<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes, branch styhead</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=styhead</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=styhead'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-05-25T11:37:57+00:00</updated>
<entry>
<title>cve-check: fix debug message</title>
<updated>2025-05-25T11:37:57+00:00</updated>
<author>
<name>Daniel Turull</name>
<email>daniel.turull@ericsson.com</email>
</author>
<published>2025-04-30T14:06:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=5ad0c3ae5b2164406b7969a92aecfde341b4a48f'/>
<id>urn:sha1:5ad0c3ae5b2164406b7969a92aecfde341b4a48f</id>
<content type='text'>
Debug level was not added as a parameter, causing a warning.

(From OE-Core rev: 182a915fc733791d4583b956df2e62aa35613f5c)

Signed-off-by: Daniel Turull &lt;daniel.turull@ericsson.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: fix cvesInRecord</title>
<updated>2025-02-12T14:29:33+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-11-24T20:13:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2d4aee3d97bdcdd48ccb2a4fd34399e13cca9e22'/>
<id>urn:sha1:2d4aee3d97bdcdd48ccb2a4fd34399e13cca9e22</id>
<content type='text'>
Currently, the flag cvesInRecord is set to false if all CVEs are ignored or
patched. This is inconsistent, as it shows false if a CVE was fixed via
patch and true if this CVE was fixed by upgrade. In both cases the CVE
is valid and was fixed.

As I understand this flag, it should say if any CVE exists for
particular component's product (regardless of how this CVE is handled)
and can be used to validate if a product is correctly set.

Note that skipping ignored CVEs may make sense in some cases, as ignored
may mean that NVD DB is wrong, but in many cases it is ignored for other
reasons. Further patch can be done to evaluate ignore subtype but that
would be against my understanding of this flag as described above.

(From OE-Core rev: 0fb2bfb8d6c77009385d7deca2e758bdee5c9b07)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit c5d499693672ec9619392011b765941cf94aa319)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: restore CVE_CHECK_SHOW_WARNINGS functionality</title>
<updated>2025-02-12T14:29:33+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-11-24T20:13:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a1b7ded85a1e4791038ff69115635c01f36b4a74'/>
<id>urn:sha1:a1b7ded85a1e4791038ff69115635c01f36b4a74</id>
<content type='text'>
Commit 05ef4f2a7b225c8d230eaca8d333ffb921729d79 removed this
functionality by accident. It was implemented in the text exporter, while it
should have been a global feature independent of the exporter type to avoid
such accidental deletion.

(From OE-Core rev: 3cf7c6bcd569cb19ac2b9c05f1134fdda6e9e714)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Cc: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 2996b11596afca288a6b7f409a5287063d331f3b)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: add support for cvss v4.0</title>
<updated>2024-11-26T13:37:09+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-23T09:45:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a99c033f4c22b2270acebb45e16487eade2b77c5'/>
<id>urn:sha1:a99c033f4c22b2270acebb45e16487eade2b77c5</id>
<content type='text'>
https://nvd.nist.gov/general/news/cvss-v4-0-official-support

CVSS v4.0 was released in November 2023.
NVD announced support for it in June 2024.

Current stats are:
* cvss v4 provided, but also v3, so cve-check showed a value
sqlite&gt; select count(*) from nvd where scorev4 != 0.0 and scorev3 != 0.0;
2069
* only cvss v4 provided, so cve-check did not show any
sqlite&gt; select count(*) from nvd where scorev4 != 0.0 and scorev3 = 0.0;
260

(From OE-Core rev: 7ce34ce58f83bc02fa2c04bec54e358e8614157e)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Mathieu Dubois-Briand &lt;mathieu.dubois-briand@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 358dbfcd80ae1fa414d294c865dd293670c287f0)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: add field "modified" to JSON report</title>
<updated>2024-11-26T13:37:09+00:00</updated>
<author>
<name>Katawann</name>
<email>quent_55@hotmail.com</email>
</author>
<published>2024-09-19T20:33:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=6a44d7c07807fc1f84b412a2fced054f71818d70'/>
<id>urn:sha1:6a44d7c07807fc1f84b412a2fced054f71818d70</id>
<content type='text'>
Added the "modified" field to the JSON export in the
cve-check.class. This field captures the last modification date of each
CVE, providing more detailed information on changes and updates within
the exported data.

(From OE-Core rev: 242bf4dcd4f85ec4d212fd68e060cf9fb307e96e)

Signed-off-by: Katawann &lt;quent_55@hotmail.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 740b8a0b23c4021d07c3714420e3ea8b46e61454)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>buildhistory: Simplify intercept call sites and drop SSTATEPOSTINSTFUNC usage</title>
<updated>2024-09-04T11:38:44+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2024-08-29T11:57:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ead03cae663d19ce202cdfefad50b59ada7f1073'/>
<id>urn:sha1:ead03cae663d19ce202cdfefad50b59ada7f1073</id>
<content type='text'>
We planned to drop SSTATEPOSTINSTFUNC some time ago with the introduction of
postfuncs. Finally get around to doing that, which should make the buildhistory
code a little more readable.

Unfortunately, ordering the buildhistory function calls after the sstate ones is
difficult without coding that into the sstate class. This patch does that to
ensure everything functions as expected until we can find a better way. This is
still likely preferable to the generic sstate postfuncs support, since the function
flow is much more readable.

(From OE-Core rev: c9e2a8fa2f0305ef1247ec405555612326f798f8)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: remove the TEXT format support</title>
<updated>2024-08-25T14:36:30+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-23T13:10:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f06fbe9bd8e90d9cabac25bf74b5c7e6f56b1877'/>
<id>urn:sha1:f06fbe9bd8e90d9cabac25bf74b5c7e6f56b1877</id>
<content type='text'>
Remove the TEXT format support, as the JSON format offers more functions.
Users who do automation should have migrated already.

Support of both formats makes the code more complex than necessary.

Users can convert JSON files to TEXT files with cve-json-to-text.py
in scripts/.

(From OE-Core rev: 05ef4f2a7b225c8d230eaca8d333ffb921729d79)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@ygreky.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>vex.bbclass: add a new class</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3859ff591568ac8879be602379ded9762d5fec26'/>
<id>urn:sha1:3859ff591568ac8879be602379ded9762d5fec26</id>
<content type='text'>
The "vex" class generates the minimum information that is necessary
for VEX generation by an external CVE checking tool. It is a drop-in
replacement for "cve-check". It uses the same variables from recipes
to make the migration and backporting easier.

The goal of this class is to allow generation of the CVE list of
an image or distribution on-demand, including the latest information
from vulnerability databases. Vulnerability data changes every day,
so a status generated at build becomes out-of-date very soon.

Research done for this work shows that the current VEX formats (CSAF
and OpenVEX) do not provide enough information to generate such
rolling information. Instead, we extract the needed data from recipe
annotations (package names, CPEs, versions, CVE patches applied...)
and store it for later use in a format that is an extension of the
CVE-check JSON output format.

This output can be then used (separately or with SPDX of the same
build) by an external tool to generate the vulnerability annotation
and VEX statements in standard formats.

(From OE-Core rev: 6352ad93a72e67d6dfa82e870222518a97c426fa)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Samantha Jalabert &lt;samantha.jalabert@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: annotate CVEs during analysis</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=fb3f440b7d808d4e29b6ab90e75313d5cf516c36'/>
<id>urn:sha1:fb3f440b7d808d4e29b6ab90e75313d5cf516c36</id>
<content type='text'>
Add status information for each CVE under analysis.

Previously the information passed between different functions of the
cve-check class included only tables of patched, unpatched, ignored
vulnerabilities and the general status of the recipe.

The VEX work requires more information, and we need to pass it
between different functions, so that it can be enriched as the
analysis progresses. Instead of multiple tables, use a single one
with annotations for each CVE encountered. For example, a patched
CVE will have:

{"abbrev-status": "Patched", "status": "version-not-in-range"}

abbrev-status contains the general status (Patched, Unpatched,
Ignored and Unknown, which will be added in the VEX code);
status contains more detailed information that can come from
CVE_STATUS and the analysis.

Additional fields of the annotation include for example the name
of the patch file fixing a given CVE.

We also use the annotation in CVE_STATUS to filter out entries
that do not apply to the given recipe.

(From OE-Core rev: 452e605b55ad61c08f4af7089a5a9c576ca28f7d)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Samantha Jalabert &lt;samantha.jalabert@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: encode affected product/vendor in CVE_STATUS</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bf34db143956294d64998beb3a83f46c1e39d9d9'/>
<id>urn:sha1:bf34db143956294d64998beb3a83f46c1e39d9d9</id>
<content type='text'>
CVE_STATUS contains the assessment of a given CVE, but until now it didn't
include the affected vendor/product. In the case of a global system include,
that CVE_STATUS was visible in all recipes.

This patch allows encoding of affected product/vendor to each CVE_STATUS
assessment, also for groups. We can then filter them later and use only
CVEs that correspond to the recipe.

This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc
and similar places.

(From OE-Core rev: abca80a716e92fc18d3085aba1a15f4bac72379c)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
