From patchwork Wed May 14 12:57:04 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Turull X-Patchwork-Id: 62933 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 82B12C3ABCC for ; Wed, 14 May 2025 13:37:00 +0000 (UTC) Received: from EUR05-DB8-obe.outbound.protection.outlook.com (EUR05-DB8-obe.outbound.protection.outlook.com [40.107.20.79]) by mx.groups.io with SMTP id smtpd.web10.102114.1747229810110090257 for ; Wed, 14 May 2025 06:36:50 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@ericsson.com header.s=selector1 header.b=uIGmWPeR; spf=pass (domain: ericsson.com, ip: 40.107.20.79, mailfrom: edaturu@ericsson.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=tXtQO/CqoGDl1ns9XHjzHMrFBgi1C91g54FmiMHFyGh7zNpIyZM/jnXcGws7/19jas/XEAUchHq3WklixV4pW+3KOygOuaVB6NLCMFbhId78hHNmpEbV5ro5EWlvFfSsafB24Ie0L8jkP1Rvx5G3kuy2+IXq1x2cEcfZFDZYrbFCFIH5QnjHIIofksoGjqpQ4vmnGQaYH3OUeFpjD28uCjWoupanQeneK50uy3sJB5dW2rXz2ynvK3/sBbGepmYcmKBui+/xT/gassfy/pdrexQfXRYWxcuT9/O/6qC9iicHF4QDQ4VMw2o3nxc7tDzZfPKzEre5fAoubNasdAftvg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=D4IB/tqYvKu3Z39WPDgO82mDlvjI90oO06ChSJPnuHg=; b=dE58jaat9oMdHJp5+rEUWLOzX26K5QXXDGxFZrpJuBXiUyWjjvTSUM+0AkOGQtZZCTgxHySmqTJivkpwBOd4HmlH9kmMSJcWlYt0RtQEo0Ur7hdgxXKspiyNkBUQGL0SZ3l+AFjRVA8l5gTykUnN5H/GtAVuKwtBm1pQ3hVulxSMv825c7jziLozO2cWOFBl9W5Oo0hbsVm1oC+EeuW7l5J8gU845cw+B55WufRSdX9lzfTcKfmfnpPOUd8J3HQ64jaJbNItt74HhBSIXPWErTdP0Lab2tsTrkE2Fv+/ZW5uYZES2zoVprdXj0oTG3ESEfogPclxJ3I1cXTZB9+pbg== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 192.176.1.74) smtp.rcpttodomain=gmail.com smtp.mailfrom=ericsson.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=ericsson.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=D4IB/tqYvKu3Z39WPDgO82mDlvjI90oO06ChSJPnuHg=; b=uIGmWPeRRb6KTGrUbpPV4+HhEA39HpUJMaqf4/w2pWShlySemE6TfcH54V7gepWtST+9qJ3ZXxl1Tri6Vx4kvqbjS+yDrBHxDdEP6po2Up1Xnbxtfux+owGO+fOBFYN+j83z9wer9AvUDwBR2H7YmkpFBm0y11nGHwSJmW1rMjrFRvVRtuKDU8p9YaJsiF7HYCpokIObAiW5m5+VpyVKu7LgQqDUUK/38c58CfJo1xbtD9ZbnJyCQn0dr/kUvu3rLEVwsedE0bmgn5Vz5QpVKfDARX97mEf3tGYGGf+ICVRhmq4q+76Br5oIaBV1fVy9+21raOjLa0btoR6JMg9ihg== Received: from AM0PR04CA0105.eurprd04.prod.outlook.com (2603:10a6:208:be::46) by DB9PR07MB10052.eurprd07.prod.outlook.com (2603:10a6:10:4cd::15) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.28; Wed, 14 May 2025 13:36:46 +0000 Received: from AMS0EPF000001B6.eurprd05.prod.outlook.com (2603:10a6:208:be:cafe::d) by AM0PR04CA0105.outlook.office365.com (2603:10a6:208:be::46) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8722.28 via Frontend Transport; Wed, 14 May 2025 13:36:46 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 192.176.1.74) smtp.mailfrom=ericsson.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=ericsson.com; Received-SPF: Pass (protection.outlook.com: domain of ericsson.com designates 192.176.1.74 as permitted sender) receiver=protection.outlook.com; client-ip=192.176.1.74; helo=oa.msg.ericsson.com; pr=C Received: from oa.msg.ericsson.com (192.176.1.74) by AMS0EPF000001B6.mail.protection.outlook.com (10.167.16.170) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.18 via Frontend Transport; Wed, 14 May 2025 13:36:46 +0000 Received: from seroius18815.sero.gic.ericsson.se (153.88.142.248) by smtp-central.internal.ericsson.com (100.87.178.64) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Wed, 14 May 2025 15:36:46 +0200 Received: from seroius08462.sero.gic.ericsson.se (seroius08462.sero.gic.ericsson.se [10.63.237.245]) by seroius18815.sero.gic.ericsson.se (Postfix) with ESMTP id D66FF410F604; Wed, 14 May 2025 14:57:22 +0200 (CEST) Received: by seroius08462.sero.gic.ericsson.se (Postfix, from userid 160155) id BEB8970E61C0; Wed, 14 May 2025 14:57:22 +0200 (CEST) From: To: CC: Daniel Turull , Joshua Watt , Peter Marko Subject: [PATCH v4 1/3] spdx: add option to include only compiled sources Date: Wed, 14 May 2025 14:57:04 +0200 Message-ID: <20250514125706.495571-2-daniel.turull@ericsson.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250514125706.495571-1-daniel.turull@ericsson.com> References: <20250514125706.495571-1-daniel.turull@ericsson.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AMS0EPF000001B6:EE_|DB9PR07MB10052:EE_ X-MS-Office365-Filtering-Correlation-Id: 81b32486-7815-462d-9ffa-08dd92ec5f78 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|376014|1800799024|36860700013|82310400026; X-Microsoft-Antispam-Message-Info: NsVYvs6q+ym/jpVTBTqbndnBBNiEFAZ8+ivP2dU+L7RKXV4QSb4LTbQSetDemuEZURPG5QTMObVFZxy0jJI9ClJ+FZFNYtj74RfUBhghUylTzwfXkqaSE6IiT5n+xtlJy/+D/aszj8LlZM7B+kgnm086TlCUwpRz2SJH5TuC5NOQatna0SXHFjn0nFE5RyzCMrwEynaGNCUhvIcFmW7dz4z5Rn5WH+nun6WPtGidK8gJDFZUDmntzfGcgHOre6HwAju6qNMuGNnMLw3FI0pqgOWmy4BtYWrKK+gvZDkNge2O+ZHBcxYTp24YmaY4rNVxXM/u2k8ZNg6q5GF0mul6qJwCNbCbwABBYqoiSprl1QWlkpuvEZWeCmGmYANh14ASNrcANK0Qo+oq8GY4X/Kk+Fum/FuC0KCR+F7JojWWvW2IszgKlGkux0tC/q0SMK+HwFii8fRjU+luftycnRZrOML+pBZqt8Bmbj4QEWctlyzBhD0VSAmwClPkeclXJwQN/cKkT3v2BZq0VKrdGf6lCQc7npnKQ+/mKcOK3JDyf8FYJuUoi5+VVFqLNt4XokoMFWuXy4onqNCpX9RvlZUgf4yltIPsm6tYmgO0HYpeUwBwu7TliwfiyukD1BlIxRbtoJ2VWIe24FIH3rTrX0P5nqldRwH5SWmQoEvRp797DAEk4pckUzsh3dbJUAHIF42+41ShCfBgEPRGzQKekHv/SNUjLgM3zsYcU4XoKVlaHCqgEdCKZmhlSHHTLuw4qPAwpyFnJHh2YJ6IVv0OXjZVVCn1dJTgb4a/JTYyQVwGnnFahlNy7Au+40UpO0/wZ5iz81VcIWPH9XKyPnqXZSqG8ym1WJOFR//KPzn7luDUZvpgqXZpeTVEhA+T2f2w0YB0Hiw5HmouZFOfVgSVFd69+qNjbHNJ/RWrWRUsLchm1LwRU6aJ7/BlSOUT/m3g5qjcGFRfEhj+mDPFQ+XZpgE/88J8sMk9Q+g5PHuDFZfw7AMzhPzOCGotlR8OGv03iH1fh68qE8Y4n/K4n/piZpT1Qc+2V/2+zdFqMRJLzPdmKSFUYPPWKVScabkjhPEZC3kGQpCS9muy13q5t1v0d4SAOYh7JlhViswGyY5jPvzk1rCR3kCKxZnfFG9a1gfDF+i9ctyUTAq/sGaN4oEBu/7gZF+EWrboA45/acOoG9SczfwkeVxm/fzfr+0i2Susv1kX7PFhuroORMKXxNxzybzzTZmwxVnpn26yDiaEfiDmTFuz5rGjMI4aUd3K2l01a8vCI5TPvR1yd2M3A4dfv0vGhGI2dcsqI6/fsjIW+gc6u4FaNk7YLZx2kHuVYGYoxKVMFTNcq9ugKr+53do3qdZUC3RcIeQH2VedxW5q+AeaYHo3eDClplEpV/QLbANHdUCRrdEzpazRX+sJLz/Y4Zy7M2FSfPyz2J/ejUcvbV+f1OnOOewdGJ7ZURWLw14dWrWDeFAvV/coJaZF7FpikIVTYg== X-Forefront-Antispam-Report: CIP:192.176.1.74;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:oa.msg.ericsson.com;PTR:office365.se.ericsson.net;CAT:NONE;SFS:(13230040)(376014)(1800799024)(36860700013)(82310400026);DIR:OUT;SFP:1101; X-OriginatorOrg: ericsson.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 May 2025 13:36:46.7389 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 81b32486-7815-462d-9ffa-08dd92ec5f78 X-MS-Exchange-CrossTenant-Id: 92e84ceb-fbfd-47ab-be52-080c6b87953f X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=92e84ceb-fbfd-47ab-be52-080c6b87953f;Ip=[192.176.1.74];Helo=[oa.msg.ericsson.com] X-MS-Exchange-CrossTenant-AuthSource: AMS0EPF000001B6.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR07MB10052 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 May 2025 13:37:00 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216493 From: Daniel Turull When SPDX_INCLUDE_COMPILED_SOURCES is enabled, only include the source code (.c) files that are used during compilation. This enables an external tool to use the SPDX information to disregard vulnerabilities that are not compiled. This commit adds the basics, so recipes can implement it own methods. CC: Joshua Watt CC: Peter Marko Signed-off-by: Daniel Turull --- meta/classes/create-spdx-2.2.bbclass | 9 ++++++++ meta/classes/spdx-common.bbclass | 3 +++ meta/lib/oe/spdx30_tasks.py | 9 ++++++++ meta/lib/oe/spdx_common.py | 33 ++++++++++++++++++++++++++++ 4 files changed, 54 insertions(+) diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass index 7e8f8b9ff5..dd8ee6ecbe 100644 --- a/meta/classes/create-spdx-2.2.bbclass +++ b/meta/classes/create-spdx-2.2.bbclass @@ -137,6 +137,11 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv spdx_files = [] file_counter = 1 + + check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1" + if check_compiled_sources: + compiled_sources = oe.spdx_common.get_compiled_sources(d) + bb.debug(1, f"Total compiled files: {len(compiled_sources)}") for subdir, dirs, files in os.walk(topdir): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): @@ -147,6 +152,10 @@ def add_package_files(d, doc, spdx_pkg, topdir, get_spdxid, get_types, *, archiv filename = str(filepath.relative_to(topdir)) if not filepath.is_symlink() and filepath.is_file(): + # Check if file is compiled + if check_compiled_sources: + if not oe.spdx_common.is_compiled_source(file, compiled_sources): + break spdx_file = oe.spdx.SPDXFile() spdx_file.SPDXID = get_spdxid(file_counter) for t in get_types(filepath): diff --git a/meta/classes/spdx-common.bbclass b/meta/classes/spdx-common.bbclass index 713a7fc651..e9dde34513 100644 --- a/meta/classes/spdx-common.bbclass +++ b/meta/classes/spdx-common.bbclass @@ -26,6 +26,9 @@ SPDX_TOOL_VERSION ??= "1.0" SPDXRUNTIMEDEPLOY = "${SPDXDIR}/runtime-deploy" SPDX_INCLUDE_SOURCES ??= "0" +SPDX_INCLUDE_COMPILED_SOURCES ??= "0" +SPDX_COMPILED_SOURCES_DIR ??= "${LOG_DIR}/spdx-compiled/${PN}" +SPDX_COMPILED_SOURCES ??= "${SPDX_FILES_DIR}/compiled_src-${BP}.txt" SPDX_UUID_NAMESPACE ??= "sbom.openembedded.org" SPDX_NAMESPACE_PREFIX ??= "http://spdx.org/spdxdocs" diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 61d7ba45e3..083e004330 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -156,6 +156,11 @@ def add_package_files( bb.note(f"Skip {topdir}") return spdx_files + check_compiled_sources = d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1" + if check_compiled_sources: + compiled_sources = oe.spdx_common.get_compiled_sources(d) + bb.debug(1, f"Total compiled files: {len(compiled_sources)}") + for subdir, dirs, files in os.walk(topdir, onerror=walk_error): dirs[:] = [d for d in dirs if d not in ignore_dirs] if subdir == str(topdir): @@ -167,6 +172,10 @@ def add_package_files( filepath = Path(subdir) / file if filepath.is_symlink() or not filepath.is_file(): continue + # Check if file is compiled + if check_compiled_sources: + if not oe.spdx_common.is_compiled_source(file, compiled_sources): + break filename = str(filepath.relative_to(topdir)) file_purposes = get_purposes(filepath) diff --git a/meta/lib/oe/spdx_common.py b/meta/lib/oe/spdx_common.py index 4caefc7673..e1b7f576dd 100644 --- a/meta/lib/oe/spdx_common.py +++ b/meta/lib/oe/spdx_common.py @@ -242,3 +242,36 @@ def fetch_data_to_uri(fd, name): uri = uri + "@" + fd.revision return uri + + +def is_compiled_source (filename, compiled_sources): + """ + Check if the file, is a compiled file + """ + import os + # If we don't have compiled source, we asume all are compiled. + if len(compiled_sources) == 0: + return True + _, extension = os.path.splitext(filename) + # Special case, that we need to ignore, since this is not a source file + # We filter .c files + if filename.rfind(".mod.c") > 0 or extension != ".c": + return True + # Check that the c file is in the list + if filename in compiled_sources: + return True + return False + +def get_compiled_sources(d): + """ + Return compiled files from the SPDX_COMPILED_FILES file + """ + cfiles = [] + sources = d.getVar('SPDX_COMPILED_SOURCES') + if not sources: + return cfiles + if not os.path.isfile(sources): + return cfiles + with open(sources, 'r') as f: + cfiles = [line.strip() for line in f] + return cfiles From patchwork Wed May 14 12:57:05 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Turull X-Patchwork-Id: 62993 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 9AE13C3ABDA for ; Thu, 15 May 2025 01:25:55 +0000 (UTC) Received: from EUR05-AM6-obe.outbound.protection.outlook.com (EUR05-AM6-obe.outbound.protection.outlook.com [40.107.22.43]) by mx.groups.io with SMTP id smtpd.web11.3461.1747272351110839759 for ; Wed, 14 May 2025 18:25:51 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@ericsson.com header.s=selector1 header.b=ZbXK5xIi; spf=pass (domain: ericsson.com, ip: 40.107.22.43, mailfrom: edaturu@ericsson.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=U97p5OfAYJQyrxBqjtNfOKG+txmFNUGDMboJz6PtUYja/24gGOhKi88GFgF7xdjw+uFoPLbc+OMXhUpVqW49VwakZIDO5bHufaCMPGQvgd5m42dcIO/waV0VI9FqvCgHkqMdoTFEpoiHJkBuCCm3H3gWC8CF4MzzVTc2JpqlFQnx9mJUIwNnztobUOR2GJvQu0HZXqNuUTG+bo+yzCmJywdo7Ey/Qqi+0TEulOIbarnHh3joseNPLoAiIMVF43bHSytN+7hjaWwlufF9wmDdWBPqWfL08J1DtnoK4RI4EJ1F5ZJG3Pq+5FIbARlh4mLgRL3ke3SI+lITHaTwwjRyIg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=r0XZBT+CcBsku8vVTZ1kS3EbkLEq6kMOnnbdoJkkKcc=; b=mHnapQGFKXr2/pH/BdvwokmgGnmttfdoal+k6HO1rhI9jUydTwDH2gVL+wv4vX/CraZM2uhHUOhlezYLsUqz/Bp0YxbCoWrqW35InUU/ba1V7BSloJDRlDzYhhyph/F5sFeRuAO/YEeRWym57SmfHlTSZarbos6tGkvH7ONPMu0eGQzL5j30VtBVAiS/cmG4f/YooYcAWvkliafV+GJ/tecw+3pFy0qxqyq28s/n0ua7FSrxYIQrMf8hzeAtCZ89YF7kt+0Wqi4mgB5iJl2ihHnjWfMJ1rEStDBOMVsqk7MQUvEbLAc57olv6GsH7E5Zj9YMqOABGFz6qXXYU8Sxvw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 192.176.1.74) smtp.rcpttodomain=gmail.com smtp.mailfrom=ericsson.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=ericsson.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=r0XZBT+CcBsku8vVTZ1kS3EbkLEq6kMOnnbdoJkkKcc=; b=ZbXK5xIif1AI2LAe78Yj+uPCBfBpk0H2RbLKphwUVjQsYYajWs6t63W+xvqPecjJPLSNj6fiN7pxmwEkFB8+31FEmYRmGKjt6U2Hut4U7AucDR/G88QyAL9MTpgCQtihfzrGHzxyj3GW1BK9IFclfKk5uf38huOC1yRegvVfbLOJ1GZ6JQs+PS0eKIRoG723ck1Q1xH3+2LVbfOoQOMRuoj/wphfjJQ4vOYv4iF6VL1ZEAkWTphY6RKH8wA/4LwIpJLRISltFmR5IW9DPd06VAkhpnjz2TAcy3MIr2Er7VH15w59DmVWJLH4TF4xANNfPTr4OF9bJ057fjTLe/B3nw== Received: from DB8PR06CA0024.eurprd06.prod.outlook.com (2603:10a6:10:100::37) by DB9PR07MB7098.eurprd07.prod.outlook.com (2603:10a6:10:1fa::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.30; Thu, 15 May 2025 01:25:43 +0000 Received: from DU2PEPF00028D03.eurprd03.prod.outlook.com (2603:10a6:10:100:cafe::94) by DB8PR06CA0024.outlook.office365.com (2603:10a6:10:100::37) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8722.20 via Frontend Transport; Thu, 15 May 2025 01:25:43 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 192.176.1.74) smtp.mailfrom=ericsson.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=ericsson.com; Received-SPF: Pass (protection.outlook.com: domain of ericsson.com designates 192.176.1.74 as permitted sender) receiver=protection.outlook.com; client-ip=192.176.1.74; helo=oa.msg.ericsson.com; pr=C Received: from oa.msg.ericsson.com (192.176.1.74) by DU2PEPF00028D03.mail.protection.outlook.com (10.167.242.187) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.18 via Frontend Transport; Thu, 15 May 2025 01:25:43 +0000 Received: from seroius18815.sero.gic.ericsson.se (153.88.142.248) by smtp-central.internal.ericsson.com (100.87.178.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Thu, 15 May 2025 03:25:35 +0200 Received: from seroius08462.sero.gic.ericsson.se (seroius08462.sero.gic.ericsson.se [10.63.237.245]) by seroius18815.sero.gic.ericsson.se (Postfix) with ESMTP id 82B8B410FCB1; Wed, 14 May 2025 14:57:28 +0200 (CEST) Received: by seroius08462.sero.gic.ericsson.se (Postfix, from userid 160155) id 6AB6F70E61C0; Wed, 14 May 2025 14:57:28 +0200 (CEST) From: To: CC: Daniel Turull , Marta Rybczynska , Bruce Ashfield , "Peter Marko" Subject: [PATCH v4 2/3] kernel: add support to extract compiled files Date: Wed, 14 May 2025 14:57:05 +0200 Message-ID: <20250514125706.495571-3-daniel.turull@ericsson.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250514125706.495571-1-daniel.turull@ericsson.com> References: <20250514125706.495571-1-daniel.turull@ericsson.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU2PEPF00028D03:EE_|DB9PR07MB7098:EE_ X-MS-Office365-Filtering-Correlation-Id: b1aae62b-09d2-4f55-9a75-08dd934f693b X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700013|82310400026|376014; X-Microsoft-Antispam-Message-Info: 0WaPxyk6VmYRwfckc6nEJKFtgUY+QWHfLxsUROIKQDqT8fQio/AQKecfsRjO/tABDiN+CHx8rahcX1MmCUO4uQ++sYDeYLVaggGHnq0FQgNjdeKl33XJlrdcJuLjgvh837ua1eFQbKOrqPe9ktz1zQmkTr0/5vjeUDEgN1cOReikZmb8Jg7eBf0jyvoP6QPQOlPH4Iaq6j0AB2Dh6GVCdnpIeVUClEChE2GWpiPO3dXUg4wuf+EQblNIXM7wbbMiRk46nMJ/e06vInh5DLw9UgRwuFc2ZpdMFVOLqzLnhIsgpAsSt7MNWYEvIkUKjopQx2tmB0mxqJUdUKYeZTjYQ7pEC8olsTFLq4X5kPMfgQobcKsS72Y8tdSJRQOqLuLq668d8q/x8ASWKj3LVmIz9JHUcEcc84FH7X2Ag+ABMsitq8VHCpw6FhR/KdI9PRg7DrY117x3aTsTMIgPMAIqW6p/M0KgasFOWrY80NcEh10R1QVG4Rwa79RUfk+846NdjFsOkW2GsnQUc5yl1Eiino63VOL4KxeIR8JcPzy+M+TH2xTGdaViUD2QENTTGqbqGJFj/iYiTcFvToTzKHpyGm/fVmB2yJjNdNKTBFNYd/cEbGe+iBVBkUZZ6Xx0/IQS/3Z9uIw6NkVANXk3S/luJ7otAYKLaaorD5OdZO58Ug/8Ur89Q8FtbjBZeeDMf4FgU/ZS5j6AHJ/kEP5bYwH4/Himaqjc74tqsJ3Y+YJbK/xGsnC8gTHyUCAO6WcC+IAFxv4B2iVIJXVMJcn3LhyqNDyHhrGC/CoBgOT0OxnSKdPoKGDt70SWNEHd0CLIqsbTULzmnfFqD3UIlm1aGf3QWZzccUat3E5rnbkutPSx9g97RdJuLxIlv2eyxHbEq2Of8Xvtjs4Lx5brsHMby4EapNt0LvJXRrqAr6K75773QH5NjhPei1oJU7aMW5yLwaPdbpaCfFloBzqCB/+tQq34Pf0e1Hm5YjWyZxevBlTwrG3UTHazLDCSEvVDH3Cjx2nqmTkYN1LcIDYiJ9XY5BOrcp2Ic2EvUclkfyp2oV/u9FsStaW0SSEb5Yanng/+m4VCdcNGsF/7nSvsx5woVokAPqHSjtnvLzCVCB6Q02OVA7lFelpE0jU5eVQvaEHk6N4cI99ptiKYyjKzyqhZ9XzKtwQfgDvCKzjr2JI8BVgoyy9DZUHD7FDwoSu03/kE6uR/wCpdXj2aGvfL9u9F5jJEC4Eg5Ek74DtD9MnQJoOLX5uhOru2nm7nkG07ssxz5QE9FhbgZMHvQXxmaYaNbuTG72pkz6nJkQSCu1SOyVANEF3NZHOS9Spb7GzHHN05GZZQSnc8Pkb6F0lkzox8qRrUGcwPSybOIGixIbZ+E3mbcE3LwmR+T92InilEn/UeUPtD0x946h0p2BRc17YSKwVHgECmC7Ei/bKXW10uTxqrJV3SLDkQXcFCIyhxi9iW+eb6F/u/any4xUu48oJyJ1jEfoDPmo7hDOkJZ82wfNXyVJ2AN1/ZUldS/P/XjgweCnHk X-Forefront-Antispam-Report: CIP:192.176.1.74;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:oa.msg.ericsson.com;PTR:office365.se.ericsson.net;CAT:NONE;SFS:(13230040)(1800799024)(36860700013)(82310400026)(376014);DIR:OUT;SFP:1101; X-OriginatorOrg: ericsson.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 May 2025 01:25:43.2825 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: b1aae62b-09d2-4f55-9a75-08dd934f693b X-MS-Exchange-CrossTenant-Id: 92e84ceb-fbfd-47ab-be52-080c6b87953f X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=92e84ceb-fbfd-47ab-be52-080c6b87953f;Ip=[192.176.1.74];Helo=[oa.msg.ericsson.com] X-MS-Exchange-CrossTenant-AuthSource: DU2PEPF00028D03.eurprd03.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR07MB7098 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 15 May 2025 01:25:55 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216564 From: Daniel Turull Use gen_compile_commands.py to extract files used during compilation for the used kernel configuration. To enable set SPDX_INCLUDED_COMPILED_SOURCES="1" The location can be controlled with KERNEL_FILES_DIR CC: Marta Rybczynska CC: Bruce Ashfield CC: Peter Marko Signed-off-by: Daniel Turull --- meta/classes-recipe/kernel.bbclass | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/meta/classes-recipe/kernel.bbclass b/meta/classes-recipe/kernel.bbclass index 36ce659762..acef8b86ce 100644 --- a/meta/classes-recipe/kernel.bbclass +++ b/meta/classes-recipe/kernel.bbclass @@ -159,6 +159,9 @@ set -e image_task = d.getVar('INITRAMFS_TASK') if image_task: d.appendVarFlag('do_configure', 'depends', ' ${INITRAMFS_TASK}') + if d.getVar("SPDX_INCLUDE_COMPILED_SOURCES") == "1": + bb.build.addtask('do_save_compiled_files', 'do_build', 'do_compile do_compile_kernelmodules', d) + d.appendVarFlag('do_create_spdx', 'depends', f'{pn}:do_save_compiled_files') } # Here we pull in all various kernel image types which we support. @@ -867,3 +870,19 @@ EXPORT_FUNCTIONS do_deploy # Add using Device Tree support inherit kernel-devicetree + +# in case we don't use spdx bbclass +SPDX_COMPILED_SOURCES_DIR ?= "${LOG_DIR}/spdx-compiled/${PN}" +SPDX_COMPILED_SOURCES ?= "${SPDX_COMPILED_SOURCES_DIR}/compiled_src-${MACHINE}-${BP}.txt" + +KERNEL_COMPILED_FILES ?= "${SPDX_COMPILED_SOURCES_DIR}/compiled_commands-${MACHINE}-${BP}.json" + +do_save_compiled_files() { + bbdebug 1 "Saving compiled files in ${SPDX_COMPILED_SOURCES}" + mkdir -p ${SPDX_COMPILED_SOURCES_DIR} + ${S}/scripts/clang-tools/gen_compile_commands.py -o ${KERNEL_COMPILED_FILES} -d ${B} + # Make paths releative to the kernel source + sed -i 's|${B}/||g' ${KERNEL_COMPILED_FILES} + sed -i 's|${S}/||g' ${KERNEL_COMPILED_FILES} + grep '"file": ' ${KERNEL_COMPILED_FILES} | awk '{print $2}' | tr -d '"' > ${SPDX_COMPILED_SOURCES} +} From patchwork Wed May 14 12:57:06 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Turull X-Patchwork-Id: 62932 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 56550C3ABD8 for ; Wed, 14 May 2025 12:57:40 +0000 (UTC) Received: from EUR05-AM6-obe.outbound.protection.outlook.com (EUR05-AM6-obe.outbound.protection.outlook.com [40.107.22.44]) by mx.groups.io with SMTP id smtpd.web11.101791.1747227458372931785 for ; Wed, 14 May 2025 05:57:38 -0700 Authentication-Results: mx.groups.io; dkim=fail reason="dkim: body hash did not verify" header.i=@ericsson.com header.s=selector1 header.b=a3IEOkMR; spf=pass (domain: ericsson.com, ip: 40.107.22.44, mailfrom: edaturu@ericsson.com) ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=IsEzC+TUwy4Dc5YLb4sp/DskPd9797IXZP40taXwtlGx05HE3r+4Gqp0GRKMwgN1aP4F0p7gEmlym0ss/HRUNTeMxRI6hX0oPQtPn0hzZpr21nClfcFoID5YqCFh+/DxL2RQM4hXk2dcvEG5g2q7OuHv9xrwrdpumzy+xxKq+UFmXFbbtAQ+2olKIvOZpz0S4ypfE/DiQBXJ5FxA5uDT8cgZSI7GI6gdWe491tjkisfc+nOs/mJDKasd1D5x8FyrDkfqOfDHxFPn5XQ1tXqnhDLOuqbQiQoxwpCIMIsTq9YnULvnThUJbuZF9LTiKYZBnPn2bApfDoxfbPffcvH9dQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=t9SCgQtKh7Nll8oFBtC9HaW6XwG6j3XuDltqnZFCxVk=; b=MbbTevTJ1Ctu6chr5M+FTkxmkIeDV1TG4mzNlxV3juTJAjC+t+vz/hhfc3QcXeEyCnQQzuxbHo3g5CaSY4IMhdutXx1UeFHQgUShKgfePLou4uNsu/BS75fFAO2xUmt3wWwnAzjOCIA21a1qd37Ti6lm0PD/iKidW6TrWnlkGNjowWcqTDYQjrwunfDgvz0Ab0vDvZx85aV9dykHb48FQB7+kUOuTgKAmbsuUrYksxtcqAfuCscFC5kXBteSTJqW/Sln4wupMWrwdDS+pncfQLth409afH2uSczQv4PwTRH1g/+L+HCes1d+//Xo+5UD1eTE5JfZfLFB9xMIDjawJw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass (sender ip is 192.176.1.74) smtp.rcpttodomain=gmail.com smtp.mailfrom=ericsson.com; dmarc=pass (p=reject sp=reject pct=100) action=none header.from=ericsson.com; dkim=none (message not signed); arc=none (0) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=t9SCgQtKh7Nll8oFBtC9HaW6XwG6j3XuDltqnZFCxVk=; b=a3IEOkMRKt6t0N1mLXcZ9lLtn/bAl+Tdg1DekeQW6Tpc4Odhl2+6pdK6Tftv/CAX6MmZRiq/ighTFKdT0iCRIac8CowFNF21BYQrvyExVL0UtfHBy5BOdamaj10ANbFTonrHuvFX4OzaS930m5d80LQW6KWqjDXarCpCCguSWSNY5G2EczU+7CQHhoU2s0m3TEUKmqMqbb3TeJ8mwyKSQZfvzvNuRtm3woPssGKRJQPGPTZpTb3vtXF8DeqX4BtpVXWjC42CPw5EF3cHnoIKNILbjfX5M+2rQ2FeGEgPT1yTcbrCXxN1T2IaXMQ7Z84n0rsBH3eGqFx/V9ozLZqixg== Received: from AM8P251CA0024.EURP251.PROD.OUTLOOK.COM (2603:10a6:20b:21b::29) by PAWPR07MB9830.eurprd07.prod.outlook.com (2603:10a6:102:38d::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.30; Wed, 14 May 2025 12:57:34 +0000 Received: from AMS0EPF0000019B.eurprd05.prod.outlook.com (2603:10a6:20b:21b:cafe::fe) by AM8P251CA0024.outlook.office365.com (2603:10a6:20b:21b::29) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.8722.23 via Frontend Transport; Wed, 14 May 2025 12:57:34 +0000 X-MS-Exchange-Authentication-Results: spf=pass (sender IP is 192.176.1.74) smtp.mailfrom=ericsson.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=ericsson.com; Received-SPF: Pass (protection.outlook.com: domain of ericsson.com designates 192.176.1.74 as permitted sender) receiver=protection.outlook.com; client-ip=192.176.1.74; helo=oa.msg.ericsson.com; pr=C Received: from oa.msg.ericsson.com (192.176.1.74) by AMS0EPF0000019B.mail.protection.outlook.com (10.167.16.247) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8722.18 via Frontend Transport; Wed, 14 May 2025 12:57:34 +0000 Received: from seroius18813.sero.gic.ericsson.se (153.88.142.248) by smtp-central.internal.ericsson.com (100.87.178.62) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.1544.14; Wed, 14 May 2025 14:57:33 +0200 Received: from seroius08462.sero.gic.ericsson.se (seroius08462.sero.gic.ericsson.se [10.63.237.245]) by seroius18813.sero.gic.ericsson.se (Postfix) with ESMTP id 75FCA16E64D; Wed, 14 May 2025 14:57:33 +0200 (CEST) Received: by seroius08462.sero.gic.ericsson.se (Postfix, from userid 160155) id 63FA670E61C0; Wed, 14 May 2025 14:57:33 +0200 (CEST) From: To: CC: Daniel Turull , Peter Marko , Marta Rybczynska Subject: [PATCH v4 3/3] improve_kernel_cve_report: add script for postprocesing of kernel CVE data Date: Wed, 14 May 2025 14:57:06 +0200 Message-ID: <20250514125706.495571-4-daniel.turull@ericsson.com> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250514125706.495571-1-daniel.turull@ericsson.com> References: <20250514125706.495571-1-daniel.turull@ericsson.com> MIME-Version: 1.0 X-EOPAttributedMessage: 0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: AMS0EPF0000019B:EE_|PAWPR07MB9830:EE_ X-MS-Office365-Filtering-Correlation-Id: 873922fb-b529-4696-a7a4-08dd92e6e530 X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|1800799024|36860700013|376014|82310400026|13003099007; X-Microsoft-Antispam-Message-Info: lGqVOmDq7w6+QnQ69B3yK0+EZaZkA2CUNtDLMFgwBEfEtSnkPomAvu3iaLerAy9zmQPtSXCQ2hC6RBlDxxlDaoP/B/e7bIHAY7d/JUAr6YA4+1H1uJvgQ+3g6a8Jzau1sNHeVIOn2crRaNJTy5oZLDDbW43Ocev9piE+5J7blJwtJgofC3Gl5DeJbUaXj94yylhRl8Ri44BjXZAU9eGm9wZ9nxllv2earV75S+mZjoLHq6WVZgdlVdKafu2y03zUA9VttuxEfR79CjwqS2RgLGzu78N5z6MmmDxVESRHJ6PoirMtmrML8kk94ydx+awqKKkt3dVaUWZkgYLMmd3WVZFO7FNai/7JDyPe4vA9aMO9oriR49hpzHOXAR3BYcSJTgMwDPvvlX+9mC5oJHN9RfMdjboWzr6dyPuj6lV2lXa+Z/yqBK0XG9713eZO0hnfNbu7icpFKCY/RwZWIGZNSrc+edC3HmEamY7atjcZrIJ6dOaVjBqTDZNeX470u/M7s4uZao7v25qwMT0d1f2UTFRFrBhNuR3YQnuyf0DrmNNEbKS6xxG7+bU2LpkmW4h5Xx+VEecSOWS1G5fnqqMs75KqP3FsenhMG9qk3fRCQXN0sYVc4qj3WUYWEScZ/GqviGerfXOeVxs6QtPaiHpQ6WVRMtua0HHbbkydsPGMABv1r4gabrCBgGcJEn3xADPOUCJBN26xGKlw9TBGsT0nPhw8c8ozF2HuLMm4Y6INGe6j08qSSW8ENCa0Hj3+vhpwftFutLOCo3WWO7WxTZOeVwcGGbuV3b86NUvl0Akgp4AK8tduOCN/n5vKQLbWRk66RcIZxVPnNP5VTCFGRG5zqX7gTLIrydU9D7F6WAygv9jbHhKhSYFrDQiicB3sy/DXKqdzQSG8xY8+UPotUppHOH6VFTYZ2TvCkYJ2blaCcH1J6fYgfWn1wmxR3gSr0ZZQtjLUp7BWIofmORMs8/O7XQfIbO8HEXNznvXEKdFjYLyW8CrA40t3d2kEBPZiCu5hwr20jwP1QGQe1msgMPRjID3EG30V9Qht+fxAbf/7wHmqDRIWzXVHR9IRNTtDPLkb6IwFMjg8wsJRKXXutVdpQpjPEBnvazzF0zgoBieyRTeTJ67JKuTRCGCC3vHJo0kIYra4gQ8rigucbj2PLjcmlft1qoUgouQu2YYC0uMi5Guf1KrEDHqHDu5Z2U5ZEK0Lgb/C4+qjjPz5olaUm5JpLMwD87wCLKeSaFTocciOBW8BHYFN2Ky2C1p12P5usD2qXNwo1QapSAdzxzIpbzG5F1L1hV+OhV5inojOhRycDYNqtXE+ghTeyPtGT57JzctkKF6toiU9WHzK3uShZs9fWxFob+iGTyRgptYFMadds2Vf75oVOLF7NfE8w/oOiwbV++FF4LUQ57e6n8/e6/JLCkK08NgpcaKOiUHmsMs2BBjcd/mR5j4r00kdb9eP4/kr1PXegbiQHOhXMSp/lG5q+Q== X-Forefront-Antispam-Report: CIP:192.176.1.74;CTRY:SE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:oa.msg.ericsson.com;PTR:office365.se.ericsson.net;CAT:NONE;SFS:(13230040)(1800799024)(36860700013)(376014)(82310400026)(13003099007);DIR:OUT;SFP:1101; X-OriginatorOrg: ericsson.com X-MS-Exchange-CrossTenant-OriginalArrivalTime: 14 May 2025 12:57:34.1100 (UTC) X-MS-Exchange-CrossTenant-Network-Message-Id: 873922fb-b529-4696-a7a4-08dd92e6e530 X-MS-Exchange-CrossTenant-Id: 92e84ceb-fbfd-47ab-be52-080c6b87953f X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=92e84ceb-fbfd-47ab-be52-080c6b87953f;Ip=[192.176.1.74];Helo=[oa.msg.ericsson.com] X-MS-Exchange-CrossTenant-AuthSource: AMS0EPF0000019B.eurprd05.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAWPR07MB9830 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 May 2025 12:57:40 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/216491 From: Daniel Turull Adding postprocessing script to process data from linux CNA that includes more accurate metadata and it is updated directly by the source. Example of enhanced CVE from a report from cve-check: { "id": "CVE-2024-26710", "status": "Ignored", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710", "summary": "In the Linux kernel, the following vulnerability [...]", "scorev2": "0.0", "scorev3": "5.5", "scorev4": "0.0", "modified": "2025-03-17T15:36:11.620", "vector": "LOCAL", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "detail": "not-applicable-config", "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']" }, And same from a report generated with vex: { "id": "CVE-2024-26710", "status": "Ignored", "link": "https://nvd.nist.gov/vuln/detail/CVE-2024-26710", "detail": "not-applicable-config", "description": "Source code not compiled by config. ['arch/powerpc/include/asm/thread_info.h']" }, For unpatched CVEs, provide more context in the description: Tested with 6.12.22 kernel { "id": "CVE-2025-39728", "status": "Unpatched", "link": "https://nvd.nist.gov/vuln/detail/CVE-2025-39728", "summary": "In the Linux kernel, the following vulnerability has been [...], "scorev2": "0.0", "scorev3": "0.0", "scorev4": "0.0", "modified": "2025-04-21T14:23:45.950", "vector": "UNKNOWN", "vectorString": "UNKNOWN", "detail": "version-in-range", "description": "Needs backporting (fixed from 6.12.23)" }, CC: Peter Marko CC: Marta Rybczynska Signed-off-by: Daniel Turull --- scripts/contrib/improve_kernel_cve_report.py | 437 +++++++++++++++++++ 1 file changed, 437 insertions(+) create mode 100755 scripts/contrib/improve_kernel_cve_report.py diff --git a/scripts/contrib/improve_kernel_cve_report.py b/scripts/contrib/improve_kernel_cve_report.py new file mode 100755 index 0000000000..d1ce694c5f --- /dev/null +++ b/scripts/contrib/improve_kernel_cve_report.py @@ -0,0 +1,437 @@ +#! /usr/bin/env python3 +# +# Copyright OpenEmbedded Contributors +# +# The script uses another source of CVE information from linux-vulns +# to enrich the cve-summary from cve-check or vex. +# It can also use the list of compiled files to ignore CVEs that are not +# affected since the files are not compiled. +# +# It creates a new json file with updated CVE information +# +# Compiled files can be extracted adding the following in local.conf +# SPDX_INCLUDE_COMPILED_SOURCES:pn-linux-yocto = "1" +# +# Tested with the following CVE sources: +# - https://git.kernel.org/pub/scm/linux/security/vulns.git +# - https://github.com/CVEProject/cvelistV5 +# +# Example: +# python3 ./openembedded-core/scripts/contrib/improve_kernel_cve_report.py -s build/tmp/log/spdx-compiled/kernel_files/compiled_src-qemux86-64-linux-yocto-6.12.27+git.txt --kernel-version 6.12.27 --datadir ./vulns +# python3 ./openembedded-core/scripts/contrib/improve_kernel_cve_report.py -s build/tmp/log/spdx-compiled/linux-yocto/compiled_src-qemux86-64-linux-yocto-6.12.27+git.txt --datadir ./vulns --old-cve-report build/tmp/log/cve/cve-summary.json +# +# SPDX-License-Identifier: GPLv2 + +import argparse +import json +import sys +import logging +import glob +import os +import pathlib +from packaging.version import Version + +def is_linux_cve(cve_info): + '''Return true is the CVE belongs to Linux''' + if not "affected" in cve_info["containers"]["cna"]: + return False + for affected in cve_info["containers"]["cna"]["affected"]: + if not "product" in affected: + return False + if affected["product"] == "Linux" and affected["vendor"] == "Linux": + return True + return False + +def get_kernel_cves(datadir, compiled_files, version): + """ + Get CVEs for the kernel + """ + cves = {} + + check_config = len(compiled_files) > 0 + + base_version = Version(f"{version.major}.{version.minor}") + + # Check all CVES from kernel vulns + pattern = os.path.join(datadir, '**', "CVE-*.json") + cve_files = glob.glob(pattern, recursive=True) + not_applicable_config = 0 + fixed_as_later_backport = 0 + vulnerable = 0 + not_vulnerable = 0 + for cve_file in sorted(cve_files): + cve_info = {} + with open(cve_file, "r", encoding='ISO-8859-1') as f: + cve_info = json.load(f) + + if len(cve_info) == 0: + logging.error("Not valid data in %s. Aborting", cve_file) + break + + if not is_linux_cve(cve_info): + continue + cve_id = os.path.basename(cve_file)[:-5] + description = cve_info["containers"]["cna"]["descriptions"][0]["value"] + if cve_file.find("rejected") >= 0: + logging.debug("%s is rejected by the CNA", cve_id) + cves[cve_id] = { + "id": cve_id, + "status": "Ignored", + "detail": "rejected", + "summary": description, + "description": f"Rejected by CNA" + } + continue + if any(elem in cve_file for elem in ["review", "reverved", "testing"]): + continue + + is_vulnerable, first_affected, last_affected, better_match_first, better_match_last, affected_versions = get_cpe_applicability(cve_info, version) + + logging.debug("%s: %s (%s - %s) (%s - %s)", cve_id, is_vulnerable, better_match_first, better_match_last, first_affected, last_affected) + + if is_vulnerable is None: + logging.warning("%s doesn't have good metadata", cve_id) + if is_vulnerable: + is_affected = True + affected_files = [] + if check_config: + is_affected, affected_files = check_kernel_compiled_files(compiled_files, cve_info) + + if not is_affected and len(affected_files) > 0: + logging.debug( + "%s - not applicable configuration since affected files not compiled: %s", + cve_id, affected_files) + cves[cve_id] = { + "id": cve_id, + "status": "Ignored", + "detail": "not-applicable-config", + "summary": description, + "description": f"Source code not compiled by config. {affected_files}" + } + not_applicable_config +=1 + # Check if we have backport + else: + if not better_match_last: + fixed_in = last_affected + else: + fixed_in = better_match_last + logging.debug("%s needs backporting (fixed from %s)", cve_id, fixed_in) + cves[cve_id] = { + "id": cve_id, + "status": "Unpatched", + "detail": "version-in-range", + "summary": description, + "description": f"Needs backporting (fixed from {fixed_in})" + } + vulnerable += 1 + if (better_match_last and + Version(f"{better_match_last.major}.{better_match_last.minor}") == base_version): + fixed_as_later_backport += 1 + # Not vulnerable + else: + if not first_affected: + logging.debug("%s - not known affected %s", + cve_id, + better_match_last) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "version-not-in-range", + "summary": description, + "description": "No CPE match" + } + not_vulnerable += 1 + continue + backport_base = Version(f"{better_match_last.major}.{better_match_last.minor}") + if version < first_affected: + logging.debug('%s - fixed-version: only affects %s onwards', + cve_id, + first_affected) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "fixed-version", + "summary": description, + "description": f"only affects {first_affected} onwards" + } + not_vulnerable += 1 + elif last_affected <= version: + logging.debug("%s - fixed-version: Fixed from version %s", + cve_id, + last_affected) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "fixed-version", + "summary": description, + "description": f"fixed-version: Fixed from version {last_affected}" + } + not_vulnerable += 1 + elif backport_base == base_version: + logging.debug("%s - cpe-stable-backport: Backported in %s", + cve_id, + better_match_last) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "cpe-stable-backport", + "summary": description, + "description": f"Backported in {better_match_last}" + } + not_vulnerable += 1 + else: + logging.debug("%s - version not affected %s", cve_id, str(affected_versions)) + cves[cve_id] = { + "id": cve_id, + "status": "Patched", + "detail": "version-not-in-range", + "summary": description, + "description": f"Range {affected_versions}" + } + not_vulnerable += 1 + + logging.info("Total CVEs ignored due to not applicable config: %d", not_applicable_config) + logging.info("Total CVEs not vulnerable due version-not-in-range: %d", not_vulnerable) + logging.info("Total vulnerable CVEs: %d", vulnerable) + + logging.info("Total CVEs already backported in %s: %s", base_version, + fixed_as_later_backport) + return cves + +def read_compiled_files(compiled_file_data): + """ + Open and return list of compiled files + """ + kfiles = [] + with open(compiled_file_data, 'r', encoding='ISO-8859-1') as f: + kfiles = [line.strip() for line in f] + return kfiles + +def check_kernel_compiled_files(compiled_files, cve_info): + """ + Return if a CVE affected us depending on compiled files + """ + files_affected = [] + is_affected = False + + for item in cve_info['containers']['cna']['affected']: + if "programFiles" in item: + for f in item['programFiles']: + if f not in files_affected: + files_affected.append(f) + + if len(files_affected) > 0: + for f in files_affected: + if f in compiled_files: + logging.debug("File match: %s", f) + is_affected = True + return is_affected, files_affected + +def get_cpe_applicability(cve_info, v): + ''' + Check if version is affected and return affected versions + ''' + base_branch = Version(f"{v.major}.{v.minor}") + affected = [] + if not 'cpeApplicability' in cve_info["containers"]["cna"]: + return None, None, None, None, None, None + + for nodes in cve_info["containers"]["cna"]["cpeApplicability"]: + for node in nodes.values(): + vulnerable = False + matched_branch = False + first_affected = Version("5000") + last_affected = Version("0") + better_match_first = Version("0") + better_match_last = Version("5000") + + if len(node[0]['cpeMatch']) == 0: + first_affected = None + last_affected = None + better_match_first = None + better_match_last = None + + for cpe_match in node[0]['cpeMatch']: + version_start_including = Version("0") + version_end_excluding = Version("0") + if 'versionStartIncluding' in cpe_match: + version_start_including = Version(cpe_match['versionStartIncluding']) + else: + version_start_including = Version("0") + # if versionEndExcluding is missing we are in a branch, which is not fixed. + if "versionEndExcluding" in cpe_match: + version_end_excluding = Version(cpe_match["versionEndExcluding"]) + else: + # if versionEndExcluding is missing we are in a branch, which is not fixed. + version_end_excluding = Version( + f"{version_start_including.major}.{version_start_including.minor}.5000" + ) + affected.append(f" {version_start_including}-{version_end_excluding}") + # Detect if versionEnd is in fixed in base branch. It has precedence over the rest + branch_end = Version(f"{version_end_excluding.major}.{version_end_excluding.minor}") + if branch_end == base_branch: + if version_start_including <= v < version_end_excluding: + vulnerable = cpe_match['vulnerable'] + # If we don't match in our branch, we are not vulnerable, + # since we have a backport + matched_branch = True + better_match_first = version_start_including + better_match_last = version_end_excluding + if version_start_including <= v < version_end_excluding and not matched_branch: + if version_end_excluding < better_match_last: + better_match_first = max(version_start_including, better_match_first) + better_match_last = min(better_match_last, version_end_excluding) + vulnerable = cpe_match['vulnerable'] + matched_branch = True + + first_affected = min(version_start_including, first_affected) + last_affected = max(version_end_excluding, last_affected) + # Not a better match, we use the first and last affected instead of the fake .5000 + if vulnerable and better_match_last == Version(f"{base_branch}.5000"): + better_match_last = last_affected + better_match_first = first_affected + return vulnerable, first_affected, last_affected, better_match_first, better_match_last, affected + +def copy_data(old, new): + '''Update dictionary with new entries, while keeping the old ones''' + for k in new.keys(): + old[k] = new[k] + return old + +# Function taken from cve_check.bbclass. Adapted to cve fields +def cve_update(cve_data, cve, entry): + # If no entry, just add it + if cve not in cve_data: + cve_data[cve] = entry + return + # If we are updating, there might be change in the status + if cve_data[cve]['status'] == "Unknown": + cve_data[cve] = copy_data(cve_data[cve], entry) + return + if cve_data[cve]['status'] == entry['status']: + return + if entry['status'] == "Unpatched" and cve_data[cve]['status'] == "Patched": + logging.warning("CVE entry %s update from Patched to Unpatched from the scan result", cve) + cve_data[cve] = copy_data(cve_data[cve], entry) + return + if entry['status'] == "Patched" and cve_data[cve]['status'] == "Unpatched": + logging.warning("CVE entry %s update from Unpatched to Patched from the scan result", cve) + cve_data[cve] = copy_data(cve_data[cve], entry) + return + # If we have an "Ignored", it has a priority + if cve_data[cve]['status'] == "Ignored": + logging.debug("CVE %s not updating because Ignored", cve) + return + # If we have an "Ignored", it has a priority + if entry['status'] == "Ignored": + cve_data[cve] = copy_data(cve_data[cve], entry) + logging.debug("CVE entry %s updated from Unpatched to Ignored", cve) + return + logging.warning("Unhandled CVE entry update for %s %s from %s %s to %s", + cve, cve_data[cve]['status'], cve_data[cve]['detail'], entry['status'], entry['detail']) + +def main(): + parser = argparse.ArgumentParser( + description="Update cve-summary with kernel compiled files and kernel CVE information" + ) + parser.add_argument( + "-s", + "--sources", + help="Compiled source for the kernel", + ) + parser.add_argument( + "--datadir", + type=pathlib.Path, + help="Directory where CVE data is", + required=True + ) + parser.add_argument( + "--old-cve-report", + help="CVE report to update. (Optional)", + ) + parser.add_argument( + "--kernel-version", + help="Kernel version. Needed if old cve_report is not provided (Optional)", + type=Version + ) + parser.add_argument( + "--new-cve-report", + help="Output file", + default="cve-summary-enhance.json" + ) + parser.add_argument( + "-D", + "--debug", + help='Enable debug ', + action="store_true") + + args = parser.parse_args() + + if args.debug: + log_level=logging.DEBUG + else: + log_level=logging.INFO + logging.basicConfig(format='[%(filename)s:%(lineno)d] %(message)s', level=log_level) + + if not args.kernel_version and not args.old_cve_report: + parser.error("either --kernel-version or --old-cve-report are needed") + return -1 + + # by default we don't check the compiled files, unless provided + compiled_files = [] + if args.sources: + compiled_files = read_compiled_files(args.sources) + + if args.old_cve_report: + with open(args.old_cve_report, encoding='ISO-8859-1') as f: + cve_report = json.load(f) + else: + #If summary not provided, we create one + cve_report = { + "version": "1", + "package": [ + { + "name": "linux-yocto", + "version": str(args.kernel_version), + "products": [ + { + "product": "linux_kernel", + "cvesInRecord": "Yes" + } + ], + "issue": [] + } + ] + } + + for pkg in cve_report['package']: + is_kernel = False + for product in pkg['products']: + if product['product'] == "linux_kernel": + is_kernel=True + if not is_kernel: + continue + + kernel_cves = get_kernel_cves(args.datadir, + compiled_files, + Version(pkg["version"])) + logging.info("Total kernel cves from kernel CNA: %s", len(kernel_cves)) + cves = {issue["id"]: issue for issue in pkg["issue"]} + logging.info("Total kernel before processing cves: %s", len(cves)) + + for cve in kernel_cves: + cve_update(cves, cve, kernel_cves[cve]) + + pkg["issue"] = [] + for cve in sorted(cves): + pkg["issue"].extend([cves[cve]]) + logging.info("Total kernel cves after processing: %s", len(pkg['issue'])) + + with open(args.new_cve_report, "w", encoding='ISO-8859-1') as f: + json.dump(cve_report, f, indent=2) + + return 0 + +if __name__ == "__main__": + sys.exit(main()) +