diff options
-rw-r--r-- | meta/classes/cve-check.bbclass | 13 | ||||
-rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 51 |
2 files changed, 37 insertions, 27 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c0d4e2a972..4fc4e545e4 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -290,7 +290,8 @@ def check_cves(d, patched_cves): | |||
290 | vendor = "%" | 290 | vendor = "%" |
291 | 291 | ||
292 | # Find all relevant CVE IDs. | 292 | # Find all relevant CVE IDs. |
293 | for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)): | 293 | cve_cursor = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)) |
294 | for cverow in cve_cursor: | ||
294 | cve = cverow[0] | 295 | cve = cverow[0] |
295 | 296 | ||
296 | if cve in cve_whitelist: | 297 | if cve in cve_whitelist: |
@@ -309,7 +310,8 @@ def check_cves(d, patched_cves): | |||
309 | vulnerable = False | 310 | vulnerable = False |
310 | ignored = False | 311 | ignored = False |
311 | 312 | ||
312 | for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): | 313 | product_cursor = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)) |
314 | for row in product_cursor: | ||
313 | (_, _, _, version_start, operator_start, version_end, operator_end) = row | 315 | (_, _, _, version_start, operator_start, version_end, operator_end) = row |
314 | #bb.debug(2, "Evaluating row " + str(row)) | 316 | #bb.debug(2, "Evaluating row " + str(row)) |
315 | if cve in cve_whitelist: | 317 | if cve in cve_whitelist: |
@@ -353,10 +355,12 @@ def check_cves(d, patched_cves): | |||
353 | bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) | 355 | bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) |
354 | cves_unpatched.append(cve) | 356 | cves_unpatched.append(cve) |
355 | break | 357 | break |
358 | product_cursor.close() | ||
356 | 359 | ||
357 | if not vulnerable: | 360 | if not vulnerable: |
358 | bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) | 361 | bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) |
359 | patched_cves.add(cve) | 362 | patched_cves.add(cve) |
363 | cve_cursor.close() | ||
360 | 364 | ||
361 | if not cves_in_product: | 365 | if not cves_in_product: |
362 | bb.note("No CVE records found for product %s, pn %s" % (product, pn)) | 366 | bb.note("No CVE records found for product %s, pn %s" % (product, pn)) |
@@ -378,14 +382,15 @@ def get_cve_info(d, cves): | |||
378 | conn = sqlite3.connect(db_file, uri=True) | 382 | conn = sqlite3.connect(db_file, uri=True) |
379 | 383 | ||
380 | for cve in cves: | 384 | for cve in cves: |
381 | for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)): | 385 | cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)) |
386 | for row in cursor: | ||
382 | cve_data[row[0]] = {} | 387 | cve_data[row[0]] = {} |
383 | cve_data[row[0]]["summary"] = row[1] | 388 | cve_data[row[0]]["summary"] = row[1] |
384 | cve_data[row[0]]["scorev2"] = row[2] | 389 | cve_data[row[0]]["scorev2"] = row[2] |
385 | cve_data[row[0]]["scorev3"] = row[3] | 390 | cve_data[row[0]]["scorev3"] = row[3] |
386 | cve_data[row[0]]["modified"] = row[4] | 391 | cve_data[row[0]]["modified"] = row[4] |
387 | cve_data[row[0]]["vector"] = row[5] | 392 | cve_data[row[0]]["vector"] = row[5] |
388 | 393 | cursor.close() | |
389 | conn.close() | 394 | conn.close() |
390 | return cve_data | 395 | return cve_data |
391 | 396 | ||
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index a49f446a53..85874ead01 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb | |||
@@ -65,9 +65,7 @@ python do_fetch() { | |||
65 | 65 | ||
66 | # Connect to database | 66 | # Connect to database |
67 | conn = sqlite3.connect(db_file) | 67 | conn = sqlite3.connect(db_file) |
68 | c = conn.cursor() | 68 | initialize_db(conn) |
69 | |||
70 | initialize_db(c) | ||
71 | 69 | ||
72 | with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: | 70 | with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: |
73 | total_years = date.today().year + 1 - YEAR_START | 71 | total_years = date.today().year + 1 - YEAR_START |
@@ -96,18 +94,20 @@ python do_fetch() { | |||
96 | return | 94 | return |
97 | 95 | ||
98 | # Compare with current db last modified date | 96 | # Compare with current db last modified date |
99 | c.execute("select DATE from META where YEAR = ?", (year,)) | 97 | cursor = conn.execute("select DATE from META where YEAR = ?", (year,)) |
100 | meta = c.fetchone() | 98 | meta = cursor.fetchone() |
99 | cursor.close() | ||
100 | |||
101 | if not meta or meta[0] != last_modified: | 101 | if not meta or meta[0] != last_modified: |
102 | # Clear products table entries corresponding to current year | 102 | # Clear products table entries corresponding to current year |
103 | c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)) | 103 | conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close() |
104 | 104 | ||
105 | # Update db with current year json file | 105 | # Update db with current year json file |
106 | try: | 106 | try: |
107 | response = urllib.request.urlopen(json_url) | 107 | response = urllib.request.urlopen(json_url) |
108 | if response: | 108 | if response: |
109 | update_db(c, gzip.decompress(response.read()).decode('utf-8')) | 109 | update_db(conn, gzip.decompress(response.read()).decode('utf-8')) |
110 | c.execute("insert or replace into META values (?, ?)", [year, last_modified]) | 110 | conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() |
111 | except urllib.error.URLError as e: | 111 | except urllib.error.URLError as e: |
112 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') | 112 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') |
113 | bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) | 113 | bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) |
@@ -125,21 +125,26 @@ do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" | |||
125 | do_fetch[file-checksums] = "" | 125 | do_fetch[file-checksums] = "" |
126 | do_fetch[vardeps] = "" | 126 | do_fetch[vardeps] = "" |
127 | 127 | ||
128 | def initialize_db(c): | 128 | def initialize_db(conn): |
129 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") | 129 | with conn: |
130 | c = conn.cursor() | ||
131 | |||
132 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") | ||
133 | |||
134 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ | ||
135 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") | ||
130 | 136 | ||
131 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ | 137 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ |
132 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") | 138 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ |
139 | VERSION_END TEXT, OPERATOR_END TEXT)") | ||
140 | c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") | ||
133 | 141 | ||
134 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ | 142 | c.close() |
135 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ | ||
136 | VERSION_END TEXT, OPERATOR_END TEXT)") | ||
137 | c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") | ||
138 | 143 | ||
139 | def parse_node_and_insert(c, node, cveId): | 144 | def parse_node_and_insert(conn, node, cveId): |
140 | # Parse children node if needed | 145 | # Parse children node if needed |
141 | for child in node.get('children', ()): | 146 | for child in node.get('children', ()): |
142 | parse_node_and_insert(c, child, cveId) | 147 | parse_node_and_insert(conn, child, cveId) |
143 | 148 | ||
144 | def cpe_generator(): | 149 | def cpe_generator(): |
145 | for cpe in node.get('cpe_match', ()): | 150 | for cpe in node.get('cpe_match', ()): |
@@ -196,9 +201,9 @@ def parse_node_and_insert(c, node, cveId): | |||
196 | # Save processing by representing as -. | 201 | # Save processing by representing as -. |
197 | yield [cveId, vendor, product, '-', '', '', ''] | 202 | yield [cveId, vendor, product, '-', '', '', ''] |
198 | 203 | ||
199 | c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()) | 204 | conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close() |
200 | 205 | ||
201 | def update_db(c, jsondata): | 206 | def update_db(conn, jsondata): |
202 | import json | 207 | import json |
203 | root = json.loads(jsondata) | 208 | root = json.loads(jsondata) |
204 | 209 | ||
@@ -222,12 +227,12 @@ def update_db(c, jsondata): | |||
222 | accessVector = accessVector or "UNKNOWN" | 227 | accessVector = accessVector or "UNKNOWN" |
223 | cvssv3 = 0.0 | 228 | cvssv3 = 0.0 |
224 | 229 | ||
225 | c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", | 230 | conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", |
226 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) | 231 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() |
227 | 232 | ||
228 | configurations = elt['configurations']['nodes'] | 233 | configurations = elt['configurations']['nodes'] |
229 | for config in configurations: | 234 | for config in configurations: |
230 | parse_node_and_insert(c, config, cveId) | 235 | parse_node_and_insert(conn, config, cveId) |
231 | 236 | ||
232 | 237 | ||
233 | do_fetch[nostamp] = "1" | 238 | do_fetch[nostamp] = "1" |