From patchwork Thu Jul 20 07:31:30 2023
X-Patchwork-Submitter: Andrej Valek
X-Patchwork-Id: 27735
From: Andrej Valek
To:
CC: Andrej Valek, Peter Marko
Subject: [PATCH v2] ref-manual: document CVE_STATUS and CVE_CHECK_STATUSMAP
Date: Thu, 20 Jul 2023 09:31:30 +0200
Message-ID: <20230720073130.41355-1-andrej.valek@siemens.com>
X-Mailer: git-send-email 2.41.0
In-Reply-To: <20230519085823.90027-1-andrej.valek@siemens.com>
References: <20230519085823.90027-1-andrej.valek@siemens.com>
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthSource: VE1EUR01FT074.eop-EUR01.prod.protection.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Anonymous X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB3PR10MB6860 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 20 Jul 2023 07:32:14 -0000 X-Groupsio-URL: https://lists.yoctoproject.org/g/docs/message/4066 Deprecate CVE_CHECK_IGNORE with CVE_STATUS Signed-off-by: Andrej Valek Signed-off-by: Peter Marko Reviewed-by: Michael Opdenacker --- documentation/dev-manual/new-recipe.rst | 3 +- documentation/dev-manual/vulnerabilities.rst | 13 +++++--- documentation/ref-manual/classes.rst | 6 ++-- documentation/ref-manual/variables.rst | 33 +++++++++++++++++--- 4 files changed, 41 insertions(+), 14 deletions(-) diff --git a/documentation/dev-manual/new-recipe.rst b/documentation/dev-manual/new-recipe.rst index 1be04a765..af390773a 100644 --- a/documentation/dev-manual/new-recipe.rst +++ b/documentation/dev-manual/new-recipe.rst @@ -1253,8 +1253,7 @@ In the following example, ``lz4`` is a makefile-based package:: S = "${WORKDIR}/git" - # Fixed in r118, which is larger than the current version. - CVE_CHECK_IGNORE += "CVE-2014-4715" + CVE_STATUS[CVE-2014-4715] = "fixed-version: Fixed in r118, which is larger than the current version" EXTRA_OEMAKE = "PREFIX=${prefix} CC='${CC}' CFLAGS='${CFLAGS}' DESTDIR=${D} LIBDIR=${libdir} INCLUDEDIR=${includedir} BUILD_STATIC=no" diff --git a/documentation/dev-manual/vulnerabilities.rst b/documentation/dev-manual/vulnerabilities.rst index 0ee3ec52c..6d87d02ec 100644 --- a/documentation/dev-manual/vulnerabilities.rst +++ b/documentation/dev-manual/vulnerabilities.rst 
@@ -130,7 +130,8 @@ Fixing vulnerabilities in recipes ================================= If a CVE security issue impacts a software component, it can be fixed by updating to a newer -version of the software component or by applying a patch. For Poky and OE-Core master branches, updating +version of the software component, by applying a patch or by marking it as patched via +:term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating to a newer software component release with fixes is the best option, but patches can be applied if releases are not yet available. @@ -158,7 +159,8 @@ CVE checker will then capture this information and change the CVE status to ``Pa in the generated reports. If analysis shows that the CVE issue does not impact the recipe due to configuration, platform, -version or other reasons, the CVE can be marked as ``Ignored`` using the :term:`CVE_CHECK_IGNORE` variable. +version or other reasons, the CVE can be marked as ``Ignored`` by using +the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``. As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those issues in the CVE database directly. @@ -175,6 +177,8 @@ is found in the name of the file, the corresponding CVE is considered as patched Don't forget that if multiple CVE IDs are found in the filename, only the last one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch file. The found CVE IDs are also considered as patched. +Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched`` +and these are also considered as patched. Then, the code looks up all the CVE IDs in the NIST database for all the products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: 
@@ -182,8 +186,9 @@ products defined in :term:`CVE_PRODUCT`. Then, for each found CVE: - If the package name (:term:`PN`) is part of :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``. -- If the CVE ID is part of :term:`CVE_CHECK_IGNORE`, it is - set as ``Ignored``. +- If the CVE ID has status ``CVE_STATUS[] = "ignored"`` or if it's set to + any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``, + it is set as ``Ignored``. - If the CVE ID is part of the patched CVE for the recipe, it is already considered as ``Patched``. diff --git a/documentation/ref-manual/classes.rst b/documentation/ref-manual/classes.rst index e555a80b5..b8d07f102 100644 --- a/documentation/ref-manual/classes.rst +++ b/documentation/ref-manual/classes.rst @@ -517,10 +517,10 @@ The ``Patched`` state of a CVE issue is detected from patch files with the forma ``CVE-ID.patch``, e.g. ``CVE-2019-20633.patch``, in the :term:`SRC_URI` and using CVE metadata of format ``CVE: CVE-ID`` in the commit message of the patch file. -If the recipe lists the ``CVE-ID`` in :term:`CVE_CHECK_IGNORE` variable, then the CVE state is reported -as ``Ignored``. Multiple CVEs can be listed separated by spaces. Example:: +If the recipe adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status +mapped to ``Ignored``, then the CVE state is reported as ``Ignored``:: - CVE_CHECK_IGNORE += "CVE-2020-29509 CVE-2020-29511" + CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" If CVE check reports that a recipe contains false positives or false negatives, these may be fixed in recipes by adjusting the CVE product name using :term:`CVE_PRODUCT` and :term:`CVE_VERSION` variables. diff --git a/documentation/ref-manual/variables.rst b/documentation/ref-manual/variables.rst index ac5b97a52..7e93f731a 100644 --- a/documentation/ref-manual/variables.rst +++ b/documentation/ref-manual/variables.rst 
@@ -1653,11 +1653,7 @@ system and gives an overview of their function and contents. and kernel module recipes). :term:`CVE_CHECK_IGNORE` - The list of CVE IDs which are ignored. Here is - an example from the :oe_layerindex:`Python3 recipe`:: - - # This is windows only issue. - CVE_CHECK_IGNORE += "CVE-2020-15523" + This variable is deprecated and should be replaced by :term:`CVE_STATUS`. :term:`CVE_CHECK_SHOW_WARNINGS` Specifies whether or not the :ref:`ref-classes-cve-check` @@ -1698,6 +1694,33 @@ system and gives an overview of their function and contents. CVE_PRODUCT = "vendor:package" + :term:`CVE_STATUS` + The CVE ID which is patched or should be ignored. Here is + an example from the :oe_layerindex:`Python3 recipe`:: + + CVE_STATUS[CVE-2020-15523] = "not-applicable-platform: Issue only applies on Windows" + + It has format "reason: description" and description is optional. + Reason is mapped to final CVE state by mapping via :term:`CVE_CHECK_STATUSMAP` + + :term:`CVE_STATUS_GROUPS` + If there are many CVEs with the same status and reason, they can by simplified by using this + variable instead of many similar lines with :term:`CVE_STATUS`:: + + CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" + + CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0002" + CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows" + CVE_STATUS_PATCHED = "CVE-1234-0003 CVE-1234-0004" + CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally" + + :term:`CVE_CHECK_STATUSMAP` + Mapping variable for all possible reasons of :term:`CVE_STATUS` to + set of ``Patched``, ``Unpatched`` and ``Ignored``. + See :ref:`ref-classes-cve-check` or ``meta/conf/cve-check-map.conf`` for more details:: + + CVE_CHECK_STATUSMAP[cpe-incorrect] = "Ignored" + :term:`CVE_VERSION` In a recipe, defines the version used to match the recipe version against the version in the `NIST CVE database `__
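Review bot: in the vulnerabilities.rst hunk at @@ -130, the new clause "by marking it as patched via :term:`CVE_STATUS` variable flag" is missing an article and does not say which values count, since only reasons that map to ``Patched`` mark a CVE as patched; suggest "or by marking it as patched with a :term:`CVE_STATUS` variable flag whose reason is mapped to ``Patched``".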
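Review bot: in the vulnerabilities.rst hunk at @@ -158, "with appropriate reason which is mapped to ``Ignored``" should read "with an appropriate reason that is mapped to ``Ignored``", and this is the first place the reader meets the mapping, so name where it lives: "mapped to ``Ignored`` via :term:`CVE_CHECK_STATUSMAP`".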
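Review bot: in the vulnerabilities.rst hunk at @@ -175, ``CVE_STATUS`` is written as a plain literal while the rest of this file links glossary variables with :term:`...`; use :term:`CVE_STATUS` so the reference resolves, and add a comma after "Additionally".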
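Review bot: in the vulnerabilities.rst hunk at @@ -182, ``CVE_STATUS[] = "ignored"`` has empty brackets, but the flag name is the CVE ID, so the example should read ``CVE_STATUS[CVE-ID] = "ignored"``; also write "if it is set to" rather than "if it's set to", and link ``CVE_CHECK_STATUSMAP`` as :term:`CVE_CHECK_STATUSMAP` to match the neighbouring :term:`CVE_CHECK_SKIP_RECIPE` bullet.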
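Review bot: in the classes.rst hunk at @@ -517, the removed sentence "Multiple CVEs can be listed separated by spaces" leaves the many-CVE case undocumented, while this same patch introduces :term:`CVE_STATUS_GROUPS` for exactly that purpose; add a pointer to it here. The new wording "adds ``CVE-ID`` as flag of the :term:`CVE_STATUS` variable with status mapped to ``Ignored``" also mislabels the value: the flag value is a reason, so suggest "sets a ``CVE-ID`` flag on the :term:`CVE_STATUS` variable with a reason mapped to ``Ignored``".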
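Review bot: in the variables.rst hunk at @@ -1653, the new :term:`CVE_CHECK_IGNORE` entry says only that the variable is deprecated; a reader migrating a layer needs to know whether cve-check still honours an existing ``CVE_CHECK_IGNORE`` setting (for example with a warning) or silently ignores it, whichever the class now does, so state that here.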
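Review bot: in the variables.rst hunk at @@ -1698, the glossary is alphabetical, so the new :term:`CVE_CHECK_STATUSMAP` entry belongs with the other ``CVE_CHECK_*`` entries before :term:`CVE_PRODUCT`, not after :term:`CVE_STATUS_GROUPS`. Within the entries: "The CVE ID which is patched or should be ignored" describes a single value, but the variable carries one flag per CVE ID, so suggest "Each flag of this variable is a CVE ID with the reason it is patched or ignored"; "It has format "reason: description"" should read "The value has the format ``reason: description``"; the sentence ending "via :term:`CVE_CHECK_STATUSMAP`" is missing its period; "they can by simplified" should be "they can be simplified"; and "to set of ``Patched``, ``Unpatched`` and ``Ignored``" should be "to one of ``Patched``, ``Unpatched`` and ``Ignored``".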