diff options
author | Andrej Valek <andrej.valek@siemens.com> | 2023-06-23 13:14:56 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-07-19 23:25:01 +0100 |
commit | be9883a92bad0fe4c1e9c7302c93dea4ac680f8c (patch) | |
tree | 6d9d35acbb91f98016956168b4ea90f9b9ce0764 /meta/lib | |
parent | ebb8b39463cef3c3d0f90f054c433b2f5256cb1a (diff) | |
download | poky-be9883a92bad0fe4c1e9c7302c93dea4ac680f8c.tar.gz |
cve-check: add option to add additional patched CVEs
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
(From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5)
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib')
-rw-r--r-- | meta/lib/oe/cve_check.py | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index dbaa0b373a..5bf3caac47 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
@@ -130,6 +130,13 @@ def get_patched_cves(d): | |||
130 | if not fname_match and not text_match: | 130 | if not fname_match and not text_match: |
131 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) | 131 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) |
132 | 132 | ||
133 | # Search for additional patched CVEs | ||
134 | for cve in (d.getVarFlags("CVE_STATUS") or {}): | ||
135 | decoded_status, _, _ = decode_cve_status(d, cve) | ||
136 | if decoded_status == "Patched": | ||
137 | bb.debug(2, "CVE %s is additionally patched" % cve) | ||
138 | patched_cves.add(cve) | ||
139 | |||
133 | return patched_cves | 140 | return patched_cves |
134 | 141 | ||
135 | 142 | ||
@@ -218,3 +225,21 @@ def convert_cve_version(version): | |||
218 | 225 | ||
219 | return version + update | 226 | return version + update |
220 | 227 | ||
228 | def decode_cve_status(d, cve): | ||
229 | """ | ||
230 | Convert CVE_STATUS into status, detail and description. | ||
231 | """ | ||
232 | status = d.getVarFlag("CVE_STATUS", cve) | ||
233 | if status is None: | ||
234 | return ("", "", "") | ||
235 | |||
236 | status_split = status.split(':', 1) | ||
237 | detail = status_split[0] | ||
238 | description = status_split[1].strip() if (len(status_split) > 1) else "" | ||
239 | |||
240 | status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) | ||
241 | if status_mapping is None: | ||
242 | bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) | ||
243 | status_mapping = "Unpatched" | ||
244 | |||
245 | return (status_mapping, detail, description) | ||