diff options
| author | Mikko Rapeli <mikko.rapeli@bmw.de> | 2017-09-04 09:22:14 +0300 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-09-05 15:01:02 +0100 |
| commit | beb089b23627f084695f17802ffc5af192bbdbee (patch) | |
| tree | 32f3df3f1932d68b019ee89b30d60d171ac7cec5 /meta/classes | |
| parent | f30adee451c28ffd19f30adb9bc88c76281a7ad5 (diff) | |
| download | poky-beb089b23627f084695f17802ffc5af192bbdbee.tar.gz | |
cve-check.bbclass: detect patched CVE's also from patch file names
While poky master branch has been fixed so that all CVE patch files have
the:
CVE: CVE-2017-1234556
strings in the patch comments, many older versions of poky and other meta
layers are not, but the CVE patches quite often have the CVE id in the
patch file name.
If the CVE: string also found, there are no duplicates in the report.
(From OE-Core rev: 5ee5b0c66627c9e974c838b86e2e659c2f601f2a)
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index f44bbed6ac..bc2f03f7dd 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -118,10 +118,24 @@ def get_patches_cves(d): | |||
| 118 | 118 | ||
| 119 | pn = d.getVar("PN") | 119 | pn = d.getVar("PN") |
| 120 | cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") | 120 | cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") |
| 121 | |||
| 122 | # Matches last CVE-1234-211432 in the file name, also if written | ||
| 123 | # with small letters. Not supporting multiple CVE id's in a single | ||
| 124 | # file name. | ||
| 125 | cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") | ||
| 126 | |||
| 121 | patched_cves = set() | 127 | patched_cves = set() |
| 122 | bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) | 128 | bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) |
| 123 | for url in src_patches(d): | 129 | for url in src_patches(d): |
| 124 | patch_file = bb.fetch.decodeurl(url)[2] | 130 | patch_file = bb.fetch.decodeurl(url)[2] |
| 131 | |||
| 132 | # Check patch file name for CVE ID | ||
| 133 | fname_match = cve_file_name_match.search(patch_file) | ||
| 134 | if fname_match: | ||
| 135 | cve = fname_match.group(1).upper() | ||
| 136 | patched_cves.add(cve) | ||
| 137 | bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) | ||
| 138 | |||
| 125 | with open(patch_file, "r", encoding="utf-8") as f: | 139 | with open(patch_file, "r", encoding="utf-8") as f: |
| 126 | try: | 140 | try: |
| 127 | patch_text = f.read() | 141 | patch_text = f.read() |
| @@ -140,7 +154,7 @@ def get_patches_cves(d): | |||
| 140 | for cve in cves.split(): | 154 | for cve in cves.split(): |
| 141 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) | 155 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) |
| 142 | patched_cves.add(cve) | 156 | patched_cves.add(cve) |
| 143 | else: | 157 | elif not fname_match: |
| 144 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) | 158 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) |
| 145 | 159 | ||
| 146 | return patched_cves | 160 | return patched_cves |