<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/lib/oe/cve_check.py, branch styhead-5.1.4</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=styhead-5.1.4</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=styhead-5.1.4'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2024-11-30T13:41:59+00:00</updated>
<entry>
<title>cve-check: fix malformed cve status description with : characters</title>
<updated>2024-11-30T13:41:59+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-30T18:49:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2b4c64dbef651adac2b371ea19fae4284f4ed1f7'/>
<id>urn:sha1:2b4c64dbef651adac2b371ea19fae4284f4ed1f7</id>
<content type='text'>
When CPE is not provided and character ":" is in cve status description,
current code takes only last part of split function.
This works only if there is no ":" in description, otherwise it drops
the other split parts.

Do a new split of the original string to take the whole description unchanged.
This fixes following entries from world build of poky+meta-oe+meta-python:

tiff-4.6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2015-7313
CVE_STATUS:  fixed-version: Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
description: //security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue
corrected:   Tested with check from https://security-tracker.debian.org/tracker/CVE-2015-7313 and already 4.3.0 doesn't have the issue

gnupg-2.5.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2022-3219
CVE_STATUS:  upstream-wontfix: Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993
description: //dev.gnupg.org/T5993
corrected:   Upstream doesn't seem to be keen on merging the proposed commit - https://dev.gnupg.org/T5993

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35325
CVE_STATUS:  upstream-wontfix: Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303
description: //github.com/yaml/libyaml/issues/303
corrected:   Upstream thinks this is a misuse (or wrong use) of the libyaml API - https://github.com/yaml/libyaml/issues/303

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35326
CVE_STATUS:  upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302
description: //github.com/yaml/libyaml/issues/302
corrected:   Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302

libyaml-0.2.5-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2024-35328
CVE_STATUS:  upstream-wontfix: Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302
description: //github.com/yaml/libyaml/issues/302
corrected:   Upstream thinks there is no working code that is exploitable - https://github.com/yaml/libyaml/issues/302

cpio-2.15-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-7216
CVE_STATUS:  disputed: intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
description: //lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html
corrected:   intended behaviour, see https://lists.gnu.org/archive/html/bug-cpio/2024-03/msg00000.html

openssh-9.9p1-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2023-51767
CVE_STATUS:  upstream-wontfix: It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.
description: //bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.
corrected:   It was demonstrated on modified sshd and does not exist in upstream openssh https://bugzilla.mindrot.org/show_bug.cgi?id=3656#c1.

cups-2.4.10-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2021-25317
CVE_STATUS:  not-applicable-config: This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply.
description: root, so this doesn't apply.
corrected:   This concerns /var/log/cups having lp ownership, our /var/log/cups is root:root, so this doesn't apply.

unzip-1_6.0-r0 do_cve_check: CVE_STATUS with 3 parts for CVE-2008-0888
CVE_STATUS:  fixed-version: Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&amp;action=diff applied to 6.0 source
description: //bugzilla.redhat.com/attachment.cgi?id=293893&amp;action=diff applied to 6.0 source
corrected:   Patch from https://bugzilla.redhat.com/attachment.cgi?id=293893&amp;action=diff applied to 6.0 source

syslog-ng-4.7.0-r0 do_cve_check: CVE_STATUS with 6 parts for CVE-2022-38725
CVE_STATUS:  cpe-incorrect: cve-check wrongly matches cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:premium:*:*:* &lt; 7.0.32
description: syslog-ng:*:*:*:*:premium:*:*:* &lt; 7.0.32
corrected:   cve-check wrongly matches cpe:2.3:a:oneidentity:syslog-ng:*:*:*:*:premium:*:*:* &lt; 7.0.32

(From OE-Core rev: 5cd34a34879ad424f3b1637b48892d6fa037861d)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit cc33dd9176726cb4b2d2f142ed1bc655da8e0a9f)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: do not skip cve status description after :</title>
<updated>2024-11-30T13:41:59+00:00</updated>
<author>
<name>Peter Marko</name>
<email>peter.marko@siemens.com</email>
</author>
<published>2024-10-30T18:49:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=449107b22b3aab032ee7da05a47ff76b8c6e3398'/>
<id>urn:sha1:449107b22b3aab032ee7da05a47ff76b8c6e3398</id>
<content type='text'>
Correct maxsplit parameter from 5 to 4 to not drop text if
description contains ":".

Example:
&gt;&gt;&gt; "detail: cpe:vendor:product:description:cont".split(':', 5)
['detail', ' cpe', 'vendor', 'product', 'description', 'xxx']
&gt;&gt;&gt; "detail: cpe:vendor:product:description:cont".split(':', 4)
['detail', ' cpe', 'vendor', 'product', 'description:xxx']

(From OE-Core rev: 4921605aab4c9588e5c96de3afe08e9d35f51145)

Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
(cherry picked from commit 3c4d8ca41ac0b429af92bf0ea84f1dfd0cda9e1f)
Signed-off-by: Steve Sakoman &lt;steve@sakoman.com&gt;
</content>
</entry>
<entry>
<title>cve-check: annotate CVEs during analysis</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=fb3f440b7d808d4e29b6ab90e75313d5cf516c36'/>
<id>urn:sha1:fb3f440b7d808d4e29b6ab90e75313d5cf516c36</id>
<content type='text'>
Add status information for each CVE under analysis.

Previously the information passed between different function of the
cve-check class included only tables of patched, unpatched, ignored
vulnerabilities and the general status of the recipe.

The VEX work requires more information, and we need to pass them
between different functions, so that it can be enriched as the
analysis progresses. Instead of multiple tables, use a single one
with annotations for each CVE encountered. For example, a patched
CVE will have:

{"abbrev-status": "Patched", "status": "version-not-in-range"}

abbrev-status contains the general status (Patched, Unpatched,
Ignored and Unknown that will be added in the VEX code)
status contains more detailed information that can come from
CVE_STATUS and the analysis.

Additional fields of the annotation include for example the name
of the patch file fixing a given CVE.

We also use the annotation in CVE_STATUS to filter out entries
that do not apply to the given recipe

(From OE-Core rev: 452e605b55ad61c08f4af7089a5a9c576ca28f7d)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Samantha Jalabert &lt;samantha.jalabert@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: encode affected product/vendor in CVE_STATUS</title>
<updated>2024-08-20T13:12:40+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2024-08-14T05:30:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bf34db143956294d64998beb3a83f46c1e39d9d9'/>
<id>urn:sha1:bf34db143956294d64998beb3a83f46c1e39d9d9</id>
<content type='text'>
CVE_STATUS contains assesment of a given CVE, but until now it didn't have
include the affected vendor/product. In the case of a global system include,
that CVE_STATUS was visible in all recipes.

This patch allows encoding of affected product/vendor to each CVE_STATUS
assessment, also for groups. We can then filter them later and use only
CVEs that correspond to the recipe.

This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc
and similar places.

(From OE-Core rev: abca80a716e92fc18d3085aba1a15f4bac72379c)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve_check: cleanup logging</title>
<updated>2024-01-23T11:53:41+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2024-01-22T14:04:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=bfaea5f7ecbfae5f962a910c6fda7ee1399b3b09'/>
<id>urn:sha1:bfaea5f7ecbfae5f962a910c6fda7ee1399b3b09</id>
<content type='text'>
Primarily list the number of patches found, useful when debugging.

Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insenstive rang matches.

(From OE-Core rev: 10acc75b7f3387b968bacd51aade6a8dc11a463f)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve_check: handle CVE_STATUS being set to the empty string</title>
<updated>2024-01-23T11:53:41+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2024-01-22T14:04:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ab375ea3fe58ec4655302b25b7bd6013b2a791de'/>
<id>urn:sha1:ab375ea3fe58ec4655302b25b7bd6013b2a791de</id>
<content type='text'>
Handle CVE_STATUS[...] being set to an empty string just as if it was
not set at all.

This is needed for evaluated CVE_STATUS values to work, i.e. when
setting not-applicable-config if a PACKAGECONFIG is disabled.

(From OE-Core rev: 2c9f20f746251505d9d09262600199ffa87731a2)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: don't warn if a patch is remote</title>
<updated>2023-11-03T16:58:40+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2023-11-03T13:28:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=7ffa4d4044b9288eefa44fcc80c246a4def2435b'/>
<id>urn:sha1:7ffa4d4044b9288eefa44fcc80c246a4def2435b</id>
<content type='text'>
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time.  The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.

Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.

(From OE-Core rev: 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: slightly more verbose warning when adding the same package twice</title>
<updated>2023-10-26T14:29:34+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2023-10-23T17:38:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=c1e7eed4f7e5c710f71c216231e44cf757f0454a'/>
<id>urn:sha1:c1e7eed4f7e5c710f71c216231e44cf757f0454a</id>
<content type='text'>
Occasionally the cve-check tool will warn that it is adding the same
package twice.  Knowing what this package is might be the first step
towards understanding where this message comes from.

(From OE-Core rev: c1179faec8583a8b7df192cf1cbf221f0e3001fc)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve_check: Fix cpe_id generation</title>
<updated>2023-08-22T14:13:54+00:00</updated>
<author>
<name>Jasper Orschulko</name>
<email>jasper@fancydomain.eu</email>
</author>
<published>2023-08-21T12:02:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=92983dba651cffe5c11973d90aad00c581a79c93'/>
<id>urn:sha1:92983dba651cffe5c11973d90aad00c581a79c93</id>
<content type='text'>
Use "*" (wildcard) instead of "a" (application)in cpe_id generation,
as the product is not necessarily of type application, e.g.
linux_kernel, which is of type "o" (operating system).

(From OE-Core rev: cae9528b002c06143bf048b991b9d7e93968cb6b)

(From OE-Core rev: e7c1def3c3c3a72249802ef6fb64292277a7a53e)

Signed-off-by: Jasper Orschulko &lt;jasper@fancydomain.eu&gt;
Signed-off-by: Luca Ceresoli &lt;luca.ceresoli@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add option to add additional patched CVEs</title>
<updated>2023-07-19T22:25:01+00:00</updated>
<author>
<name>Andrej Valek</name>
<email>andrej.valek@siemens.com</email>
</author>
<published>2023-06-23T11:14:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=be9883a92bad0fe4c1e9c7302c93dea4ac680f8c'/>
<id>urn:sha1:be9883a92bad0fe4c1e9c7302c93dea4ac680f8c</id>
<content type='text'>
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status

Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"

CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"

(From OE-Core rev: 34f682a24b7075b12ec308154b937ad118d69fe5)

Signed-off-by: Andrej Valek &lt;andrej.valek@siemens.com&gt;
Signed-off-by: Peter Marko &lt;peter.marko@siemens.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
