authorPierre Le Magourou <pierre.lemagourou@softbankrobotics.com>2019-11-06 17:37:27 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-07 19:47:26 +0000
commit74b562e1cedc484cf417b98d67a5ee37a340dc3b (patch)
tree73987c6c09a58ff0c4b8622f5ddbdc4bd17b8b7d
parent470ea72f1cfdf3702e933cf4c73e63da756b3981 (diff)
downloadpoky-74b562e1cedc484cf417b98d67a5ee37a340dc3b.tar.gz
cve-check: Update unpatched CVE matching
Now that cve-update-db has added CPE information to the NVD database, we can check for unpatched versions with the operators '<', '<=', '>' and '>='. (From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed) (From OE-Core rev: 48793a3b74bfaa5ffe6191d21f64aef3720433db) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass54
1 files changed, 40 insertions, 14 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6ffa0c4688..ffd624333f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
26CVE_VERSION ??= "${PV}" 26CVE_VERSION ??= "${PV}"
27 27
28CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" 28CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
29CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db" 29CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
30 30
31CVE_CHECK_LOG ?= "${T}/cve.log" 31CVE_CHECK_LOG ?= "${T}/cve.log"
32CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" 32CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves):
189 conn = sqlite3.connect(db_file) 189 conn = sqlite3.connect(db_file)
190 c = conn.cursor() 190 c = conn.cursor()
191 191
192 query = """SELECT * FROM PRODUCTS WHERE 192 query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
193 (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR 193
194 (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
195 for product in products: 194 for product in products:
196 for row in c.execute(query.format(product, pv)): 195 for row in c.execute(query.format(product, pv)):
197 cve = row[1] 196 cve = row[1]
198 version = row[4] 197 version_start = row[4]
199 198 operator_start = row[5]
200 try: 199 version_end = row[6]
201 discardVersion = LooseVersion(version) < LooseVersion(pv) 200 operator_end = row[7]
202 except:
203 discardVersion = True
204 201
205 if pv in cve_whitelist.get(cve, []): 202 if pv in cve_whitelist.get(cve, []):
206 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) 203 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
207 elif cve in patched_cves: 204 elif cve in patched_cves:
208 bb.note("%s has been patched" % (cve)) 205 bb.note("%s has been patched" % (cve))
209 elif discardVersion:
210 bb.debug(2, "Do not consider version %s " % (version))
211 else: 206 else:
212 cves_unpatched.append(cve) 207 if (operator_start == '=' and pv == version_start):
208 cves_unpatched.append(cve)
209 else:
210 if operator_start:
211 try:
212 to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
213 to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
214 except:
215 bb.note("%s: Failed to compare %s %s %s for %s" %
216 (product, pv, operator_start, version_start, cve))
217 to_append_start = False
218 else:
219 to_append_start = False
220
221 if operator_end:
222 try:
223 to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
224 to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
225 except:
226 bb.note("%s: Failed to compare %s %s %s for %s" %
227 (product, pv, operator_end, version_end, cve))
228 to_append_end = False
229 else:
230 to_append_end = False
231
232 if operator_start and operator_end:
233 to_append = to_append_start and to_append_end
234 else:
235 to_append = to_append_start or to_append_end
236
237 if to_append:
238 cves_unpatched.append(cve)
213 bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) 239 bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
214 conn.close() 240 conn.close()
215 241
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves):
217 243
218def get_cve_info(d, cves): 244def get_cve_info(d, cves):
219 """ 245 """
220 Get CVE information from the database used by cve-check-tool. 246 Get CVE information from the database.
221 247
222 Unfortunately the only way to get CVE info is set the output to 248 Unfortunately the only way to get CVE info is set the output to
223 html (hard to parse) or query directly the database. 249 html (hard to parse) or query directly the database.
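Review bot: In the two new `except:` blocks at new lines 214-217 and 225-228, a LooseVersion comparison that raises (for instance a version string LooseVersion cannot order against pv) sets `to_append_start`/`to_append_end` to False, so the CVE is dropped from cves_unpatched with only a bb.note as a trace; the check fails open for exactly the rows whose version data is unusual. That message should at least be `bb.warn(...)` so the dropped match is visible in the build output, and the bare `except:` should be narrowed to `except Exception:` so it no longer swallows KeyboardInterrupt and SystemExit. Separately, new line 192 still builds the SQL by string formatting, and `query.format(product, pv)` on line 195 passes a pv the new query no longer uses; a product name containing a quote would break the statement, so prefer the sqlite3 placeholder: `query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS ?;"` with `for row in c.execute(query, (product,)):`. Whether a row with neither operator_start nor operator_end set (which this code never reports) can occur depends on how cve-update-db fills the table, which is not visible here. check_cves begins before this hunk.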