Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- | meta/classes/cve-check.bbclass | 44 |
1 files changed, 36 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 25cefda92e..112ee3379d 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -53,6 +53,16 @@ CVE_CHECK_PN_WHITELIST ?= "" | |||
53 | # | 53 | # |
54 | CVE_CHECK_WHITELIST ?= "" | 54 | CVE_CHECK_WHITELIST ?= "" |
55 | 55 | ||
56 | # Layers to be excluded | ||
57 | CVE_CHECK_LAYER_EXCLUDELIST ??= "" | ||
58 | |||
59 | # Layers to be included | ||
60 | CVE_CHECK_LAYER_INCLUDELIST ??= "" | ||
61 | |||
62 | |||
63 | # set to "alphabetical" for version using single alphabetical character as increament release | ||
64 | CVE_VERSION_SUFFIX ??= "" | ||
65 | |||
56 | python cve_save_summary_handler () { | 66 | python cve_save_summary_handler () { |
57 | import shutil | 67 | import shutil |
58 | import datetime | 68 | import datetime |
@@ -206,7 +216,11 @@ def check_cves(d, patched_cves): | |||
206 | """ | 216 | """ |
207 | Connect to the NVD database and find unpatched cves. | 217 | Connect to the NVD database and find unpatched cves. |
208 | """ | 218 | """ |
209 | from distutils.version import LooseVersion | 219 | from oe.cve_check import Version |
220 | |||
221 | pn = d.getVar("PN") | ||
222 | real_pv = d.getVar("PV") | ||
223 | suffix = d.getVar("CVE_VERSION_SUFFIX") | ||
210 | 224 | ||
211 | cves_unpatched = [] | 225 | cves_unpatched = [] |
212 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) | 226 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) |
@@ -217,7 +231,7 @@ def check_cves(d, patched_cves): | |||
217 | pv = d.getVar("CVE_VERSION").split("+git")[0] | 231 | pv = d.getVar("CVE_VERSION").split("+git")[0] |
218 | 232 | ||
219 | # If the recipe has been whitlisted we return empty lists | 233 | # If the recipe has been whitlisted we return empty lists |
220 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): | 234 | if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): |
221 | bb.note("Recipe has been whitelisted, skipping check") | 235 | bb.note("Recipe has been whitelisted, skipping check") |
222 | return ([], [], []) | 236 | return ([], [], []) |
223 | 237 | ||
@@ -260,8 +274,8 @@ def check_cves(d, patched_cves): | |||
260 | else: | 274 | else: |
261 | if operator_start: | 275 | if operator_start: |
262 | try: | 276 | try: |
263 | vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) | 277 | vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix)) |
264 | vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) | 278 | vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix)) |
265 | except: | 279 | except: |
266 | bb.warn("%s: Failed to compare %s %s %s for %s" % | 280 | bb.warn("%s: Failed to compare %s %s %s for %s" % |
267 | (product, pv, operator_start, version_start, cve)) | 281 | (product, pv, operator_start, version_start, cve)) |
@@ -271,8 +285,8 @@ def check_cves(d, patched_cves): | |||
271 | 285 | ||
272 | if operator_end: | 286 | if operator_end: |
273 | try: | 287 | try: |
274 | vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) | 288 | vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) ) |
275 | vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) | 289 | vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) ) |
276 | except: | 290 | except: |
277 | bb.warn("%s: Failed to compare %s %s %s for %s" % | 291 | bb.warn("%s: Failed to compare %s %s %s for %s" % |
278 | (product, pv, operator_end, version_end, cve)) | 292 | (product, pv, operator_end, version_end, cve)) |
@@ -286,12 +300,12 @@ def check_cves(d, patched_cves): | |||
286 | vulnerable = vulnerable_start or vulnerable_end | 300 | vulnerable = vulnerable_start or vulnerable_end |
287 | 301 | ||
288 | if vulnerable: | 302 | if vulnerable: |
289 | bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) | 303 | bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) |
290 | cves_unpatched.append(cve) | 304 | cves_unpatched.append(cve) |
291 | break | 305 | break |
292 | 306 | ||
293 | if not vulnerable: | 307 | if not vulnerable: |
294 | bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) | 308 | bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) |
295 | # TODO: not patched but not vulnerable | 309 | # TODO: not patched but not vulnerable |
296 | patched_cves.add(cve) | 310 | patched_cves.add(cve) |
297 | 311 | ||
@@ -327,7 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
327 | CVE manifest if enabled. | 341 | CVE manifest if enabled. |
328 | """ | 342 | """ |
329 | 343 | ||
344 | |||
330 | cve_file = d.getVar("CVE_CHECK_LOG") | 345 | cve_file = d.getVar("CVE_CHECK_LOG") |
346 | fdir_name = d.getVar("FILE_DIRNAME") | ||
347 | layer = fdir_name.split("/")[-3] | ||
348 | |||
349 | include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() | ||
350 | exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() | ||
351 | |||
352 | if exclude_layers and layer in exclude_layers: | ||
353 | return | ||
354 | |||
355 | if include_layers and layer not in include_layers: | ||
356 | return | ||
357 | |||
331 | nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" | 358 | nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" |
332 | write_string = "" | 359 | write_string = "" |
333 | unpatched_cves = [] | 360 | unpatched_cves = [] |
@@ -337,6 +364,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
337 | is_patched = cve in patched | 364 | is_patched = cve in patched |
338 | if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): | 365 | if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): |
339 | continue | 366 | continue |
367 | write_string += "LAYER: %s\n" % layer | ||
340 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") | 368 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") |
341 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) | 369 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) |
342 | write_string += "CVE: %s\n" % cve | 370 | write_string += "CVE: %s\n" % cve |