* [master] [PATCH] cve-check: Add provision to exclude classes
@ 2024-03-03 17:53 dnagodra
  2024-03-13 19:30 ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
  2024-03-15 16:08 ` [OE-core] " Ross Burton
  0 siblings, 2 replies; 6+ messages in thread
From: dnagodra @ 2024-03-03 17:53 UTC (permalink / raw)
  To: openembedded-core; +Cc: xe-linux-external, Dhairya Nagodra

From: Dhairya Nagodra <dnagodra@cisco.com>

- There are times when excluding a package that inherits a particular
  class/classes may be desired.
- This provides the framework for that via the variable:
  CVE_CHECK_CLASS_EXCLUDELIST

Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
---
 meta/classes/cve-check.bbclass | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 56ba8bceef..6d459642fe 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 # Layers to be included
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
+# Classes to be excluded
+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
 
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
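Review bot: the comment on the new CVE_CHECK_CLASS_EXCLUDELIST variable does not state its format. The code later calls `.split()` on it, so document it as a whitespace-separated list of class names, e.g. `# Classes to be excluded (space-separated, e.g. "native nativesdk")`; a comma-separated value such as "native,nativesdk" would otherwise be matched silently as one class name and exclude nothing. A matching entry in the variable documentation, alongside CVE_CHECK_LAYER_EXCLUDELIST, would help too.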
@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
 
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     if include_layers and layer not in include_layers:
         return
 
+    for excluded in exclude_classes:
+        if bb.data.inherits_class(excluded, d):
+            return
+
     # Early exit, the text format does not report packages without CVEs
     if not patched+unpatched+ignored:
         return
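Review bot: the early `return` inside the class loop drops the recipe from the text report with no trace, so a report consumer cannot tell a filtered recipe from one with no CVEs; that matters because, as the replies in this thread point out, native and cross recipes such as gcc-cross can carry CVEs that still need fixing. Suggest emitting at least a `bb.note()` naming the recipe and the class that excluded it before returning, and the loop can collapse to `if any(bb.data.inherits_class(c, d) for c in exclude_classes): return`.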
@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
 
     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
 
     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
 
@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
     if include_layers and layer not in include_layers:
         return
 
+    for excluded in exclude_classes:
+        if bb.data.inherits_class(excluded, d):
+            return
+
     unpatched_cves = []
 
     product_data = []
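Review bot: this class check is a verbatim copy of the one added to cve_write_data_text(), and the layer include/exclude checks above it are already duplicated between the two writers as well. Suggest factoring the skip decision into one helper, e.g. `cve_check_recipe_excluded(d, layer)`, called from both cve_write_data_text() and cve_write_data_json(), so the text and JSON reports cannot drift apart when one copy is changed and the other is not.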
-- 
2.35.6




* RE: [master] [PATCH] cve-check: Add provision to exclude classes
  2024-03-03 17:53 [master] [PATCH] cve-check: Add provision to exclude classes dnagodra
@ 2024-03-13 19:30 ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
  2024-03-15 16:08 ` [OE-core] " Ross Burton
  1 sibling, 0 replies; 6+ messages in thread
From: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) @ 2024-03-13 19:30 UTC (permalink / raw)
  To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco),
	openembedded-core
  Cc: xe-linux-external(mailer list)

A gentle reminder

>-----Original Message-----
>From: dnagodra@cisco.com <dnagodra@cisco.com>
>Sent: Sunday, March 3, 2024 11:23 PM
>To: openembedded-core@lists.openembedded.org
>Cc: xe-linux-external(mailer list) <xe-linux-external@cisco.com>; Dhairya
>Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnagodra@cisco.com>
>Subject: [master] [PATCH] cve-check: Add provision to exclude classes
>
>From: Dhairya Nagodra <dnagodra@cisco.com>
>
>- There are times when excluding a package that inherits a particular
>  class/classes may be desired.
>- This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST
>
>Signed-off-by: Dhairya Nagodra <dnagodra@cisco.com>
>---
> meta/classes/cve-check.bbclass | 12 ++++++++++++
> 1 file changed, 12 insertions(+)
>
>diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>index 56ba8bceef..6d459642fe 100644
>--- a/meta/classes/cve-check.bbclass
>+++ b/meta/classes/cve-check.bbclass
>@@ -100,6 +100,8 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
> # Layers to be included
> CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
>+# Classes to be excluded
>+CVE_CHECK_CLASS_EXCLUDELIST ??= ""
>
> # set to "alphabetical" for version using single alphabetical character as
>increment release  CVE_VERSION_SUFFIX ??= ""
>@@ -466,6 +468,7 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>
>     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
>     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
>     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -475,6 +478,10 @@ def cve_write_data_text(d, patched, unpatched,
>ignored, cve_data):
>     if include_layers and layer not in include_layers:
>         return
>
>+    for excluded in exclude_classes:
>+        if bb.data.inherits_class(excluded, d):
>+            return
>+
>     # Early exit, the text format does not report packages without CVEs
>     if not patched+unpatched+ignored:
>         return
>@@ -581,6 +588,7 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>
>     include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
>     exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
>+    exclude_classes = d.getVar("CVE_CHECK_CLASS_EXCLUDELIST").split()
>
>     report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"
>
>@@ -590,6 +598,10 @@ def cve_write_data_json(d, patched, unpatched,
>ignored, cve_data, cve_status):
>     if include_layers and layer not in include_layers:
>         return
>
>+    for excluded in exclude_classes:
>+        if bb.data.inherits_class(excluded, d):
>+            return
>+
>     unpatched_cves = []
>
>     product_data = []
>--
>2.35.6




* Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes
  2024-03-03 17:53 [master] [PATCH] cve-check: Add provision to exclude classes dnagodra
  2024-03-13 19:30 ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
@ 2024-03-15 16:08 ` Ross Burton
  2024-03-15 19:52   ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
  1 sibling, 1 reply; 6+ messages in thread
From: Ross Burton @ 2024-03-15 16:08 UTC (permalink / raw)
  To: dnagodra; +Cc: openembedded-core, xe-linux-external

On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org <dnagodra=cisco.com@lists.openembedded.org> wrote:
> 
> From: Dhairya Nagodra <dnagodra@cisco.com>
> 
> - There are times when excluding a package that inherits a particular
>  class/classes may be desired.
> - This provides the framework for that via the variable:
>  CVE_CHECK_CLASS_EXCLUDELIST

What’s the use-case for this?  Note that you can control whether cve-check runs per-layer already, if that’s useful.

Ross


* RE: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes
  2024-03-15 16:08 ` [OE-core] " Ross Burton
@ 2024-03-15 19:52   ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
  2024-03-18  6:31     ` Mikko Rapeli
  2024-03-18 17:02     ` Ross Burton
  0 siblings, 2 replies; 6+ messages in thread
From: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) @ 2024-03-15 19:52 UTC (permalink / raw)
  To: Ross Burton; +Cc: openembedded-core, xe-linux-external(mailer list)



>-----Original Message-----
>From: Ross Burton <Ross.Burton@arm.com>
>Sent: Friday, March 15, 2024 9:39 PM
>To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
><dnagodra@cisco.com>
>Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
>list) <xe-linux-external@cisco.com>
>Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
>classes
>
>On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
><dnagodra=cisco.com@lists.openembedded.org> wrote:
>>
>> From: Dhairya Nagodra <dnagodra@cisco.com>
>>
>> - There are times when excluding a package that inherits a particular
>> class/classes may be desired.
>> - This provides the framework for that via the variable:
>>  CVE_CHECK_CLASS_EXCLUDELIST
>
>What’s the use-case for this?  Note that you can control whether cve-check
>runs per-layer already, if that’s useful.

Currently, the CVE report is generated for all packages associated with the build.
However, not all of them might be getting used in the target device.
The packages associated with the native, nativesdk and cross classes are examples of such.
This patch would provide a way to exclude these packages from the CVE report.
So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native",
the report would not have the entries for these packages:
 gnupg-native, nasm-native, binutils-native (and so on)

This is helpful when one wants to concentrate their CVE fixing efforts on the
specific packages going into the target device.

Regards,
Dhairya

>
>Ross


* Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes
  2024-03-15 19:52   ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
@ 2024-03-18  6:31     ` Mikko Rapeli
  2024-03-18 17:02     ` Ross Burton
  1 sibling, 0 replies; 6+ messages in thread
From: Mikko Rapeli @ 2024-03-18  6:31 UTC (permalink / raw)
  To: dnagodra; +Cc: Ross Burton, openembedded-core, xe-linux-external(mailer list)

Hi,

On Fri, Mar 15, 2024 at 07:52:00PM +0000, Dhairya Nagodra via lists.openembedded.org wrote:
> 
> 
> >-----Original Message-----
> >From: Ross Burton <Ross.Burton@arm.com>
> >Sent: Friday, March 15, 2024 9:39 PM
> >To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
> ><dnagodra@cisco.com>
> >Cc: openembedded-core@lists.openembedded.org; xe-linux-external(mailer
> >list) <xe-linux-external@cisco.com>
> >Subject: Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude
> >classes
> >
> >On 3 Mar 2024, at 17:53, Dhairya Nagodra via lists.openembedded.org
> ><dnagodra=cisco.com@lists.openembedded.org> wrote:
> >>
> >> From: Dhairya Nagodra <dnagodra@cisco.com>
> >>
> >> - There are times when excluding a package that inherits a particular
> >> class/classes may be desired.
> >> - This provides the framework for that via the variable:
> >>  CVE_CHECK_CLASS_EXCLUDELIST
> >
> >What’s the use-case for this?  Note that you can control whether cve-check
> >runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the build. 
> However, not all of them might be getting used in the target device.
> The package associated with native, nativesdk, cross classes are examples of such.
> This patch would provide a way to exclude these packages in the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native", 
> The report would not have the entries for these packages:
>  gnupg-native, nasm-native, binutils-native (and so on)
> 
> This is helpful when one wants to concentrate their CVE fixing efforts to the 
> specific packages going into the target device.

CVE check generates report summaries for all images already. Doesn't that cover this
use case?

And many build tools end up talking to servers in the Internet so detecting
and fixing CVEs in them is also quite important.

Cheers,

-Mikko



* Re: [OE-core] [master] [PATCH] cve-check: Add provision to exclude classes
  2024-03-15 19:52   ` Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
  2024-03-18  6:31     ` Mikko Rapeli
@ 2024-03-18 17:02     ` Ross Burton
  1 sibling, 0 replies; 6+ messages in thread
From: Ross Burton @ 2024-03-18 17:02 UTC (permalink / raw)
  To: Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco)
  Cc: openembedded-core, xe-linux-external(mailer list)

On 15 Mar 2024, at 19:52, Dhairya Nagodra -X (dnagodra - E-INFO CHIPS INC at Cisco) <dnagodra@cisco.com> wrote:
>> What’s the use-case for this?  Note that you can control whether cve-check
>> runs per-layer already, if that’s useful.
> 
> Currently, the CVE report is generated for all packages associated with the build. 
> However, not all of them might be getting used in the target device.
> The package associated with native, nativesdk, cross classes are examples of such.
> This patch would provide a way to exclude these packages in the CVE report.
> So, if the variable is set like CVE_CHECK_CLASS_EXCLUDELIST = "native", 
> The report would not have the entries for these packages:
> gnupg-native, nasm-native, binutils-native (and so on)

For this specific use-case I’d suggest filtering the JSON to remove all -native entries.  Also as Mikko said, a CVE in gcc-cross would absolutely need to be considered, so I’d not recommend ignoring all native recipes.

Ross
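Ross's alternative of filtering the JSON report rather than excluding whole classes, as an added example that is not part of this thread or of cve-check itself: a small Python filter that drops build-only entries from a cve-check JSON report while keeping named build tools such as gcc-cross, and that reports what it hid so the filtering is auditable. The report layout (a top-level "package" list whose entries carry "name" and an "issue" list with a "status") is assumed from cve-check's JSON writer, the sample report is constructed, and the keep-list is a hypothetical choice.

```python
import json

# Constructed sample in the layout cve-check's JSON writer is assumed to emit:
# a top-level "package" list whose entries carry "name" and an "issue" list.
SAMPLE_REPORT = json.dumps({
    "version": "1",
    "package": [
        {"name": "busybox", "version": "1.36.1",
         "issue": [{"id": "CVE-0000-0001", "status": "Unpatched"}]},
        {"name": "nasm-native", "version": "2.16",
         "issue": [{"id": "CVE-0000-0002", "status": "Unpatched"}]},
        {"name": "gcc-cross-aarch64", "version": "13.2",
         "issue": [{"id": "CVE-0000-0003", "status": "Unpatched"}]},
        {"name": "gnupg-native", "version": "2.4",
         "issue": [{"id": "CVE-0000-0004", "status": "Patched"}]},
    ],
})

# Hypothetical keep-list: build-side recipes whose CVEs still matter because
# they generate the target code or talk to the network (the gcc-cross point).
KEEP_BUILD_TOOLS = ("gcc-cross", "binutils-cross")


def is_build_only(name):
    """Name-based test for recipes that never ship on the target device."""
    return (name.endswith("-native") or name.startswith("nativesdk-")
            or "-cross" in name)


def filter_report(report_text, keep_prefixes=KEEP_BUILD_TOOLS):
    """Drop build-only packages from a cve-check JSON report.

    Returns (filtered_report, dropped); dropped lists each removed package
    with its number of Unpatched issues, so nothing disappears silently.
    """
    report = json.loads(report_text)
    kept, dropped = [], []
    for pkg in report.get("package", []):
        name = pkg.get("name", "")
        if is_build_only(name) and not name.startswith(keep_prefixes):
            unpatched = sum(1 for i in pkg.get("issue", [])
                            if i.get("status") == "Unpatched")
            dropped.append((name, unpatched))
        else:
            kept.append(pkg)
    report["package"] = kept
    return report, dropped


if __name__ == "__main__":
    filtered, dropped = filter_report(SAMPLE_REPORT)
    print(json.dumps(filtered, indent=2))
    for name, unpatched in dropped:
        print("dropped %s (%d unpatched CVEs hidden)" % (name, unpatched))
```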

