
[master] cve-check: Add provision to exclude classes

Message ID 20240303175323.2526814-1-dnagodra@cisco.com
State New

Commit Message

From: Dhairya Nagodra <dnagodra@cisco.com>

- There are times when excluding a package that inherits a particular
  class/classes may be desired.
- This provides the framework for that via the variable:
  CVE_CHECK_CLASS_EXCLUDELIST

Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
---
 meta/classes/cve-check.bbclass | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

A gentle reminder

>-----Original Message-----
>From: dnagodra@cisco.com <dnagodra@cisco.com>
>Sent: Sunday, March 3, 2024 11:23 PM
>To: openembedded-core@lists.openembedded.org
>Cc: xe-linux-external(mailer list) <xe-linux-external@cisco.com>; Dhairya
>Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnagodra@cisco.com>
>Subject: [master] [PATCH] cve-check: Add provision to exclude classes
>
>From: Dhairya Nagodra <dnagodra@cisco.com>
>
>- There are times when excluding a package that inherits a particular
>  class/classes may be desired.
>- This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST
>
>Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
>---
> meta/classes/cve-check.bbclass | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>index 56ba8bceef..6d459642fe 100644
>--- a/meta/classes/cve-check.bbclass
>+++ b/meta/classes/cve-check.bbclass
>@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> # Layers to be included
> CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
>+# Classes to be excluded
>+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
>
> # set to "alphabetical" for version using single alphabetical character as
>increment release  CVE_VERSION_SUFFIX ??= ""
>@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>
>     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
>     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
>     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>     if include_layers and layer not in include_layers:
>         return
>
>+    for excluded in exclude_classes:
>+        if bb.data.inherits_class(excluded, d):
>+            return
>+
>     # Early exit, the text format does not report packages without CVEs
>     if not patched+unpatched+ignored:
>         return
>@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>
>     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
>     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
>     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>     if include_layers and layer not in include_layers:
>         return
>
>+    for excluded in exclude_classes:
>+        if bb.data.inherits_class(excluded, d):
>+            return
>+
>     unpatched_cves = []
>
>     product_data = []
>--
>2.35.6
Ross Burton March 15, 2024, 4:08 p.m. UTC | #2
On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org <dnagodra=cisco.com@lists.openembedded.org> wrote:
> 
> From: Dhairya Nagodra <dnagodra@cisco.com>
> 
> - There are times when excluding a package that inherits a particular
>  class/classes may be desired.
> - This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST

What’s the use-case for this?  Note that you can control whether cve-check runs per-layer already, if that’s useful.

Ross
>-----Original Message-----
>From: Ross Burton <Ross.Burton@arm.com>
>Sent: Friday, March 15, 2024 9:39 PM
>To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
><dnagodra@cisco.com>
>Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
>list) <xe-linux-external@cisco.com>
>Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
>classes
>
>On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
><dnagodra=cisco.com@lists.openembedded.org> wrote:
>>
>> From: Dhairya Nagodra <dnagodra@cisco.com>
>>
>> - There are times when excluding a package that inherits a particular
>> class/classes may be desired.
>> - This provides the framework for that via the variable:
>>  CVE_CHECK_CLASS_EXCLUDELIST
>
>What’s the use-case for this?  Note that you can control whether cve-check
>runs per-layer already, if that’s useful.

Currently, the CVE report is generated for all packages associated with the build.
However, not all of them might be used in the target device.
The packages associated with the native, nativesdk and cross classes are examples of such.
This patch would provide a way to exclude these packages from the CVE report.
So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native",
the report would not have the entries for these packages:
 gnupg-native, nasm-native, binutils-native (and so on)

This is helpful when one wants to concentrate their CVE fixing efforts on the
specific packages going into the target device.

Regards,
Dhairya

>
>Ross
Mikko Rapeli March 18, 2024, 6:31 a.m. UTC | #4
Hi,

On Fri, Mar 15, 2024 at 07:52:00PM +0000, Dhairya Nagodra via lists.openembedded.org wrote:
> 
> 
> >-----Original Message-----
> >From: Ross Burton <Ross.Burton@arm.com>
> >Sent: Friday, March 15, 2024 9:39 PM
> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
> ><dnagodra@cisco.com>
> >Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
> >list) <xe-linux-external@cisco.com>
> >Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
> >classes
> >
> >On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> ><dnagodra=cisco.com@lists.openembedded.org> wrote:
> >>
> >> From: Dhairya Nagodra <dnagodra@cisco.com>
> >>
> >> - There are times when excluding a package that inherits a particular
> >> class/classes may be desired.
> >> - This provides the framework for that via the variable:
> >>  CVE_CHECK_CLASS_EXCLUDELIST
> >
> >What’s the use-case for this?  Note that you can control whether cve-check
> >runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the build.
> However, not all of them might be used in the target device.
> The packages associated with the native, nativesdk and cross classes are examples of such.
> This patch would provide a way to exclude these packages from the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native",
> the report would not have the entries for these packages:
>  gnupg-native, nasm-native, binutils-native (and so on)
> 
> This is helpful when one wants to concentrate their CVE fixing efforts on the
> specific packages going into the target device.

CVE check generates report summaries for all images already. Doesn't that cover this
usecase?

And many build tools end up talking to servers in the Internet so detecting
and fixing CVEs in them is also quite important.

Cheers,

-Mikko
Ross Burton March 18, 2024, 5:02 p.m. UTC | #5
On 15 Mar 2024, at 19:52, Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnagodra@cisco.com> wrote:
>> What’s the use-case for this?  Note that you can control whether cve-check
>> runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the build.
> However, not all of them might be used in the target device.
> The packages associated with the native, nativesdk and cross classes are examples of such.
> This patch would provide a way to exclude these packages from the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native",
> the report would not have the entries for these packages:
> gnupg-native, nasm-native, binutils-native (and so on)

For this specific use-case I’d suggest filtering the JSON to remove all -native entries.  Also as Mikko said, a CVE in gcc-cross would absolutely need to be considered, so I’d not recommend ignoring all native recipes.

Ross
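Ross's suggestion above is to post-process the JSON report rather than change cve-check itself. The script below is an added example (not code from the patch, the thread, or OE-core) of doing exactly that: it drops packages whose recipe name carries the `-native` suffix while keeping cross recipes such as `gcc-cross-*`, and it supports a keep-list for host tools that should stay in view. The report layout it parses (a top-level `package` list whose entries carry `name`, `layer`, `version`, `products` and an `issue` list with `id` and `status`) is assumed from the cve-check JSON format; the embedded sample report is constructed, and its CVE ids are placeholders, not real identifiers.

```python
"""Post-filter a cve-check JSON report to drop -native recipes.

Added example; not part of the patch under review or of OE-core.
"""
import json
import sys

# Constructed sample in the assumed cve-check JSON layout. CVE ids are
# placeholders (CVE-0000-*), not real vulnerabilities.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "layer": "core", "version": "1.36.1",
         "products": [{"product": "busybox", "cvesInRecord": "Yes"}],
         "issue": [{"id": "CVE-0000-0001", "status": "Unpatched"}]},
        {"name": "gnupg-native", "layer": "core", "version": "2.4.4",
         "products": [{"product": "gnupg", "cvesInRecord": "Yes"}],
         "issue": [{"id": "CVE-0000-0002", "status": "Unpatched"},
                   {"id": "CVE-0000-0003", "status": "Patched"}]},
        {"name": "nasm-native", "layer": "core", "version": "2.16.01",
         "products": [{"product": "nasm", "cvesInRecord": "No"}],
         "issue": []},
        {"name": "gcc-cross-aarch64", "layer": "core", "version": "13.2.0",
         "products": [{"product": "gcc", "cvesInRecord": "Yes"}],
         "issue": [{"id": "CVE-0000-0004", "status": "Ignored"}]},
    ],
})


def load_report(text):
    """Parse a cve-check JSON report from a string."""
    return json.loads(text)


def is_native_recipe(name):
    """True for host-side recipes named by the BBCLASSEXTEND convention
    <recipe>-native. Cross recipes (gcc-cross-*, binutils-cross-*) do not
    match and are deliberately retained, as the thread recommends."""
    return name.endswith("-native")


def filter_report(report, keep=frozenset()):
    """Return a copy of the report without -native packages.

    `keep` names -native recipes that must stay in the report, e.g. build
    tools that talk to the network and therefore still need CVE attention.
    """
    kept = [p for p in report["package"]
            if not is_native_recipe(p["name"]) or p["name"] in keep]
    return {**report, "package": kept}


def dropped_names(report, keep=frozenset()):
    """Recipe names removed by filter_report, for an audit trail."""
    before = {p["name"] for p in report["package"]}
    after = {p["name"] for p in filter_report(report, keep)["package"]}
    return sorted(before - after)


def unpatched_ids(report):
    """Sorted CVE ids whose status is still Unpatched, across all packages."""
    return sorted(issue["id"]
                  for pkg in report["package"]
                  for issue in pkg.get("issue", [])
                  if issue.get("status") == "Unpatched")


if __name__ == "__main__":
    # Usage: filter_cve_json.py [report.json] > filtered.json
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            report = load_report(fh.read())
    else:
        report = load_report(SAMPLE_REPORT)
    filtered = filter_report(report)
    print("dropped:", ", ".join(dropped_names(report)), file=sys.stderr)
    print("unpatched:", ", ".join(unpatched_ids(filtered)), file=sys.stderr)
    json.dump(filtered, sys.stdout, indent=2)
```

Run against the sample, `gnupg-native` and `nasm-native` are dropped while `busybox` and `gcc-cross-aarch64` remain; passing `keep={"gnupg-native"}` retains gnupg, which is the kind of exception Mikko's point about network-facing build tools calls for. Because the filter is a separate step, the full report is still produced by the build and can be archived alongside the narrowed one.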

Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 56ba8bceef..6d459642fe 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -100,6 +100,8 @@  CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 # Layers to be included
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
+# Classes to be excluded
+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
 
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
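Review bot: the new variable arrives with only the comment "# Classes to be excluded" and, per the diffstat, no documentation change; the comment should state what the value is matched against, because the check added later in this patch uses bb.data.inherits_class, so "native" matches every recipe inheriting native.bbclass (including BBCLASSEXTEND variants such as gnupg-native), while nativesdk and cross recipes inherit their own classes and have to be listed separately if, as the thread discusses, all host-side tools are the target. Something like `# Space-separated list of class names; recipes inheriting any of them are omitted from the report` would do, plus a reference-manual entry alongside the other CVE_CHECK_* variables.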
@@ -466,6 +468,7 @@  def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
 
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -475,6 +478,10 @@  def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     if include_layers and layer not in include_layers:
         return
 
+    for excluded in exclude_classes:
+        if bb.data.inherits_class(excluded, d):
+            return
+
     # Early exit, the text format does not report packages without CVEs
     if not patched+unpatched+ignored:
         return
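Review bot: the return inside the new loop is silent, so a recipe skipped through CVE_CHECK_CLASS_EXCLUDELIST is indistinguishable in the output from one that simply had no CVEs (the text format already writes nothing for those, per the "Early exit" comment just below); emit a debug message naming the recipe and the matched class before returning, e.g. `bb.debug(2, "cve-check: skipping %s, inherits excluded class %s" % (d.getVar("PN"), excluded))`, so report consumers can audit what was filtered. Note also that the check lives in the report writer, after the CVE lookup for the recipe has already run, so the variable narrows the report rather than the check; the commit message should say so.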
@@ -581,6 +588,7 @@  def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
 
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -590,6 +598,10 @@  def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     if include_layers and layer not in include_layers:
         return
 
+    for excluded in exclude_classes:
+        if bb.data.inherits_class(excluded, d):
+            return
+
     unpatched_cves = []
 
     product_data = []
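Review bot: this loop is a verbatim copy of the one added to cve_write_data_text; factor the class test into one shared helper (for example `def cve_check_class_excluded(d)` returning True when the recipe inherits any class named in CVE_CHECK_CLASS_EXCLUDELIST) and call it from both writers, so the two formats cannot drift. Returning here also means no per-recipe JSON is produced at all for an excluded recipe, so it will be absent from the merged image summary rather than marked as excluded; if that is the intended behaviour, the variable's comment should state it.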