oeqa/selftest/cve_check: rework test to new cve status handling

- After introducing the CVE_STATUS and CVE_CHECK_STATUSMAP flag
variables, CVEs could contain a more information for assigned statuses.
- Add an example conversion in logrotate recipe.

(From OE-Core rev: da1f34b58fd106a40c296b68daf8a7e5db354c9a)

Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>

meta/lib/oeqa/selftest/cases/cve_check.py

@@ -207,18 +207,34 @@ CVE_CHECK_REPORT_PATCHED = "1"
             self.assertEqual(len(report["package"]), 1)
             package = report["package"][0]
             self.assertEqual(package["name"], "logrotate")
-            found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+            found_cves = {}
+            for issue in package["issue"]:
+                found_cves[issue["id"]] = {
+                    "status" : issue["status"],
+                    "detail" : issue["detail"] if "detail" in issue else "",
+                    "description" : issue["description"] if "description" in issue else ""
+                }
             # m4 CVE should not be in logrotate
             self.assertNotIn("CVE-2008-1687", found_cves)
             # logrotate has both Patched and Ignored CVEs
             self.assertIn("CVE-2011-1098", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+            self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0)
+            self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0)
+            detail = "not-applicable-platform"
+            description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
             self.assertIn("CVE-2011-1548", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1548"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1548"]["description"], description)
             self.assertIn("CVE-2011-1549", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1549"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1549"]["description"], description)
             self.assertIn("CVE-2011-1550", found_cves)
-            self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+            self.assertEqual(found_cves["CVE-2011-1550"]["detail"], detail)
+            self.assertEqual(found_cves["CVE-2011-1550"]["description"], description)
 
         self.assertExists(summary_json)
         check_m4_json(summary_json)

meta/recipes-extended/logrotate/logrotate_3.21.0.bb

@@ -16,8 +16,9 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
 
 SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
 
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "not-applicable-platform: CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
 
 PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"