* [PATCH 1/2] cups: ignore CVE-2022-26691
@ 2022-06-29 15:15 Ross Burton
  2022-06-29 15:15 ` [PATCH 2/2] cve-check: hook cleanup to the BuildCompleted event, not CookerExit Ross Burton
  0 siblings, 1 reply; 5+ messages in thread
From: Ross Burton @ 2022-06-29 15:15 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

This is fixed in 2.4.2, which we have, but the complex CPE in that CVE
isn't parsed by cve-check correctly so it thinks that we're vulnerable.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/recipes-extended/cups/cups.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-extended/cups/cups.inc b/meta/recipes-extended/cups/cups.inc
index 8f2ad8a0098..45929807660 100644
--- a/meta/recipes-extended/cups/cups.inc
+++ b/meta/recipes-extended/cups/cups.inc
@@ -26,6 +26,8 @@ CVE_CHECK_IGNORE += "CVE-2008-1033"
 CVE_CHECK_IGNORE += "CVE-2009-0032"
 # This is an Ubuntu only issue.
 CVE_CHECK_IGNORE += "CVE-2018-6553"
+# This is fixed in 2.4.2 but the cve-check class still reports it
+CVE_CHECK_IGNORE += "CVE-2022-26691"
 
 LEAD_SONAME = "libcupsdriver.so"
 
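Review bot: the new comment on the `CVE_CHECK_IGNORE += "CVE-2022-26691"` line drops the actual reason given in the commit message, namely that cve-check mis-parses the complex CPE in this CVE and therefore flags 2.4.2 as vulnerable. Since `CVE_CHECK_IGNORE` silences the entry unconditionally, regardless of `PV`, the comment should say that the ignore is a workaround for the parser rather than a statement that the issue is fixed, so that it can be revisited and dropped once cve-check handles the CPE correctly, e.g. `# Fixed in 2.4.2; ignored because cve-check cannot parse the CVE's CPE and reports a false positive`.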
-- 
2.25.1




* [PATCH 2/2] cve-check: hook cleanup to the BuildCompleted event, not CookerExit
  2022-06-29 15:15 [PATCH 1/2] cups: ignore CVE-2022-26691 Ross Burton
@ 2022-06-29 15:15 ` Ross Burton
  2022-06-29 15:19   ` [OE-core] " Marta Rybczynska
  0 siblings, 1 reply; 5+ messages in thread
From: Ross Burton @ 2022-06-29 15:15 UTC (permalink / raw)
  To: openembedded-core; +Cc: nd

The cve-check class writes temporary files to preserve state across the
build, and cleans them up in a CookerExit handler.

However, in memory-resident builds the cooker won't exit in between
builds, so the state isn't cleared and the CVE report generation fails:

NOTE: Generating JSON CVE summary
ERROR: Error adding the same package twice

Easily solved by hooking to BuildCompleted, instead of CookerExit.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 50b9247f464..da7f93371c0 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,7 +166,7 @@ python cve_check_cleanup () {
 }
 
 addhandler cve_check_cleanup
-cve_check_cleanup[eventmask] = "bb.cooker.CookerExit"
+cve_check_cleanup[eventmask] = "bb.event.BuildCompleted"
 
 python cve_check_write_rootfs_manifest () {
     """
-- 
2.25.1




* Re: [OE-core] [PATCH 2/2] cve-check: hook cleanup to the BuildCompleted event, not CookerExit
  2022-06-29 15:15 ` [PATCH 2/2] cve-check: hook cleanup to the BuildCompleted event, not CookerExit Ross Burton
@ 2022-06-29 15:19   ` Marta Rybczynska
  2022-06-29 15:44     ` Ross Burton
  0 siblings, 1 reply; 5+ messages in thread
From: Marta Rybczynska @ 2022-06-29 15:19 UTC (permalink / raw)
  To: Ross Burton, Sean Nyekjaer; +Cc: OE-core, nd


On Wed, Jun 29, 2022 at 5:15 PM Ross Burton <ross.burton@arm.com> wrote:

> The cve-check class writes temporary files to preserve state across the
> build, and cleans them up in a CookerExit handler.
>
> However, in memory-resident builds the cooker won't exit in between
> builds, so the state isn't cleared and the CVE report generation fails:
>
> NOTE: Generating JSON CVE summary
> ERROR: Error adding the same package twice
>
> Easily solved by hooking to BuildCompleted, instead of CookerExit.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
>

Sean, could you check if it is your case too? I'll be adding a more verbose
error message so that we know which package it comes from.

Regards,
Marta



* Re: [OE-core] [PATCH 2/2] cve-check: hook cleanup to the BuildCompleted event, not CookerExit
  2022-06-29 15:19   ` [OE-core] " Marta Rybczynska
@ 2022-06-29 15:44     ` Ross Burton
  2022-06-30 16:03       ` Marta Rybczynska
  0 siblings, 1 reply; 5+ messages in thread
From: Ross Burton @ 2022-06-29 15:44 UTC (permalink / raw)
  To: Marta Rybczynska; +Cc: Sean Nyekjaer, OE-core, nd


> On 29 Jun 2022, at 16:19, Marta Rybczynska <rybczynska@gmail.com> wrote:
> Sean, could you check if it is your case too? I'll be adding a more verbose error message
> so that we know which package it comes from.

I actually think we should get rid of the index file entirely. Why can’t the big JSON file simply be all of the written JSON files merged together (by simply listing the directory contents)?

Ross


* Re: [OE-core] [PATCH 2/2] cve-check: hook cleanup to the BuildCompleted event, not CookerExit
  2022-06-29 15:44     ` Ross Burton
@ 2022-06-30 16:03       ` Marta Rybczynska
  0 siblings, 0 replies; 5+ messages in thread
From: Marta Rybczynska @ 2022-06-30 16:03 UTC (permalink / raw)
  To: Ross Burton; +Cc: Sean Nyekjaer, OE-core, nd


On Wed, Jun 29, 2022 at 5:45 PM Ross Burton <ross.burton@arm.com> wrote:

>
> > On 29 Jun 2022, at 16:19, Marta Rybczynska <rybczynska@gmail.com> wrote:
> > Sean, could you check if it is your case too? I'll be adding a more
> > verbose error message
> > so that we know which package it comes from.
>
> I actually think we should get rid of the index file entirely. Why can’t
> the big JSON file simply be all of the written JSON files merged together
> (by simply listing the directory contents)?
>

Without the index file I was running into the issue of merging fragment
files from different builds in the same directory (different images, the
world build etc). I can see the following solutions:
1. Move the fragment files to a separate directory and remove it at the
build end. It would work if nobody is using fragment files.
2. Extract the complete list of the packages built in a different way and
get fragment files using that different list.

Opinions?

Regards,
Marta

