cve-check-tool: backport a patch to make CVE checking work

CVE checking in OE didn't work as do_populate_cve_db failed with the following error message. [snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent Backport a patch to fix this error. (From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chen Qi <Qi.Chen@windriver.com> 2017-05-08 11:12:11 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-05-18 14:01:48 +0100
commit: ef506f58da3a95fba2696df749b2b81f9c118847 (patch)
tree: 85c09d7c2e96c8bb27f3944295760d98271cb8c4
parent: 1dda475da98835853a3500b616053f696b508210 (diff)
download: poky-ef506f58da3a95fba2696df749b2b81f9c118847.tar.gz
2 files changed, 53 insertions, 0 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index fcd3182931..1f906ee0a4 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
           file://check-for-malloc_trim-before-using-it.patch \
           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
+           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
          "
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
new file mode 100644
index 0000000000..458c0cc84e
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
@@ -0,0 +1,52 @@
+From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
+From: Sergey Popovich <popovich_sergei@mail.ua>
+Date: Fri, 21 Apr 2017 07:32:23 -0700
+Subject: [PATCH] update: Compare computed vs expected sha256 digit string
+ ignoring case
+We produce sha256 digest string using %x snprintf()
+qualifier for each byte of digest which uses alphabetic
+characters from "a" to "f" in lower case to represent
+integer values from 10 to 15.
+Previously all of the NVD META files supply sha256
+digest string for corresponding XML file in lower case.
+However due to some reason this changed recently to
+provide digest digits in upper case causing fetched
+data consistency checks to fail. This prevents database
+from being updated periodically.
+While commit c4f6e94 (update: Do not treat sha256 failure
+as fatal if requested) adds useful option to skip
+digest validation at all and thus provides workaround for
+this situation, it might be unacceptable for some
+deployments where we need to ensure that downloaded
+data is consistent before start parsing it and update
+SQLite database.
+Use strcasecmp() to compare two digest strings case
+insensitively and addressing this case.
+Upstream-Status: Backport
+Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
+---
+ src/update.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/update.c b/src/update.c
+index 8588f38..3cc6b67 100644
+--- a/src/update.c
+++ b/src/update.c
+@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
+                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
+         }
+ 
+-        ret = streq(csum_meta, csum_data);
+        ret = !strcasecmp(csum_meta, csum_data);
+ 
+ err_unmap:
+         munmap(buffer, length);
+-- 
+2.11.0
author	Chen Qi <Qi.Chen@windriver.com>	2017-05-08 11:12:11 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2017-05-18 14:01:48 +0100
commit	ef506f58da3a95fba2696df749b2b81f9c118847 (patch)
tree	85c09d7c2e96c8bb27f3944295760d98271cb8c4
parent	1dda475da98835853a3500b616053f696b508210 (diff)
download	poky-ef506f58da3a95fba2696df749b2b81f9c118847.tar.gz

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index fcd3182931..1f906ee0a4 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
10	file://check-for-malloc_trim-before-using-it.patch \	10	file://check-for-malloc_trim-before-using-it.patch \
11	file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \	11	file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
12	file://0001-curl-allow-overriding-default-CA-certificate-file.patch \	12	file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
		13	file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
13	"	14	"
14		15
15	SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"	16	SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"


diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch new file mode 100644 index 0000000000..458c0cc84e --- /dev/null +++ b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
@@ -0,0 +1,52 @@
		1	From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
		2	From: Sergey Popovich <popovich_sergei@mail.ua>
		3	Date: Fri, 21 Apr 2017 07:32:23 -0700
		4	Subject: [PATCH] update: Compare computed vs expected sha256 digit string
		5	ignoring case
		6
		7	We produce sha256 digest string using %x snprintf()
		8	qualifier for each byte of digest which uses alphabetic
		9	characters from "a" to "f" in lower case to represent
		10	integer values from 10 to 15.
		11
		12	Previously all of the NVD META files supply sha256
		13	digest string for corresponding XML file in lower case.
		14
		15	However due to some reason this changed recently to
		16	provide digest digits in upper case causing fetched
		17	data consistency checks to fail. This prevents database
		18	from being updated periodically.
		19
		20	While commit c4f6e94 (update: Do not treat sha256 failure
		21	as fatal if requested) adds useful option to skip
		22	digest validation at all and thus provides workaround for
		23	this situation, it might be unacceptable for some
		24	deployments where we need to ensure that downloaded
		25	data is consistent before start parsing it and update
		26	SQLite database.
		27
		28	Use strcasecmp() to compare two digest strings case
		29	insensitively and addressing this case.
		30
		31	Upstream-Status: Backport
		32	Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
		33	---
		34	src/update.c \| 2 +-
		35	1 file changed, 1 insertion(+), 1 deletion(-)
		36
		37	diff --git a/src/update.c b/src/update.c
		38	index 8588f38..3cc6b67 100644
		39	--- a/src/update.c
		40	+++ b/src/update.c
		41	@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char meta, const char data)
		42	snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
		43	}
		44
		45	- ret = streq(csum_meta, csum_data);
		46	+ ret = !strcasecmp(csum_meta, csum_data);
		47
		48	err_unmap:
		49	munmap(buffer, length);
		50	--
		51	2.11.0
		52