cve-check: Implement plugin style CVE check feature #578
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
masami256
changed the title
masami256
force-pushed
the
new-cve-check2
branch
2 times, most recently
from
78153e3 to
d4551f9
Compare
hiraku-wfs
reviewed
Jan 13, 2026
| SRC_URI:append:raspberrypi3bplus-64 = " file://raspberrypi3-64_defconfig" | ||
| SRC_URI:append:raspberrypi4b-64 = " file://raspberrypi4-64_defconfig" | ||
|
|
||
| EMLINUX_SOURCE_FROM="non-debian" |
Member
There was a problem hiding this comment.
Can you move this line into meta-emlinux/recipes-kernel/linux/includes/linux-cip-common.inc?
Contributor
Author
There was a problem hiding this comment.
Fixed. EMLINUX_SOURCE_FROM variable was moved to linux-cip-common.inc file.
masami256
force-pushed
the
new-cve-check2
branch
from
d4551f9 to
67bbc13
Compare
Add source-info.bbclass to create a JSON file which contains source package
information. This JSON file contains the following attributes:
- source_package_name
- source_from
The source_package_name attribute is automatically set from the ${PN} variable.
The source_from attribute is read from the ${EMLINUX_SOURCE_FROM} variable,
which should be defined in your recipe. For example, if the source code is
not a Debian source package, set it to "non-debian":
```
EMLINUX_SOURCE_FROM="non-debian"
```
Another example: if the DISTRO variable is "emlinux-bookworm" and the source code
is fetched from Debian Trixie, define the EMLINUX_SOURCE_FROM variable like this:
```
EMLINUX_SOURCE_FROM="trixie"
```
The source package information JSON file looks like the following format:
```
"emlinux-customization": {
"source_package_name": "emlinux-customization",
"source_from": "non-debian",
}
```
This JSON file is stored in the build/tmp/deploy/images/<MACHINE>/ directory.
The file name is all-source-info.json.
Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
masami256
force-pushed
the
new-cve-check2
branch
3 times, most recently
from
1ac34da to
1ca060f
Compare
masami256
changed the title
This change adds a plugin feature to the CVE check.
The plugin feature makes adding new CVE data sources easier than the
current implementation.
* Basic Specification
** Plugin directory and naming rule
Plugins are stored in scripts/lib/python/cve/plugin/ within a layer.
Plugin names should use the following format:
```
eml_cve_<your plugin name>_plugin.py
```
e.g. scripts/lib/python/cve/plugin/eml_cve_myplugin_plugin.py
** Import path
The plugin's base class and libraries are in meta-emlinux/scripts/lib/python,
so plugins need to import libraries from this directory.
For example, implementing your plugin must include the following line:
```
from lib.python.cve.plugin.eml_cve_plugin_base import EmlCvePlugin
```
** Plugin priority
Each plugin has its own priority number. For the priority number, 1 is the lowest.
This number is used to decide if a CVE is patched or unpatched if plugins
have different CVE check results. For example, if PLUGIN-A (priority 1)
states CVE-1111-1111 is patched but PLUGIN-B (priority 10) states it is
unpatched, we adopt PLUGIN-B's analysis result because PLUGIN-B has a higher
priority than PLUGIN-A.
** Base class
The EmlCvePlugin class is the base class for plugins.
This class contains two methods that plugins should implement:
- update_database
- run_check
The update_database function updates the CVE database. The run_check function
executes the CVE check and should return an instance of the
CveCheckResultList class, which stores the CVE analysis results.
** CVE check result
The CVE check result is stored in the CveCheckResult class.
This class stores the following data:
- CVE ID
- Source package name
- Patched/Unpatched status
The CveCheckResultList class stores CveCheckResult instances.
When creating an instance of CveCheckResult, you should add it to the
CveCheckResultList class.
** CVE vendor and product
CVE vendor and product information is stored in the CveProductList class.
To get this information, use the _get_cve_products_from_source_package_name
function in the EmlCvePlugin class.
You can use these data like this:
```
cve_product =
self._get_cve_products_from_source_package_name(src_pkg_name)
for cve_product in cve_products:
vendor = cve_product.vendor
product = cve_product.product
```
** Installed package information
Installed package information is stored in the PackageInfoList class.
This class is iterable and returns source package names.
```
for src_pkg_name in self.installed_packages:
data = self.installed_packages[src_pkg_name]
```
** Common library
Common functions are implemented in lib.py. One useful function
is the check_affected function, which checks if a given version is affected.
This function uses the LooseVersion class to compare versions.
** Logging
Add the following lines to your code to use the logger class:
```
import logging
logger = logging.getLogger("emlinux-cve-check")
```
* Improvements from current CVE check
** Support multiple types in the product list YAML file
The current CVE check feature supports the following format:
```
package:
- vendor
- product
```
The new CVE check feature supports dictionary style and lists containing
dictionaries:
```
packageA:
- vendor
- product
packageB:
-
vendor: vendor name
product: product name
-
vendor: another vendor name
product: another product name
```
In the yaml file, product attribute should exist but vendor attibute is
optional. This specification is based on poky's cve-check.bbclass.
** Add options for debugging
Checking CVEs with cve_check_ng.py takes command-line options similar to
cve_check.py. However, some options have been added for debugging:
- skip-update: Skips the database update process.
- target-source-package: Checks only the given source package.
- dpkg-status-file: Uses a specified .dpkg_status file instead of the
default file in the ${DEPLOY_DIR_IMAGE} directory.
Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
masami256
force-pushed
the
new-cve-check2
branch
from
1ca060f to
9186ef1
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains 2 commits.
First patch(Create source package information file) add a new class to make recipe source information.
Commit "Implement plugin architecture for CVE check" implement plugin style CVE check feature.
This cve-check feature is experimental so that current script name is cve_check_ng.py and cve check results are stored in tmp/deploy/cve/![]()
--/cve_check_ng directory.
Patch: Create source package information file
Add source-info.bbclass to create a JSON file which contains source package
information. This JSON file contains the following attributes:
The source_package_name attribute is automatically set from the ${PN} variable.
The source_from attribute is read from the ${EMLINUX_SOURCE_FROM} variable,
which should be defined in your recipe. For example, if the source code is
not a Debian source package, set it to "non-debian":
Another example: if the DISTRO variable is "emlinux-bookworm" and the source code
is fetched from Debian Trixie, define the EMLINUX_SOURCE_FROM variable like this:
The source package information JSON file looks like the following format:
This JSON file is stored in the build/tmp/deploy/images// directory.
The file name is all-source-info.json.
Patch: Implement plugin architecture for CVE check
This change adds a plugin feature to the CVE check.
The plugin feature makes adding new CVE data sources easier than the
current implementation.
** Plugin directory and naming rule
Plugins are stored in scripts/lib/python/cve/plugin/ within a layer.
Plugin names should use the following format:
e.g. scripts/lib/python/cve/plugin/eml_cve_myplugin_plugin.py
** Import path
The plugin's base class and libraries are in meta-emlinux/scripts/lib/python,
so plugins need to import libraries from this directory.
For example, implementing your plugin must include the following line:
** Plugin priority
Each plugin has its own priority number. For the priority number, 1 is the lowest.
This number is used to decide if a CVE is patched or unpatched if plugins
have different CVE check results. For example, if PLUGIN-A (priority 1)
states CVE-1111-1111 is patched but PLUGIN-B (priority 10) states it is
unpatched, we adopt PLUGIN-B's analysis result because PLUGIN-B has a higher
priority than PLUGIN-A.
** Base class
The EmlCvePlugin class is the base class for plugins.
This class contains two methods that plugins should implement:
The update_database function updates the CVE database. The run_check function
executes the CVE check and should return an instance of the
CveCheckResultList class, which stores the CVE analysis results.
** CVE check result
The CVE check result is stored in the CveCheckResult class.
This class stores the following data:
The CveCheckResultList class stores CveCheckResult instances.
When creating an instance of CveCheckResult, you should add it to the
CveCheckResultList class.
** CVE vendor and product
CVE vendor and product information is stored in the CveProductList class.
To get this information, use the _get_cve_products_from_source_package_name
function in the EmlCvePlugin class.
You can use these data like this:
** Installed package information
Installed package information is stored in the PackageInfoList class.
This class is iterable and returns source package names.
** Common library
Common functions are implemented in lib.py. One useful function
is the check_affected function, which checks if a given version is affected.
This function uses the LooseVersion class to compare versions.
** Logging
Add the following lines to your code to use the logger class:
** Support multiple types in the product list YAML file
The current CVE check feature supports the following format:
The new CVE check feature supports dictionary style and lists containing
dictionaries:
In the yaml file, product attribute should exist but vendor attibute is
optional. This specification is based on poky's cve-check.bbclass.
** Add options for debugging
Checking CVEs with cve_check_ng.py takes command-line options similar to
cve_check.py. However, some options have been added for debugging:
default file in the ${DEPLOY_DIR_IMAGE} directory.