<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/lib/oe/cve_check.py, branch scarthgap</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=scarthgap'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2025-12-01T15:34:55+00:00</updated>
<entry>
<title>cve-check: extract extending CVE_STATUS to library function</title>
<updated>2025-12-01T15:34:55+00:00</updated>
<author>
<name>Benjamin Robin (Schneider Electric)</name>
<email>benjamin.robin@bootlin.com</email>
</author>
<published>2025-11-21T09:54:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=d1f8b0c6ddb1adad4be4cb465463e13d12c81ecc'/>
<id>urn:sha1:d1f8b0c6ddb1adad4be4cb465463e13d12c81ecc</id>
<content type='text'>
The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and
CVE_STATUS_GROUPS is used on multiple places.
Create a library function to have the code on single place and ready for
reuse by additional classes.

Conflicts:
  meta/classes/cve-check.bbclass
  meta/lib/oe/cve_check.py

(From OE-Core rev: ddd295c7d4c313fbbb24f7a5e633d4adfea4054a)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 45e18f4270d084d81c21b1e5a4a601ce975d8a77)
Signed-off-by: Benjamin Robin (Schneider Electric) &lt;benjamin.robin@bootlin.com&gt;
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve_check: cleanup logging</title>
<updated>2024-01-23T11:53:41+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2024-01-22T14:04:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bfaea5f7ecbfae5f962a910c6fda7ee1399b3b09'/>
<id>urn:sha1:bfaea5f7ecbfae5f962a910c6fda7ee1399b3b09</id>
<content type='text'>
Primarily list the number of patches found, useful when debugging.

Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insenstive rang matches.

(From OE-Core rev: 10acc75b7f3387b968bacd51aade6a8dc11a463f)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve_check: handle CVE_STATUS being set to the empty string</title>
<updated>2024-01-23T11:53:41+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2024-01-22T14:04:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ab375ea3fe58ec4655302b25b7bd6013b2a791de'/>
<id>urn:sha1:ab375ea3fe58ec4655302b25b7bd6013b2a791de</id>
<content type='text'>
Handle CVE_STATUS[...] being set to an empty string just as if it was
not set at all.

This is needed for evaluated CVE_STATUS values to work, i.e. when
setting not-applicable-config if a PACKAGECONFIG is disabled.

(From OE-Core rev: 2c9f20f746251505d9d09262600199ffa87731a2)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: don't warn if a patch is remote</title>
<updated>2023-11-03T16:58:40+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2023-11-03T13:28:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7ffa4d4044b9288eefa44fcc80c246a4def2435b'/>
<id>urn:sha1:7ffa4d4044b9288eefa44fcc80c246a4def2435b</id>
<content type='text'>
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time.  The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.

Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.

(From OE-Core rev: 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: slightly more verbose warning when adding the same package twice</title>
<updated>2023-10-26T14:29:34+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2023-10-23T17:38:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c1e7eed4f7e5c710f71c216231e44cf757f0454a'/>
<id>urn:sha1:c1e7eed4f7e5c710f71c216231e44cf757f0454a</id>
<content type='text'>
Occasionally the cve-check tool will warn that it is adding the same
package twice.  Knowing what this package is might be the first step
towards understanding where this message comes from.

(From OE-Core rev: c1179faec8583a8b7df192cf1cbf221f0e3001fc)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve_check: Fix cpe_id generation</title>
<updated>2023-08-22T14:13:54+00:00</updated>
<author>
<name>Jasper Orschulko</name>
<email>jasper@fancydomain.eu</email>
</author>
<published>2023-08-21T12:02:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=92983dba651cffe5c11973d90aad00c581a79c93'/>
<id>urn:sha1:92983dba651cffe5c11973d90aad00c581a79c93</id>
<content type='text'>
Use "*" (wildcard) instead of "a" (application)in cpe_id generation,
as the product is not necessarily of type application, e.g.
linux_kernel, which is of type "o" (operating system).

(From OE-Core rev: cae9528b002c06143bf048b991b9d7e93968cb6b)

(From OE-Core rev: e7c1def3c3c3a72249802ef6fb64292277a7a53e)

Signed-off-by: Jasper Orschulko &lt;jasper@fancydomain.eu&gt;
Signed-off-by: Luca Ceresoli &lt;luca.ceresoli@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add option to add additional patched CVEs</title>
<updated>2023-07-19T22:25:01+00:00</updated>
<author>
<name>Andrej Valek</name>
<email>andrej.valek@siemens.com</email>
</author>
<published>2023-06-23T11:14:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=be9883a92bad0fe4c1e9c7302c93dea4ac680f8c'/>
<id>urn:sha1:be9883a92bad0fe4c1e9c7302c93dea4ac680f8c</id>
<content type='text'>
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

(From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5)

Signed-off-by: Andrej Valek &lt;andrej.valek@siemens.com&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: Fix false negative version issue</title>
<updated>2023-03-30T11:30:38+00:00</updated>
<author>
<name>Geoffrey GIRY</name>
<email>geoffrey.giry@smile.fr</email>
</author>
<published>2023-03-28T10:23:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=81740facf458a5a3326c0cfca20ebf75d8fe91d0'/>
<id>urn:sha1:81740facf458a5a3326c0cfca20ebf75d8fe91d0</id>
<content type='text'>
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.

[YOCTO #14127]

Reviewed-by: Yoann CONGAL &lt;yoann.congal@smile.fr&gt;
(From OE-Core rev: 7d00f6ec578084a0a0e5caf36241d53036d996c4)

Signed-off-by: Geoffrey GIRY &lt;geoffrey.giry@smile.fr&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: Don't use f-strings</title>
<updated>2022-08-14T07:13:32+00:00</updated>
<author>
<name>Ernst Sjöstrand</name>
<email>ernstp@gmail.com</email>
</author>
<published>2022-08-12T06:05:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c80405aa9d32f5e9b7eb50fe2ddcec5f8e8cf20d'/>
<id>urn:sha1:c80405aa9d32f5e9b7eb50fe2ddcec5f8e8cf20d</id>
<content type='text'>
Since we're keeping cve-check aligned between the active branches,
and dunfell is supported on Python 3.5, we can't use f-strings.

(From OE-Core rev: 1821cf7464cbba521b55a9c128fe8812c0cc5eca)

Signed-off-by: Ernst Sjöstrand &lt;ernstp@gmail.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>lib: Add copyright statements to files without one</title>
<updated>2022-08-12T11:00:43+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2022-08-10T19:40:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ce08cf4825f0e4e42509794a2dcd53a3ea5126e4'/>
<id>urn:sha1:ce08cf4825f0e4e42509794a2dcd53a3ea5126e4</id>
<content type='text'>
Where there isn't a copyright statement, add one to make it explicit.
Also add license identifiers as MIT if there isn't one.

(From OE-Core rev: bb731d1f3d2a1d50ec0aed864dbca54cf795b040)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
