authorJoshua Watt <JPEWhacker@gmail.com>2021-08-11 09:51:58 -0500
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-08-13 14:44:06 +0100
commitfa6c07bc1a585f204dbdc28704f61448edb8fdc8 (patch)
tree19f6807449c6fc9893bede34fefffddce590800c /meta
parent3ae80177fb78799f6b42240a6ac8fb4753521aec (diff)
downloadpoky-fa6c07bc1a585f204dbdc28704f61448edb8fdc8.tar.gz
classes/cve-check: Move get_patches_cves to library
Moving the function will allow other classes to capture which CVEs have been patched, in particular SBoM generation. Also add a function to capture the CPE ID from the CVE Product and Version (From OE-Core rev: 75d34259a715120be1d023e4fd7b6b4b125f2443) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/cve-check.bbclass62
-rw-r--r--meta/lib/oe/cve_check.py83
2 files changed, 85 insertions, 60 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 04d19f53fd..70d1988a70 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -94,10 +94,11 @@ python do_cve_check () {
94 """ 94 """
95 Check recipe for patched and unpatched CVEs 95 Check recipe for patched and unpatched CVEs
96 """ 96 """
97 from oe.cve_check import get_patched_cves
97 98
98 if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): 99 if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
99 try: 100 try:
100 patched_cves = get_patches_cves(d) 101 patched_cves = get_patched_cves(d)
101 except FileNotFoundError: 102 except FileNotFoundError:
102 bb.fatal("Failure in searching patches") 103 bb.fatal("Failure in searching patches")
103 whitelisted, patched, unpatched = check_cves(d, patched_cves) 104 whitelisted, patched, unpatched = check_cves(d, patched_cves)
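Review bot: The bbclass drops the old `get_patches_cves` name without leaving an alias, so any out-of-tree class or layer that called it directly will fail after this change; if that compatibility matters, keep a one-line deprecated shim at module level, `def get_patches_cves(d): from oe.cve_check import get_patched_cves; return get_patched_cves(d)`, and remove it in a later release. The function-scope import added here is fine for a bitbake python task, but note that it is the only place the new name is bound, which is why the shim needs its own import. do_cve_check starts and ends outside this hunk; the `except FileNotFoundError` it keeps now relies on the library function raising a bare `FileNotFoundError` with no path attached, so the `bb.fatal("Failure in searching patches")` message still gives no filename beyond the earlier `bb.error` log line.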
@@ -156,65 +157,6 @@ python cve_check_write_rootfs_manifest () {
156ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" 157ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
157do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" 158do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
158 159
159def get_patches_cves(d):
160 """
161 Get patches that solve CVEs using the "CVE: " tag.
162 """
163
164 import re
165
166 pn = d.getVar("PN")
167 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
168
169 # Matches the last "CVE-YYYY-ID" in the file name, also if written
170 # in lowercase. Possible to have multiple CVE IDs in a single
171 # file name, but only the last one will be detected from the file name.
172 # However, patch files contents addressing multiple CVE IDs are supported
173 # (cve_match regular expression)
174
175 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
176
177 patched_cves = set()
178 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
179 for url in src_patches(d):
180 patch_file = bb.fetch.decodeurl(url)[2]
181
182 if not os.path.isfile(patch_file):
183 bb.error("File Not found: %s" % patch_file)
184 raise FileNotFoundError
185
186 # Check patch file name for CVE ID
187 fname_match = cve_file_name_match.search(patch_file)
188 if fname_match:
189 cve = fname_match.group(1).upper()
190 patched_cves.add(cve)
191 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
192
193 with open(patch_file, "r", encoding="utf-8") as f:
194 try:
195 patch_text = f.read()
196 except UnicodeDecodeError:
197 bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
198 " trying with iso8859-1" % patch_file)
199 f.close()
200 with open(patch_file, "r", encoding="iso8859-1") as f:
201 patch_text = f.read()
202
203 # Search for one or more "CVE: " lines
204 text_match = False
205 for match in cve_match.finditer(patch_text):
206 # Get only the CVEs without the "CVE: " tag
207 cves = patch_text[match.start()+5:match.end()]
208 for cve in cves.split():
209 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
210 patched_cves.add(cve)
211 text_match = True
212
213 if not fname_match and not text_match:
214 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
215
216 return patched_cves
217
218def check_cves(d, patched_cves): 160def check_cves(d, patched_cves):
219 """ 161 """
220 Connect to the NVD database and find unpatched cves. 162 Connect to the NVD database and find unpatched cves.
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index a1d7c292af..0302beeb4a 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -63,3 +63,86 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
63 else: 63 else:
64 _pre = float(pre_v) if pre_v else float('-inf') 64 _pre = float(pre_v) if pre_v else float('-inf')
65 return _release, _patch, _pre 65 return _release, _patch, _pre
66
67
68def get_patched_cves(d):
69 """
70 Get patches that solve CVEs using the "CVE: " tag.
71 """
72
73 import re
74 import oe.patch
75
76 pn = d.getVar("PN")
77 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
78
79 # Matches the last "CVE-YYYY-ID" in the file name, also if written
80 # in lowercase. Possible to have multiple CVE IDs in a single
81 # file name, but only the last one will be detected from the file name.
82 # However, patch files contents addressing multiple CVE IDs are supported
83 # (cve_match regular expression)
84
85 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
86
87 patched_cves = set()
88 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
89 for url in oe.patch.src_patches(d):
90 patch_file = bb.fetch.decodeurl(url)[2]
91
92 if not os.path.isfile(patch_file):
93 bb.error("File Not found: %s" % patch_file)
94 raise FileNotFoundError
95
96 # Check patch file name for CVE ID
97 fname_match = cve_file_name_match.search(patch_file)
98 if fname_match:
99 cve = fname_match.group(1).upper()
100 patched_cves.add(cve)
101 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
102
103 with open(patch_file, "r", encoding="utf-8") as f:
104 try:
105 patch_text = f.read()
106 except UnicodeDecodeError:
107 bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
108 " trying with iso8859-1" % patch_file)
109 f.close()
110 with open(patch_file, "r", encoding="iso8859-1") as f:
111 patch_text = f.read()
112
113 # Search for one or more "CVE: " lines
114 text_match = False
115 for match in cve_match.finditer(patch_text):
116 # Get only the CVEs without the "CVE: " tag
117 cves = patch_text[match.start()+5:match.end()]
118 for cve in cves.split():
119 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
120 patched_cves.add(cve)
121 text_match = True
122
123 if not fname_match and not text_match:
124 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
125
126 return patched_cves
127
128
129def get_cpe_ids(cve_product, version):
130 """
131 Get list of CPE identifiers for the given product and version
132 """
133
134 version = version.split("+git")[0]
135
136 cpe_ids = []
137 for product in cve_product.split():
138 # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
139 # use wildcard for vendor.
140 if ":" in product:
141 vendor, product = product.split(":", 1)
142 else:
143 vendor = "*"
144
145 cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*'
146 cpe_ids.append(cpe_id)
147
148 return cpe_ids
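Review bot: The two patterns in get_patched_cves are ordinary (non-raw) strings containing `\-` and `\d`, which CPython flags as invalid escape sequences (DeprecationWarning, a SyntaxWarning from 3.12); they should be raw strings, `cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")` and `cve_file_name_match = re.compile(r".*([Cc][Vv][Ee]-\d{4}-\d+)")`, where the hyphen needs no escaping at all. The same function calls `os.path.isfile`, `bb.error`, `bb.debug` and `bb.fetch.decodeurl` while importing only `re` and `oe.patch` locally; the bbclass it was moved from had `os` and `bb` in scope implicitly, and the module's top-level imports lie outside this hunk, so confirm they are bound in cve_check.py. Note too that `cve_file_name_match` is applied to the full decoded path rather than the basename, so a directory component that looks like a CVE ID would be recorded as patched; if that is not intended, search `os.path.basename(patch_file)` instead. In get_cpe_ids the vendor, product and version are interpolated into the CPE 2.3 string verbatim, so a `:` or `*` in PV or CVE_PRODUCT would silently change the meaning of the identifier; a one-line comment stating that callers are expected to supply clean values, or a check that rejects those characters, would make the contract explicit.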