cve-filter: Add class to filter cve files

This class is designed to filter CVEs (Common Vulnerabilities and Exposures) from CVE files. It should be used in conjunction with the cve-check class from the openembedded-core. Steps to Use This Class 1. Add the following lines to your distro configuration file: include conf/distro/include/cve-extra-exclusions.inc INHERIT += "cve-check" 2. Inherit the cve-filter class in the image recipe. -------- Configuration Variables ---------------------------- The cve-filter class provides several configurable variables: CVE_FILTER_PREVIOUS_FILE: Specifies the previous version of the CVE JSON file. If no file is provided, only the current file will be considered. Default: empty CVE_FILTER_PREVIOUS_VERSION: Specifies the distro version of the previous CVE JSON file. The CVE_FILTER_PREVIOUS_FILE must be defined, otherwise the value 0 will be used. Example: "1.0.0" Default: "0.0.0" CVE_FILTER_MARKDOWN_FILE_NAME: Specifies the name of the output Markdown file containing the list of detected CVEs. Default: "${IMAGE_NAME}.md" CVE_FILTER_IGNORED_CVES: Lists the CVEs that should be ignored by the filter. Example: "CVE-2017-6264 CVE-2023-1234" Default: empty The following files was added: - classes/cve-filter.bbclass - lib/ossystems/cve_filter.py - lib/ossystems/__init__.py Also, the following file was changed: - conf/layer.conf Signed-off-by: Rodrigo M. Duarte <[email protected]>
OSSystemsEmbeddedLinux · Jun 11, 2024 · 8fe7cdd · 8fe7cdd
1 parent 8086e5c
commit 8fe7cdd
Show file tree

Hide file tree

Showing 4 changed files with 446 additions and 0 deletions.
diff --git a/classes/cve-filter.bbclass b/classes/cve-filter.bbclass
@@ -0,0 +1,91 @@
+# Copyright (c) 2024 O.S. Systems Software LTDA.
+# Usage Instructions for the Yocto CVE Filter Class
+
+# This class is designed to filter CVEs (Common Vulnerabilities
+# and Exposures) from CVE files. It should be used in conjunction
+# with the cve-check class from the openembedded-core.
+
+# Steps to Use This Class
+
+# 1. Add the following lines to your distro configuration file:
+
+#    include conf/distro/include/cve-extra-exclusions.inc
+#    INHERIT += "cve-check"
+
+# 2. Inherit the cve-filter class in the image recipe.
+#
+# --------  Configuration Variables  ----------------------------
+
+# The cve-filter class provides several configurable variables:
+
+# CVE_FILTER_PREVIOUS_FILE: Specifies the previous version of 
+# the CVE JSON file. If no file is provided, only the current
+# file will be considered.
+# Default: empty
+
+# CVE_FILTER_PREVIOUS_VERSION: Specifies the distro version of
+# the previous CVE JSON file. The CVE_FILTER_PREVIOUS_FILE must
+# be defined, otherwise the value 0 will be used.
+# Example: "1.0.0"
+# Default: "0.0.0"
+
+# CVE_FILTER_MARKDOWN_FILE_NAME: Specifies the name of the 
+# output Markdown file containing the list of detected CVEs.
+# Default: "${IMAGE_NAME}.md"
+
+# CVE_FILTER_IGNORED_CVES: Lists the CVEs that should be ignored by the filter.
+# Example: "CVE-2017-6264 CVE-2023-1234"
+# Default: empty
+
+# Set the PATH to find the old CVE Json list
+CVE_FILTER_PREVIOUS_FILE ??= ""
+CVE_FILTER_PREVIOUS_VERSION ??= "0.0.0"
+
+CVE_FILTER_CURRENT_FILE = "${IMGDEPLOYDIR}/${IMAGE_NAME}.json"
+CVE_FILTER_CURRENT_VERSION = "${DISTRO_VERSION}"
+
+# Set the name of markdown output file
+CVE_FILTER_MARKDOWN_FILE_NAME ?= "${IMAGE_NAME}.md"
+CVE_FILTER_MARKDOWN_FILE = "${IMGDEPLOYDIR}/${CVE_FILTER_MARKDOWN_FILE_NAME}"
+
+# List of CVE should be ignored Eg: CVE-2023-1234
+CVE_FILTER_IGNORED_CVES ??= ""
+
+inherit python3native
+
+python do_cve_filter (){
+    from ossystems.cve_filter import Cve
+
+    previousFile = d.getVar("CVE_FILTER_PREVIOUS_FILE")
+    previousVersion = d.getVar("CVE_FILTER_PREVIOUS_VERSION")
+    cveIgnoreList = d.getVar("CVE_FILTER_IGNORED_CVES").split()
+
+    cve_prev = Cve()
+    cve_prev.setMarkdonFileName(d.getVar("CVE_FILTER_MARKDOWN_FILE"))
+    cve_curr = Cve()
+
+    if previousFile:
+        cve_prev.loadCVEfile(previousFile)
+        cve_prev.setCVEVersion(previousVersion)
+        cve_prev.setIgnoreCVEList(cveIgnoreList)
+        cve_prev.loadCVEData()
+    else:
+        bb.warn("Previous CVE File Not Defined!!!")
+
+    cve_curr.loadCVEfile(d.getVar("CVE_FILTER_CURRENT_FILE"))
+    cve_curr.setCVEVersion(d.getVar("CVE_FILTER_CURRENT_VERSION"))
+    cve_curr.setIgnoreCVEList(cveIgnoreList)
+    cve_curr.loadCVEData()
+    cve_prev.compareCVes(cve_curr)
+    bb.plain("DONE!!")
+}
+
+addtask cve_filter after do_image before do_image_complete
+
+IMAGE_POSTPROCESS_COMMAND += "link_cvefilter_markdownfile;"
+
+link_cvefilter_markdownfile () {
+    if [ -e "${CVE_FILTER_MARKDOWN_FILE}" ]; then
+        ln -sf ${CVE_FILTER_MARKDOWN_FILE_NAME} ${IMGDEPLOYDIR}/${IMAGE_LINK_NAME}.md
+    fi
+}
diff --git a/conf/layer.conf b/conf/layer.conf
@@ -9,6 +9,8 @@ BBFILE_COLLECTIONS += "ossystems-base"
 BBFILE_PATTERN_ossystems-base := "^${LAYERDIR}/"
 BBFILE_PRIORITY_ossystems-base = "8"
 
+addpylib ${LAYERDIR}/lib ossystems
+
 LAYERSERIES_COMPAT_ossystems-base = "scarthgap"
 
 LICENSE_PATH += "${LAYERDIR}/conf/licenses"

diff --git a/lib/ossystems/__init__.py b/lib/ossystems/__init__.py
@@ -0,0 +1,4 @@
+from pkgutil import extend_path
+__path__ = extend_path(__path__, __name__)
+
+BBIMPORTS = ["cve_filter"]