[poky][master][PATCH 2/3] cve-export.bbclass: Add a new class to get patched and ignored CVEs from the build

From: Akash Hadke <akash.hadke@kpit.com>
To: openembedded-core@lists.openembedded.org
Cc: ranjitsinh.rathod@kpit.com, Akash Hadke <hadkeakash4@gmail.com>
Subject: [poky][master][PATCH 2/3] cve-export.bbclass: Add a new class to get patched and ignored CVEs from the build
Date: Wed, 11 May 2022 16:36:12 +0200	[thread overview]
Message-ID: <20220511143613.25002-2-akash.hadke@kpit.com> (raw)
In-Reply-To: <20220511143613.25002-1-akash.hadke@kpit.com>

This class executes an anonymous function which sets the
below variables
  CVE_IGNORED = CVEs that are ignored in recipes
  CVE_PATCHED = CVEs that are fixed by applying patches

It does not consider CVEs that are ignored in
poky/meta/conf/distro/include/cve-extra-exclusions.inc
and only provide CVEs that are ignored in the recipe.

Default values are set for CVE_PRODUCT and CVE_VERSION
to BPN and PV respectively.

Considered setting these values so that anyone can get
below information about the CVE from the build.
  CVE_PRODUCT
  CVE_VERSION
  CVE_IGNORED
  CVE_PATCHED

Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Akash Hadke <hadkeakash4@gmail.com>
---
 meta/classes/cve-export.bbclass | 37 +++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 meta/classes/cve-export.bbclass

diff --git a/meta/classes/cve-export.bbclass b/meta/classes/cve-export.bbclass
new file mode 100644
index 0000000000..5ed5760970
--- /dev/null
+++ b/meta/classes/cve-export.bbclass
@@ -0,0 +1,37 @@
+# This class is used to get patched and ignored CVEs from the build
+#
+# To use this class inherit it in the local.conf file.
+#
+# It executes an anonymous function which sets below variables
+#
+# CVE_IGNORED = CVEs those are ignored in recipes
+# CVE_PATCHED = CVEs those are fixed by applying patches
+#
+# It does not consider all the CVEs that are ignored in
+# poky/meta/conf/distro/include/cve-extra-exclusions.inc
+# and only provide CVEs that are ignored in the recipe.
+#
+# The product name sets default to BPN and version sets default to
+# PV but it can be overriden per recipe, to get the value of
+# product and version use d.getVar()
+
+CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
+CVE_CHECK_IGNORE ?= ""
+
+python __anonymous () {
+    import re
+    from oe.cve_check import get_patched_cves
+    from oe.cve_check import get_ignored_cves
+
+    # Check if cve-extra-exclusions.inc file is included or not
+    if re.search('cve-extra-exclusions.inc', d.getVar('BBINCLUDED')):
+        paths = d.getVar('PATH').split(':')
+        cves = d.getVar('CVE_CHECK_IGNORE').split()
+        ignored_cves = get_ignored_cves(paths, cves)
+    else:
+        ignored_cves = " ".join(d.getVar('CVE_CHECK_IGNORE'))
+
+    d.setVar('CVE_IGNORED', ignored_cves)
+    d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d)))
+}
-- 
2.17.1


