diff options
| author | Andrej Valek <andrej.valek@siemens.com> | 2023-06-23 13:14:56 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-19 23:25:01 +0100 |
| commit | be9883a92bad0fe4c1e9c7302c93dea4ac680f8c (patch) | |
| tree | 6d9d35acbb91f98016956168b4ea90f9b9ce0764 /meta/lib/oe | |
| parent | ebb8b39463cef3c3d0f90f054c433b2f5256cb1a (diff) | |
| download | poky-be9883a92bad0fe4c1e9c7302c93dea4ac680f8c.tar.gz | |
cve-check: add option to add additional patched CVEs
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
(From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe')
| -rw-r--r-- | meta/lib/oe/cve_check.py | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index dbaa0b373a..5bf3caac47 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
| @@ -130,6 +130,13 @@ def get_patched_cves(d): | |||
| 130 | if not fname_match and not text_match: | 130 | if not fname_match and not text_match: |
| 131 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) | 131 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) |
| 132 | 132 | ||
| 133 | # Search for additional patched CVEs | ||
| 134 | for cve in (d.getVarFlags("CVE_STATUS") or {}): | ||
| 135 | decoded_status, _, _ = decode_cve_status(d, cve) | ||
| 136 | if decoded_status == "Patched": | ||
| 137 | bb.debug(2, "CVE %s is additionally patched" % cve) | ||
| 138 | patched_cves.add(cve) | ||
| 139 | |||
| 133 | return patched_cves | 140 | return patched_cves |
| 134 | 141 | ||
| 135 | 142 | ||
| @@ -218,3 +225,21 @@ def convert_cve_version(version): | |||
| 218 | 225 | ||
| 219 | return version + update | 226 | return version + update |
| 220 | 227 | ||
| 228 | def decode_cve_status(d, cve): | ||
| 229 | """ | ||
| 230 | Convert CVE_STATUS into status, detail and description. | ||
| 231 | """ | ||
| 232 | status = d.getVarFlag("CVE_STATUS", cve) | ||
| 233 | if status is None: | ||
| 234 | return ("", "", "") | ||
| 235 | |||
| 236 | status_split = status.split(':', 1) | ||
| 237 | detail = status_split[0] | ||
| 238 | description = status_split[1].strip() if (len(status_split) > 1) else "" | ||
| 239 | |||
| 240 | status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) | ||
| 241 | if status_mapping is None: | ||
| 242 | bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) | ||
| 243 | status_mapping = "Unpatched" | ||
| 244 | |||
| 245 | return (status_mapping, detail, description) | ||