diff options
author | Joshua Watt <JPEWhacker@gmail.com> | 2022-07-08 13:47:36 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-07-16 06:52:48 +0100 |
commit | dee08141f250f078eb891080e11fef163cd056e1 (patch) | |
tree | 68f34d6ecd38e384301422b6b62b9b273e7ca1d2 | |
parent | 61023f9e61d6620c3b15f834df6a2e0ace2a5272 (diff) | |
download | poky-dee08141f250f078eb891080e11fef163cd056e1.tar.gz |
classes/cve-check: Move get_patches_cves to library
Moving the function will allow other classes to capture which CVEs have
been patched, in particular SBoM generation.
Also add a function to capture the CPE ID from the CVE Product and
Version
(From OE-Core rev: 75d34259a715120be1d023e4fd7b6b4b125f2443)
(From OE-Core rev: bba069463ca3813666d084643b0239b9af0199e1)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit fa6c07bc1a585f204dbdc28704f61448edb8fdc8)
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/classes/cve-check.bbclass | 62 | ||||
-rw-r--r-- | meta/lib/oe/cve_check.py | 82 |
2 files changed, 84 insertions, 60 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1688fe2dfe..9eb9a95574 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -136,10 +136,11 @@ python do_cve_check () { | |||
136 | """ | 136 | """ |
137 | Check recipe for patched and unpatched CVEs | 137 | Check recipe for patched and unpatched CVEs |
138 | """ | 138 | """ |
139 | from oe.cve_check import get_patched_cves | ||
139 | 140 | ||
140 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): | 141 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): |
141 | try: | 142 | try: |
142 | patched_cves = get_patches_cves(d) | 143 | patched_cves = get_patched_cves(d) |
143 | except FileNotFoundError: | 144 | except FileNotFoundError: |
144 | bb.fatal("Failure in searching patches") | 145 | bb.fatal("Failure in searching patches") |
145 | whitelisted, patched, unpatched, status = check_cves(d, patched_cves) | 146 | whitelisted, patched, unpatched, status = check_cves(d, patched_cves) |
@@ -247,65 +248,6 @@ ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if | |||
247 | do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" | 248 | do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" |
248 | do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" | 249 | do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" |
249 | 250 | ||
250 | def get_patches_cves(d): | ||
251 | """ | ||
252 | Get patches that solve CVEs using the "CVE: " tag. | ||
253 | """ | ||
254 | |||
255 | import re | ||
256 | |||
257 | pn = d.getVar("PN") | ||
258 | cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") | ||
259 | |||
260 | # Matches the last "CVE-YYYY-ID" in the file name, also if written | ||
261 | # in lowercase. Possible to have multiple CVE IDs in a single | ||
262 | # file name, but only the last one will be detected from the file name. | ||
263 | # However, patch files contents addressing multiple CVE IDs are supported | ||
264 | # (cve_match regular expression) | ||
265 | |||
266 | cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") | ||
267 | |||
268 | patched_cves = set() | ||
269 | bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) | ||
270 | for url in src_patches(d): | ||
271 | patch_file = bb.fetch.decodeurl(url)[2] | ||
272 | |||
273 | if not os.path.isfile(patch_file): | ||
274 | bb.error("File Not found: %s" % patch_file) | ||
275 | raise FileNotFoundError | ||
276 | |||
277 | # Check patch file name for CVE ID | ||
278 | fname_match = cve_file_name_match.search(patch_file) | ||
279 | if fname_match: | ||
280 | cve = fname_match.group(1).upper() | ||
281 | patched_cves.add(cve) | ||
282 | bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) | ||
283 | |||
284 | with open(patch_file, "r", encoding="utf-8") as f: | ||
285 | try: | ||
286 | patch_text = f.read() | ||
287 | except UnicodeDecodeError: | ||
288 | bb.debug(1, "Failed to read patch %s using UTF-8 encoding" | ||
289 | " trying with iso8859-1" % patch_file) | ||
290 | f.close() | ||
291 | with open(patch_file, "r", encoding="iso8859-1") as f: | ||
292 | patch_text = f.read() | ||
293 | |||
294 | # Search for one or more "CVE: " lines | ||
295 | text_match = False | ||
296 | for match in cve_match.finditer(patch_text): | ||
297 | # Get only the CVEs without the "CVE: " tag | ||
298 | cves = patch_text[match.start()+5:match.end()] | ||
299 | for cve in cves.split(): | ||
300 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) | ||
301 | patched_cves.add(cve) | ||
302 | text_match = True | ||
303 | |||
304 | if not fname_match and not text_match: | ||
305 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) | ||
306 | |||
307 | return patched_cves | ||
308 | |||
309 | def check_cves(d, patched_cves): | 251 | def check_cves(d, patched_cves): |
310 | """ | 252 | """ |
311 | Connect to the NVD database and find unpatched cves. | 253 | Connect to the NVD database and find unpatched cves. |
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index b17390de90..a4b831831b 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
@@ -89,3 +89,85 @@ def update_symlinks(target_path, link_path): | |||
89 | if os.path.exists(os.path.realpath(link_path)): | 89 | if os.path.exists(os.path.realpath(link_path)): |
90 | os.remove(link_path) | 90 | os.remove(link_path) |
91 | os.symlink(os.path.basename(target_path), link_path) | 91 | os.symlink(os.path.basename(target_path), link_path) |
92 | |||
93 | def get_patched_cves(d): | ||
94 | """ | ||
95 | Get patches that solve CVEs using the "CVE: " tag. | ||
96 | """ | ||
97 | |||
98 | import re | ||
99 | import oe.patch | ||
100 | |||
101 | pn = d.getVar("PN") | ||
102 | cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") | ||
103 | |||
104 | # Matches the last "CVE-YYYY-ID" in the file name, also if written | ||
105 | # in lowercase. Possible to have multiple CVE IDs in a single | ||
106 | # file name, but only the last one will be detected from the file name. | ||
107 | # However, patch files contents addressing multiple CVE IDs are supported | ||
108 | # (cve_match regular expression) | ||
109 | |||
110 | cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") | ||
111 | |||
112 | patched_cves = set() | ||
113 | bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) | ||
114 | for url in oe.patch.src_patches(d): | ||
115 | patch_file = bb.fetch.decodeurl(url)[2] | ||
116 | |||
117 | if not os.path.isfile(patch_file): | ||
118 | bb.error("File Not found: %s" % patch_file) | ||
119 | raise FileNotFoundError | ||
120 | |||
121 | # Check patch file name for CVE ID | ||
122 | fname_match = cve_file_name_match.search(patch_file) | ||
123 | if fname_match: | ||
124 | cve = fname_match.group(1).upper() | ||
125 | patched_cves.add(cve) | ||
126 | bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) | ||
127 | |||
128 | with open(patch_file, "r", encoding="utf-8") as f: | ||
129 | try: | ||
130 | patch_text = f.read() | ||
131 | except UnicodeDecodeError: | ||
132 | bb.debug(1, "Failed to read patch %s using UTF-8 encoding" | ||
133 | " trying with iso8859-1" % patch_file) | ||
134 | f.close() | ||
135 | with open(patch_file, "r", encoding="iso8859-1") as f: | ||
136 | patch_text = f.read() | ||
137 | |||
138 | # Search for one or more "CVE: " lines | ||
139 | text_match = False | ||
140 | for match in cve_match.finditer(patch_text): | ||
141 | # Get only the CVEs without the "CVE: " tag | ||
142 | cves = patch_text[match.start()+5:match.end()] | ||
143 | for cve in cves.split(): | ||
144 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) | ||
145 | patched_cves.add(cve) | ||
146 | text_match = True | ||
147 | |||
148 | if not fname_match and not text_match: | ||
149 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) | ||
150 | |||
151 | return patched_cves | ||
152 | |||
153 | |||
154 | def get_cpe_ids(cve_product, version): | ||
155 | """ | ||
156 | Get list of CPE identifiers for the given product and version | ||
157 | """ | ||
158 | |||
159 | version = version.split("+git")[0] | ||
160 | |||
161 | cpe_ids = [] | ||
162 | for product in cve_product.split(): | ||
163 | # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, | ||
164 | # use wildcard for vendor. | ||
165 | if ":" in product: | ||
166 | vendor, product = product.split(":", 1) | ||
167 | else: | ||
168 | vendor = "*" | ||
169 | |||
170 | cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' | ||
171 | cpe_ids.append(cpe_id) | ||
172 | |||
173 | return cpe_ids | ||