cve-check: Fix false negative version issue

NVD DB store version and update in the same value, separated by '_'. The proposed patch check if the version from NVD DB contains a "_", ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison. [YOCTO #14127] Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr> (From OE-Core rev: 7d00f6ec578084a0a0e5caf36241d53036d996c4) Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Geoffrey GIRY <geoffrey.giry@smile.fr> 2023-03-28 12:23:49 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2023-03-30 12:30:38 +0100
commit: 81740facf458a5a3326c0cfca20ebf75d8fe91d0 (patch)
tree: 7fd393837325a5d81c8fc38eeb5911c45c751ab2
parent: e8693364c59e627bf667c5ecc790beb2a59b6dd8 (diff)
download: poky-81740facf458a5a3326c0cfca20ebf75d8fe91d0.tar.gz
3 files changed, 62 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 41fdf8363f..5e2da56046 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -260,7 +260,7 @@ def check_cves(d, patched_cves):
    """
    Connect to the NVD database and find unpatched cves.
    """
-    from oe.cve_check import Version
+    from oe.cve_check import Version, convert_cve_version
    pn = d.getVar("PN")
    real_pv = d.getVar("PV")
@@ -324,6 +324,9 @@ def check_cves(d, patched_cves):
                if cve in cve_ignore:
                    ignored = True
+                version_start = convert_cve_version(version_start)
+                version_end = convert_cve_version(version_end)
                if (operator_start == '=' and pv == version_start) or version_start == '-':
                    vulnerable = True
                else:
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 4f1d80f050..dbaa0b373a 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -179,3 +179,42 @@ def update_symlinks(target_path, link_path):
        if os.path.exists(os.path.realpath(link_path)):
            os.remove(link_path)
        os.symlink(os.path.basename(target_path), link_path)
+def convert_cve_version(version):
+    """
+    This function converts from CVE format to Yocto version format.
+    eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+    Unless it is redefined using CVE_VERSION in the recipe,
+    cve_check uses the version in the name of the recipe (${PV})
+    to check vulnerabilities against a CVE in the database downloaded from NVD.
+    When the version has an update, i.e.
+    "p1" in OpenSSH 8.3p1,
+    "-rc1" in linux kernel 6.2-rc1,
+    the database stores the version as version_update (8.3_p1, 6.2_rc1).
+    Therefore, we must transform this version before comparing to the
+    recipe version.
+    In this case, the parameter of the function is 8.3_p1.
+    If the version uses the Release Candidate format, "rc",
+    this function replaces the '_' by '-'.
+    If the version uses the Update format, "p",
+    this function removes the '_' completely.
+    """
+    import re
+    matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+    if not matches:
+        return version
+    version = matches.group(1)
+    update = matches.group(2)
+    if matches.group(3) == "rc":
+        return version + '-' + update
+    return version + update
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index ac47af1990..9534c9775c 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -54,6 +54,25 @@ class CVECheck(OESelftestTestCase):
        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
+    def test_convert_cve_version(self):
+        from oe.cve_check import convert_cve_version
+        # Default format
+        self.assertEqual(convert_cve_version("8.3"), "8.3")
+        self.assertEqual(convert_cve_version(""), "")
+        # OpenSSL format version
+        self.assertEqual(convert_cve_version("1.1.1t"), "1.1.1t")
+        # OpenSSH format
+        self.assertEqual(convert_cve_version("8.3_p1"), "8.3p1")
+        self.assertEqual(convert_cve_version("8.3_p22"), "8.3p22")
+        # Linux kernel format
+        self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8")
+        self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31")
    def test_recipe_report_json(self):
        config = """
 INHERIT += "cve-check"
author	Geoffrey GIRY <geoffrey.giry@smile.fr>	2023-03-28 12:23:49 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2023-03-30 12:30:38 +0100
commit	81740facf458a5a3326c0cfca20ebf75d8fe91d0 (patch)
tree	7fd393837325a5d81c8fc38eeb5911c45c751ab2
parent	e8693364c59e627bf667c5ecc790beb2a59b6dd8 (diff)
download	poky-81740facf458a5a3326c0cfca20ebf75d8fe91d0.tar.gz

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 41fdf8363f..5e2da56046 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -260,7 +260,7 @@ def check_cves(d, patched_cves):
260	"""	260	"""
261	Connect to the NVD database and find unpatched cves.	261	Connect to the NVD database and find unpatched cves.
262	"""	262	"""
263	from oe.cve_check import Version	263	from oe.cve_check import Version, convert_cve_version
264		264
265	pn = d.getVar("PN")	265	pn = d.getVar("PN")
266	real_pv = d.getVar("PV")	266	real_pv = d.getVar("PV")
@@ -324,6 +324,9 @@ def check_cves(d, patched_cves):
324	if cve in cve_ignore:	324	if cve in cve_ignore:
325	ignored = True	325	ignored = True
326		326
		327	version_start = convert_cve_version(version_start)
		328	version_end = convert_cve_version(version_end)
		329
327	if (operator_start == '=' and pv == version_start) or version_start == '-':	330	if (operator_start == '=' and pv == version_start) or version_start == '-':
328	vulnerable = True	331	vulnerable = True
329	else:	332	else:


diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 4f1d80f050..dbaa0b373a 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py
@@ -179,3 +179,42 @@ def update_symlinks(target_path, link_path):
179	if os.path.exists(os.path.realpath(link_path)):	179	if os.path.exists(os.path.realpath(link_path)):
180	os.remove(link_path)	180	os.remove(link_path)
181	os.symlink(os.path.basename(target_path), link_path)	181	os.symlink(os.path.basename(target_path), link_path)
		182
		183
		184	def convert_cve_version(version):
		185	"""
		186	This function converts from CVE format to Yocto version format.
		187	eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
		188
		189	Unless it is redefined using CVE_VERSION in the recipe,
		190	cve_check uses the version in the name of the recipe (${PV})
		191	to check vulnerabilities against a CVE in the database downloaded from NVD.
		192
		193	When the version has an update, i.e.
		194	"p1" in OpenSSH 8.3p1,
		195	"-rc1" in linux kernel 6.2-rc1,
		196	the database stores the version as version_update (8.3_p1, 6.2_rc1).
		197	Therefore, we must transform this version before comparing to the
		198	recipe version.
		199
		200	In this case, the parameter of the function is 8.3_p1.
		201	If the version uses the Release Candidate format, "rc",
		202	this function replaces the '_' by '-'.
		203	If the version uses the Update format, "p",
		204	this function removes the '_' completely.
		205	"""
		206	import re
		207
		208	matches = re.match('^([0-9.]+)_((p\|rc)[0-9]+)$', version)
		209
		210	if not matches:
		211	return version
		212
		213	version = matches.group(1)
		214	update = matches.group(2)
		215
		216	if matches.group(3) == "rc":
		217	return version + '-' + update
		218
		219	return version + update
		220


diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index ac47af1990..9534c9775c 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -54,6 +54,25 @@ class CVECheck(OESelftestTestCase):
54	self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")	54	self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
55		55
56		56
		57	def test_convert_cve_version(self):
		58	from oe.cve_check import convert_cve_version
		59
		60	# Default format
		61	self.assertEqual(convert_cve_version("8.3"), "8.3")
		62	self.assertEqual(convert_cve_version(""), "")
		63
		64	# OpenSSL format version
		65	self.assertEqual(convert_cve_version("1.1.1t"), "1.1.1t")
		66
		67	# OpenSSH format
		68	self.assertEqual(convert_cve_version("8.3_p1"), "8.3p1")
		69	self.assertEqual(convert_cve_version("8.3_p22"), "8.3p22")
		70
		71	# Linux kernel format
		72	self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8")
		73	self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31")
		74
		75
57	def test_recipe_report_json(self):	76	def test_recipe_report_json(self):
58	config = """	77	config = """
59	INHERIT += "cve-check"	78	INHERIT += "cve-check"