All of lore.kernel.org
 help / color / mirror / Atom feed
* [[PATCH] cve-check.bbclass: allow skiping non pbn
@ 2021-02-14 23:20 akuster
  2021-02-15  7:51 ` [OE-core] " Mikko Rapeli
  0 siblings, 1 reply; 3+ messages in thread
From: akuster @ 2021-02-14 23:20 UTC (permalink / raw)
  To: openembedded-core

I don't see the point in logging native, nativesdk etc.
The bottom line is the BPN has the issue.

Allow folks to filter out those other package name variations via
CVE_CHECK_MANIFEST_FILTER

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/classes/cve-check.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 112ee3379d3..0d33d5a530c 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -59,6 +59,7 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 # Layers to be included 
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
+CVE_CHECK_MANIFEST_FILTER ??="0"
 
 # set to "alphabetical" for version using single alphabetical character as increament release
 CVE_VERSION_SUFFIX ??= ""
@@ -96,6 +97,13 @@ python do_cve_check () {
     """
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+        if d.getVar("CVE_CHECK_MANIFEST_FILTER") == "1":
+            # drop native, nativesdk, cross, etc
+            bpn = d.getVar("BPN")
+            pn = d.getVar("PN")
+            if bpn != pn:
+               return
+
         try:
             patched_cves = get_patches_cves(d)
         except FileNotFoundError:
@@ -164,6 +172,7 @@ def get_patches_cves(d):
     import re
 
     pn = d.getVar("PN")
+
     cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
 
     # Matches last CVE-1234-211432 in the file name, also if written
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [OE-core] [[PATCH] cve-check.bbclass: allow skiping non pbn
  2021-02-14 23:20 [[PATCH] cve-check.bbclass: allow skiping non pbn akuster
@ 2021-02-15  7:51 ` Mikko Rapeli
  2021-02-15 17:00   ` akuster
  0 siblings, 1 reply; 3+ messages in thread
From: Mikko Rapeli @ 2021-02-15  7:51 UTC (permalink / raw)
  To: akuster808; +Cc: openembedded-core

Hi,

On Sun, Feb 14, 2021 at 11:20:27PM +0000, akuster wrote:
> I don't see the point in logging native, nativesdk etc.
> The bottom line is the BPN has the issue.

While I agree to some part and do alot of:

$ cd build/tmp/deploy/cve
$ less $( grep -l Unpatched * | \
egrep -v -- '-native|-nativesdk|-cross-|-crosssdk' )

I do find that fixing build tooling CVEs is a good idea since
they downloads stuff from the Internet.

Hence I'm not sure I like this filter. Maybe at least
rename CVE_CHECK_MANIFEST_FILTER to CVE_CHECK_FILTER_BUILD_TOOLS
which makes this a bit more clear.

Cheers,

-Mikko

> Allow folks to filter out those other package name variations via
> CVE_CHECK_MANIFEST_FILTER
> 
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> ---
>  meta/classes/cve-check.bbclass | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 112ee3379d3..0d33d5a530c 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -59,6 +59,7 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
>  # Layers to be included 
>  CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
> +CVE_CHECK_MANIFEST_FILTER ??="0"
>
>  # set to "alphabetical" for version using single alphabetical character as increament release
>  CVE_VERSION_SUFFIX ??= ""
> @@ -96,6 +97,13 @@ python do_cve_check () {
>      """
>
>      if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
> +        if d.getVar("CVE_CHECK_MANIFEST_FILTER") == "1":
> +            # drop native, nativesdk, cross, etc
> +            bpn = d.getVar("BPN")
> +            pn = d.getVar("PN")
> +            if bpn != pn:
> +               return
> +
>          try:
>              patched_cves = get_patches_cves(d)
>          except FileNotFoundError:
> @@ -164,6 +172,7 @@ def get_patches_cves(d):
>      import re
>
>      pn = d.getVar("PN")
> +
>      cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
>
>      # Matches last CVE-1234-211432 in the file name, also if written
> -- 
> 2.25.1
> 

> 
> 
> 

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [OE-core] [[PATCH] cve-check.bbclass: allow skiping non pbn
  2021-02-15  7:51 ` [OE-core] " Mikko Rapeli
@ 2021-02-15 17:00   ` akuster
  0 siblings, 0 replies; 3+ messages in thread
From: akuster @ 2021-02-15 17:00 UTC (permalink / raw)
  To: Mikko.Rapeli; +Cc: openembedded-core



On 2/14/21 11:51 PM, Mikko.Rapeli@bmw.de wrote:
> Hi,
>
> On Sun, Feb 14, 2021 at 11:20:27PM +0000, akuster wrote:
>> I don't see the point in logging native, nativesdk etc.
>> The bottom line is the BPN has the issue.
> While I agree to some part and do alot of:
>
> $ cd build/tmp/deploy/cve
> $ less $( grep -l Unpatched * | \
> egrep -v -- '-native|-nativesdk|-cross-|-crosssdk' )
We appear to generate a lot of redundant information.
>
> I do find that fixing build tooling CVEs is a good idea since
> they downloads stuff from the Internet.
>
> Hence I'm not sure I like this filter. Maybe at least
> rename CVE_CHECK_MANIFEST_FILTER to CVE_CHECK_FILTER_BUILD_TOOLS
> which makes this a bit more clear.
Yeah, I wasn't all the keen on the name either.  Thanks for the input

thanks,
Armin
>
> Cheers,
>
> -Mikko
>
>> Allow folks to filter out those other package name variations via
>> CVE_CHECK_MANIFEST_FILTER
>>
>> Signed-off-by: Armin Kuster <akuster808@gmail.com>
>> ---
>>  meta/classes/cve-check.bbclass | 9 +++++++++
>>  1 file changed, 9 insertions(+)
>>
>> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>> index 112ee3379d3..0d33d5a530c 100644
>> --- a/meta/classes/cve-check.bbclass
>> +++ b/meta/classes/cve-check.bbclass
>> @@ -59,6 +59,7 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
>>  # Layers to be included 
>>  CVE_CHECK_LAYER_INCLUDELIST ??= ""
>>
>> +CVE_CHECK_MANIFEST_FILTER ??="0"
>>
>>  # set to "alphabetical" for version using single alphabetical character as increament release
>>  CVE_VERSION_SUFFIX ??= ""
>> @@ -96,6 +97,13 @@ python do_cve_check () {
>>      """
>>
>>      if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
>> +        if d.getVar("CVE_CHECK_MANIFEST_FILTER") == "1":
>> +            # drop native, nativesdk, cross, etc
>> +            bpn = d.getVar("BPN")
>> +            pn = d.getVar("PN")
>> +            if bpn != pn:
>> +               return
>> +
>>          try:
>>              patched_cves = get_patches_cves(d)
>>          except FileNotFoundError:
>> @@ -164,6 +172,7 @@ def get_patches_cves(d):
>>      import re
>>
>>      pn = d.getVar("PN")
>> +
>>      cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
>>
>>      # Matches last CVE-1234-211432 in the file name, also if written
>> -- 
>> 2.25.1
>>
>> 
>>



^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-02-15 17:00 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-02-14 23:20 [[PATCH] cve-check.bbclass: allow skiping non pbn akuster
2021-02-15  7:51 ` [OE-core] " Mikko Rapeli
2021-02-15 17:00   ` akuster

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.