From patchwork Wed Nov 6 15:37:43 2019
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 178739
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Date: Wed, 6 Nov 2019 17:37:43 +0200
Message-ID: d77be18c4f89e9b6ee1b22593a987da5c890df5d.1573047194.git.mikko.rapeli@bmw.de
Subject: [OE-core] [PATCH RFC CFH][sumo 28/47] cve-check: ensure all known CVEs are in the report
List-Id: Patches and discussions about the oe-core layer

From: Ross Burton

CVEs that are whitelisted or were not vulnerable when there are version
comparisons were not included in the report, so alter the logic to ensure that
all relevant CVEs are in the report for completeness.

(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie --- meta/classes/cve-check.bbclass | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c00d291..f87bcc9 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -208,12 +208,14 @@ def check_cves(d, patched_cves): if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) + # TODO: this should be in the report as 'whitelisted' + patched_cves.add(cve) elif cve in patched_cves: bb.note("%s has been patched" % (cve)) else: to_append = False if (operator_start == '=' and pv == version_start): - cves_unpatched.append(cve) + to_append = True else: if operator_start: try: @@ -243,8 +245,11 @@ def check_cves(d, patched_cves): to_append = to_append_start or to_append_end if to_append: + bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) + else: + bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) + patched_cves.add(cve) conn.close() return (list(patched_cves), cves_unpatched)
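Review bot: In the first hunk (@@ -208,12 +208,14 @@), the whitelist branch calls `patched_cves.add(cve)`, so a whitelisted CVE is returned in `list(patched_cves)` and becomes indistinguishable from one that was actually patched; the added TODO acknowledges this. For anyone using the report as audit evidence, "ignored by policy" and "fixed" are different findings. Consider collecting whitelisted CVEs in their own set and returning it alongside `patched_cves` and `cves_unpatched`, rather than deferring that to a TODO. Note also that `patched_cves` is the function's argument and is now mutated in place, which is worth documenting if callers reuse the set they pass in. The switch from `cves_unpatched.append(cve)` to `to_append = True` in the exact-version branch looks right, since it sends that case through the common `if to_append:` path.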
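Review bot: In the second hunk (@@ -243,8 +245,11 @@), the new `else:` branch adds every CVE whose version comparison did not match to `patched_cves`, so the report will state that a fix is present when the only finding is that the version was out of range. If the enclosing loop can evaluate the same CVE more than once (the loop header is not visible in these lines), a non-matching entry seen first puts the CVE into `patched_cves`, and a later matching entry then hits `elif cve in patched_cves:` and is logged as "has been patched" without ever reaching `cves_unpatched`; that would hide a vulnerable version. Suggest a separate "not vulnerable" collection, or deciding the status only after all entries for a CVE have been evaluated. Separately, the old `bb.debug(2, ...)` message is replaced by `bb.note(...)` on both branches, which emits one note per CVE checked; please confirm that log volume is intended.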