author | Hongxu Jia <hongxu.jia@windriver.com> | 2025-03-12 13:58:03 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-03-12 15:58:14 +0000 |
commit | 99e1e8c0b90612f27294a9130dd3f47f22a58c60 (patch) | |
tree | 385107cb6864e7985c837704df817e813c493845 | |
parent | 143103a1c457ebfd4fe088cc5d8233b934d3e2a9 (diff) | |
download | poky-99e1e8c0b90612f27294a9130dd3f47f22a58c60.tar.gz |
lib: spdx30_tasks: remove duplicated patched CVEs
Since commit [lib: spdx30_tasks: Handle patched CVEs][1] was applied, each CVE has had a
duplicated CVE identifier, which increased build time by 25%
(image task: do_create_image_sbom_spdx):
$ bitbake binutils-cross-x86_64
$ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
"spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
"https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
"identifier": "CVE-2023-25584",
"https://cveawg.mitre.org/api/cve/CVE-2023-25584",
"https://www.cve.org/CVERecord?id=CVE-2023-25584"
"spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/962efd5da447b81b017db54d3077be796d2e5b6e770a6b050467b24339c0995f/vulnerability/CVE-2023-25584",
"https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
"identifier": "CVE-2023-25584",
"https://cveawg.mitre.org/api/cve/CVE-2023-25584",
"https://www.cve.org/CVERecord?id=CVE-2023-25584"
Since the commit [cve-check: annotate CVEs during analysis][2] improved
function get_patched_cves to:
- Check each patch file;
- Search for additional patched CVEs from CVE_STATUS;
And return dictionary patched_cve for each cve:
{
"abbrev-status": "xxx",
"status": "xxx",
"justification": "xxx",
"resource": "xxx",
"affected-vendor": "xxx",
"affected-product": "xxx",
}
But while adding CVE in meta/lib/oe/spdx30_tasks.py, the cve_by_status
requires decoded_status
{
"mapping": "xxx",
"detail": "xxx",
"description": "xxx",
}
This commit converts patched_cve to decoded_status
patched_cve["abbrev-status"] --> decoded_status["mapping"]
patched_cve["status"] --> decoded_status["detail"]
patched_cve["justification"] --> decoded_status["description"]
And remove duplicated search for additional patched CVEs from CVE_STATUS
(calling oe.cve_check.decode_cve_status)
After applying this commit
$ bitbake binutils-cross-x86_64
$ jq . tmp/deploy/spdx/3.0.1/x86_64/recipes/recipe-binutils-cross-x86_64.spdx.json | grep CVE-2023-25584
"spdxId": "http://spdx.org/spdxdocs/binutils-cross-x86_64-5de92009-80e6-55c5-8b1f-cc37f04fbe09/381bf593d99c005ecd2c2e0815b86bca2b9ff4cc2db59587aaddd3db95c67470/vulnerability/CVE-2023-25584",
"https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/594f521fb7a3a4e9a2d3905303ffb04b016c3ce7693a775cca08be5af4d06658/binutils-cross-x86_64/UNIHASH/vulnerability/CVE-2023-25584"
"identifier": "CVE-2023-25584",
"https://cveawg.mitre.org/api/cve/CVE-2023-25584",
"https://www.cve.org/CVERecord?id=CVE-2023-25584"
[1] https://git.openembedded.org/openembedded-core/commit/?id=1ff496546279d8a97df5ec475007cfb095c2a0bc
[2] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d
(From OE-Core rev: 08595b39b46ef2bf3a928d4528292ee31a990c98)
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Mathieu Dubois-Briand <mathieu.dubois-briand@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/lib/oe/spdx30_tasks.py | 19 |
1 files changed, 7 insertions, 12 deletions
diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index e20bb0c86f..3d80f05612 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py | |||
@@ -498,18 +498,13 @@ def create_spdx(d): | |||
498 | # Add CVEs | 498 | # Add CVEs |
499 | cve_by_status = {} | 499 | cve_by_status = {} |
500 | if include_vex != "none": | 500 | if include_vex != "none": |
501 | for cve in oe.cve_check.get_patched_cves(d): | 501 | patched_cves = oe.cve_check.get_patched_cves(d) |
502 | spdx_cve = build_objset.new_cve_vuln(cve) | 502 | for cve, patched_cve in patched_cves.items(): |
503 | build_objset.set_element_alias(spdx_cve) | 503 | decoded_status = { |
504 | 504 | "mapping": patched_cve["abbrev-status"], | |
505 | cve_by_status.setdefault("Patched", {})[cve] = ( | 505 | "detail": patched_cve["status"], |
506 | spdx_cve, | 506 | "description": patched_cve.get("justification", None) |
507 | "patched", | 507 | } |
508 | "", | ||
509 | ) | ||
510 | |||
511 | for cve in d.getVarFlags("CVE_STATUS") or {}: | ||
512 | decoded_status = oe.cve_check.decode_cve_status(d, cve) | ||
513 | 508 | ||
514 | # If this CVE is fixed upstream, skip it unless all CVEs are | 509 | # If this CVE is fixed upstream, skip it unless all CVEs are |
515 | # specified. | 510 | # specified. |
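Review bot: The new dict at lines 503–507 indexes `patched_cve["abbrev-status"]` and `patched_cve["status"]` directly but reads `justification` through `.get`, so any entry that `get_patched_cves` produces without a `status` key would abort the whole SBOM task with a KeyError rather than emit a VEX entry with an empty detail; either the required shape should be stated next to the conversion, e.g. `# get_patched_cves() entries always carry "abbrev-status" and "status"; "justification" is optional`, or the two lookups should use `.get(..., "")` to match. The `None` default in `patched_cve.get("justification", None)` is redundant and the last item lacks a trailing comma, so `"description": patched_cve.get("justification"),` would read more consistently. The rest of the loop body and `create_spdx` itself continue outside the hunk, so it is not visible here whether the remaining code reads exactly the `mapping`/`detail`/`description` keys the removed `decode_cve_status` call used to provide; presumably it does, since the hunk only renames the source of `decoded_status`, but the detail text for CVEs found from patch files now comes from the `status` field instead of the old fixed `"patched"` string, which may change what downstream consumers of the SBOM see.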