git.ipfire.org Git - thirdparty/openembedded/openembedded-core-contrib.git/commit
cve-check: annotate CVEs during analysis
author Marta Rybczynska <rybczynska@gmail.com>
Wed, 14 Aug 2024 05:30:37 +0000 (07:30 +0200)
committer Richard Purdie <richard.purdie@linuxfoundation.org>
Tue, 20 Aug 2024 13:11:57 +0000 (14:11 +0100)
commit 452e605b55ad61c08f4af7089a5a9c576ca28f7d
tree 6e22c0c673f67eb7e7c7dcc902a8a4a1f7b6561d
parent e1bf43561093b3b9215cde9e9f7d80b4ffcdc64e

Add status information for each CVE under analysis.

Previously the information passed between the different functions of the
cve-check class included only tables of patched, unpatched and ignored
vulnerabilities and the general status of the recipe.

The VEX work requires more information, and we need to pass it
between different functions, so that it can be enriched as the
analysis progresses. Instead of multiple tables, use a single one
with annotations for each CVE encountered. For example, a patched
CVE will have:

{"abbrev-status": "Patched", "status": "version-not-in-range"}

abbrev-status contains the general status (Patched, Unpatched,
Ignored, and Unknown, which will be added in the VEX code);
status contains more detailed information that can come from
CVE_STATUS and the analysis.

Additional fields of the annotation include, for example, the name
of the patch file fixing a given CVE.

We also use the annotation in CVE_STATUS to filter out entries
that do not apply to the given recipe.

Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Samantha Jalabert <samantha.jalabert@syslinbit.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/cve-check.bbclass
meta/lib/oe/cve_check.py
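The commit message describes the shape of the new single table: one entry per CVE, each carrying an "abbrev-status" (the general verdict) and a "status" (the detailed reason), plus optional extra fields such as the patch file. The example below is written for this page to show how such a table can be built and consumed; it is not the code of cve-check.bbclass or meta/lib/oe/cve_check.py. The status-to-abbrev map, the detailed status names other than "version-not-in-range", the "CVE_STATUS" value layout ("status: justification"), the field name "patch-file" and the sample data are all assumptions made for the illustration.

```python
"""Illustration of a single annotated-CVE table with abbrev-status/status
entries. Example code for this page, not the cve-check class's own code."""

from typing import Dict, Optional, Tuple

# ASSUMPTION: a reduced map from detailed status to the general status.
# Only the four general categories (Patched, Unpatched, Ignored, Unknown)
# and the detailed value "version-not-in-range" come from the commit message;
# the other detailed names are placeholders for the illustration.
STATUS_TO_ABBREV = {
    "version-not-in-range": "Patched",
    "fixed-version": "Patched",
    "backported-patch": "Patched",
    "fix-file-included": "Patched",
    "version-in-range": "Unpatched",
    "vulnerable-investigating": "Unpatched",
    "not-applicable-platform": "Ignored",
    "cpe-incorrect": "Ignored",
}


def parse_cve_status(value: str) -> Tuple[str, Optional[str]]:
    """Split an assumed 'status: justification' CVE_STATUS value."""
    status, _, justification = value.partition(":")
    return status.strip(), (justification.strip() or None)


def annotate(detailed: str, **extra: Optional[str]) -> Dict[str, str]:
    """Build one annotation; unknown detailed statuses map to Unknown
    instead of being silently dropped or counted as Patched."""
    entry = {"abbrev-status": STATUS_TO_ABBREV.get(detailed, "Unknown"),
             "status": detailed}
    entry.update({k: v for k, v in extra.items() if v is not None})
    return entry


def build_table(cve_status: Dict[str, str],
                analysis: Dict[str, Tuple[str, Optional[str]]]
                ) -> Dict[str, Dict[str, str]]:
    """Merge recipe-declared CVE_STATUS entries with scan results into one
    table. Rule chosen for this example: an explicit CVE_STATUS entry wins
    over the scan; CVEs seen only by the scan take the scan's verdict and
    carry the patch file name when the scan found one."""
    table: Dict[str, Dict[str, str]] = {}
    for cve, value in cve_status.items():
        status, justification = parse_cve_status(value)
        table[cve] = annotate(status, justification=justification)
    for cve, (status, patch) in analysis.items():
        if cve in table:
            continue  # recipe metadata already decided this CVE
        table[cve] = annotate(status, **{"patch-file": patch})
    return table


def summarize(table: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Count CVEs per general status; the keys are the four categories."""
    counts = {"Patched": 0, "Unpatched": 0, "Ignored": 0, "Unknown": 0}
    for entry in table.values():
        counts[entry["abbrev-status"]] += 1
    return counts


def recipe_status(table: Dict[str, Dict[str, str]]) -> str:
    """Overall recipe verdict for this example: any Unpatched CVE makes the
    recipe Unpatched, otherwise any Unknown makes it Unknown, else Patched."""
    abbrevs = {e["abbrev-status"] for e in table.values()}
    if "Unpatched" in abbrevs:
        return "Unpatched"
    if "Unknown" in abbrevs:
        return "Unknown"
    return "Patched"


# Constructed sample input (not real recipe data or real CVE records).
SAMPLE_CVE_STATUS = {
    "CVE-2021-0001": "backported-patch: fixed by an upstream commit",
    "CVE-2021-0002": "not-applicable-platform: affects another OS only",
    "CVE-2021-0003": "made-up-status: typo in the recipe",
}
SAMPLE_ANALYSIS = {
    "CVE-2021-0001": ("version-in-range", None),        # overridden above
    "CVE-2021-0004": ("version-not-in-range", None),
    "CVE-2021-0005": ("fix-file-included", "CVE-2021-0005.patch"),
    "CVE-2021-0006": ("version-in-range", None),
}
EXAMPLE_TABLE = build_table(SAMPLE_CVE_STATUS, SAMPLE_ANALYSIS)

if __name__ == "__main__":
    for cve, entry in sorted(EXAMPLE_TABLE.items()):
        print(cve, entry)
    print(summarize(EXAMPLE_TABLE), recipe_status(EXAMPLE_TABLE))
```

The point of keeping "Unknown" as a first-class value is that a mistyped CVE_STATUS entry (CVE-2021-0003 above) surfaces in the summary instead of disappearing from the patched/unpatched split, which is easier to see in one annotated table than in three separate lists.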