On Wed, Jan 8, 2025 at 9:05 AM Hongxu Jia <[email protected]> wrote:
>
> Since commit [cve-check: annotate CVEs during analysis][1] improved
> get_patched_cves to search for additional CVEs from CVE_STATUS, the
> function get_patched_cves now contains both patched CVEs and
> decoded_status.
>
> This commit adds a function get_cves that uses get_patched_cves in one
> place to add CVEs, and converts patched_cve to decoded_status:
>
>   patched_cve["abbrev-status"] --> decoded_status["mapping"]
>   patched_cve["status"] --> decoded_status["detail"]
>   patched_cve["justification"] --> decoded_status["description"]
>
> Take the recipe unzip for example: CVE-2015-1315 is patched in oe-core
> and is available in the package SPDX.
>
> oe-core$ grep "CVE-2015-1315" -rn meta
> meta/recipes-extended/unzip/unzip_6.0.bb:12:    file://06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch \
> meta/recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch:6:CVE: CVE-2015-1315
>
> $ bitbake unzip
> $ vim tmp/deploy/spdx/3.0.1/core2-64/packages/package-unzip.spdx.json [2]
> ...
>     {
>       "type": "security_VexFixedVulnAssessmentRelationship",
>       "spdxId": "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/47a621ef0550c7a6a1ed0507b0b8a7b7822447c2ff0995acc4b688eed1e1f1d0/vex-fixed/1aeb76ce6ca8dd91b12c18a11eeb964b",
>       "creationInfo": "_:CreationInfo1",
>       "extension": [
>         {
>           "type": "https://rdf.openembedded.org/spdx/3.0/id-alias",
>           "https://rdf.openembedded.org/spdx/3.0/alias": "http://spdxdocs.org/openembedded-alias/by-doc-hash/22ab8d6eced4525f57bb861acc0fe983d8af5805dd97e702c22c1ffe04621cb2/unzip/UNIHASH/vex-fixed/1aeb76ce6ca8dd91b12c18a11eeb964b"
>         }
>       ],
>       "from": "http://spdxdocs.org/openembedded-alias/by-doc-hash/539e1deec075c3a51b8c6975352b0a9ad320a130a4d7d516316b35994a830f93/unzip/UNIHASH/vulnerability/CVE-2015-1315",
>       "relationshipType": "fixedIn",
>       "to": [
>         "http://spdx.org/spdxdocs/unzip-d5d383ad-de07-5ac4-8814-3c95ed6bdaaa/47a621ef0550c7a6a1ed0507b0b8a7b7822447c2ff0995acc4b688eed1e1f1d0/package/unzip"
>       ],
>       "security_vexVersion": "1.0.0"
>     },
> ...
>
> [1] https://git.openembedded.org/openembedded-core/commit/?id=452e605b55ad61c08f4af7089a5a9c576ca28f7d
> [2] https://spdx.github.io/spdx-spec/v3.0.1/model/Security/Classes/VexFixedVulnAssessmentRelationship/
>
> Signed-off-by: Hongxu Jia <[email protected]>
> ---
>  meta/lib/oe/spdx30_tasks.py | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py
> index c60c97896c..9baa40887b 100644
> --- a/meta/lib/oe/spdx30_tasks.py
> +++ b/meta/lib/oe/spdx30_tasks.py
> @@ -437,6 +437,17 @@ def set_purposes(d, element, *var_names, 
> force_purposes=[]):
>          getattr(oe.spdx30.software_SoftwarePurpose, p) for p in purposes[1:]
>      ]
>
> +def get_cves(d):
> +    cve_status = {}
> +    patched_cves = oe.cve_check.get_patched_cves(d)
> +    for cve, patched_cve in patched_cves.items():
> +        cve_status[cve] = {
> +            "mapping": patched_cve["abbrev-status"],
> +            "detail": patched_cve["status"],
> +            "description": patched_cve.get("justification", None)
> +        }

I don't see any reason to map this to the old indexes; better to
update the code consuming it to use the new indexes instead.

> +
> +    return cve_status
>
>  def create_spdx(d):
>      def set_var_field(var, obj, name, package=None):
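Review bot: get_cves indexes `patched_cve["abbrev-status"]` and `patched_cve["status"]` directly but falls back to `.get()` only for `justification`; if the entries returned by oe.cve_check.get_patched_cves can lack either of the first two keys, create_spdx will fail with a KeyError for that CVE, so either use `.get()` consistently or add a docstring stating that those keys are guaranteed and that the function exists to rename them to the mapping/detail/description keys the caller expects. The `None` default in `.get("justification", None)` is redundant.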
> @@ -487,8 +498,8 @@ def create_spdx(d):
>      # Add CVEs
>      cve_by_status = {}
>      if include_vex != "none":
> -        for cve in d.getVarFlags("CVE_STATUS") or {}:
> -            decoded_status = oe.cve_check.decode_cve_status(d, cve)
> +        cve_data = get_cves(d)
> +        for cve, decoded_status in cve_data.items():
>
>              # If this CVE is fixed upstream, skip it unless all CVEs are
>              # specified.
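Review bot: the loop body below this hunk was written for the output of oe.cve_check.decode_cve_status, but the commit message says get_patched_cves now also yields CVEs found in patch headers; please confirm that the mapping/detail values carried by those patch-derived entries are handled by the branches that follow the "If this CVE is fixed upstream, skip it" comment (not shown here), otherwise such CVEs could be dropped or misclassified in the VEX output without any diagnostic. `cve_data` is used only once and could be inlined into the `for` statement.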
> --
> 2.25.1
>
View/Reply Online (#210389): https://lists.openembedded.org/g/openembedded-core/message/210389