author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-07-05 11:40:38 +0200 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-09 23:30:44 +0100 |
commit | 8073a9862e95947755861879ea19782316db5bc5 (patch) | |
tree | 782127eb5430470dcf35d17a91199c34ef9d37c6 /meta | |
parent | e7ee189c6a12adde665bbfc60292772d4b791c23 (diff) | |
cve-check: Update unpatched CVE matching
Now that cve-update-db has added CPE information to the NVD database, we can
check for unpatched versions with the operators '<', '<=', '>', and '>='.
(From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed)
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/cve-check.bbclass | 54 |
1 files changed, 40 insertions, 14 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 6ffa0c4688..ffd624333f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}" | |||
26 | CVE_VERSION ??= "${PV}" | 26 | CVE_VERSION ??= "${PV}" |
27 | 27 | ||
28 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" | 28 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" |
29 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db" | 29 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db" |
30 | 30 | ||
31 | CVE_CHECK_LOG ?= "${T}/cve.log" | 31 | CVE_CHECK_LOG ?= "${T}/cve.log" |
32 | CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" | 32 | CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" |
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves): | |||
189 | conn = sqlite3.connect(db_file) | 189 | conn = sqlite3.connect(db_file) |
190 | c = conn.cursor() | 190 | c = conn.cursor() |
191 | 191 | ||
192 | query = """SELECT * FROM PRODUCTS WHERE | 192 | query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';" |
193 | (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR | 193 | |
194 | (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" | ||
195 | for product in products: | 194 | for product in products: |
196 | for row in c.execute(query.format(product, pv)): | 195 | for row in c.execute(query.format(product, pv)): |
197 | cve = row[1] | 196 | cve = row[1] |
198 | version = row[4] | 197 | version_start = row[4] |
199 | 198 | operator_start = row[5] | |
200 | try: | 199 | version_end = row[6] |
201 | discardVersion = LooseVersion(version) < LooseVersion(pv) | 200 | operator_end = row[7] |
202 | except: | ||
203 | discardVersion = True | ||
204 | 201 | ||
205 | if pv in cve_whitelist.get(cve, []): | 202 | if pv in cve_whitelist.get(cve, []): |
206 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) | 203 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) |
207 | elif cve in patched_cves: | 204 | elif cve in patched_cves: |
208 | bb.note("%s has been patched" % (cve)) | 205 | bb.note("%s has been patched" % (cve)) |
209 | elif discardVersion: | ||
210 | bb.debug(2, "Do not consider version %s " % (version)) | ||
211 | else: | 206 | else: |
212 | cves_unpatched.append(cve) | 207 | if (operator_start == '=' and pv == version_start): |
208 | cves_unpatched.append(cve) | ||
209 | else: | ||
210 | if operator_start: | ||
211 | try: | ||
212 | to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) | ||
213 | to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) | ||
214 | except: | ||
215 | bb.note("%s: Failed to compare %s %s %s for %s" % | ||
216 | (product, pv, operator_start, version_start, cve)) | ||
217 | to_append_start = False | ||
218 | else: | ||
219 | to_append_start = False | ||
220 | |||
221 | if operator_end: | ||
222 | try: | ||
223 | to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) | ||
224 | to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) | ||
225 | except: | ||
226 | bb.note("%s: Failed to compare %s %s %s for %s" % | ||
227 | (product, pv, operator_end, version_end, cve)) | ||
228 | to_append_end = False | ||
229 | else: | ||
230 | to_append_end = False | ||
231 | |||
232 | if operator_start and operator_end: | ||
233 | to_append = to_append_start and to_append_end | ||
234 | else: | ||
235 | to_append = to_append_start or to_append_end | ||
236 | |||
237 | if to_append: | ||
238 | cves_unpatched.append(cve) | ||
213 | bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) | 239 | bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) |
214 | conn.close() | 240 | conn.close() |
215 | 241 | ||
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves): | |||
217 | 243 | ||
218 | def get_cve_info(d, cves): | 244 | def get_cve_info(d, cves): |
219 | """ | 245 | """ |
220 | Get CVE information from the database used by cve-check-tool. | 246 | Get CVE information from the database. |
221 | 247 | ||
222 | Unfortunately the only way to get CVE info is set the output to | 248 | Unfortunately the only way to get CVE info is set the output to |
223 | html (hard to parse) or query directly the database. | 249 | html (hard to parse) or query directly the database. |
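Review bot: The bare `except:` at new lines 214 and 225 turns a version string that LooseVersion cannot compare into `to_append_start = False` / `to_append_end = False`, so a CVE whose applicable range the tool cannot evaluate is silently left out of cves_unpatched — a fail-open outcome for a vulnerability scanner, surfaced only at bb.note level. Catching `Exception` (so a KeyboardInterrupt still propagates), warning, and treating the unevaluable bound as matching keeps such CVEs in the report, where a cve_whitelist entry can suppress a confirmed false positive. The PRODUCT lookup at new line 192 is still assembled with str.format from the recipe's product names; sqlite3's `?` placeholder removes any quoting concern and also drops the now-unused pv argument passed to format. The body of check_cves begins before this hunk, so the cursor setup and the final handling of cves_unpatched are not visible here. Whether a bare `=` can also appear in operator_end is not visible from the hunk; if it can, the check at new line 207 only covers it on the start side.
```python
    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS ?;"

    for product in products:
        for row in c.execute(query, (product,)):
            # … unchanged: row unpacking, whitelist and patched-CVE checks …
                    if operator_start:
                        try:
                            to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
                            to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
                        except Exception:
                            # Unparseable bound: keep the CVE in the report rather than drop it;
                            # a cve_whitelist entry is the place to suppress a confirmed false positive.
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_start, version_start, cve))
                            to_append_start = True
                    else:
                        to_append_start = False
                    # … unchanged: operator_end / version_end block, with the same except-and-warn change …
```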