1 files changed, 40 insertions, 14 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6ffa0c4688..ffd624333f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves):
    conn = sqlite3.connect(db_file)
    c = conn.cursor()
-    query = """SELECT * FROM PRODUCTS WHERE
+    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
-               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
-               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
    for product in products:
        for row in c.execute(query.format(product, pv)):
            cve = row[1]
-            version = row[4]
+            version_start = row[4]
+            operator_start = row[5]
-            try:
+            version_end = row[6]
-                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            operator_end = row[7]
-            except:
-                discardVersion = True
            if pv in cve_whitelist.get(cve, []):
                bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
            elif cve in patched_cves:
                bb.note("%s has been patched" % (cve))
-            elif discardVersion:
-                bb.debug(2, "Do not consider version %s " % (version))
            else:
-                cves_unpatched.append(cve)
+                if (operator_start == '=' and pv == version_start):
+                    cves_unpatched.append(cve)
+                else:
+                    if operator_start:
+                        try:
+                            to_append_start =  (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+                            to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+                        except:
+                            bb.note("%s: Failed to compare %s %s %s for %s" %
+                                    (product, pv, operator_start, version_start, cve))
+                            to_append_start = False
+                    else:
+                        to_append_start = False
+                    if operator_end:
+                        try:
+                            to_append_end  = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+                            to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+                        except:
+                            bb.note("%s: Failed to compare %s %s %s for %s" %
+                                    (product, pv, operator_end, version_end, cve))
+                            to_append_end = False
+                    else:
+                        to_append_end = False
+                    if operator_start and operator_end:
+                        to_append = to_append_start and to_append_end
+                    else:
+                        to_append = to_append_start or to_append_end
+                if to_append:
+                    cves_unpatched.append(cve)
                bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
    conn.close()
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves):
 def get_cve_info(d, cves):
    """
-    Get CVE information from the database used by cve-check-tool.
+    Get CVE information from the database.
    Unfortunately the only way to get CVE info is set the output to
    html (hard to parse) or query directly the database.

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 6ffa0c4688..ffd624333f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
26	CVE_VERSION ??= "${PV}"	26	CVE_VERSION ??= "${PV}"
27		27
28	CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"	28	CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
29	CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"	29	CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
30		30
31	CVE_CHECK_LOG ?= "${T}/cve.log"	31	CVE_CHECK_LOG ?= "${T}/cve.log"
32	CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"	32	CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves):
189	conn = sqlite3.connect(db_file)	189	conn = sqlite3.connect(db_file)
190	c = conn.cursor()	190	c = conn.cursor()
191		191
192	query = """SELECT * FROM PRODUCTS WHERE	192	query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
193	(PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR	193
194	(PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
195	for product in products:	194	for product in products:
196	for row in c.execute(query.format(product, pv)):	195	for row in c.execute(query.format(product, pv)):
197	cve = row[1]	196	cve = row[1]
198	version = row[4]	197	version_start = row[4]
199		198	operator_start = row[5]
200	try:	199	version_end = row[6]
201	discardVersion = LooseVersion(version) < LooseVersion(pv)	200	operator_end = row[7]
202	except:
203	discardVersion = True
204		201
205	if pv in cve_whitelist.get(cve, []):	202	if pv in cve_whitelist.get(cve, []):
206	bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))	203	bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
207	elif cve in patched_cves:	204	elif cve in patched_cves:
208	bb.note("%s has been patched" % (cve))	205	bb.note("%s has been patched" % (cve))
209	elif discardVersion:
210	bb.debug(2, "Do not consider version %s " % (version))
211	else:	206	else:
212	cves_unpatched.append(cve)	207	if (operator_start == '=' and pv == version_start):
		208	cves_unpatched.append(cve)
		209	else:
		210	if operator_start:
		211	try:
		212	to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
		213	to_append_start \|= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
		214	except:
		215	bb.note("%s: Failed to compare %s %s %s for %s" %
		216	(product, pv, operator_start, version_start, cve))
		217	to_append_start = False
		218	else:
		219	to_append_start = False
		220
		221	if operator_end:
		222	try:
		223	to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
		224	to_append_end \|= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
		225	except:
		226	bb.note("%s: Failed to compare %s %s %s for %s" %
		227	(product, pv, operator_end, version_end, cve))
		228	to_append_end = False
		229	else:
		230	to_append_end = False
		231
		232	if operator_start and operator_end:
		233	to_append = to_append_start and to_append_end
		234	else:
		235	to_append = to_append_start or to_append_end
		236
		237	if to_append:
		238	cves_unpatched.append(cve)
213	bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))	239	bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
214	conn.close()	240	conn.close()
215		241
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves):
217		243
218	def get_cve_info(d, cves):	244	def get_cve_info(d, cves):
219	"""	245	"""
220	Get CVE information from the database used by cve-check-tool.	246	Get CVE information from the database.
221		247
222	Unfortunately the only way to get CVE info is set the output to	248	Unfortunately the only way to get CVE info is set the output to
223	html (hard to parse) or query directly the database.	249	html (hard to parse) or query directly the database.