linux-yocto: add script to generate kernel CVE_STATUS entries

Instead of manually looking up new CVEs and determining what point releases the fixes are incorporated into, add a script to generate the CVE_STATUS data automatically. First, note that this is very much an interim solution until the cve-check class fetches data from www.linuxkernelcves.com directly. The script should be passed the path to a local clone of the linuxkernelcves repository[1] and the kernel version number. It will then write to standard output the CVE_STATUS entries for every known kernel CVE. The script should be periodically reran as CVEs are backported and kernels upgraded frequently. [1] https://github.com/nluedtke/linux_kernel_cves (From OE-Core rev: 8cb184f9de9b0ce5f465ea12ba24beafd6673f01) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-23 09:32:17 +02:00 · 2023-08-07 15:45:29 +01:00
parent 6c03509349
commit 04a4bac6d2
3 changed files with 10023 additions and 605 deletions
--- a/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.1.inc
--- a/meta/recipes-kernel/linux/cve-exclusion_6.4.inc
+++ b/meta/recipes-kernel/linux/cve-exclusion_6.4.inc
--- a/meta/recipes-kernel/linux/generate-cve-exclusions.py
+++ b/meta/recipes-kernel/linux/generate-cve-exclusions.py
@@ -0,0 +1,89 @@
+#! /usr/bin/env python3
+
+# Generate granular CVE status metadata for a specific version of the kernel
+# using data from linuxkernelcves.com.
+#
+# SPDX-License-Identifier: GPL-2.0-only
+
+import argparse
+import datetime
+import json
+import pathlib
+import re
+
+from packaging.version import Version
+
+
+def parse_version(s):
+    """
+    Parse the version string and either return a packaging.version.Version, or
+    None if the string was unset or "unk".
+    """
+    if s and s != "unk":
+        # packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse
+        s = s.replace("-dontuse", "")
+        return Version(s)
+    return None
+
+
+def main(argp=None):
+    parser = argparse.ArgumentParser()
+    parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
+    parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
+
+    args = parser.parse_args(argp)
+    datadir = args.datadir
+    version = args.version
+    base_version = f"{version.major}.{version.minor}"
+
+    with open(datadir / "data" / "kernel_cves.json", "r") as f:
+        cve_data = json.load(f)
+
+    with open(datadir / "data" / "stream_fixes.json", "r") as f:
+        stream_data = json.load(f)
+
+    print("# Auto-generated CVE metadata, DO NOT EDIT BY HAND.")
+    print(f"# Generated at {datetime.datetime.now()} for version {version}")
+    print()
+
+    for cve, data in cve_data.items():
+        if "affected_versions" not in data:
+            print(f"# Skipping {cve}, no affected_versions")
+            print()
+            continue
+
+        affected = data["affected_versions"]
+        first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
+        first_affected = parse_version(first_affected)
+        last_affected = parse_version(last_affected)
+
+        if not last_affected:
+            print(f"# {cve} has no known resolution")
+        elif first_affected and version < first_affected:
+            print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
+        elif last_affected < version:
+            print(
+                f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'
+            )
+        else:
+            if cve in stream_data:
+                backport_data = stream_data[cve]
+                if base_version in backport_data:
+                    backport_ver = Version(backport_data[base_version]["fixed_version"])
+                    if backport_ver < version:
+                        print(
+                            f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
+                        )
+                    else:
+                        # TODO print a note that the kernel needs bumping
+                        print(f"# {cve} needs backporting (fixed from {backport_ver})")
+                else:
+                    print(f"# {cve} needs backporting (fixed from {last_affected})")
+            else:
+                print(f"# {cve} needs backporting (fixed from {last_affected})")
+
+        print()
+
+
+if __name__ == "__main__":
+    main()