poky/meta/recipes-kernel/linux/generate-cve-exclusions.py - openbmc/openbmc - Gitiles

 #! /usr/bin/env python3

 # Generate granular CVE status metadata for a specific version of the kernel
 # using data from linuxkernelcves.com.
 #
 # SPDX-License-Identifier: GPL-2.0-only

 import argparse
 import datetime
 import json
 import pathlib
 import re

 from packaging.version import Version


 def parse_version(s):
     """
     Parse the version string and either return a packaging.version.Version, or
     None if the string was unset or "unk".
     """
     if s and s != "unk":
         # packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse
         s = s.replace("-dontuse", "")
         return Version(s)
     return None


 def main(argp=None):
     parser = argparse.ArgumentParser()
     parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
     parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")

     args = parser.parse_args(argp)
     datadir = args.datadir
     version = args.version
     base_version = f"{version.major}.{version.minor}"

     with open(datadir / "data" / "kernel_cves.json", "r") as f:
         cve_data = json.load(f)

     with open(datadir / "data" / "stream_fixes.json", "r") as f:
         stream_data = json.load(f)

     print("# Auto-generated CVE metadata, DO NOT EDIT BY HAND.")
     print(f"# Generated at {datetime.datetime.now()} for version {version}")
     print()

     for cve, data in cve_data.items():
         if "affected_versions" not in data:
             print(f"# Skipping {cve}, no affected_versions")
             print()
             continue

         affected = data["affected_versions"]
         first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
         first_affected = parse_version(first_affected)
         last_affected = parse_version(last_affected)

         if not last_affected:
             print(f"# {cve} has no known resolution")
         elif first_affected and version < first_affected:
             print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
         elif last_affected < version:
             print(
                 f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'
             )
         else:
             if cve in stream_data:
                 backport_data = stream_data[cve]
                 if base_version in backport_data:
                     backport_ver = Version(backport_data[base_version]["fixed_version"])
                     if backport_ver < version:
                         print(
                             f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
                         )
                     else:
                         # TODO print a note that the kernel needs bumping
                         print(f"# {cve} needs backporting (fixed from {backport_ver})")
                 else:
                     print(f"# {cve} needs backporting (fixed from {last_affected})")
             else:
                 print(f"# {cve} needs backporting (fixed from {last_affected})")

         print()


 if __name__ == "__main__":
     main()
	#! /usr/bin/env python3

	# Generate granular CVE status metadata for a specific version of the kernel
	# using data from linuxkernelcves.com.
	#
	# SPDX-License-Identifier: GPL-2.0-only

	import argparse
	import datetime
	import json
	import pathlib
	import re

	from packaging.version import Version


	def parse_version(s):
	"""
	Parse the version string and either return a packaging.version.Version, or
	None if the string was unset or "unk".
	"""
	if s and s != "unk":
	# packaging.version.Version doesn't approve of versions like v5.12-rc1-dontuse
	s = s.replace("-dontuse", "")
	return Version(s)
	return None


	def main(argp=None):
	parser = argparse.ArgumentParser()
	parser.add_argument("datadir", type=pathlib.Path, help="Path to a clone of https://github.com/nluedtke/linux_kernel_cves")
	parser.add_argument("version", type=Version, help="Kernel version number to generate data for, such as 6.1.38")

	args = parser.parse_args(argp)
	datadir = args.datadir
	version = args.version
	base_version = f"{version.major}.{version.minor}"

	with open(datadir / "data" / "kernel_cves.json", "r") as f:
	cve_data = json.load(f)

	with open(datadir / "data" / "stream_fixes.json", "r") as f:
	stream_data = json.load(f)

	print("# Auto-generated CVE metadata, DO NOT EDIT BY HAND.")
	print(f"# Generated at {datetime.datetime.now()} for version {version}")
	print()

	for cve, data in cve_data.items():
	if "affected_versions" not in data:
	print(f"# Skipping {cve}, no affected_versions")
	print()
	continue

	affected = data["affected_versions"]
	first_affected, last_affected = re.search(r"(.+) to (.+)", affected).groups()
	first_affected = parse_version(first_affected)
	last_affected = parse_version(last_affected)

	if not last_affected:
	print(f"# {cve} has no known resolution")
	elif first_affected and version < first_affected:
	print(f'CVE_STATUS[{cve}] = "fixed-version: only affects {first_affected} onwards"')
	elif last_affected < version:
	print(
	f'CVE_STATUS[{cve}] = "fixed-version: Fixed after version {last_affected}"'
	)
	else:
	if cve in stream_data:
	backport_data = stream_data[cve]
	if base_version in backport_data:
	backport_ver = Version(backport_data[base_version]["fixed_version"])
	if backport_ver < version:
	print(
	f'CVE_STATUS[{cve}] = "cpe-stable-backport: Backported in {backport_ver}"'
	)
	else:
	# TODO print a note that the kernel needs bumping
	print(f"# {cve} needs backporting (fixed from {backport_ver})")
	else:
	print(f"# {cve} needs backporting (fixed from {last_affected})")
	else:
	print(f"# {cve} needs backporting (fixed from {last_affected})")

	print()


	if __name__ == "__main__":
	main()