From patchwork Tue Apr 29 14:38:57 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62111
CC: Daniel Turull, Peter Marko
Subject: [PATCH v3 1/8] linux-vulns: fetch kernel.org CNA info
Date: Tue, 29 Apr 2025 16:38:57 +0200
Message-ID: <20250429143904.634082-2-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Mailer: git-send-email 2.48.1
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215667
From: Daniel Turull Add CVE data source for kernel.org. It includes more information than the one provided by NVD. Use similar mechanism and same variables as cve-check to define when to update. To use without internet access, change variable VULNS_URL to a local copy or mirror. CC: Peter Marko Signed-off-by: Daniel Turull Signed-off-by: Daniel Turull > --- meta/conf/distro/include/maintainers.inc | 1 + meta/recipes-core/meta/linux-vulns_git.bb | 76 +++++++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 8065287c17..ec427fe6a4 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned " RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned " RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador " RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield " +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned " RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield " RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield " RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield " diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb new file mode 100644 index 0000000000..fc48558eb8 --- /dev/null +++ b/meta/recipes-core/meta/linux-vulns_git.bb 
@@ -0,0 +1,76 @@ +SUMMARY = "CVE information from kernel.org" +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \ +and assigned to the Linux kernel project." +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" +LICENSE = "GPL-2.0-only & cve-tou" +SECTION = "base" + +INHIBIT_DEFAULT_DEPS = "1" + +inherit native +inherit nopackages + +VULNS_URL ?= "https://git.kernel.org/pub/scm/linux/security/vulns" +CVE_CHECK_KERNEL_DB_DIR ??= "${DL_DIR}/CVE_CHECK/vulns" + +# Use same intervals as cve-update-db-native. By default: once a day (24*60*60). +# Use 0 to force the update +# Use a negative value to skip the update + +CVE_DB_UPDATE_INTERVAL ??= "86400" + +python do_fetch(){ + import os + import bb.utils + + bb.utils.export_proxies(d) + db_file = d.getVar("CVE_CHECK_KERNEL_DB_DIR") + repo_url = d.getVar("VULNS_URL") + + try: + import time + update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) + + if update_interval < 0: + bb.note("Kernel CVE database update skipped") + return + if time.time() - os.path.getmtime(db_file) < update_interval: + bb.debug(2,"Kernel CVE database, recently updated, skipping") + return + + except OSError: + pass + + bb.utils.mkdirhier(os.path.dirname(db_file)) + # Configure cmd + if not os.path.exists(db_file): + cmd = f"git clone {repo_url} {db_file}" + else: + cmd = f"git -C {db_file} pull" + try: + bb.fetch2.runfetchcmd(cmd, d) + except bb.fetch2.FetchError as e: + bb.warn(f"Kernel vulns repo url not accessible. 
{repo_url}") + bb.warn("Set VULNS_URL in local.conf to point to a local copy or mirror") +} + +do_clean() { + rm -rf ${CVE_CHECK_KERNEL_DB_DIR} +} + +deltask do_patch +deltask do_unpack +deltask do_configure +deltask do_compile +deltask do_install +deltask do_populate_sysroot +deltask do_runtime_spdx +deltask do_create_spdx +deltask do_populate_lic +deltask do_cve_check + +do_fetch[nostamp] = "1" +do_fetch[file-checksums] = "" +do_fetch[vardeps] = "" + +EXCLUDE_FROM_WORLD = "1"
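Review bot: the update-interval check in do_fetch of linux-vulns_git.bb keys off os.path.getmtime(db_file), but db_file is the clone directory (CVE_CHECK_KERNEL_DB_DIR), and a `git pull` that only changes files inside subdirectories does not update the mtime of the top-level directory, so once the first CVE_DB_UPDATE_INTERVAL has elapsed after the initial clone the "recently updated, skipping" branch is never taken again and every build runs the pull. Touching the directory after a successful clone or pull (os.utime(db_file, None)) or writing a marker file inside it would make the interval effective. Two smaller points on the same hunk: repo_url and db_file are interpolated unquoted into the command string handed to bb.fetch2.runfetchcmd, so a VULNS_URL containing spaces or shell metacharacters breaks the command (shlex.quote() on both is cheap); and on FetchError the task only emits bb.warn and finishes successfully, so a build without network silently continues with whatever copy is on disk, possibly none. Logging the age of the existing checkout, or failing outright when db_file does not exist at all, would make that state visible to whoever later reads the cve-check results.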
From patchwork Tue Apr 29 14:38:58 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62108
CC: Daniel Turull
Subject: [PATCH v3 2/8] cve-check: fix debug message
Date: Tue, 29 Apr 2025 16:38:58 +0200
Message-ID: <20250429143904.634082-3-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215670
From: Daniel Turull Debug level was not added as a parameter, causing a warning. Signed-off-by: Daniel Turull --- meta/classes/cve-check.bbclass | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1aef00d297..c63ebd56e1 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -277,7 +277,7 @@ def cve_update(d, cve_data, cve, entry): cve_data[cve] = entry return # If we are updating, there might be change in the status - bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) + bb.debug(1, "Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) if cve_data[cve]['abbrev-status'] == "Unknown": cve_data[cve] = entry return 
@@ -288,16 +288,16 @@ def cve_update(d, cve_data, cve, entry): if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range": # New result from the scan, vulnerable cve_data[cve] = entry - bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve) + bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve) return if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": # Range does not match the scan, but we already have a vulnerable match, ignore - bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) + bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) return # If we have an "Ignored", it has a priority if cve_data[cve]['abbrev-status'] == "Ignored": - bb.debug("CVE %s not updating because Ignored" % cve) + bb.debug(1, "CVE %s not updating because Ignored" % cve) return bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry))
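Review bot: while the debug level is being added, the second changed message in this hunk is reversed: the enclosing condition is `entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched"`, so the stored entry is Unpatched and the candidate is Patched, and the update that is not applied is Unpatched to Patched, not "Patched to Unpatched" as the string says. Suggest `bb.debug(1, "CVE entry %s update from Unpatched to Patched from the scan result - not applying" % cve)`. The other two messages in the hunk match their branches.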
From patchwork Tue Apr 29 14:38:59 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62110
CC: Daniel Turull, Bruce Ashfield, Peter Marko
Subject: [PATCH v3 3/8] kernel: add support to extract compiled files
Date: Tue, 29 Apr 2025 16:38:59 +0200
Message-ID: <20250429143904.634082-4-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215668
From: Daniel Turull Use gen_compile_commands.py to extract files used during compilation for the used kernel configuration. CC: Bruce Ashfield CC: Peter Marko Signed-off-by: Daniel Turull --- meta/classes-recipe/kernel.bbclass | 37 ++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 36ce659762..e321f6e228 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass
@@ -159,6 +159,8 @@ set -e image_task = d.getVar('INITRAMFS_TASK') if image_task: d.appendVarFlag('do_configure', 'depends', ' ${INITRAMFS_TASK}') + if d.getVar('CVE_CHECK_KERNEL_CONFIG') == '1': + bb.build.addtask('do_save_compiled_files', None, 'do_compile do_compile_kernelmodules', d) } # Here we pull in all various kernel image types which we support. 
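Review bot: CVE_CHECK_KERNEL_CONFIG is read here but nothing in this patch gives it a default or documents it, and the bb.build.addtask call passes None as the "before" argument, so no task in this patch depends on do_save_compiled_files; as posted, the task is only registered when the variable is set to '1' and is not scheduled by a normal build unless a later patch in the series adds a dependency on it. Saying so in the commit message, and adding the variable with its default to the cve-check documentation, would let the patch be reviewed on its own.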
@@ -867,3 +869,38 @@ EXPORT_FUNCTIONS do_deploy # Add using Device Tree support inherit kernel-devicetree + +KERNEL_FILES_DIR ?= "${LOG_DIR}/cve/kernel_files" +KERNEL_SRC_FILES ?= "${KERNEL_FILES_DIR}/compile_commands.json" + +do_save_compiled_files() { + bbdebug 1 "Saving compiled files in ${KERNEL_SRC_FILES}" + mkdir -p ${KERNEL_FILES_DIR} + ${S}/scripts/clang-tools/gen_compile_commands.py -o ${KERNEL_SRC_FILES} -d ${B} +} + +# Helper functions for spdx and cve-check +# Check if the file, is a kernel compiled file +def is_compiled_source(d, filename, kernel_sources): + import os + + _, extension = os.path.splitext(filename) + # Special case, that we need to ignore, since this is not a source file + # We filter .c files + if filename.rfind(".mod.c") > 0 or extension != ".c": + return True + # Check that the c file is in the list + if filename in kernel_sources: + return True + return False + +# Get results from the save_compiled files and include also header files, extracting path +def get_compiled_sources(d): + import json + import os + kfiles = [] + with open(d.getVar('KERNEL_SRC_FILES'), 'r') as f: + for item in json.load(f): + kfile = os.path.basename(item['file']) + kfiles.append(kfile) + return kfiles
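Review bot: get_compiled_sources keeps only os.path.basename(item['file']) and is_compiled_source compares the bare filename against that list, so two kernel sources with the same basename in different directories are indistinguishable: a CVE whose affected file is, say, drivers/foo/main.c is treated as compiled as soon as any main.c from another subsystem was built for this configuration. That errs on the side of reporting vulnerable, but it throws away the path information compile_commands.json already contains; keeping the path relative to ${S} on both sides of the comparison would make the match exact. Smaller points on the same hunk: kernel_sources is a list and `filename in kernel_sources` runs per lookup, so a set is the right container for thousands of entries; the comment above get_compiled_sources says header files are included, but the loop only records what compile_commands.json lists (the .c translation units) and headers are instead handled by is_compiled_source returning True for every non-.c file, so the comment should say that; and do_save_compiled_files assumes ${S}/scripts/clang-tools/gen_compile_commands.py exists, which older kernel releases do not ship at that path, so testing for the script and emitting a clear bbfatal would be friendlier than a generic shell failure.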
Subject: [PATCH v3 4/8] cve-check: move message outside check_cves and sort
Date: Tue, 29 Apr 2025 16:39:00 +0200
Message-ID: <20250429143904.634082-5-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
References: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215669

From: Daniel Turull

When adding corrections from multiple sources of CVEs, the message showing standing CVEs should be at the end. Also sort them.

CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/classes/cve-check.bbclass | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c63ebd56e1..cce10c70ee 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -173,6 +173,12 @@ python do_cve_check () { if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): get_cve_info(d, cve_data) cve_write_data(d, cve_data, status) + + if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": + unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"] + if unpatched_cves: + bb.warn("Found unpatched CVE (%s)" % " ".join(sorted(unpatched_cves))) + else: bb.note("No CVE database found, skipping CVE check") 
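Review bot: `sorted(unpatched_cves)` orders the IDs as strings, so CVE-2024-10000 is listed before CVE-2024-9999; if the list is meant to read in order, sort on a numeric key built from the year and sequence number, for example `key=lambda c: tuple(int(x) for x in c.split("-")[1:])`. Minor: the text still says "Found unpatched CVE (%s)" although it now carries a space-joined list, so "CVEs" would be clearer. Placing the warning inside `if len(cve_data) or (...)` is fine, since any Unpatched entry makes cve_data non-empty.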
@@ -422,10 +428,6 @@ def check_cves(d, cve_data): if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) - if d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": - unpatched_cves = [cve for cve in cve_data if cve_data[cve]["abbrev-status"] == "Unpatched"] - if unpatched_cves: - bb.warn("Found unpatched CVE (%s)" % " ".join(unpatched_cves)) return (cve_data, cves_status)
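Review bot: removing the warning from check_cves changes behaviour for every caller of check_cves, not only do_cve_check, while the commit message only talks about where the message is printed; confirm that do_cve_check is the sole caller, or say in the message that other callers no longer warn.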
From patchwork Tue Apr 29 14:39:01 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62107
Subject: [PATCH v3 5/8] spdx: add option to include only compiled kernel files
Date: Tue, 29 Apr 2025 16:39:01 +0200
Message-ID: <20250429143904.634082-6-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
References: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215671

From: Daniel Turull

When CVE_CHECK_KERNEL_CONFIG is enabled, only include the source code (.c, .h) files that are used during compilation.

This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled.

CC: Joshua Watt
CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/classes/create-spdx-2.2.bbclass | 8 ++++++++
 meta/classes/spdx-common.bbclass     | 1 +
 meta/lib/oe/spdx30_tasks.py          | 8 ++++++++
 3 files changed, 17 insertions(+)

diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
index 7e8f8b9ff5..5009ebf5f1 100644
--- a/meta/classes/create-spdx-2.2.bbclass
+++ b/meta/classes/create-spdx-2.2.bbclass
@@ -137,6 +137,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv spdx_files = [] file_counter = 1 + + check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1" + if check_compiled_sources: + compiled_sources = bb.build.exec_func('get_compiled_sources', d) for subdir, dirs, files in os.walk(topdir): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): @@ -147,6 +151,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv filename = str(filepath.relative_to(topdir)) if not filepath.is_symlink() and filepath.is_file(): + # Check if file is compiled + if check_compiled_sources: + if not bb.build.exec_func('is_compiled_source', d, file, kernel_sources): + break spdx_file = oe.spdx.SPDXFile() spdx_file.SPDXID = get_spdxid(file_counter) for t in get_types(filepath):
diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass
index 713a7fc651..1e3249cbd3 100644
--- a/meta/classes/spdx-common.bbclass
+++ b/meta/classes/spdx-common.bbclass
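Review bot: `compiled_sources = bb.build.exec_func('get_compiled_sources', d)` cannot work as written: bb.build.exec_func(func, d, dirs=None) runs the named function for its side effects and returns nothing, so compiled_sources is always None; the later `bb.build.exec_func('is_compiled_source', d, file, kernel_sources)` passes two positional arguments exec_func does not accept and names `kernel_sources`, which is never assigned in this function (the value above went into compiled_sources), so enabling SPDX_INCLUDE_COMPILED_SOURCES raises at the first regular file. Neither get_compiled_sources nor is_compiled_source is defined in the three files this patch touches. Compute the compiled set once with a plain Python helper that returns a set of paths and test `filename in compiled_sources` directly. Separately, `break` on a non-compiled file exits the innermost loop over that directory's files and silently drops every file after it; that should be `continue`.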
@@ -26,6 +26,7 @@ SPDX_TOOL_VERSION ??= "1.0" SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" SPDX_INCLUDE_SOURCES ??= "0" +SPDX_INCLUDE_COMPILED_SOURCES ??= "0" SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs" diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index ba965821f8..9fe75e76e1 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -156,6 +156,10 @@ def add_package_files( bb.note(f"Skip {topdir}") return spdx_files + check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1" + if check_compiled_sources: + compiled_sources = bb.build.exec_func('get_compiled_sources', d) + for subdir, dirs, files in os.walk(topdir, onerror=walk_error): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): 
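Review bot: SPDX_INCLUDE_COMPILED_SOURCES is introduced without a comment or documentation, and the commit message says the filtering is controlled by CVE_CHECK_KERNEL_CONFIG, which this patch never reads; state which variable enables it, that it only makes sense for recipes that build the kernel, and how it interacts with SPDX_INCLUDE_SOURCES. In the spdx30_tasks.py hunk the same `compiled_sources = bb.build.exec_func('get_compiled_sources', d)` pattern as in create-spdx-2.2.bbclass yields None, because exec_func returns nothing; the helper needs to be a regular Python call whose result is kept.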
@@ -167,6 +171,10 @@ def add_package_files( filepath = Path(subdir) / file if filepath.is_symlink() or not filepath.is_file(): continue + # Check if file is compiled + if check_compiled_sources: + if not bb.build.exec_func('is_compiled_source', d, file, kernel_sources): + break filename = str(filepath.relative_to(topdir)) file_purposes = get_purposes(filepath)
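Review bot: as in the create-spdx-2.2.bbclass hunk, `kernel_sources` is undefined here (the lookup above bound `compiled_sources`), and `break` aborts the loop over the directory's remaining files on the first non-compiled one instead of skipping it; use `continue` and test membership in the set computed before the os.walk, mirroring the `continue` used two lines above for symlinks and non-files.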
From patchwork Tue Apr 29 14:39:02 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62112
Subject: [PATCH v3 6/8] cve-check: optionally allow to force update
Date: Tue, 29 Apr 2025 16:39:02 +0200
Message-ID: <20250429143904.634082-7-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
References: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215672

From: Daniel Turull

When introducing multiple sources of CVEs, it could potentially be the case that the answers are different due to data quality. Allow overriding CVE information from the scan from Unpatched to Patched.

Signed-off-by: Daniel Turull
---
 meta/classes/cve-check.bbclass | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index cce10c70ee..81512c255d 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -277,7 +277,7 @@ def cve_is_patched(d, cve_data, cve): return True return False -def cve_update(d, cve_data, cve, entry): +def cve_update(d, cve_data, cve, entry, force_update=False): # If no entry, just add it if cve not in cve_data: cve_data[cve] = entry @@ -297,7 +297,11 @@ def cve_update(d, cve_data, cve, entry): bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result" % cve) return if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": - if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": + if force_update: + cve_data[cve] = entry + bb.debug(1, "CVE entry %s forced to update from Patched to Unpatched from the scan result" % cve) + return + elif entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": # Range does not match the scan, but we already have a vulnerable match, ignore bb.debug(1, "CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) return
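Review bot: the debug text in the new `if force_update:` branch says "forced to update from Patched to Unpatched", but this branch runs when the incoming entry is Patched and the stored one is Unpatched, so the transition is Unpatched to Patched (the pre-existing "not applying" message two lines below has the same inversion and could be fixed while here). Also, putting the force_update test ahead of the version-not-in-range/version-in-range elif means a forced Patched entry discards exactly the vulnerable match that the elif exists to protect; if that is the intent, the comment "Range does not match the scan, but we already have a vulnerable match, ignore" should say that force_update overrides it.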
@@ -416,7 +420,7 @@ def check_cves(d, cve_data): if not vulnerable: bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) - cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"}) + cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"}, force_update=True) cve_cursor.close() if not cves_in_product:
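Review bot: passing force_update=True on the not-vulnerable path makes the NVD/FKIE scan's version-not-in-range verdict authoritative over an Unpatched entry from any earlier source, including one that matched by version-in-range, since the check cve_update used to make for that case is now bypassed for this caller. The commit message only says the sources may differ in data quality; it should say why the scan should win for every recipe, and whether an Unpatched entry that came from CVE_STATUS can still be forced to Patched by the scan.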
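Added example (not code from oe-core or from this patch series): a standalone Python model of the merge precedence that the cve_update() hunks in patch 6/8 show, including the force_update path, together with the numerically sorted unpatched list that patch 4/8 prints. The function names, the sample verdicts, and the handling of the cases the hunks do not show (both sides equal, or a Patched verdict arriving without force_update) are assumptions made for this example; the real cve_update() also distinguishes entries by their `status` detail, which this model collapses into a single fail-safe rule.

```python
"""Merge per-CVE verdicts from several sources with explicit precedence.

Added example, not code from oe-core or from this patch series. It models the
precedence visible in the cve_update() hunks of patch 6/8 (an Unpatched verdict
replaces a Patched one; a Patched verdict replaces an Unpatched one only when
force_update is set) and the sorted "unpatched" summary from patch 4/8. The
behaviour for cases the hunks do not show is this example's own fail-safe
choice, and the function names and sample data are constructed here.
"""
import re

CVE_ID = re.compile(r"CVE-(\d{4})-(\d{4,})")


def cve_sort_key(cve_id):
    """Numeric-aware sort key: CVE-2024-9999 sorts before CVE-2024-10000.

    A plain sorted() compares strings, which puts CVE-2024-10000 first.
    """
    m = CVE_ID.fullmatch(cve_id)
    if not m:
        raise ValueError(f"not a CVE id: {cve_id!r}")
    return int(m.group(1)), int(m.group(2))


def merge_verdict(cve_data, cve, entry, force_update=False):
    """Merge one verdict into cve_data in place and return the action taken.

    Entries use the cve-check record shape:
    {"abbrev-status": "Patched" | "Unpatched", "status": "<detail>"}.
    """
    current = cve_data.get(cve)
    if current is None:
        cve_data[cve] = entry
        return "added"
    new, old = entry["abbrev-status"], current["abbrev-status"]
    if new == "Unpatched" and old == "Patched":
        # A positive match from any source beats an earlier "not vulnerable".
        cve_data[cve] = entry
        return "upgraded-to-unpatched"
    if new == "Patched" and old == "Unpatched":
        if force_update:
            # The caller declares this source authoritative (patch 6/8 does
            # this for the scan's version-not-in-range result).
            cve_data[cve] = entry
            return "forced-to-patched"
        # Fail safe (this example's choice): never silently downgrade a match.
        return "kept-unpatched"
    return "unchanged"


def merge_sources(sources):
    """Apply (name, {cve: entry}, force_update) triples in order.

    Returns the merged table and a log of (source, cve, action) so the
    effect of source ordering and of force_update stays visible.
    """
    cve_data, log = {}, []
    for name, entries, force in sources:
        for cve in sorted(entries, key=cve_sort_key):
            log.append((name, cve, merge_verdict(cve_data, cve, entries[cve], force)))
    return cve_data, log


def unpatched_summary(cve_data):
    """The sorted list behind a 'Found unpatched CVEs (...)' warning."""
    return sorted(
        (cve for cve, e in cve_data.items() if e["abbrev-status"] == "Unpatched"),
        key=cve_sort_key,
    )


# Constructed sample data: kernel metadata is merged first, then the scan.
KERNEL_VERDICTS = {
    "CVE-2024-9999": {"abbrev-status": "Unpatched", "status": "version-in-range"},
    "CVE-2024-10000": {"abbrev-status": "Unpatched", "status": "version-in-range"},
    "CVE-2024-26710": {"abbrev-status": "Patched", "status": "fixed-version"},
}
SCAN_VERDICTS = {
    "CVE-2024-9999": {"abbrev-status": "Patched", "status": "version-not-in-range"},
    "CVE-2024-10000": {"abbrev-status": "Unpatched", "status": "version-in-range"},
    "CVE-2024-26710": {"abbrev-status": "Unpatched", "status": "version-in-range"},
    "CVE-2025-1234": {"abbrev-status": "Unpatched", "status": "version-in-range"},
}


def run_demo(force_scan=True):
    """Merge the sample sources; force_scan mirrors patch 6/8's force_update=True."""
    sources = [("linux-vulns", KERNEL_VERDICTS, False), ("nvd-scan", SCAN_VERDICTS, force_scan)]
    cve_data, log = merge_sources(sources)
    return cve_data, log, unpatched_summary(cve_data)


if __name__ == "__main__":
    data, log, unpatched = run_demo()
    for source, cve, action in log:
        print(f"{source:12} {cve:15} {action}")
    print("Found unpatched CVEs (%s)" % " ".join(unpatched))
```

Running it with force_scan=True shows the effect patch 6/8 introduces: the scan's "not vulnerable" verdict for CVE-2024-9999 erases the kernel metadata's Unpatched entry, while with force_scan=False the example keeps the Unpatched entry. The log is the piece a reviewer would want from the real class too, since the merged table alone no longer tells which source decided each status.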
From patchwork Tue Apr 29 14:39:03 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62114
Subject: [PATCH v3 7/8] cve-check, vex, spdx: use metadata from linux-vulns to enhance CVE reporting
Date: Tue, 29 Apr 2025 16:39:03 +0200
Message-ID: <20250429143904.634082-8-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
References: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215673

From: Daniel Turull

Introducing two new options to check kernel CVEs using linux-vulns.

- CVE_CHECK_KERNEL = "1"
  To add linux-vulns metadata on the cve-report for cve_check, vex and spdx. This will check for kernel CVEs, and use the metadata to resolve them. Enabled by default.

- CVE_CHECK_KERNEL_CONFIG = "1"
  CVE check using kernel compiled files, disabled by default since it requires a compiled kernel and it will increase cve-check times. Metadata in the CVE information includes the affected files, and using the files compiled by the kernel we can ignore some of the CVEs.

The above variables are defined in cve_check.bbclass, vex.bbclass and spdx.bbclass in case not all classes are used at the same time. The ones in cve_check have priority.

Example of output with CVE_CHECK_KERNEL_CONFIG when using cve-check:

{
  "id": "CVE-2024-26710",
  "status": "Ignored",
  "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
  "summary": "In the Linux kernel, the following vulnerability [...]",
  "scorev2": "0.0",
  "scorev3": "5.5",
  "scorev4": "0.0",
  "modified": "2025-03-17T15:36:11.620",
  "vector": "LOCAL",
  "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
  "detail": "not-applicable-config",
  "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},

And the same with vex:

{
  "id": "CVE-2024-26710",
  "status": "Ignored",
  "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710",
  "detail": "not-applicable-config",
  "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']"
},

And new information for the Unpatched entries showing where the fix (if any) is available. Tested with the 6.12.22 kernel:

{
  "id": "CVE-2025-39728",
  "status": "Unpatched",
  "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728",
  "summary": "In the Linux kernel, the following vulnerability has been [...]",
  "scorev2": "0.0",
  "scorev3": "0.0",
  "scorev4": "0.0",
  "modified": "2025-04-21T14:23:45.950",
  "vector": "UNKNOWN",
  "vectorString": "UNKNOWN",
  "detail": "version-in-range",
  "description": "Needs backporting (fixed from 6.12.23)"
},

Tested with cve-check, create-spdx2.2, create-spdx3.0, vex.

CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/classes/cve-check.bbclass   |  23 +++-
 meta/classes/spdx-common.bbclass |   3 +
 meta/classes/vex.bbclass         |  11 ++
 meta/lib/oe/cve_check.py         | 211 ++++++++++++++++++++++++++++++-
 4 files changed, 245 insertions(+), 3 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 81512c255d..da396747f2 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -34,6 +34,13 @@ CVE_VERSION ??= "${PV}" # Possible database sources: NVD1, NVD2, FKIE NVD_DB_VERSION ?= "FKIE" +# CVE Check using kernel CNA and compiled files +CVE_CHECK_KERNEL ?= "1" +# CVE Check using kernel compiled files +CVE_CHECK_KERNEL_CONFIG ?= "0" +# Location of the linux-vulns data +CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns" + # Use different file names for each database source, as they synchronize at different moments, so may be slightly different CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}" CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}"
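Review bot: CVE_CHECK_KERNEL defaults to "1", so every recipe with linux_kernel in CVE_PRODUCT now depends on linux-vulns data being present under CVE_CHECK_KERNEL_DB_DIR (${DL_DIR}/CVE_CHECK/vulns), and neither this hunk nor the commit message says how that directory is fetched or what do_cve_check does when it is missing; document the fetch path and make the missing-data case an explicit note or error rather than an implicit empty result. The comment above CVE_CHECK_KERNEL ("using kernel CNA and compiled files") describes CVE_CHECK_KERNEL_CONFIG; the compiled-files check belongs to the second variable only.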
@@ -111,6 +118,9 @@ python () { if nvd_database_type not in ("NVD1", "NVD2", "FKIE"): bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2") d.setVar("NVD_DB_VERSION", "NVD2") + + from oe.cve_check import extend_cve_kernel_config + extend_cve_kernel_config(d, "do_cve_check") } def generate_json_report(d, out_path, link_path): @@ -161,15 +171,24 @@ python do_cve_check () { """ Check recipe for patched and unpatched CVEs """ - from oe.cve_check import get_patched_cves + from oe.cve_check import get_patched_cves, get_kernel_cves with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True): + cve_data = {} + # Add all reported CVES from linux-vulns + cve_check_kernel = d.getVar("CVE_CHECK_KERNEL") + if "linux_kernel" in d.getVar("CVE_PRODUCT") and cve_check_kernel == "1": + kernel_unpatched_cves, kernel_patched_cves = get_kernel_cves(d) + cve_data.update(kernel_patched_cves) + cve_data.update(kernel_unpatched_cves) if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): try: patched_cves = get_patched_cves(d) + # Update cve_data, this will cover the manually reported with CVE_STATUS + cve_data.update(patched_cves) except FileNotFoundError: bb.fatal("Failure in searching patches") - cve_data, status = check_cves(d, patched_cves) + cve_data, status = check_cves(d, cve_data) if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): get_cve_info(d, cve_data) cve_write_data(d, cve_data, status) diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 1e3249cbd3..83d35d0e3f 100644 --- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass @@ -41,6 +41,9 @@ SPDX_MULTILIB_SSTATE_ARCHS ??= "${SSTATE_ARCHS}" python () { from oe.cve_check import extend_cve_status extend_cve_status(d) + + from oe.cve_check import extend_cve_kernel_config + extend_cve_kernel_config(d, "do_create_spdx") } def create_spdx_source_deps(d): 
diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass index 905d67b47d..3d49b1ad0e 100644 --- a/meta/classes/vex.bbclass +++ b/meta/classes/vex.bbclass @@ -26,6 +26,14 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" +CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns" +# CVE Check using kernel CNA and compiled files +CVE_CHECK_KERNEL ?= "1" +# CVE Check using kernel compiled files +CVE_CHECK_KERNEL_CONFIG ?= "0" +# Location of the linux-vulns data +CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns" + CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json" @@ -78,6 +86,9 @@ python () { from oe.cve_check import extend_cve_status extend_cve_status(d) + + from oe.cve_check import extend_cve_kernel_config + extend_cve_kernel_config(d, "do_generate_vex") } def generate_json_report(d, out_path, link_path): diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ae194f27cf..b548402928 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -47,6 +47,7 @@ class Version(): self._version.pre_l, self._version.pre_v ) + self.version = version def __eq__(self, other): if not isinstance(other, Version): @@ -58,6 +59,9 @@ class Version(): return NotImplemented return self._key > other._key + def __str__(self) -> str: + return self.version + def _cmpkey(release, patch_l, pre_l, pre_v): # remove leading 0 _release = tuple( @@ -202,8 +206,14 @@ def get_patched_cves(d): "affected-product": decoded_status["product"], } - return patched_cves + # If we are parsing the kernel, check compiled files + cve_check_kernel = d.getVar("CVE_CHECK_KERNEL") + if "linux_kernel" in d.getVar("CVE_PRODUCT") and cve_check_kernel == "1": + bb.debug(1, "Checking kernel CVEs") + _kernel_unpatched_cves, kernel_patched_cves = get_kernel_cves(d) + patched_cves.update(kernel_patched_cves) + return patched_cves def get_cpe_ids(cve_product, version): """ 
@@ -376,3 +386,202 @@ def extend_cve_status(d): d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) else: bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) + +def extend_cve_kernel_config(d, task): + pn = d.getVar('PN') + # For kernel CVEs, add required dependencies + if "linux_kernel" in d.getVar("CVE_PRODUCT"): + if d.getVar("CVE_CHECK_KERNEL_CONFIG") == "1": + bb.debug(1, "Checking kernel CVEs using kernel config") + depends = f" {pn}:do_save_compiled_files " + d.appendVarFlag(task, "depends", depends) + d.setVar('CVE_CHECK_KERNEL','1') + d.setVar('SPDX_INCLUDE_COMPILED_SOURCE','1') + if d.getVar("CVE_CHECK_KERNEL") == "1": + bb.debug(1, "Checking kernel CVEs using linux-vulns") + d.appendVarFlag(task, "depends", " linux-vulns:do_fetch ") + +def get_kernel_cves(d): + """ + Get CVEs for the kernel + """ + import glob + import json + patched_cves = {} + unpatched_cves = {} + datadir = f"{d.getVar('CVE_CHECK_KERNEL_DB_DIR')}/cve/published/" + version_str = d.getVar("LINUX_VERSION") + check_config = d.getVar("CVE_CHECK_KERNEL_CONFIG") + version = Version(version_str) + base_version = Version(".".join(version_str.split(".")[0:2])) + + # Check all CVES from kernel vulns + pattern = os.path.join(datadir, '**', f"CVE-*.json") + cve_files = glob.glob(pattern, recursive=True) + not_applicable_config = 0 + fixed_as_later_backport = 0 + for cve_file in cve_files: + cve_info = {} + with open(cve_file, "r") as f: + cve_info = json.load(f) + + if len(cve_info) == 0: + bb.error(f"Not valid data in {cve_file}. 
Aborting") + break + cve_id = cve_info["cveMetadata"]["cveID"] + + first_affected, fixed, backport_ver = get_kernel_fixed_versions(cve_info, base_version) + if not fixed: + if check_config == "1": + is_affected, affected_files = check_kernel_compiled_files(d, cve_info) + else: + is_affected = True + if not is_affected and len(affected_files) > 0: + bb.debug(1, f"{cve_id} - not applicable configuration since affected files not compiled: {affected_files}") + patched_cves[cve_id] = { + "abbrev-status": "Ignored", + "status": "not-applicable-config", + "justification": f"Source code not compiled by config. {affected_files}" + } + else: + bb.debug(1, f"{cve_id} not fixed usptream") + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + unpatched_cves[cve_id] = { + "abbrev-status": "Unpatched", + "status": "version-in-range", + "summary": description, + "justification": f"No fix available upstream" + } + elif first_affected and version < first_affected: + bb.debug(1, f'{cve_id} - "fixed-version: only affects {first_affected} onwards"') + patched_cves[cve_id] = { + "abbrev-status": "Patched", + "status": "fixed-version", + "justification": f"only affects {first_affected} onwards" + } + elif fixed <= version: + bb.debug(1, f'{cve_id} - "fixed-version: Fixed from version {fixed}"') + patched_cves[cve_id] = { + "abbrev-status": "Patched", + "status": "fixed-version", + "justification": f"fixed-version: Fixed from version {fixed}" + } + else: + if backport_ver: + if backport_ver <= version: + bb.debug(1, f'{cve_id} - "cpe-stable-backport: Backported in {backport_ver}"') + patched_cves[cve_id] = { + "abbrev-status": "Patched", + "status": "cpe-stable-backport", + "justification": f"Backported in {backport_ver}" + } + else: + bb.debug(1, f"{cve_id}: needs backporting (fixed from {backport_ver})") + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + unpatched_cves[cve_id] = { + "abbrev-status": "Unpatched", + "status": 
"version-in-range", + "summary": description, + "justification": f"Needs backporting (fixed from {backport_ver})" + } + fixed_as_later_backport += 1 + else: + # Check if file affected + if check_config == "1": + is_affected, affected_files = check_kernel_compiled_files(d, cve_info) + else: + is_affected = True + if not is_affected and len(affected_files) > 0: + bb.debug(1, f"{cve_id} - not applicable configuration since affected files not compiled: {affected_files}") + patched_cves[cve_id] = { + "abbrev-status": "Ignored", + "status": "not-applicable-config", + "justification": f"Source code not compiled by config. {affected_files}" + } + not_applicable_config +=1 + else: + bb.debug(1, f"{cve_id}: needs backporting (fixed from {fixed})") + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + unpatched_cves[cve_id] = { + "abbrev-status": "Unpatched", + "status": "version-in-range", + "summary": description, + "justification": f"Needs backporting (fixed from {fixed})" + } + if len(cve_files) > 0: + bb.debug(1, f"Total CVEs ignored due to not applicable config {not_applicable_config}") + bb.debug(1, f"Total vulnerable CVEs: {len(unpatched_cves)}") + bb.debug(1, f"Total CVEs already backported in {base_version}: {fixed_as_later_backport}") + return unpatched_cves, patched_cves + +def check_kernel_compiled_files(d, cve_info): + """ + Return if a CVE affected us depending on compiled files + """ + import json + files_affected = [] + kfiles = [] + is_affected = False + with open(d.getVar('KERNEL_SRC_FILES'), 'r') as file: + for item in json.load(file): + kfiles.append(item['file'].replace(f"{d.getVar('S')}/","")) + + for item in cve_info['containers']['cna']['affected']: + if item["defaultStatus"] == "affected": + if "programFiles" in item: + files = item['programFiles'] + files_affected.extend(files) + + if len(files_affected) > 0: + for f in files_affected: + if f in kfiles: + bb.debug(1, f"File match: {f}") + is_affected = True + return 
is_affected, files_affected + +def get_kernel_fixed_versions(cve_info, base_version): + ''' + Get fixed versions for a given CVE + ''' + first_affected = None + fixed = None + fixed_backport = None + next_version = Version(str(base_version) + ".5000") + for affected in cve_info["containers"]["cna"]["affected"]: + # In case the CVE info is not complete, it might not have default status and therefore + # we don't know the status of this CVE. + if not "defaultStatus" in affected: + return first_affected, fixed, fixed_backport + if affected["defaultStatus"] == "affected": + for version in affected["versions"]: + v = Version(version["version"]) + if v == 0: + # Skiping non-affected + continue + if version["status"] == "affected" and not first_affected: + first_affected = v + elif (version["status"] == "unaffected" and + version['versionType'] == "original_commit_for_fix"): + fixed = v + elif base_version < v and v < next_version: + fixed_backport = v + elif affected["defaultStatus"] == "unaffected": + # Only specific versions are affected. 
We care only about our base version + if "versions" not in affected: + continue + for version in affected["versions"]: + if "versionType" not in version: + continue + if version["versionType"] == "git": + continue + v = Version(version["version"]) + # in case it is not in our base version + less_than = Version(version["lessThan"]) + + if not first_affected: + first_affected = v + fixed = less_than + if base_version < v and v < next_version: + fixed_backport = less_than + + return first_affected, fixed, fixed_backport
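Review bot: the comment on CVE_CHECK_KERNEL in the meta/classes/cve-check.bbclass variable hunk ("CVE Check using kernel CNA and compiled files") describes the wrong switch: compiled-file matching is only enabled by CVE_CHECK_KERNEL_CONFIG, while CVE_CHECK_KERNEL on its own only pulls in the linux-vulns metadata. Suggest `# CVE check using the kernel CNA metadata from linux-vulns` here (the same comment is repeated in vex.bbclass), plus a sentence noting that CVE_CHECK_KERNEL_DB_DIR has to be the directory that linux-vulns:do_fetch populates, because nothing in the patch ties `${DL_DIR}/CVE_CHECK/vulns` to that recipe.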
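Review bot: in the do_cve_check hunk the second argument of check_cves changes meaning: `- cve_data, status = check_cves(d, patched_cves)` only ever received patched entries, but the new `cve_data` also carries the Unpatched kernel entries from get_kernel_cves. Please confirm check_cves does not treat every pre-populated id as already resolved, or add a comment explaining why passing the unpatched entries through is intended. The update order itself is right (the CVE_STATUS results from get_patched_cves overwrite the linux-vulns verdicts); the comment `# Update cve_data, this will cover the manually reported with CVE_STATUS` would read better as "an explicit CVE_STATUS always wins over the linux-vulns verdict".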
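Review bot: the first vex.bbclass hunk assigns `CVE_CHECK_KERNEL_DB_DIR ?= "${DL_DIR}/CVE_CHECK/vulns"` twice, once directly after `CVE_VERSION ??= "${PV}"` and again after the `# Location of the linux-vulns data` comment; drop the first copy so the three classes define the same block.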
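Review bot: with the get_patched_cves hunk in meta/lib/oe/cve_check.py, a do_cve_check run for the kernel calls get_kernel_cves twice: once here inside get_patched_cves and once directly in do_cve_check, so every CVE-*.json under CVE_CHECK_KERNEL_DB_DIR is globbed and parsed two times per build. Either drop the direct call from do_cve_check, or let get_patched_cves return the unpatched set as well instead of discarding it as `_kernel_unpatched_cves`.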
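Review bot: several points in the extend_cve_kernel_config / get_kernel_cves / check_kernel_compiled_files / get_kernel_fixed_versions hunk. (1) In get_kernel_fixed_versions, `if v == 0:` never skips anything: `v` is a Version and the `__eq__` context shown earlier in this file starts with an `isinstance(other, Version)` guard, so comparing against the int 0 never reaches the version value; test the raw string instead (`if version["version"] == "0":`) or compare with `Version("0")`. (2) In get_kernel_cves, `bb.error(f"Not valid data in {cve_file}. Aborting")` is followed by `break`, so one malformed file ends the scan and the partial patched/unpatched sets are returned and reported as complete; use `bb.fatal`, or `continue` and keep scanning. (3) `affected_files` is only bound when check_config == "1"; the `else: is_affected = True` branch survives only because `not is_affected` short-circuits before `len(affected_files)` is evaluated. Initialise `affected_files = []` next to `is_affected = True` in both places. (4) `not_applicable_config += 1` is only done in the lower branch, not in the `if not fixed:` branch, so the "Total CVEs ignored due to not applicable config" line undercounts. (5) `Version(d.getVar("LINUX_VERSION"))` fails for a kernel recipe that does not set LINUX_VERSION; fall back to CVE_VERSION or fail with a clear message. (6) The `defaultStatus == "unaffected"` branch indexes `version["lessThan"]` unconditionally; an entry carrying only `lessThanOrEqual` raises KeyError, so use `.get()` and skip it. (7) check_kernel_compiled_files reads `item["defaultStatus"]` directly although get_kernel_fixed_versions already allows a missing defaultStatus; use `item.get("defaultStatus")`, and make `kfiles` a set since `f in kfiles` runs for every affected file of every CVE. (8) `Version(str(base_version) + ".5000")` as the stable-branch upper bound deserves a comment. Nits: "usptream", "Skiping", and f-strings without placeholders such as `f"No fix available upstream"`.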
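The kernel CVE triage the commit message describes (the fixed-version, cpe-stable-backport, version-in-range and not-applicable-config verdicts shown in the sample reports), worked through as an added Python example; this is not code from the patch or from oe.cve_check. It reads the same CVE JSON fields the patch reads (cveMetadata.cveID and containers.cna.affected[] with defaultStatus, versions[] and programFiles) from records constructed here with placeholder ids and made-up version numbers. The `compiled_files` set standing in for the kernel's compiled-file list, and the `Unknown` verdict for a record without a defaultStatus, are this example's own choices.

```python
"""Triage kernel CVE records against a kernel version and, optionally, the set of
source files the build compiled. Added example, not the patch's oe.cve_check code;
record layout follows the CVE JSON fields the patch reads, all data is constructed."""
import re

_VER_RE = re.compile(r"^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-?rc(\d+))?$")

def parse_version(text):
    """'6.12.22' -> (6, 12, 22, 1, 0); '6.9rc1' -> (6, 9, 0, 0, 1), which sorts before 6.9."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported kernel version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if rc else 1, int(rc or 0))

def fmt(v):  # parsed tuple back to the usual kernel spelling
    return f"{v[0]}.{v[1]}" + (f".{v[2]}" if v[2] else "") + (f"rc{v[4]}" if v[3] == 0 else "")

def _decide(entry, kv):
    """One 'affected' entry -> (vulnerable, detail, fix, first_affected), None if unusable."""
    versions = [v for v in entry.get("versions", []) if v.get("versionType") != "git"]
    if not versions:
        return None  # commit ids carry no ordering against a release number
    if entry["defaultStatus"] == "affected":
        # Everything is affected unless an 'unaffected' version says otherwise; a stable
        # backport on our own major.minor branch is preferred over the mainline fix.
        first = branch_fix = mainline_fix = None
        for ver in versions:
            v = parse_version(ver["version"])
            if ver.get("status") == "affected":
                first = v if first is None else first
            elif ver.get("status") == "unaffected":
                if ver.get("versionType") == "original_commit_for_fix":
                    mainline_fix = v
                elif v[:2] == kv[:2]:
                    branch_fix = v
        if first is not None and kv < first:
            return (False, "fixed-version", None, first)
        if branch_fix is not None and branch_fix <= kv:
            return (False, "cpe-stable-backport", branch_fix, first)
        if mainline_fix is not None and mainline_fix <= kv:
            return (False, "fixed-version", mainline_fix, first)
        return (True, "version-in-range", branch_fix or mainline_fix, first)
    # defaultStatus 'unaffected': only the explicit [version, lessThan) ranges are affected.
    ranges = [(parse_version(ver["version"]), parse_version(ver["lessThan"]))
              for ver in versions if ver.get("status") == "affected" and "lessThan" in ver]
    if not ranges:
        return None
    first = min(start for start, _ in ranges)
    inside = [end for start, end in ranges if start <= kv < end]
    if inside:
        return (True, "version-in-range", inside[0], first)
    if kv < first:
        return (False, "fixed-version", None, first)
    return (False, "fixed-version", max(end for _, end in ranges if end <= kv), first)

def classify_kernel_cve(record, kernel_version, compiled_files=None):
    """cve-check style verdict; compiled_files (tree-relative paths) enables the config check."""
    kv = parse_version(kernel_version)
    cve_id = record["cveMetadata"]["cveID"]
    entries = record["containers"]["cna"].get("affected", [])
    def result(status, detail, description):
        return {"id": cve_id, "status": status, "detail": detail, "description": description}
    decisions = [_decide(e, kv) for e in entries if "defaultStatus" in e]
    if not entries or len(decisions) != len(entries) or not any(decisions):
        return result("Unknown", "incomplete-metadata", "no defaultStatus or version ranges")
    vulnerable, detail, fix, first = next(d for d in decisions if d)
    if not vulnerable:
        verb = "Backported in" if detail == "cpe-stable-backport" else "Fixed from version"
        text = f"only affects {fmt(first)} onwards" if fix is None else f"{verb} {fmt(fix)}"
        return result("Patched", detail, text)
    # The version range says vulnerable; the build may still have left the code out.
    program_files = [f for e in entries if e["defaultStatus"] == "affected"
                     for f in e.get("programFiles", [])]
    if compiled_files is not None and program_files \
            and not any(f in compiled_files for f in program_files):
        return result("Ignored", "not-applicable-config",
                      f"Source code not compiled by config. {program_files}")
    text = "No fix available upstream" if fix is None else f"Needs backporting (fixed from {fmt(fix)})"
    return result("Unpatched", "version-in-range", text)

def _rec(cve_id, affected):  # constructed sample record in the shape read above
    return {"cveMetadata": {"cveID": cve_id}, "containers": {"cna": {"affected": affected}}}

SAMPLE_RECORDS = [  # placeholder ids and made-up versions, not real CVE content
    _rec("CVE-0000-0001", [{"defaultStatus": "affected", "programFiles": ["drivers/net/example.c"],
        "versions": [{"version": "6.10", "status": "affected", "versionType": "semver"},
                     {"version": "6.12.23", "status": "unaffected", "versionType": "semver"},
                     {"version": "6.13", "status": "unaffected", "versionType": "original_commit_for_fix"}]}]),
    _rec("CVE-0000-0002", [{"defaultStatus": "affected",
        "programFiles": ["arch/powerpc/include/asm/thread_info.h"],
        "versions": [{"version": "5.10", "status": "affected", "versionType": "semver"}]}]),
    _rec("CVE-0000-0003", [{"defaultStatus": "unaffected", "versions": [
        {"version": "6.1", "lessThan": "6.1.129", "status": "affected", "versionType": "semver"},
        {"version": "6.6", "lessThan": "6.6.78", "status": "affected", "versionType": "semver"}]}]),
    _rec("CVE-0000-0004", [{"versions": [{"version": "6.1", "status": "affected"}]}]),
]
```

Calling `classify_kernel_cve(SAMPLE_RECORDS[0], "6.12.22")` yields the Unpatched / version-in-range verdict with "Needs backporting (fixed from 6.12.23)", the same shape as the CVE-2025-39728 entry in the commit message, while a 6.12.25 kernel gets cpe-stable-backport and a 6.14 kernel gets fixed-version from the mainline fix. Passing a `compiled_files` set that lacks the record's programFiles turns a vulnerable verdict into Ignored / not-applicable-config. Release candidates sort below their final release, and a record that lists only git commit ids or no defaultStatus is reported as Unknown rather than silently treated as unaffected.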
From patchwork Tue Apr 29 14:39:04 2025
X-Patchwork-Submitter: Daniel Turull
X-Patchwork-Id: 62113
CC: Daniel Turull, Peter Marko
Subject: [PATCH v3 8/8] cve-exclusions: correct CVE_STATUS
Date: Tue, 29 Apr 2025 16:39:04 +0200
Message-ID: <20250429143904.634082-9-daniel.turull@ericsson.com>
In-Reply-To: <20250429143904.634082-1-daniel.turull@ericsson.com>
References: <20250429143904.634082-1-daniel.turull@ericsson.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/215675
From: Daniel Turull

Some old CVEs do not have proper metadata to be able to resolve them, or are wrongly assigned to the Linux kernel. The new kernel CVE handling fails to report not vulnerable for a few CVEs that were introduced in an LTS branch.

CC: Peter Marko
Signed-off-by: Daniel Turull
---
 meta/recipes-kernel/linux/cve-exclusion.inc | 31 +++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/meta/recipes-kernel/linux/cve-exclusion.inc b/meta/recipes-kernel/linux/cve-exclusion.inc
index f1b7db44b6..a80588ddeb 100644
--- a/meta/recipes-kernel/linux/cve-exclusion.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion.inc
@@ -155,3 +155,34 @@ CVE_STATUS[CVE-2023-7042] = "fixed-version: Fixed from 6.9rc1" #Fix https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7315dc1e122c85ffdfc8defffbb8f8b616c2eb1a CVE_STATUS[CVE-2024-0193] = "fixed-version: Fixed from 6.7" + +#Fix https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=6c54b7bc8a31ce0f7cc7f8deef05067df414f1d8 +CVE_STATUS[CVE-2023-53012] = "fixed-version: Fixed from 6.2rc5" + +#Fix https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=2f10d4a51bbcd938f1f02f16c304ad1d54717b96 +CVE_STATUS[CVE-2024-35788] = "fixed-version: Fixed from 6.9rc2" + +#Fix: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=c8243def299793ac6c85fdc1086089c800c1051a +CVE_STATUS[CVE-2024-57920] = "cpe-stable-backport: Backported in 6.12.10" + +#Fix: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=62b9ad7e52d4777f7e775ee1f0ad2452f6041024 +CVE_STATUS[CVE-2025-21988] = "cpe-stable-backport: Backported in 6.12.20" + +# Vulnerable code only in lts branches until 6.1.129 and 6.6.78 +CVE_STATUS[CVE-2025-40364] = "fixed-version: Fixed from 6.7" + +CVE_STATUS[CVE-2019-14899] = "cpe-incorrect: related to opevpn" + +CVE_STATUS[CVE-2021-3714] = "not-applicable-platform: specific to RHEL with securelevel patches" + +CVE_STATUS[CVE-2021-3864] = "not-applicable-platform: specific to RHEL with securelevel patches" + +CVE_STATUS[CVE-2023-3079] = "cpe-incorrect: not Linux but chrome" + +CVE_STATUS[CVE-2022-1247] = "not-applicable-platform: specific to RHEL with securelevel patches" + +CVE_STATUS[CVE-2023-3640] = "not-applicable-platform: specific to RHEL with securelevel patches" + +CVE_STATUS[CVE-2023-6238] = "not-applicable-platform: specific to RHEL with securelevel patches" + +CVE_STATUS[CVE-2023-6535] = "not-applicable-platform: specific to RHEL with securelevel patches"
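Review bot: `CVE_STATUS[CVE-2019-14899] = "cpe-incorrect: related to opevpn"` in this hunk misspells the justification (openvpn); the string is copied verbatim into the cve-check, VEX and SPDX reports, so it is worth fixing before merge. The CVE-2025-40364 entry also needs a second look: the comment says the vulnerable code is only in the LTS branches until 6.1.129 and 6.6.78, but nothing in `CVE_STATUS[CVE-2025-40364] = "fixed-version: Fixed from 6.7"` ties the entry to a kernel version, so any 6.1.y or 6.6.y recipe below those stable releases that includes this file reports the CVE as Patched although, by the comment's own account, it is not. Either keep that entry in a version-specific exclusion file or name the stable fix versions in the justification. Nit: the comment style alternates between `#Fix https://...` and `#Fix: https://...`.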