +} + +do_save_compiled_files() { + bbplain "Fetching compiled files" + mkdir -p ${KERNEL_FILES_DIR} + ${S}/scripts/clang-tools/gen_compile_commands.py -o ${KERNEL_SRC_FILES} +} + +def get_files_in_cve(d, cve): + import os + import glob + import json + datadir = d.getVar('KERNEL_CNA_REPO', True) + pattern = os.path.join(datadir, '**', f"{cve}.json") + cve_files = glob.glob(pattern, recursive=True) + files_affected = [] + if len(cve_files) == 0: + return None + # Assuming one match 
+ with open(cve_files[0]) as f: + k_cve = json.load(f) + for item in k_cve['containers']['cna']['affected']: + if item["defaultStatus"] == "affected": + if "programFiles" in item: + files = item['programFiles'] + files_affected.extend(files) + if len(files_affected) == 0: + return None + return files_affected + +python do_cve_check_kernel() { + import json + bb.plain("Updating CVEs using compiled files") + kfiles = [] + cves = {} + affected= [] + + with open(d.getVar('KERNEL_SRC_FILES', True), 'r') as file: + for item in json.load(file): + kfiles.append(item['file'].replace(f"{d.getVar('S')}/","")) + bb.debug(1, f"Total used kernel source files: {len(kfiles)}") + + # We want to use the file in log directory + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + direct_file = d.getVar("CVE_CHECK_LOG_JSON") + fragment_file = os.path.basename(deploy_file) + fragment_path = os.path.join(cvelogpath, fragment_file) + + with open(fragment_path, 'r') as file: + cves = json.load(file) + + total = 0 + for cve in cves['package'][0]['issue']: + status = cve['status'] + id = cve['id'] + + if status == 'Unpatched': + is_affected = False + total += 1 + affected_files = get_files_in_cve(d, id) + if affected_files is None: + bb.debug(1, f"No file information for {id}") + affected.append(id) + is_affected = True + continue + for f in affected_files: + if f in kfiles: + bb.debug(1, f"File match in {id}: {f}") + affected.append(id) + is_affected = True + break + if not is_affected: + bb.debug(1, f"Changing status. Files in {id} not compiled. {affected_files}") + cve["status"] = "Ignored" + cve["detail"] = "not-applicable-config" + cve["description"] = f"Source code not compiled by config. 
{affected_files}" + + # Update cve files generated from cve-check + write_string = json.dumps(cves, indent=2) + with open(direct_file, 'w') as f: + bb.note("Writing file %s with CVE information" % direct_file) + f.write(write_string) + if d.getVar("CVE_CHECK_COPY_FILES") == "1": + with open(deploy_file, "w") as f: + f.write(write_string) + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": + with open(fragment_path, "w") as f: + f.write(write_string) + + # Summary + bb.warn(f"Before filter we have {total} CVEs") + bb.warn(f"After programFile filter we have {len(affected)}") + bb.warn(f"Affected CVEs after filtering: {affected}") +} +
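Review bot: do_cve_check_kernel never causes do_save_compiled_files to run. The anonymous python registers do_save_compiled_files with `before=None` (after do_compile_kernelmodules only), so no task depends on it, and do_cve_check_kernel's `depends` flag names only do_cve_check, do_compile_kernelmodules and linux-vulns:do_unpack; `bitbake virtual/kernel -c cve_check_kernel` therefore fails at `open(d.getVar('KERNEL_SRC_FILES', True), 'r')` because compile_commands.json was never written. Register it as `bb.build.addtask('do_cve_check_kernel', 'do_build', 'do_save_compiled_files', d)` or add `${PN}:do_save_compiled_files` to its depends. Two points on the filter itself: programFiles lists the files the fix touched, and headers, Kconfig and Makefile entries never appear in compile_commands.json, so a CVE whose listed files are all under include/ is demoted to Ignored with detail not-applicable-config even though every translation unit pulls the header in; only change the status when every listed file is a compilable unit (.c/.S) missing from the compile database, and leave it Unpatched otherwise. And `gen_compile_commands.py -o ${KERNEL_SRC_FILES}` scans the current directory for .cmd files, so pass `-d ${B}` explicitly rather than relying on the task's cwd, and note that the `replace(f"{d.getVar('S')}/", "")` prefix strip only works when the paths recorded in the .cmd files resolve under ${S}. Minor: `kfiles` is a list probed with `in` for every file of every CVE (make it a set), `item["defaultStatus"]` raises KeyError on a record without that key (use `.get`), and the three closing bb.warn calls report routine counts as build warnings where bb.plain or bb.note is appropriate.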
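The programFiles filter that the commit message describes, as an added example that is not code from the patch series or from OpenEmbedded: plain Python over a kernel.org CNA CVE record (CVE JSON 5.x, `containers.cna.affected[].programFiles`) and a compile_commands.json in the shape the kernel's scripts/clang-tools/gen_compile_commands.py emits, with one refinement the class lacks: a CVE is only demoted when every listed file is a compilable unit the build did not compile, so a header-only programFiles list keeps cve-check's Unpatched verdict. All records, paths and CVE IDs are constructed placeholders.

```python
"""Added example (not part of the patches): apply the kernel.org CNA
programFiles filter to cve-check results. Records, paths and CVE IDs
below are constructed placeholders, not real advisories or builds."""
import json
import os

# Files the kernel build turns into translation units. Anything else in
# programFiles (headers, Kconfig, Makefiles, Documentation) never shows up
# in compile_commands.json, so its absence there proves nothing.
COMPILED_SUFFIXES = (".c", ".S")

# Constructed compile database (hypothetical paths) in the
# directory/file/command shape gen_compile_commands.py produces.
SRC_ROOT = "/work/linux-source"
COMPILE_DB = [
    {"directory": "/work/linux-build",
     "file": "/work/linux-source/drivers/net/bar.c", "command": "gcc -c ..."},
    {"directory": "/work/linux-build",
     "file": "../linux-source/net/core/dev.c", "command": "gcc -c ..."},
]


def load_json(path):
    """Load a CVE record or compile database from disk (real-world entry point)."""
    with open(path) as f:
        return json.load(f)


def compiled_sources(compile_db, src_root):
    """Set of source files, relative to src_root, that the build compiled.
    Relative 'file' entries are resolved against the entry's 'directory'."""
    files = set()
    for entry in compile_db:
        path = entry["file"]
        if not os.path.isabs(path):
            path = os.path.join(entry.get("directory", src_root), path)
        files.add(os.path.relpath(os.path.normpath(path), src_root))
    return files


def affected_program_files(cve_record):
    """programFiles of every affected[] entry whose defaultStatus is 'affected'."""
    files = []
    cna = cve_record.get("containers", {}).get("cna", {})
    for item in cna.get("affected", []):
        if item.get("defaultStatus") == "affected":
            files.extend(item.get("programFiles", []))
    return files


def classify(cve_record, compiled):
    """'affected' if any programFile was compiled; 'not-applicable-config'
    only when every programFile is a compilable unit the build skipped;
    'unknown' (keep cve-check's verdict) when the data cannot decide."""
    files = affected_program_files(cve_record)
    if not files:
        return "unknown"
    if any(f in compiled for f in files):
        return "affected"
    if any(not f.endswith(COMPILED_SUFFIXES) for f in files):
        return "unknown"  # a header or non-source file: cannot prove it unused
    return "not-applicable-config"


def filter_unpatched(issues, cve_records, compiled):
    """Rewrite a cve-check issue list: demote Unpatched to Ignored only on a
    'not-applicable-config' verdict. Returns a new list."""
    out = []
    for issue in issues:
        issue = dict(issue)
        rec = cve_records.get(issue["id"])
        if issue["status"] == "Unpatched" and rec is not None:
            if classify(rec, compiled) == "not-applicable-config":
                issue["status"] = "Ignored"
                issue["detail"] = "not-applicable-config"
                issue["description"] = "Source code not compiled by config"
        out.append(issue)
    return out


def record(cve_id, program_files):
    """Minimal constructed kernel-CNA-style record (placeholder ID)."""
    affected = [] if program_files is None else [
        {"vendor": "Linux", "product": "Linux",
         "defaultStatus": "affected", "programFiles": program_files}]
    return {"cveMetadata": {"cveId": cve_id},
            "containers": {"cna": {"affected": affected}}}


CVE_RECORDS = {
    "CVE-0000-0001": record("CVE-0000-0001", ["drivers/net/foo.c", "drivers/net/bar.c"]),
    "CVE-0000-0002": record("CVE-0000-0002", ["fs/ext4/inode.c"]),
    "CVE-0000-0003": record("CVE-0000-0003", ["include/linux/skbuff.h", "net/core/skbuff.c"]),
    "CVE-0000-0004": record("CVE-0000-0004", None),
}


def demo():
    """Run the filter over the constructed data; returns {cve_id: status}."""
    compiled = compiled_sources(COMPILE_DB, SRC_ROOT)
    issues = [{"id": cid, "status": "Unpatched"} for cid in CVE_RECORDS]
    issues.append({"id": "CVE-0000-0005", "status": "Patched"})
    return {i["id"]: i["status"] for i in filter_unpatched(issues, CVE_RECORDS, compiled)}


if __name__ == "__main__":
    for cve_id, status in demo().items():
        print(cve_id, status)
```

Run it stand-alone to see the four verdicts; in a real build you would feed `load_json` the per-recipe JSON that cve-check writes, the CVE records from the vulns repository, and the compile_commands.json generated with `gen_compile_commands.py -d <build dir>`. The "unknown" outcome is the security-relevant design choice: a filter that cannot prove a file unused must leave the CVE Unpatched rather than silently mark it Ignored.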