authorPierre Le Magourou <pierre.lemagourou@softbankrobotics.com>2019-11-06 17:37:19 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-07 19:47:26 +0000
commit8bc6c65d862c080bdb95405ed5aea528dbcc2315 (patch)
tree778b547c10f24b8361672780f9680756c3eb0ee8
parentb409daad1d6c853690ae9ea75447cfac89033712 (diff)
downloadpoky-8bc6c65d862c080bdb95405ed5aea528dbcc2315.tar.gz
cve-check: Consider CVE that affects versions with less than operator
In the NVD json CVE feed, affected versions can be strictly matched to a version, but they can also be matched with the operator '<='. Add a new condition in the sqlite query to match affected versions that are defined with the operator '<='. Then use LooseVersion to discard all versions that are not relevant. (From OE-Core rev: 3bf63bc60848d91e90c23f6d854d22b78832aa2d) (From OE-Core rev: 70046288894184477dcf6f7eba25b1994b88c8de) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass16
1 files changed, 14 insertions, 2 deletions
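--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
     Connect to the NVD database and find unpatched cves.
     """
     import ast, csv, tempfile, subprocess, io
+    from distutils.version import LooseVersion
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+    query = """SELECT * FROM PRODUCTS WHERE
+               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
     for idx in range(len(bpn)):
-        for row in c.execute(query % (bpn[idx],pv)):
+        for row in c.execute(query.format(bpn[idx],pv)):
             cve = row[1]
+            version = row[4]
+
+            try:
+                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            except:
+                discardVersion = True
+
             if pv in cve_whitelist.get(cve,[]):
                 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
+            elif discardVersion:
+                bb.debug(2, "Do not consider version %s " % (version))
             else:
                 cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))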