diff options
Diffstat (limited to 'meta/classes/cve-check.bbclass')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 01b3637469..514897e8b8 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -52,17 +52,20 @@ python do_cve_check () { | |||
| 52 | """ | 52 | """ |
| 53 | 53 | ||
| 54 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): | 54 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): |
| 55 | patched_cves = get_patches_cves(d) | 55 | try: |
| 56 | patched, unpatched = check_cves(d, patched_cves) | 56 | patched_cves = get_patches_cves(d) |
| 57 | except FileNotFoundError: | ||
| 58 | bb.fatal("Failure in searching patches") | ||
| 59 | whitelisted, patched, unpatched = check_cves(d, patched_cves) | ||
| 57 | if patched or unpatched: | 60 | if patched or unpatched: |
| 58 | cve_data = get_cve_info(d, patched + unpatched) | 61 | cve_data = get_cve_info(d, patched + unpatched) |
| 59 | cve_write_data(d, patched, unpatched, cve_data) | 62 | cve_write_data(d, patched, unpatched, whitelisted, cve_data) |
| 60 | else: | 63 | else: |
| 61 | bb.note("No CVE database found, skipping CVE check") | 64 | bb.note("No CVE database found, skipping CVE check") |
| 62 | 65 | ||
| 63 | } | 66 | } |
| 64 | 67 | ||
| 65 | addtask cve_check before do_build | 68 | addtask cve_check before do_build after do_fetch |
| 66 | do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db" | 69 | do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db" |
| 67 | do_cve_check[nostamp] = "1" | 70 | do_cve_check[nostamp] = "1" |
| 68 | 71 | ||
| @@ -129,6 +132,10 @@ def get_patches_cves(d): | |||
| 129 | for url in src_patches(d): | 132 | for url in src_patches(d): |
| 130 | patch_file = bb.fetch.decodeurl(url)[2] | 133 | patch_file = bb.fetch.decodeurl(url)[2] |
| 131 | 134 | ||
| 135 | if not os.path.isfile(patch_file): | ||
| 136 | bb.error("File Not found: %s" % patch_file) | ||
| 137 | raise FileNotFoundError | ||
| 138 | |||
| 132 | # Check patch file name for CVE ID | 139 | # Check patch file name for CVE ID |
| 133 | fname_match = cve_file_name_match.search(patch_file) | 140 | fname_match = cve_file_name_match.search(patch_file) |
| 134 | if fname_match: | 141 | if fname_match: |
| @@ -172,13 +179,13 @@ def check_cves(d, patched_cves): | |||
| 172 | products = d.getVar("CVE_PRODUCT").split() | 179 | products = d.getVar("CVE_PRODUCT").split() |
| 173 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) | 180 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) |
| 174 | if not products: | 181 | if not products: |
| 175 | return ([], []) | 182 | return ([], [], []) |
| 176 | pv = d.getVar("CVE_VERSION").split("+git")[0] | 183 | pv = d.getVar("CVE_VERSION").split("+git")[0] |
| 177 | 184 | ||
| 178 | # If the recipe has been whitlisted we return empty lists | 185 | # If the recipe has been whitlisted we return empty lists |
| 179 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): | 186 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): |
| 180 | bb.note("Recipe has been whitelisted, skipping check") | 187 | bb.note("Recipe has been whitelisted, skipping check") |
| 181 | return ([], []) | 188 | return ([], [], []) |
| 182 | 189 | ||
| 183 | old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST") | 190 | old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST") |
| 184 | if old_cve_whitelist: | 191 | if old_cve_whitelist: |
| @@ -214,7 +221,7 @@ def check_cves(d, patched_cves): | |||
| 214 | (_, _, _, version_start, operator_start, version_end, operator_end) = row | 221 | (_, _, _, version_start, operator_start, version_end, operator_end) = row |
| 215 | #bb.debug(2, "Evaluating row " + str(row)) | 222 | #bb.debug(2, "Evaluating row " + str(row)) |
| 216 | 223 | ||
| 217 | if (operator_start == '=' and pv == version_start): | 224 | if (operator_start == '=' and pv == version_start) or version_start == '-': |
| 218 | vulnerable = True | 225 | vulnerable = True |
| 219 | else: | 226 | else: |
| 220 | if operator_start: | 227 | if operator_start: |
| @@ -256,7 +263,7 @@ def check_cves(d, patched_cves): | |||
| 256 | 263 | ||
| 257 | conn.close() | 264 | conn.close() |
| 258 | 265 | ||
| 259 | return (list(patched_cves), cves_unpatched) | 266 | return (list(cve_whitelist), list(patched_cves), cves_unpatched) |
| 260 | 267 | ||
| 261 | def get_cve_info(d, cves): | 268 | def get_cve_info(d, cves): |
| 262 | """ | 269 | """ |
| @@ -280,7 +287,7 @@ def get_cve_info(d, cves): | |||
| 280 | conn.close() | 287 | conn.close() |
| 281 | return cve_data | 288 | return cve_data |
| 282 | 289 | ||
| 283 | def cve_write_data(d, patched, unpatched, cve_data): | 290 | def cve_write_data(d, patched, unpatched, whitelisted, cve_data): |
| 284 | """ | 291 | """ |
| 285 | Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and | 292 | Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and |
| 286 | CVE manifest if enabled. | 293 | CVE manifest if enabled. |
| @@ -294,9 +301,11 @@ def cve_write_data(d, patched, unpatched, cve_data): | |||
| 294 | 301 | ||
| 295 | for cve in sorted(cve_data): | 302 | for cve in sorted(cve_data): |
| 296 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") | 303 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") |
| 297 | write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV") | 304 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) |
| 298 | write_string += "CVE: %s\n" % cve | 305 | write_string += "CVE: %s\n" % cve |
| 299 | if cve in patched: | 306 | if cve in whitelisted: |
| 307 | write_string += "CVE STATUS: Whitelisted\n" | ||
| 308 | elif cve in patched: | ||
| 300 | write_string += "CVE STATUS: Patched\n" | 309 | write_string += "CVE STATUS: Patched\n" |
| 301 | else: | 310 | else: |
| 302 | unpatched_cves.append(cve) | 311 | unpatched_cves.append(cve) |