diff options
author | Ross Burton <ross.burton@intel.com> | 2019-12-08 20:35:47 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-12-16 23:11:10 +0000 |
commit | 593fe7e35267f665dbb37cc0abcc82be55ac67f8 (patch) | |
tree | 91bf149b019845a339354d9be48d4aed1b8b6c93 /meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch | |
parent | 53acd121ab1097435812e3922bad7f8ff75f7107 (diff) | |
download | poky-593fe7e35267f665dbb37cc0abcc82be55ac67f8.tar.gz |
cve-check: backport rewrite from master
As detailed at [1] the XML feeds provided by NIST are being discontinued on
October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be
inoperable after this date.
To ensure that cve-check continues working, backport the following commits from
master to move away from the unmaintained cve-check-tool to our own Python code
that fetches the JSON:
546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning
[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement
(From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb)
(From OE-Core rev: beeed02f9831e75c3f773e44d7efc726f1ff859c)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch')
-rw-r--r-- | meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch deleted file mode 100644 index 458c0cc84e..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch +++ /dev/null | |||
@@ -1,52 +0,0 @@ | |||
1 | From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 | ||
2 | From: Sergey Popovich <popovich_sergei@mail.ua> | ||
3 | Date: Fri, 21 Apr 2017 07:32:23 -0700 | ||
4 | Subject: [PATCH] update: Compare computed vs expected sha256 digit string | ||
5 | ignoring case | ||
6 | |||
7 | We produce sha256 digest string using %x snprintf() | ||
8 | qualifier for each byte of digest which uses alphabetic | ||
9 | characters from "a" to "f" in lower case to represent | ||
10 | integer values from 10 to 15. | ||
11 | |||
12 | Previously all of the NVD META files supply sha256 | ||
13 | digest string for corresponding XML file in lower case. | ||
14 | |||
15 | However due to some reason this changed recently to | ||
16 | provide digest digits in upper case causing fetched | ||
17 | data consistency checks to fail. This prevents database | ||
18 | from being updated periodically. | ||
19 | |||
20 | While commit c4f6e94 (update: Do not treat sha256 failure | ||
21 | as fatal if requested) adds useful option to skip | ||
22 | digest validation at all and thus provides workaround for | ||
23 | this situation, it might be unacceptable for some | ||
24 | deployments where we need to ensure that downloaded | ||
25 | data is consistent before start parsing it and update | ||
26 | SQLite database. | ||
27 | |||
28 | Use strcasecmp() to compare two digest strings case | ||
29 | insensitively and addressing this case. | ||
30 | |||
31 | Upstream-Status: Backport | ||
32 | Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> | ||
33 | --- | ||
34 | src/update.c | 2 +- | ||
35 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
36 | |||
37 | diff --git a/src/update.c b/src/update.c | ||
38 | index 8588f38..3cc6b67 100644 | ||
39 | --- a/src/update.c | ||
40 | +++ b/src/update.c | ||
41 | @@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) | ||
42 | snprintf(&csum_data[idx], len, "%02hhx", digest[i]); | ||
43 | } | ||
44 | |||
45 | - ret = streq(csum_meta, csum_data); | ||
46 | + ret = !strcasecmp(csum_meta, csum_data); | ||
47 | |||
48 | err_unmap: | ||
49 | munmap(buffer, length); | ||
50 | -- | ||
51 | 2.11.0 | ||
52 | |||