mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-03-06 07:19:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
3664a232feb7dbe1bb19132a7d2d94d260fbf272
poky/meta/recipes-kernel/linux/generate-cve-exclusions.py
Ross Burton a105e7d254 linux/generate-cve-exclusions.py: fix comparison 
The backport detection logic didn't handle issues which were backported
to the current version.

(From OE-Core rev: 1c7b01627b47604744f723d5eeedd455df6307e2)

(From OE-Core rev: 568d65ccfb0e44ef3a40951d9da297036e7f345d)

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2023-08-22 15:13:54 +01:00

90 lines
3.1 KiB
Python
Executable File
Raw Blame History

#! /usr/bin/env python3
# Generate granular CVE status metadata for a specific version of the kernel
# using data from linuxkernelcves.com.
#
# SPDX-License-Identifier: GPL-2.0-only
import argparse
import datetime
import json
import pathlib
import re
from packaging.version import Version
def parse_version(s):
"""
Parse the version string and either return a packaging.version.Version, or
None if the string was unset or "unk".
"""
if s and s != "unk":
# packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse
s = s.replace("-dontuse", "")
return Version(s)
return None
def main(argp=None):
parser = argparse.ArgumentParser()
parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")
args = parser.parse_args(argp)
datadir = args.datadir
version = args.version
base_version = f"{version.major}.{version.minor}"
with open(datadir / "data" / "kernel_cves.json", "r") as f:
cve_data = json.load(f)
with open(datadir / "data" / "stream_fixes.json", "r") as f:
stream_data = json.load(f)
print("# Auto-generated CVE metadata, DO NOT EDIT BY HAND.")
print(f"# Generated at {datetime.datetime.now()} for version {version}")
print()
for cve, data in cve_data.items():
if "affected_versions" not in data:
print(f"# Skipping {cve}, no affected_versions")
print()
continue
affected = data["affected_versions"]
first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
first_affected = parse_version(first_affected)
last_affected = parse_version(last_affected)
if not last_affected:
print(f"# {cve} has no known resolution")
elif first_affected and version < first_affected:
print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
elif last_affected < version:
print(
f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'
)
else:
if cve in stream_data:
backport_data = stream_data[cve]
if base_version in backport_data:
backport_ver = Version(backport_data[base_version]["fixed_version"])
if backport_ver <= version:
print(
f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
)
else:
# TODO print a note that the kernel needs bumping
print(f"# {cve} needs backporting (fixed from {backport_ver})")
else:
print(f"# {cve} needs backporting (fixed from {last_affected})")
else:
print(f"# {cve} needs backporting (fixed from {last_affected})")
print()
if __name__ == "__main__":
main()
Reference in New Issue View Git Blame Copy Permalink