diff options
| author | Geoffrey GIRY <geoffrey.giry@smile.fr> | 2023-03-28 12:23:49 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2023-03-30 12:30:38 +0100 |
| commit | 81740facf458a5a3326c0cfca20ebf75d8fe91d0 (patch) | |
| tree | 7fd393837325a5d81c8fc38eeb5911c45c751ab2 /meta/lib/oe | |
| parent | e8693364c59e627bf667c5ecc790beb2a59b6dd8 (diff) | |
| download | poky-81740facf458a5a3326c0cfca20ebf75d8fe91d0.tar.gz | |
cve-check: Fix false negative version issue
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
[YOCTO #14127]
Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
(From OE-Core rev: 7d00f6ec578084a0a0e5caf36241d53036d996c4)
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe')
| -rw-r--r-- | meta/lib/oe/cve_check.py | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 4f1d80f050..dbaa0b373a 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
| @@ -179,3 +179,42 @@ def update_symlinks(target_path, link_path): | |||
| 179 | if os.path.exists(os.path.realpath(link_path)): | 179 | if os.path.exists(os.path.realpath(link_path)): |
| 180 | os.remove(link_path) | 180 | os.remove(link_path) |
| 181 | os.symlink(os.path.basename(target_path), link_path) | 181 | os.symlink(os.path.basename(target_path), link_path) |
| 182 | |||
| 183 | |||
| 184 | def convert_cve_version(version): | ||
| 185 | """ | ||
| 186 | This function converts from CVE format to Yocto version format. | ||
| 187 | eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1 | ||
| 188 | |||
| 189 | Unless it is redefined using CVE_VERSION in the recipe, | ||
| 190 | cve_check uses the version in the name of the recipe (${PV}) | ||
| 191 | to check vulnerabilities against a CVE in the database downloaded from NVD. | ||
| 192 | |||
| 193 | When the version has an update, i.e. | ||
| 194 | "p1" in OpenSSH 8.3p1, | ||
| 195 | "-rc1" in linux kernel 6.2-rc1, | ||
| 196 | the database stores the version as version_update (8.3_p1, 6.2_rc1). | ||
| 197 | Therefore, we must transform this version before comparing to the | ||
| 198 | recipe version. | ||
| 199 | |||
| 200 | In this case, the parameter of the function is 8.3_p1. | ||
| 201 | If the version uses the Release Candidate format, "rc", | ||
| 202 | this function replaces the '_' by '-'. | ||
| 203 | If the version uses the Update format, "p", | ||
| 204 | this function removes the '_' completely. | ||
| 205 | """ | ||
| 206 | import re | ||
| 207 | |||
| 208 | matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version) | ||
| 209 | |||
| 210 | if not matches: | ||
| 211 | return version | ||
| 212 | |||
| 213 | version = matches.group(1) | ||
| 214 | update = matches.group(2) | ||
| 215 | |||
| 216 | if matches.group(3) == "rc": | ||
| 217 | return version + '-' + update | ||
| 218 | |||
| 219 | return version + update | ||
| 220 | |||