cve-update-db-native: Remove hash column from database.

djb2 hash algorithm was found to do collisions, so the database was sometime missing data. Remove this hash mechanism, clear and populate elements from scratch in PRODUCTS table if the current year needs an update. (From OE-Core rev: 78de2cb39d74b030cd4ec811bf6f9a6daa003d19) (From OE-Core rev: e6541c6add1714938a81cca394886893cf24cdb0) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> 2019-11-06 17:37:36 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07 19:47:26 +0000
commit: 731e27f75eb513a064d9b074ed14497b40ffc729 (patch)
tree: 3286b166e65b2cf92c6ece6bc3fa6b9c2c435422
parent: 1fd5cfa59d191bd11cc57dffb6c6e381d6abac60 (diff)
download: poky-731e27f75eb513a064d9b074ed14497b40ffc729.tar.gz
2 files changed, 13 insertions, 20 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 512d4c7302..c00d2910be 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -200,11 +200,11 @@ def check_cves(d, patched_cves):
            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
        for row in c:
-            cve = row[1]
+            cve = row[0]
-            version_start = row[4]
+            version_start = row[3]
-            operator_start = row[5]
+            operator_start = row[4]
-            version_end = row[6]
+            version_end = row[5]
-            operator_end = row[7]
+            operator_end = row[6]
            if cve in cve_whitelist:
                bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index cd270443b1..af2946b5f8 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -25,7 +25,7 @@ python do_populate_cve_db() {
    YEAR_START = 2002
    db_dir = d.getVar("DL_DIR") + '/CVE_CHECK'
-    db_file = db_dir + '/nvdcve.db'
+    db_file = db_dir + '/nvdcve_1.0.db'
    json_tmpfile = db_dir + '/nvd.json.gz'
    proxy = d.getVar("https_proxy")
    cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a')
@@ -60,6 +60,10 @@ python do_populate_cve_db() {
        c.execute("select DATE from META where YEAR = ?", (year,))
        meta = c.fetchone()
        if not meta or meta[0] != last_modified:
+            # Clear products table entries corresponding to current year
+            cve_year = 'CVE-' + str(year) + '%'
+            c.execute("delete from PRODUCTS where ID like ?", (cve_year,))
            # Update db with current year json file
            req = urllib.request.Request(json_url)
            if proxy:
@@ -86,27 +90,16 @@ python do_populate_cve_db() {
    conn.close()
 }
-# DJB2 hash algorithm
-def hash_djb2(s):
-    hash = 5381
-    for x in s:
-        hash = (( hash << 5) + hash) + ord(x)
-    return hash & 0xFFFFFFFF
 def initialize_db(c):
    c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
    c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
        SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
-    c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (HASH INTEGER UNIQUE, ID TEXT, \
+    c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
        VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
        VERSION_END TEXT, OPERATOR_END TEXT)")
 def insert_elt(c, db_values):
-    product_str = db_values[0] + db_values[1] + db_values[2] + db_values[3]
+    query = "insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)"
-    hashstr = hash_djb2(product_str)
-    db_values.insert(0, hashstr)
-    query = "insert or replace into PRODUCTS values (?, ?, ?, ?, ?, ?, ?, ?)"
    c.execute(query, db_values)
 def parse_node_and_insert(c, node, cveId):
author	Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>	2019-11-06 17:37:36 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-11-07 19:47:26 +0000
commit	731e27f75eb513a064d9b074ed14497b40ffc729 (patch)
tree	3286b166e65b2cf92c6ece6bc3fa6b9c2c435422
parent	1fd5cfa59d191bd11cc57dffb6c6e381d6abac60 (diff)
download	poky-731e27f75eb513a064d9b074ed14497b40ffc729.tar.gz