diff options
| author | Ross Burton <ross.burton@intel.com> | 2019-11-06 17:37:40 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-07 19:47:27 +0000 |
| commit | 9473adda8f09f8d4cfb474b4a579672edff72b7a (patch) | |
| tree | b6ed3b0d93f6322743a7c725b9156b39ff942c93 | |
| parent | a36130201b380db1a10935b92c90d99e4b553c73 (diff) | |
| download | poky-9473adda8f09f8d4cfb474b4a579672edff72b7a.tar.gz | |
cve-update-db-native: improve metadata parsing
The metadata parser is fragile: first it coerces a bytes() to a str() (so the
string is b'LastModifiedDate:2019...'), assumes the first line is the date, and
then uses a regex to parse (which then includes the trailing quote as part of
the date).
Clean this up by parsing the bytes as UTF-8 (ASCII is probably fine, but this is
safer), iterate through the lines and split on colons to find the right
key/value pair.
(From OE-Core rev: bb4e53af33d6ca1e9346464adbdc1b39c47530f3)
(From OE-Core rev: c718e073e8e9cd5df9e19dd02fcac2139758b5b7)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 18 |
1 files changed, 10 insertions, 8 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index a5d8e3210c..6907197044 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb | |||
| @@ -17,7 +17,7 @@ python do_populate_cve_db() { | |||
| 17 | Update NVD database with json data feed | 17 | Update NVD database with json data feed |
| 18 | """ | 18 | """ |
| 19 | 19 | ||
| 20 | import sqlite3, urllib, shutil, gzip, re | 20 | import sqlite3, urllib, shutil, gzip |
| 21 | from datetime import date | 21 | from datetime import date |
| 22 | 22 | ||
| 23 | BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" | 23 | BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" |
| @@ -47,13 +47,15 @@ python do_populate_cve_db() { | |||
| 47 | req = urllib.request.Request(meta_url) | 47 | req = urllib.request.Request(meta_url) |
| 48 | if proxy: | 48 | if proxy: |
| 49 | req.set_proxy(proxy, 'https') | 49 | req.set_proxy(proxy, 'https') |
| 50 | try: | 50 | with urllib.request.urlopen(req) as r: |
| 51 | with urllib.request.urlopen(req, timeout=1) as r: | 51 | for l in r.read().decode("utf-8").splitlines(): |
| 52 | date_line = str(r.read().splitlines()[0]) | 52 | key, value = l.split(":", 1) |
| 53 | last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1) | 53 | if key == "lastModifiedDate": |
| 54 | except: | 54 | last_modified = value |
| 55 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') | 55 | break |
| 56 | break | 56 | else: |
| 57 | bb.warn("Cannot parse CVE metadata, update failed") | ||
| 58 | return | ||
| 57 | 59 | ||
| 58 | # Compare with current db last modified date | 60 | # Compare with current db last modified date |
| 59 | c.execute("select DATE from META where YEAR = ?", (year,)) | 61 | c.execute("select DATE from META where YEAR = ?", (year,)) |