<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes/cve-check.bbclass, branch walnascar</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=walnascar</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=walnascar'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-03-19T10:07:30+00:00</updated>
<entry>
<title>cve-check: change the default feed</title>
<updated>2025-03-19T10:07:30+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2025-03-18T06:54:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=8e11797a563066da97ffac639d3173281a8c1ca9'/>
<id>urn:sha1:8e11797a563066da97ffac639d3173281a8c1ca9</id>
<content type='text'>
Move to the FKIE feed by default, as it is showing better stability
than NVD2. Content of the feed should be the same.

(From OE-Core rev: 10580a6d36aa1366732f9c030345bd4590eb9f74)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: Mitigate symlink related error</title>
<updated>2025-02-18T12:04:03+00:00</updated>
<author>
<name>Niko Mauno</name>
<email>niko.mauno@vaisala.com</email>
</author>
<published>2025-02-14T14:27:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5eaba2308f13fb1e96e826033bc58d9902a61f84'/>
<id>urn:sha1:5eaba2308f13fb1e96e826033bc58d9902a61f84</id>
<content type='text'>
According to the Yocto reference manual, in the description of the
IMAGE_LINK_NAME variable, it is said that

  It is possible to set this to "" to disable symlink creation,
  however, you also need to set :term:`IMAGE_NAME` to still have
  a reasonable value e.g.::

    IMAGE_LINK_NAME = ""
    IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}"

However, when using the following additions in the local.conf file:

  INHERIT += "cve-check"
  IMAGE_LINK_NAME = ""
  IMAGE_NAME = "${IMAGE_BASENAME}${IMAGE_MACHINE_SUFFIX}${IMAGE_VERSION_SUFFIX}"

the implicit symlink creation in cve_check_write_rootfs_manifest leads
to the following build failure

  $ bitbake core-image-minimal core-image-base
  ...
  ERROR: core-image-base-1.0-r0 do_image_complete: Recipe core-image-base is trying to install files into a shared area when those files already exist. The files and the manifests listing them are:
    /home/poky/build/tmp/deploy/images/qemux86-64/.json
      (matched in manifest-qemux86_64-core-image-minimal.image_complete)
  Please adjust the recipes so only one recipe provides a given file.

Mitigate the issue by creating the symlink only in case IMAGE_LINK_NAME
has not been set to an empty string.

(From OE-Core rev: 64bfec359bd909761ce0a6a716286d938ed162d1)

Signed-off-by: Niko Mauno &lt;niko.mauno@vaisala.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: allow feed choice</title>
<updated>2025-02-18T11:56:04+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2025-02-13T05:57:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=52dc3286dfc15b3fba18a66325a9e50bebaaa0d2'/>
<id>urn:sha1:52dc3286dfc15b3fba18a66325a9e50bebaaa0d2</id>
<content type='text'>
Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.

Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction

In case of a malformed database feed name, we default to NVD2 and show
an error.

(From OE-Core rev: f265812bfb6797aee10e7be42865736c9ff3478f)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: fix cvesInRecord</title>
<updated>2024-11-28T12:27:12+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-11-24T20:13:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=cc8ba2f80b6934830ebe666e1c1e1ca4e6556ef1'/>
<id>urn:sha1:cc8ba2f80b6934830ebe666e1c1e1ca4e6556ef1</id>
<content type='text'>
Currently the flag cvesInRecord is set to false if all CVEs are ignored or
patched. This is inconsistent, as it shows false if a CVE was fixed via a
patch and true if the CVE was fixed by an upgrade. In both cases the CVE
is valid and was fixed.

As I understand this flag, it should say if any CVE exists for
particular component's product (regardless of how this CVE is handled)
and can be used to validate if a product is correctly set.

Note that skipping ignored CVEs may make sense in some cases, as ignored
may mean that the NVD DB is wrong, but in many cases it is ignored for other
reasons. A further patch can be done to evaluate the ignore subtype, but that
would be against my understanding of this flag as described above.

(From OE-Core rev: c5d499693672ec9619392011b765941cf94aa319)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality</title>
<updated>2024-11-28T12:27:12+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-11-24T20:13:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=275aec49b68553926a5ec24e41653e30ff4d2619'/>
<id>urn:sha1:275aec49b68553926a5ec24e41653e30ff4d2619</id>
<content type='text'>
Commit 05ef4f2a7b225c8d230eaca8d333ffb921729d79 removed this
functionality by accident. It was implemented in the text exporter, while it
should have been a global feature independent of the exporter type to avoid
such accidental deletion.

(From OE-Core rev: 2996b11596afca288a6b7f409a5287063d331f3b)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Cc: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add support for cvss v4.0</title>
<updated>2024-10-25T14:25:33+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-23T09:45:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3b551fc466b992ac09ab04d54ddcb3c36e1dd670'/>
<id>urn:sha1:3b551fc466b992ac09ab04d54ddcb3c36e1dd670</id>
<content type='text'>
https://nvd.nist.gov/general/news/cvss-v4-0-official-support

CVSS v4.0 was released in November 2023
NVD announced support for it in June 2024

Current stats are:
* cvss v4 provided, but also v3, so cve-check showed a value
sqlite&gt; select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0;
2069
* only cvss v4 provided, so cve-check did not show any
sqlite&gt; select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0;
260

(From OE-Core rev: 358dbfcd80ae1fa414d294c865dd293670c287f0)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add field "modified" to JSON report</title>
<updated>2024-10-18T14:01:04+00:00</updated>
<author>
<name>Katawann</name>
<email>quent_55@hotmail.com</email>
</author>
<published>2024-09-19T20:33:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d32bab0137fac9bdfad64aac64274ab41402cc56'/>
<id>urn:sha1:d32bab0137fac9bdfad64aac64274ab41402cc56</id>
<content type='text'>
Added the "modified" field to the JSON export in the
cve-check.class. This field captures the last modification date of each
CVE, providing more detailed information on changes and updates within
the exported data.

(From OE-Core rev: 740b8a0b23c4021d07c3714420e3ea8b46e61454)

Signed-off-by: Katawann &lt;quent_55@hotmail.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: remove the TEXT format support</title>
<updated>2024-08-25T14:36:30+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-23T13:10:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f06fbe9bd8e90d9cabac25bf74b5c7e6f56b1877'/>
<id>urn:sha1:f06fbe9bd8e90d9cabac25bf74b5c7e6f56b1877</id>
<content type='text'>
Remove the TEXT format support, as the JSON format offers more functions.
Users who do automation should have migrated already.

Support of both formats makes the code more complex than necessary.

Users can convert JSON files to TEXT files with cve-json-to-text.py
in scripts/

(From OE-Core rev: 05ef4f2a7b225c8d230eaca8d333ffb921729d79)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: annotate CVEs during analysis</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=fb3f440b7d808d4e29b6ab90e75313d5cf516c36'/>
<id>urn:sha1:fb3f440b7d808d4e29b6ab90e75313d5cf516c36</id>
<content type='text'>
Add status information for each CVE under analysis.

Previously the information passed between different functions of the
cve-check class included only tables of patched, unpatched, and ignored
vulnerabilities and the general status of the recipe.

The VEX work requires more information, and we need to pass it
between different functions, so that it can be enriched as the
analysis progresses. Instead of multiple tables, use a single one
with annotations for each CVE encountered. For example, a patched
CVE will have:

{"abbrev-status": "Patched", "status": "version-not-in-range"}

abbrev-status contains the general status (Patched, Unpatched,
Ignored, and Unknown, which will be added in the VEX code);
status contains more detailed information that can come from
CVE_STATUS and the analysis.

Additional fields of the annotation include for example the name
of the patch file fixing a given CVE.

We also use the annotation in CVE_STATUS to filter out entries
that do not apply to the given recipe.

(From OE-Core rev: 452e605b55ad61c08f4af7089a5a9c576ca28f7d)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Samantha Jalabert &lt;samantha.jalabert@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: encode affected product/vendor in CVE_STATUS</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bf34db143956294d64998beb3a83f46c1e39d9d9'/>
<id>urn:sha1:bf34db143956294d64998beb3a83f46c1e39d9d9</id>
<content type='text'>
CVE_STATUS contains the assessment of a given CVE, but until now it didn't
include the affected vendor/product. In the case of a global system include,
that CVE_STATUS was visible in all recipes.

This patch allows encoding of affected product/vendor to each CVE_STATUS
assessment, also for groups. We can then filter them later and use only
CVEs that correspond to the recipe.

This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc
and similar places.

(From OE-Core rev: abca80a716e92fc18d3085aba1a15f4bac72379c)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
