From: Ross Burton <Ross.Burton@arm.com>
To: "rybczynska@gmail.com" <rybczynska@gmail.com>
Cc: Khem Raj <raj.khem@gmail.com>,
Richard Purdie <richard.purdie@linuxfoundation.org>,
Steve Sakoman <steve@sakoman.com>,
OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [oe] CVE-check failing on world with meta-openembedded: diff.gz file
Date: Wed, 27 Apr 2022 10:32:00 +0000 [thread overview]
Message-ID: <6D1CD0C3-16D0-4FB4-BEDF-FA6FDF94724C@arm.com> (raw)
In-Reply-To: <CAApg2=Rd7rBM_PaVEzt4K4vKd4AqVC1uA6yZJZrABFLFYNWrcQ@mail.gmail.com>
On 27 Apr 2022, at 08:14, Marta Rybczynska via lists.openembedded.org <rybczynska=gmail.com@lists.openembedded.org> wrote:
> I'm wondering if it makes sense to consider .diff.gz (or .patch.gz) files as patches for
> cve-check. They basically come directly from 3rd parties and it is quite unlikely to expect
> them to keep the CVE: tag. All the pieces of documentation I can find mention also only
> .patch files for CVEs, and not .patch.gz.
>
> This is tempting to remove the .gz handling here (for the cve-check) in my opinion.
>
> Also, since the commit f5f97d33a1703d75b9fd9760f2c7767081538e00, cve-check
> depends only on do_fetch.
The patch being a .patch.gz isn’t entirely relevant, it’s the fact that it’s a remote http: patch not a local file: patch which is causing the problem. The code uses the localpath, which only exists for remote URL after do_unpack.
There are three alternatives here:
1) Only consider local patches. Any remote patches won’t be scanned, but they don’t work anyway right now. This might mean the dependency on do_fetch can be dropped to speed up checking even further.
2) Change the task dependency to be on do_unpack instead of do_fetch. This will slow down processing if a build hasn’t already happened as tarballs will be unpacked, but remote files will be present for scanning then.
3) Try to be clever and manually call unpack on remote files. More complicated but preserves the speed.
I’m actually undecided over what the best solution is. Clearly we need some test cases for this code too.
Ross
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
next prev parent reply other threads:[~2022-04-27 10:32 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-22 9:07 CVE-check failing on world with meta-openembedded: diff.gz file Marta Rybczynska
2022-04-26 12:20 ` Marta Rybczynska
2022-04-26 16:09 ` Khem Raj
2022-04-27 7:14 ` Marta Rybczynska
2022-04-27 10:32 ` Ross Burton [this message]
2022-04-27 10:33 ` [oe] " Richard Purdie
2022-04-27 14:55 ` Khem Raj
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=6D1CD0C3-16D0-4FB4-BEDF-FA6FDF94724C@arm.com \
--to=ross.burton@arm.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=raj.khem@gmail.com \
--cc=richard.purdie@linuxfoundation.org \
--cc=rybczynska@gmail.com \
--cc=steve@sakoman.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.