Add another comment to state what the data source for the CVE data was,
specifically the basename of the repository and the "git describe" output
of HEAD.
(From OE-Core rev: 5e66e2b79faec2285d249b16457ecc63c4042444)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Replace the term 'needs backporting' with 'may need backporting' in
generate-cve-exclusions.py when the checked kernel version may or may
not be in the vulnerable version range, thus making backporting
necessary only in the former case.
In tandem we regenerate the content of cve-exclusion_6.12.inc using
https://github.com/CVEProject/cvelistV5.git repository main branch at
git hash b20d0043711588b6409ae3118bc0510ab888c316 to keep the content
in sync with the script.
(From OE-Core rev: feb80e6be16f27611a018d0ef7841cbb466c47d1)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Amend the generate-cve-exclusions.py checking logic in part of the code
responsible for iterating the "affected" defaultStatus part of the JSON
structure in order to mitigate occurrences of false negatives in the
generated output, as well as occurrences of wrong reason for negative
result in case where the reason is actually that the checked kernel
version is in backport fix scope.
In tandem we regenerate the content of cve-exclusion_6.12.inc using
https://github.com/CVEProject/cvelistV5.git repository main branch at
git hash b20d0043711588b6409ae3118bc0510ab888c316 to keep the content
in sync with the script.
(From OE-Core rev: b1a5939535d67b9c0e6d8c2729cff9749a0ebaae)
Signed-off-by: Niko Mauno <niko.mauno@vaisala.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Stop shifting first_affected if backport is indicated. This does not
have an effect on the generated list, but makes the logic cleaner as it will
not shift it to "first affected on our branch" and also makes it behave
like in the defaultStatus==affected case.
Cc: daniel.turull@ericsson.com
(From OE-Core rev: dc1ecb69389dd79354084757ba6b9af0781afcc0)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Current code takes the first version found as "fixed-version".
That is not correct as it is almost always only the oldest backport.
Fix it by unconditionally shifting the assignment of variable "fixed" so
that we take the last instead of the first version.
Cc: daniel.turull@ericsson.com
(From OE-Core rev: 68f8e58a249c8adef18e63f0841e8bfea16f354e)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
affected_versions in kernel_cves.json does not mean "first affected version
to last affected version" but actually "first affected version to fixed
version". Therefore, the variable names, conditional expressions, and
CVE_STATUS descriptions should be fixed.
For example, when the script was run against v6.1, if affected_versions was
"xxx to 6.1", the output was "cpe-stable-backport: Backported in 6.1", but
this should be "fixed-version: Fixed from version 6.1".
(From OE-Core rev: 2064b2f9b92e2dff45dab633598b5ed37145d0b6)
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
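The classification the commit above describes (affected_versions is "first affected to fixed version", a fix in a point release of our own stable branch is a cpe-stable-backport, anything else still open "may need backporting"), as an added illustration in Python; this is not generate-cve-exclusions.py itself, and the "FIRST to FIXED" string format, the "only affects X onwards" wording and the constructed sample entries are assumptions of this example.

```python
from typing import Optional

def parse_version(text: str) -> Optional[tuple]:
    """'v6.1', '6.1.55', '6.2-rc3' -> tuple of ints; 'unk'/'xxx' -> None.
    Release-candidate suffixes are dropped (simplification of this example)."""
    text = text.strip().lstrip("v").split("-")[0]
    if not text or not text[0].isdigit():
        return None
    return tuple(int(p) for p in text.split("."))

def branch(version: tuple) -> tuple:
    """Stable branch a version belongs to: (6, 1, 55) -> (6, 1)."""
    return version[:2]

def cve_status(cve: str, affected_versions: str, kernel: str) -> str:
    """Produce one line for the CVE_STATUS include.
    affected_versions is 'FIRST to FIXED': the upper bound is the version
    that carries the fix, not the last affected one (assumed format)."""
    first_s, _, fixed_s = affected_versions.partition(" to ")
    first, fixed = parse_version(first_s), parse_version(fixed_s)
    ours = parse_version(kernel)
    if ours is None:
        raise ValueError(f"cannot parse kernel version {kernel!r}")
    if first is not None and ours < first:
        # bug was introduced after our version, so we never carried it
        return f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_s} onwards"'
    if fixed is not None and fixed <= ours:
        if len(fixed) > 2 and branch(fixed) == branch(ours):
            # fix landed as a point release on our own stable branch
            return f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {fixed_s}"'
        if len(fixed) > 2:
            # a point release of another branch says nothing about ours
            return f"# {cve} may need backporting (fixed in {fixed_s} of a different branch)"
        return f'CVE_STATUS[{cve}] = "fixed-version: Fixed from version {fixed_s}"'
    if fixed is None:
        return f"# {cve} has no known fix version"
    return f"# {cve} may need backporting (fixed in {fixed_s})"

if __name__ == "__main__":
    # constructed sample entries in the spirit of kernel_cves.json
    sample = {"CVE-2022-0001": "xxx to 6.1", "CVE-2022-0002": "5.10 to 6.1.20",
              "CVE-2023-0003": "6.3 to 6.4", "CVE-2023-0004": "5.10 to 6.5"}
    for cve, rng in sample.items():
        print(cve_status(cve, rng, "6.1.55"))
```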
Embed the version that this file was generated for in the include, and
compare it to the version that is being checked.
This should act as a reminder to update the file when the kernel is
upgraded.
(From OE-Core rev: 645066ecec0f52eac0225a144285f44882003856)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
The backport detection logic didn't handle issues which were backported
to the current version.
(From OE-Core rev: 1c7b01627b47604744f723d5eeedd455df6307e2)
(From OE-Core rev: 568d65ccfb0e44ef3a40951d9da297036e7f345d)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Instead of manually looking up new CVEs and determining what point
releases the fixes are incorporated into, add a script to generate the
CVE_STATUS data automatically.
First, note that this is very much an interim solution until the
cve-check class fetches data from www.linuxkernelcves.com directly.
The script should be passed the path to a local clone of the
linuxkernelcves repository[1] and the kernel version number. It will
then write to standard output the CVE_STATUS entries for every known
kernel CVE.
The script should be periodically rerun as CVEs are backported and
kernels upgraded frequently.
[1] https://github.com/nluedtke/linux_kernel_cves
(From OE-Core rev: 8cb184f9de9b0ce5f465ea12ba24beafd6673f01)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>