1 files changed, 153 insertions, 1 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ce755f940a..ed4af18ced 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -11,8 +11,13 @@ _Version = collections.namedtuple(
 class Version():
    def __init__(self, version, suffix=None):
+        suffixes = ["alphabetical", "patch"]
        if str(suffix) == "alphabetical":
            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        elif str(suffix) == "patch":
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
        else:
            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
        regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
@@ -23,7 +28,7 @@ class Version():
        self._version = _Version(
            release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
-            patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "",
+            patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
            pre_l=match.group("pre_l"),
            pre_v=match.group("pre_v")
        )
@@ -58,3 +63,150 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
    else:
        _pre = float(pre_v) if pre_v else float('-inf')
    return _release, _patch, _pre
+def cve_check_merge_jsons(output, data):
+    """
+    Merge the data in the "package" property to the main data file
+    output
+    """
+    if output["version"] != data["version"]:
+        bb.error("Version mismatch when merging JSON outputs")
+        return
+    for product in output["package"]:
+        if product["name"] == data["package"][0]["name"]:
+            bb.error("Error adding the same package %s twice" % product["name"])
+            return
+    output["package"].append(data["package"][0])
+def update_symlinks(target_path, link_path):
+    """
+    Update a symbolic link link_path to point to target_path.
+    Remove the link and recreate it if exist and is different.
+    """
+    if link_path != target_path and os.path.exists(target_path):
+        if os.path.exists(os.path.realpath(link_path)):
+            os.remove(link_path)
+        os.symlink(os.path.basename(target_path), link_path)
+def get_patched_cves(d):
+    """
+    Get patches that solve CVEs using the "CVE: " tag.
+    """
+    import re
+    import oe.patch
+    pn = d.getVar("PN")
+    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+    # Matches the last "CVE-YYYY-ID" in the file name, also if written
+    # in lowercase. Possible to have multiple CVE IDs in a single
+    # file name, but only the last one will be detected from the file name.
+    # However, patch files contents addressing multiple CVE IDs are supported
+    # (cve_match regular expression)
+    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+    patched_cves = set()
+    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
+    for url in oe.patch.src_patches(d):
+        patch_file = bb.fetch.decodeurl(url)[2]
+        # Check patch file name for CVE ID
+        fname_match = cve_file_name_match.search(patch_file)
+        if fname_match:
+            cve = fname_match.group(1).upper()
+            patched_cves.add(cve)
+            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+        # Remote patches won't be present and compressed patches won't be
+        # unpacked, so say we're not scanning them
+        if not os.path.isfile(patch_file):
+            bb.note("%s is remote or compressed, not scanning content" % patch_file)
+            continue
+        with open(patch_file, "r", encoding="utf-8") as f:
+            try:
+                patch_text = f.read()
+            except UnicodeDecodeError:
+                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
+                        " trying with iso8859-1" %  patch_file)
+                f.close()
+                with open(patch_file, "r", encoding="iso8859-1") as f:
+                    patch_text = f.read()
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
+            # Get only the CVEs without the "CVE: " tag
+            cves = patch_text[match.start()+5:match.end()]
+            for cve in cves.split():
+                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
+                patched_cves.add(cve)
+                text_match = True
+        if not fname_match and not text_match:
+            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+    return patched_cves
+def get_cpe_ids(cve_product, version):
+    """
+    Get list of CPE identifiers for the given product and version
+    """
+    version = version.split("+git")[0]
+    cpe_ids = []
+    for product in cve_product.split():
+        # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
+        # use wildcard for vendor.
+        if ":" in product:
+            vendor, product = product.split(":", 1)
+        else:
+            vendor = "*"
+        cpe_id = 'cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
+        cpe_ids.append(cpe_id)
+    return cpe_ids
+def convert_cve_version(version):
+    """
+    This function converts from CVE format to Yocto version format.
+    eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+    Unless it is redefined using CVE_VERSION in the recipe,
+    cve_check uses the version in the name of the recipe (${PV})
+    to check vulnerabilities against a CVE in the database downloaded from NVD.
+    When the version has an update, i.e.
+    "p1" in OpenSSH 8.3p1,
+    "-rc1" in linux kernel 6.2-rc1,
+    the database stores the version as version_update (8.3_p1, 6.2_rc1).
+    Therefore, we must transform this version before comparing to the
+    recipe version.
+    In this case, the parameter of the function is 8.3_p1.
+    If the version uses the Release Candidate format, "rc",
+    this function replaces the '_' by '-'.
+    If the version uses the Update format, "p",
+    this function removes the '_' completely.
+    """
+    import re
+    matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+    if not matches:
+        return version
+    version = matches.group(1)
+    update = matches.group(2)
+    if matches.group(3) == "rc":
+        return version + '-' + update
+    return version + update

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ce755f940a..ed4af18ced 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py
@@ -11,8 +11,13 @@ _Version = collections.namedtuple(
11	class Version():	11	class Version():
12		12
13	def __init__(self, version, suffix=None):	13	def __init__(self, version, suffix=None):
		14
		15	suffixes = ["alphabetical", "patch"]
		16
14	if str(suffix) == "alphabetical":	17	if str(suffix) == "alphabetical":
15	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""	18	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
		19	elif str(suffix) == "patch":
		20	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(p\|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
16	else:	21	else:
17	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""	22	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
18	regex = re.compile(r"^\s" + version_pattern + r"\s$", re.VERBOSE \| re.IGNORECASE)	23	regex = re.compile(r"^\s" + version_pattern + r"\s$", re.VERBOSE \| re.IGNORECASE)
@@ -23,7 +28,7 @@ class Version():
23		28
24	self._version = _Version(	29	self._version = _Version(
25	release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),	30	release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
26	patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "",	31	patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
27	pre_l=match.group("pre_l"),	32	pre_l=match.group("pre_l"),
28	pre_v=match.group("pre_v")	33	pre_v=match.group("pre_v")
29	)	34	)
@@ -58,3 +63,150 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
58	else:	63	else:
59	_pre = float(pre_v) if pre_v else float('-inf')	64	_pre = float(pre_v) if pre_v else float('-inf')
60	return _release, _patch, _pre	65	return _release, _patch, _pre
		66
		67	def cve_check_merge_jsons(output, data):
		68	"""
		69	Merge the data in the "package" property to the main data file
		70	output
		71	"""
		72	if output["version"] != data["version"]:
		73	bb.error("Version mismatch when merging JSON outputs")
		74	return
		75
		76	for product in output["package"]:
		77	if product["name"] == data["package"][0]["name"]:
		78	bb.error("Error adding the same package %s twice" % product["name"])
		79	return
		80
		81	output["package"].append(data["package"][0])
		82
		83	def update_symlinks(target_path, link_path):
		84	"""
		85	Update a symbolic link link_path to point to target_path.
		86	Remove the link and recreate it if exist and is different.
		87	"""
		88	if link_path != target_path and os.path.exists(target_path):
		89	if os.path.exists(os.path.realpath(link_path)):
		90	os.remove(link_path)
		91	os.symlink(os.path.basename(target_path), link_path)
		92
		93	def get_patched_cves(d):
		94	"""
		95	Get patches that solve CVEs using the "CVE: " tag.
		96	"""
		97
		98	import re
		99	import oe.patch
		100
		101	pn = d.getVar("PN")
		102	cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
		103
		104	# Matches the last "CVE-YYYY-ID" in the file name, also if written
		105	# in lowercase. Possible to have multiple CVE IDs in a single
		106	# file name, but only the last one will be detected from the file name.
		107	# However, patch files contents addressing multiple CVE IDs are supported
		108	# (cve_match regular expression)
		109
		110	cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
		111
		112	patched_cves = set()
		113	bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
		114	for url in oe.patch.src_patches(d):
		115	patch_file = bb.fetch.decodeurl(url)[2]
		116
		117	# Check patch file name for CVE ID
		118	fname_match = cve_file_name_match.search(patch_file)
		119	if fname_match:
		120	cve = fname_match.group(1).upper()
		121	patched_cves.add(cve)
		122	bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
		123
		124	# Remote patches won't be present and compressed patches won't be
		125	# unpacked, so say we're not scanning them
		126	if not os.path.isfile(patch_file):
		127	bb.note("%s is remote or compressed, not scanning content" % patch_file)
		128	continue
		129
		130	with open(patch_file, "r", encoding="utf-8") as f:
		131	try:
		132	patch_text = f.read()
		133	except UnicodeDecodeError:
		134	bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
		135	" trying with iso8859-1" % patch_file)
		136	f.close()
		137	with open(patch_file, "r", encoding="iso8859-1") as f:
		138	patch_text = f.read()
		139
		140	# Search for one or more "CVE: " lines
		141	text_match = False
		142	for match in cve_match.finditer(patch_text):
		143	# Get only the CVEs without the "CVE: " tag
		144	cves = patch_text[match.start()+5:match.end()]
		145	for cve in cves.split():
		146	bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
		147	patched_cves.add(cve)
		148	text_match = True
		149
		150	if not fname_match and not text_match:
		151	bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
		152
		153	return patched_cves
		154
		155
		156	def get_cpe_ids(cve_product, version):
		157	"""
		158	Get list of CPE identifiers for the given product and version
		159	"""
		160
		161	version = version.split("+git")[0]
		162
		163	cpe_ids = []
		164	for product in cve_product.split():
		165	# CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
		166	# use wildcard for vendor.
		167	if ":" in product:
		168	vendor, product = product.split(":", 1)
		169	else:
		170	vendor = "*"
		171
		172	cpe_id = 'cpe:2.3:a:{}:{}:{}:::::::*'.format(vendor, product, version)
		173	cpe_ids.append(cpe_id)
		174
		175	return cpe_ids
		176
		177	def convert_cve_version(version):
		178	"""
		179	This function converts from CVE format to Yocto version format.
		180	eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
		181
		182	Unless it is redefined using CVE_VERSION in the recipe,
		183	cve_check uses the version in the name of the recipe (${PV})
		184	to check vulnerabilities against a CVE in the database downloaded from NVD.
		185
		186	When the version has an update, i.e.
		187	"p1" in OpenSSH 8.3p1,
		188	"-rc1" in linux kernel 6.2-rc1,
		189	the database stores the version as version_update (8.3_p1, 6.2_rc1).
		190	Therefore, we must transform this version before comparing to the
		191	recipe version.
		192
		193	In this case, the parameter of the function is 8.3_p1.
		194	If the version uses the Release Candidate format, "rc",
		195	this function replaces the '_' by '-'.
		196	If the version uses the Update format, "p",
		197	this function removes the '_' completely.
		198	"""
		199	import re
		200
		201	matches = re.match('^([0-9.]+)_((p\|rc)[0-9]+)$', version)
		202
		203	if not matches:
		204	return version
		205
		206	version = matches.group(1)
		207	update = matches.group(2)
		208
		209	if matches.group(3) == "rc":
		210	return version + '-' + update
		211
		212	return version + update