<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes/cve-check.bbclass, branch yocto-2.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-2.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=yocto-2.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2017-09-05T14:01:02+00:00</updated>
<entry>
<title>cve-check.bbclass: detect patched CVE's also from patch file names</title>
<updated>2017-09-05T14:01:02+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@bmw.de</email>
</author>
<published>2017-09-04T06:22:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=beb089b23627f084695f17802ffc5af192bbdbee'/>
<id>urn:sha1:beb089b23627f084695f17802ffc5af192bbdbee</id>
<content type='text'>
While poky master branch has been fixed so that all CVE patch files have
the:

CVE: CVE-2017-1234556

strings in the patch comments, many older versions of poky and other meta
layers are not, but the CVE patches quite often have the CVE id in the
patch file name.

If the CVE: string also found, there are no duplicates in the report.

(From OE-Core rev: 5ee5b0c66627c9e974c838b86e2e659c2f601f2a)

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: use "+git" as separator in PV instead of "git+"</title>
<updated>2017-07-24T08:13:32+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@bmw.de</email>
</author>
<published>2017-07-20T13:23:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=87af2104afc3c6119ac150873aca0aeded3d3c42'/>
<id>urn:sha1:87af2104afc3c6119ac150873aca0aeded3d3c42</id>
<content type='text'>
PV is the recipe major version number. cve-check tries to map that to
NVD database release versions of the component. If the recipe sources
are taken from git, the PV can be automatically modified to include
git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9.
In CVE checks we want to remove the git details and just use the major
version information, in this example 233.

Thus use "+git" as the separator and use the first part before the separator
as SW product version number in CVE check.

Fixes version number for e.g. systemd recipe. If systemd PV is
233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where
latest release mentioned is plain 233. If the filter is set to +git, then
CVE PV is 233 and issues like this are detected by do_cve_check:

https://nvd.nist.gov/vuln/detail/CVE-2017-1000082

(From OE-Core rev: db8815abe3db60b0510fb378bf6d82172c2f2768)

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: use weak assignment for default CVE_PRODUCT</title>
<updated>2017-07-24T08:13:31+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@bmw.de</email>
</author>
<published>2017-07-20T13:23:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=edaeec5809b7bb0f1817b92a5e6af6b686598ea5'/>
<id>urn:sha1:edaeec5809b7bb0f1817b92a5e6af6b686598ea5</id>
<content type='text'>
This way also bbclasses can override it. For example kernel.bbclass
could set CVE_PRODUCT to linux_kernel for all users of the class
which compile Linux kernels.

(From OE-Core rev: 74672a7de5ada45ab8e25b89cbdea3ec33b63b7f)

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add do_rootfs dependency on cve-check</title>
<updated>2017-06-12T14:08:30+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2017-06-07T06:04:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=253660a139ed1a31c61ab701a9e44a88b1836f5d'/>
<id>urn:sha1:253660a139ed1a31c61ab701a9e44a88b1836f5d</id>
<content type='text'>
Since do_rootfs depends on cve-check results of all recipes,
we need to recursively depend on recipe do_cve_check.

(From OE-Core rev: a1af526e43cb476472a6203882c12deef297f542)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: do not parse error output</title>
<updated>2017-06-12T14:08:30+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2017-06-07T06:04:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7e9a61cab88273e08b45d52ab4a975ad2bac3731'/>
<id>urn:sha1:7e9a61cab88273e08b45d52ab4a975ad2bac3731</id>
<content type='text'>
Sometimes there are control messages in cve-check-tool printed to
stderr. These lead to parsing error and thus failed build.
This can happen for instance when cve database needs to be
refreshed during build.

(From OE-Core rev: 6d8a17f4c50be292990e37de65630a6b84466ee6)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: clean cve-check recipe result before re-building</title>
<updated>2017-06-12T14:08:30+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2017-06-07T06:04:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1a146e58854c0998b840945c18c9bfc1e8bd1f42'/>
<id>urn:sha1:1a146e58854c0998b840945c18c9bfc1e8bd1f42</id>
<content type='text'>
If there is cve report for a recipe in previous build and there
is no result for current one, old cves are kept in CVE_CHECK_DIR.
This happens on version upgrade or when cve/recipe is whitelisted.

(From OE-Core rev: 85b4941c71a0e3c08a8c48d52a94dfe2897d2c92)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: make warning contain CVE IDs</title>
<updated>2017-05-18T13:01:46+00:00</updated>
<author>
<name>Chen Qi</name>
<email>Qi.Chen@windriver.com</email>
</author>
<published>2017-05-09T09:31:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=86795b756a503825539e8677d20e719a8e8eb9d1'/>
<id>urn:sha1:86795b756a503825539e8677d20e719a8e8eb9d1</id>
<content type='text'>
When warning users about unpatched CVE, we'd better put CVE IDs into
the warning message, so that it would be more straight forward for the
user to know which CVEs are not patched.

So instead of:
  WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log.
We should have:
  WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log.

(From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6)

Signed-off-by: Chen Qi &lt;Qi.Chen@windriver.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: Fix dependencies</title>
<updated>2017-02-15T17:29:56+00:00</updated>
<author>
<name>Jussi Kukkonen</name>
<email>jussi.kukkonen@intel.com</email>
</author>
<published>2017-02-09T19:38:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0d637857f2a8387e38da2ed590a10daf595ed124'/>
<id>urn:sha1:0d637857f2a8387e38da2ed590a10daf595ed124</id>
<content type='text'>
With recipe-specific sysroots the cve_check task must depend on
cve-check-tool-native:do_populate_sysroot to get the cve-check-tool
binary into the recipe sysroot.

A normal DEPENDS isn't used to avoid cyclic dependencies.

(From OE-Core rev: bd60b1018bc0304bc928701e6d1090c8b1223616)

Signed-off-by: Jussi Kukkonen &lt;jussi.kukkonen@intel.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>meta: remove True option to getVar calls</title>
<updated>2016-12-16T10:23:23+00:00</updated>
<author>
<name>Joshua Lock</name>
<email>joshua.g.lock@intel.com</email>
</author>
<published>2016-12-14T21:13:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c4e2c59088765d1f1de7ec57cde91980f887c2ff'/>
<id>urn:sha1:c4e2c59088765d1f1de7ec57cde91980f887c2ff</id>
<content type='text'>
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.

Search made with the following regex: getVar ?\(( ?[^,()]*), True\)

(From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f)

Signed-off-by: Joshua Lock &lt;joshua.g.lock@intel.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: allow recipes to override the product name</title>
<updated>2016-12-13T22:55:19+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2016-12-07T11:25:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=058891183e7669ce5c939c2c9a4b5422d5fa2956'/>
<id>urn:sha1:058891183e7669ce5c939c2c9a4b5422d5fa2956</id>
<content type='text'>
Add a new variable CVE_PRODUCT for the product name to look up in the NVD
database.  Default this to BPN, but allow recipes such as tiff (which is libtiff
in NVD) to override it.

(From OE-Core rev: ba330051570a4c991885ee726cb187e0c911bd4f)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
