cve-check: backport rewrite from master

As detailed at [1] the XML feeds provided by NIST are being discontinued on October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be inoperable after this date. To ensure that cve-check continues working, backport the following commits from master to move away from the unmaintained cve-check-tool to our own Python code that fetches the JSON: 546d14135c5 cve-update-db: New recipe to update CVE database bc144b028f6 cve-check: Remove dependency to cve-check-tool-native 7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name 3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator c0eabd30d7b cve-update-db: Use std library instead of urllib3 27eb839ee65 cve-check: be idiomatic 09be21f4d17 cve-update-db: Manage proxy if needed. 975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch 0325dd72714 cve-update-db: Catch request.urlopen errors. 4078da92b49 cve-check: Depends on cve-update-db-native f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table bc0195be1b1 cve-check: Update unpatched CVE matching c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded. 07bb8b25e17 cve-check: remove redundant readline CVE whitelisting 5388ed6d137 cve-check-tool: remove 270ac00cb43 cve-check.bbclass: initialize to_append e6bf9000987 cve-check: allow comparison of Vendor as well as Product 91770338f76 cve-update-db-native: use SQL placeholders instead of format strings 7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST 78de2cb39d7 cve-update-db-native: Remove hash column from database. 4b301030cf9 cve-update-db-native: use os.path.join instead of + f0d822fad2a cve-update-db: actually inherit native b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion bb4e53af33d cve-update-db-native: improve metadata parsing 94227459792 cve-update-db-native: clean up JSON fetching 95438d52b73 cve-update-db-native: fix https proxy issues 1f9a963b9ff glibc: exclude child recipes from CVE scanning [1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement (From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb) (From OE-Core rev: beeed02f9831e75c3f773e44d7efc726f1ff859c) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-12-08 20:35:47 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-12-16 23:11:10 +0000
commit: 593fe7e35267f665dbb37cc0abcc82be55ac67f8 (patch)
tree: 91bf149b019845a339354d9be48d4aed1b8b6c93 /meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
parent: 53acd121ab1097435812e3922bad7f8ff75f7107 (diff)
download: poky-593fe7e35267f665dbb37cc0abcc82be55ac67f8.tar.gz
1 files changed, 0 insertions, 52 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
deleted file mode 100644
index 458c0cc84e..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
-From: Sergey Popovich <popovich_sergei@mail.ua>
-Date: Fri, 21 Apr 2017 07:32:23 -0700
-Subject: [PATCH] update: Compare computed vs expected sha256 digit string
- ignoring case
-We produce sha256 digest string using %x snprintf()
-qualifier for each byte of digest which uses alphabetic
-characters from "a" to "f" in lower case to represent
-integer values from 10 to 15.
-Previously all of the NVD META files supply sha256
-digest string for corresponding XML file in lower case.
-However due to some reason this changed recently to
-provide digest digits in upper case causing fetched
-data consistency checks to fail. This prevents database
-from being updated periodically.
-While commit c4f6e94 (update: Do not treat sha256 failure
-as fatal if requested) adds useful option to skip
-digest validation at all and thus provides workaround for
-this situation, it might be unacceptable for some
-deployments where we need to ensure that downloaded
-data is consistent before start parsing it and update
-SQLite database.
-Use strcasecmp() to compare two digest strings case
-insensitively and addressing this case.
-Upstream-Status: Backport
-Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
---
- src/update.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/src/update.c b/src/update.c
-index 8588f38..3cc6b67 100644
--- a/src/update.c
-+++ b/src/update.c
-@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
-                 snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
-         }
- 
-        ret = streq(csum_meta, csum_data);
-+        ret = !strcasecmp(csum_meta, csum_data);
- 
- err_unmap:
-         munmap(buffer, length);
-- 
-2.11.0
author	Ross Burton <ross.burton@intel.com>	2019-12-08 20:35:47 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-12-16 23:11:10 +0000
commit	593fe7e35267f665dbb37cc0abcc82be55ac67f8 (patch)
tree	91bf149b019845a339354d9be48d4aed1b8b6c93 /meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch
parent	53acd121ab1097435812e3922bad7f8ff75f7107 (diff)
download	poky-593fe7e35267f665dbb37cc0abcc82be55ac67f8.tar.gz

diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch deleted file mode 100644 index 458c0cc84e..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch +++ /dev/null
@@ -1,52 +0,0 @@
1	From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
2	From: Sergey Popovich <popovich_sergei@mail.ua>
3	Date: Fri, 21 Apr 2017 07:32:23 -0700
4	Subject: [PATCH] update: Compare computed vs expected sha256 digit string
5	ignoring case
6
7	We produce sha256 digest string using %x snprintf()
8	qualifier for each byte of digest which uses alphabetic
9	characters from "a" to "f" in lower case to represent
10	integer values from 10 to 15.
11
12	Previously all of the NVD META files supply sha256
13	digest string for corresponding XML file in lower case.
14
15	However due to some reason this changed recently to
16	provide digest digits in upper case causing fetched
17	data consistency checks to fail. This prevents database
18	from being updated periodically.
19
20	While commit c4f6e94 (update: Do not treat sha256 failure
21	as fatal if requested) adds useful option to skip
22	digest validation at all and thus provides workaround for
23	this situation, it might be unacceptable for some
24	deployments where we need to ensure that downloaded
25	data is consistent before start parsing it and update
26	SQLite database.
27
28	Use strcasecmp() to compare two digest strings case
29	insensitively and addressing this case.
30
31	Upstream-Status: Backport
32	Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
33	---
34	src/update.c \| 2 +-
35	1 file changed, 1 insertion(+), 1 deletion(-)
36
37	diff --git a/src/update.c b/src/update.c
38	index 8588f38..3cc6b67 100644
39	--- a/src/update.c
40	+++ b/src/update.c
41	@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char meta, const char data)
42	snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
43	}
44
45	- ret = streq(csum_meta, csum_data);
46	+ ret = !strcasecmp(csum_meta, csum_data);
47
48	err_unmap:
49	munmap(buffer, length);
50	--
51	2.11.0
52