CVE checker finding 700+ CVEs for linux-tegra (most are false-positives)

[bhagen55]

I enabled the cve-check for my build recently and found that it spits out 700+ CVEs for the linux-tegra kernel. I am sure most of them are false positives.

Has anyone dealt with the CVE checker and this layer/kernel? Would rather not have to individually allowlist all of the entries if it can be avoided.

I am building off of recent master right now (honnister), rebased a few days ago.

Wondering if it is getting confused since the kernel is called linux-tegra rather than linux-yocto, although I have not tried building with linux-yocto to see if the problem exists there as well.

Here is the cve.log if anyone is curious. You can ctrl+f Unpatched.

[elPrac]

First, cve-checker will use the NIC database to create the report and will use the bitbake recipes for that so this bbclass will compare whatever you set as virtual/kernel against the CVE database, now, this doesn't means that all 700 CVEs applies to you because you don't use all the features or drivers that where reported for that kernel version. Also notice that from the report you will find not only kernel related CVEs, again cve-checker uses all bb-recipes so you will find CVEs for common packages like coreutils, more info here -> https://wiki.yoctoproject.org/wiki/Security

You can easily know if package CVEs applies to you because yo can compare against the pkg-manifest but for kernel I'm not sure if it exists something similar

[madisongh]

Yes, the cve-checker tool isn't necessarily definitive. For one thing, the database it uses (the National Vulnerability Database, or NVD) doesn't carry completely precise and accurate data for every package. For the Linux kernel in particular, it often doesn't reflect patches applied to the stable branches. There are other sites/tools you can consult to validate the reports you get from a cve-check run.

For instance, using a tool I have which uses the the Linux kernel CVEs database to check against the unpatched CVEs mentioned in the log you attached, I get:

Current branch: oe4t-patches-l4t-r32.6
Kernel version: 4.9.253
Applicable, patches available: 45
Applicable, outstanding:       73
Not applicable:                603

Even this report isn't completely accurate, as the database only knows about upstream patches applied to the linux-stable branches, and not any additional patches that NVIDIA or its upstream Android maintainers may have applied. So some of the remaining 118 CVEs may have been patched already. For the others, as @elPrac mentioned, you have to do some analysis to determine if the vulnerabilities are actually applicable based on your usage of the affected kernel subsystems.

[bhagen55]

Thanks for the info, understood regarding the CVE checker not being very effective with kernels.

Sounds like using a more kernel-specific CVE database is the way to go.