Repl deprecated CVE_CHECK_IGNORE with CVE_STATUS #6
Conversation
It is worth mentioning that currently any CVE information that is already provided in the form of
Depends on resolving #7
So these changes should be applied only from the scarthgap version, that's it?
Kind of, yes. Basically, everything after kirkstone. So what I would do is create the branches called I would then merge this into main (which in the future should correspond to poky's master branch) and cherry-pick the commit into the scarthgap branch (and if applicable in all the other release branches between kirkstone and scarthgap). Then we need to roll out a fix to the main branch (again: which should correspond to poky's master branch), since there was a breaking change in cve_check.py 9 days ago: https://git.yoctoproject.org/poky/commit/meta/lib/oe/cve_check.py?id=bf34db143956294d64998beb3a83f46c1e39d9d9
I've pushed a few fixes and rebased on current main. Tested and works now with scarthgap 👍 poky master needs a fix that I would then provide in a separate MR.
Yocto releases after Kirkstone have deprecated CVE_CHECK_IGNORE in favour of CVE_STATUS. Updating VEX handling of patched and ignored CVEs accordingly. CVE_STATUS will also provide additional details about a specific CVE's status, using the detail and description fields. Co-authored-by: Aoife Power <aoife.power@iris-sensing.com> Signed-off-by: Jasper Orschulko <jasper@fancydomain.eu>
Here is an example vex built against the current scarthgap with these changes. As you can see we now also have fancy analysis descriptions where available :)
TODO: for completeness' sake we should also define layer dependencies and version compatibility in the layer conf. I'll take care of it tomorrow. When adding the commit to scarthgap (i.e. by cherry-pick) the layer compatibility will have to be adjusted.
LGTM
@loulou123546 I appended to the layer conf to define layer dependencies and compatible versions. This does lead to a warning because we do not define any bb files, but oh well. I think this is still better than not having these defined. I added the layer config as a separate commit so that you can easily cherry-pick and adjust for the kirkstone and scarthgap branches :) From my point of view this is ready to be merged now.
Yocto releases after Kirkstone have deprecated CVE_CHECK_IGNORE in favour of CVE_STATUS. Updating VEX handling of patched and ignored CVEs accordingly. CVE_STATUS will also provide additional details about a specific CVE's status, using the detail and description fields.
Attached is a vex for core-image-minimal, which has been created with this changeset:
vex.json
In order to continue support for kirkstone (an active LTS release) we would have to do one of the following before merging:
a) create release specific branches, like other OE repositories do (my preference)
b) copy the decode_cve_status logic from oe.cve_check into the bbclass
@loulou123546 WDYT?
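Added example (my own code, not from this PR or from poky) of what option b) amounts to: a stand-alone decode of CVE_STATUS values into the (status, detail, description) triple the description mentions, plus a VEX-style state per CVE. Assumptions, labelled in the code: the `<detail>: <description>` value format and the detail-to-status map mirror the poky defaults as I know them, and the Patched/Ignored/Unpatched to fixed/not_affected/affected mapping is this example's own choice.

```python
from typing import Dict, Tuple

# Assumed mirror of poky's default CVE_CHECK_STATUSMAP entries (not copied from the PR).
CVE_CHECK_STATUSMAP: Dict[str, str] = {
    "backported-patch": "Patched",
    "cpe-stable-backport": "Patched",
    "fixed-version": "Patched",
    "version-not-in-range": "Patched",
    "cpe-incorrect": "Ignored",
    "disputed": "Ignored",
    "not-applicable-config": "Ignored",
    "not-applicable-platform": "Ignored",
    "upstream-wontfix": "Ignored",
}

# VEX state per cve-check status; this mapping is an assumption made for the example.
VEX_STATE = {"Patched": "fixed", "Ignored": "not_affected", "Unpatched": "affected"}


def decode_cve_status(value: str) -> Tuple[str, str, str]:
    """Split one CVE_STATUS[<cve>] value ("<detail>: <description>") into
    (status, detail, description). An unknown detail falls back to Unpatched,
    so a typo in a recipe can never silently suppress a finding."""
    if not value:
        return ("", "", "")
    detail, _, description = value.partition(":")
    detail = detail.strip()
    status = CVE_CHECK_STATUSMAP.get(detail, "Unpatched")
    return (status, detail, description.strip())


def cve_status_to_vex(cve_status: Dict[str, str]) -> Dict[str, dict]:
    """Turn a recipe's CVE_STATUS flags into per-CVE VEX-style records,
    carrying the detail as justification and the free text as analysis detail."""
    records = {}
    for cve, value in cve_status.items():
        status, detail, description = decode_cve_status(value)
        records[cve] = {
            "state": VEX_STATE.get(status, "affected"),
            "justification": detail,
            "detail": description,
        }
    return records


# Constructed sample flags, in the form a recipe would set CVE_STATUS[...].
SAMPLE_CVE_STATUS = {
    "CVE-2023-0001": "backported-patch: fixed by backport in 0001-fix.patch",
    "CVE-2023-0002": "not-applicable-platform: only affects Windows builds",
    "CVE-2023-0003": "typo-in-detail: unknown detail, treated as Unpatched",
}

if __name__ == "__main__":
    for cve, record in cve_status_to_vex(SAMPLE_CVE_STATUS).items():
        print(cve, record)
```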