1 files changed, 186 insertions, 1 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ce755f940a..ed5c714cb8 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -1,3 +1,9 @@
+#
+# Copyright OpenEmbedded Contributors
+#
+# SPDX-License-Identifier: MIT
+#
 import collections
 import re
 import itertools
@@ -11,8 +17,13 @@ _Version = collections.namedtuple(
 class Version():
    def __init__(self, version, suffix=None):
+        suffixes = ["alphabetical", "patch"]
        if str(suffix) == "alphabetical":
            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        elif str(suffix) == "patch":
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
        else:
            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
        regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
@@ -23,7 +34,7 @@ class Version():
        self._version = _Version(
            release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
-            patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "",
+            patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
            pre_l=match.group("pre_l"),
            pre_v=match.group("pre_v")
        )
@@ -58,3 +69,177 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
    else:
        _pre = float(pre_v) if pre_v else float('-inf')
    return _release, _patch, _pre
+def get_patched_cves(d):
+    """
+    Get patches that solve CVEs using the "CVE: " tag.
+    """
+    import re
+    import oe.patch
+    cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
+    # Matches the last "CVE-YYYY-ID" in the file name, also if written
+    # in lowercase. Possible to have multiple CVE IDs in a single
+    # file name, but only the last one will be detected from the file name.
+    # However, patch files contents addressing multiple CVE IDs are supported
+    # (cve_match regular expression)
+    cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)
+    patched_cves = set()
+    patches = oe.patch.src_patches(d)
+    bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
+    for url in patches:
+        patch_file = bb.fetch.decodeurl(url)[2]
+        # Check patch file name for CVE ID
+        fname_match = cve_file_name_match.search(patch_file)
+        if fname_match:
+            cve = fname_match.group(1).upper()
+            patched_cves.add(cve)
+            bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file))
+        # Remote patches won't be present and compressed patches won't be
+        # unpacked, so say we're not scanning them
+        if not os.path.isfile(patch_file):
+            bb.note("%s is remote or compressed, not scanning content" % patch_file)
+            continue
+        with open(patch_file, "r", encoding="utf-8") as f:
+            try:
+                patch_text = f.read()
+            except UnicodeDecodeError:
+                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
+                        " trying with iso8859-1" %  patch_file)
+                f.close()
+                with open(patch_file, "r", encoding="iso8859-1") as f:
+                    patch_text = f.read()
+        # Search for one or more "CVE: " lines
+        text_match = False
+        for match in cve_match.finditer(patch_text):
+            # Get only the CVEs without the "CVE: " tag
+            cves = patch_text[match.start()+5:match.end()]
+            for cve in cves.split():
+                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
+                patched_cves.add(cve)
+                text_match = True
+        if not fname_match and not text_match:
+            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
+    # Search for additional patched CVEs
+    for cve in (d.getVarFlags("CVE_STATUS") or {}):
+        decoded_status, _, _ = decode_cve_status(d, cve)
+        if decoded_status == "Patched":
+            bb.debug(2, "CVE %s is additionally patched" % cve)
+            patched_cves.add(cve)
+    return patched_cves
+def get_cpe_ids(cve_product, version):
+    """
+    Get list of CPE identifiers for the given product and version
+    """
+    version = version.split("+git")[0]
+    cpe_ids = []
+    for product in cve_product.split():
+        # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
+        # use wildcard for vendor.
+        if ":" in product:
+            vendor, product = product.split(":", 1)
+        else:
+            vendor = "*"
+        cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
+        cpe_ids.append(cpe_id)
+    return cpe_ids
+def cve_check_merge_jsons(output, data):
+    """
+    Merge the data in the "package" property to the main data file
+    output
+    """
+    if output["version"] != data["version"]:
+        bb.error("Version mismatch when merging JSON outputs")
+        return
+    for product in output["package"]:
+        if product["name"] == data["package"][0]["name"]:
+            bb.error("Error adding the same package %s twice" % product["name"])
+            return
+    output["package"].append(data["package"][0])
+def update_symlinks(target_path, link_path):
+    """
+    Update a symbolic link link_path to point to target_path.
+    Remove the link and recreate it if exist and is different.
+    """
+    if link_path != target_path and os.path.exists(target_path):
+        if os.path.exists(os.path.realpath(link_path)):
+            os.remove(link_path)
+        os.symlink(os.path.basename(target_path), link_path)
+def convert_cve_version(version):
+    """
+    This function converts from CVE format to Yocto version format.
+    eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+    Unless it is redefined using CVE_VERSION in the recipe,
+    cve_check uses the version in the name of the recipe (${PV})
+    to check vulnerabilities against a CVE in the database downloaded from NVD.
+    When the version has an update, i.e.
+    "p1" in OpenSSH 8.3p1,
+    "-rc1" in linux kernel 6.2-rc1,
+    the database stores the version as version_update (8.3_p1, 6.2_rc1).
+    Therefore, we must transform this version before comparing to the
+    recipe version.
+    In this case, the parameter of the function is 8.3_p1.
+    If the version uses the Release Candidate format, "rc",
+    this function replaces the '_' by '-'.
+    If the version uses the Update format, "p",
+    this function removes the '_' completely.
+    """
+    import re
+    matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+    if not matches:
+        return version
+    version = matches.group(1)
+    update = matches.group(2)
+    if matches.group(3) == "rc":
+        return version + '-' + update
+    return version + update
+def decode_cve_status(d, cve):
+    """
+    Convert CVE_STATUS into status, detail and description.
+    """
+    status = d.getVarFlag("CVE_STATUS", cve)
+    if not status:
+        return ("", "", "")
+    status_split = status.split(':', 1)
+    detail = status_split[0]
+    description = status_split[1].strip() if (len(status_split) > 1) else ""
+    status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
+    if status_mapping is None:
+        bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
+        status_mapping = "Unpatched"
+    return (status_mapping, detail, description)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ce755f940a..ed5c714cb8 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py
@@ -1,3 +1,9 @@
		1	#
		2	# Copyright OpenEmbedded Contributors
		3	#
		4	# SPDX-License-Identifier: MIT
		5	#
		6
1	import collections	7	import collections
2	import re	8	import re
3	import itertools	9	import itertools
@@ -11,8 +17,13 @@ _Version = collections.namedtuple(
11	class Version():	17	class Version():
12		18
13	def __init__(self, version, suffix=None):	19	def __init__(self, version, suffix=None):
		20
		21	suffixes = ["alphabetical", "patch"]
		22
14	if str(suffix) == "alphabetical":	23	if str(suffix) == "alphabetical":
15	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""	24	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
		25	elif str(suffix) == "patch":
		26	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(p\|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
16	else:	27	else:
17	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""	28	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
18	regex = re.compile(r"^\s" + version_pattern + r"\s$", re.VERBOSE \| re.IGNORECASE)	29	regex = re.compile(r"^\s" + version_pattern + r"\s$", re.VERBOSE \| re.IGNORECASE)
@@ -23,7 +34,7 @@ class Version():
23		34
24	self._version = _Version(	35	self._version = _Version(
25	release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),	36	release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
26	patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "",	37	patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
27	pre_l=match.group("pre_l"),	38	pre_l=match.group("pre_l"),
28	pre_v=match.group("pre_v")	39	pre_v=match.group("pre_v")
29	)	40	)
@@ -58,3 +69,177 @@ def _cmpkey(release, patch_l, pre_l, pre_v):
58	else:	69	else:
59	_pre = float(pre_v) if pre_v else float('-inf')	70	_pre = float(pre_v) if pre_v else float('-inf')
60	return _release, _patch, _pre	71	return _release, _patch, _pre
		72
		73
		74	def get_patched_cves(d):
		75	"""
		76	Get patches that solve CVEs using the "CVE: " tag.
		77	"""
		78
		79	import re
		80	import oe.patch
		81
		82	cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
		83
		84	# Matches the last "CVE-YYYY-ID" in the file name, also if written
		85	# in lowercase. Possible to have multiple CVE IDs in a single
		86	# file name, but only the last one will be detected from the file name.
		87	# However, patch files contents addressing multiple CVE IDs are supported
		88	# (cve_match regular expression)
		89	cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)
		90
		91	patched_cves = set()
		92	patches = oe.patch.src_patches(d)
		93	bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
		94	for url in patches:
		95	patch_file = bb.fetch.decodeurl(url)[2]
		96
		97	# Check patch file name for CVE ID
		98	fname_match = cve_file_name_match.search(patch_file)
		99	if fname_match:
		100	cve = fname_match.group(1).upper()
		101	patched_cves.add(cve)
		102	bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file))
		103
		104	# Remote patches won't be present and compressed patches won't be
		105	# unpacked, so say we're not scanning them
		106	if not os.path.isfile(patch_file):
		107	bb.note("%s is remote or compressed, not scanning content" % patch_file)
		108	continue
		109
		110	with open(patch_file, "r", encoding="utf-8") as f:
		111	try:
		112	patch_text = f.read()
		113	except UnicodeDecodeError:
		114	bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
		115	" trying with iso8859-1" % patch_file)
		116	f.close()
		117	with open(patch_file, "r", encoding="iso8859-1") as f:
		118	patch_text = f.read()
		119
		120	# Search for one or more "CVE: " lines
		121	text_match = False
		122	for match in cve_match.finditer(patch_text):
		123	# Get only the CVEs without the "CVE: " tag
		124	cves = patch_text[match.start()+5:match.end()]
		125	for cve in cves.split():
		126	bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
		127	patched_cves.add(cve)
		128	text_match = True
		129
		130	if not fname_match and not text_match:
		131	bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
		132
		133	# Search for additional patched CVEs
		134	for cve in (d.getVarFlags("CVE_STATUS") or {}):
		135	decoded_status, _, _ = decode_cve_status(d, cve)
		136	if decoded_status == "Patched":
		137	bb.debug(2, "CVE %s is additionally patched" % cve)
		138	patched_cves.add(cve)
		139
		140	return patched_cves
		141
		142
		143	def get_cpe_ids(cve_product, version):
		144	"""
		145	Get list of CPE identifiers for the given product and version
		146	"""
		147
		148	version = version.split("+git")[0]
		149
		150	cpe_ids = []
		151	for product in cve_product.split():
		152	# CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
		153	# use wildcard for vendor.
		154	if ":" in product:
		155	vendor, product = product.split(":", 1)
		156	else:
		157	vendor = "*"
		158
		159	cpe_id = 'cpe:2.3::{}:{}:{}:::::::'.format(vendor, product, version)
		160	cpe_ids.append(cpe_id)
		161
		162	return cpe_ids
		163
		164	def cve_check_merge_jsons(output, data):
		165	"""
		166	Merge the data in the "package" property to the main data file
		167	output
		168	"""
		169	if output["version"] != data["version"]:
		170	bb.error("Version mismatch when merging JSON outputs")
		171	return
		172
		173	for product in output["package"]:
		174	if product["name"] == data["package"][0]["name"]:
		175	bb.error("Error adding the same package %s twice" % product["name"])
		176	return
		177
		178	output["package"].append(data["package"][0])
		179
		180	def update_symlinks(target_path, link_path):
		181	"""
		182	Update a symbolic link link_path to point to target_path.
		183	Remove the link and recreate it if exist and is different.
		184	"""
		185	if link_path != target_path and os.path.exists(target_path):
		186	if os.path.exists(os.path.realpath(link_path)):
		187	os.remove(link_path)
		188	os.symlink(os.path.basename(target_path), link_path)
		189
		190
		191	def convert_cve_version(version):
		192	"""
		193	This function converts from CVE format to Yocto version format.
		194	eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
		195
		196	Unless it is redefined using CVE_VERSION in the recipe,
		197	cve_check uses the version in the name of the recipe (${PV})
		198	to check vulnerabilities against a CVE in the database downloaded from NVD.
		199
		200	When the version has an update, i.e.
		201	"p1" in OpenSSH 8.3p1,
		202	"-rc1" in linux kernel 6.2-rc1,
		203	the database stores the version as version_update (8.3_p1, 6.2_rc1).
		204	Therefore, we must transform this version before comparing to the
		205	recipe version.
		206
		207	In this case, the parameter of the function is 8.3_p1.
		208	If the version uses the Release Candidate format, "rc",
		209	this function replaces the '_' by '-'.
		210	If the version uses the Update format, "p",
		211	this function removes the '_' completely.
		212	"""
		213	import re
		214
		215	matches = re.match('^([0-9.]+)_((p\|rc)[0-9]+)$', version)
		216
		217	if not matches:
		218	return version
		219
		220	version = matches.group(1)
		221	update = matches.group(2)
		222
		223	if matches.group(3) == "rc":
		224	return version + '-' + update
		225
		226	return version + update
		227
		228	def decode_cve_status(d, cve):
		229	"""
		230	Convert CVE_STATUS into status, detail and description.
		231	"""
		232	status = d.getVarFlag("CVE_STATUS", cve)
		233	if not status:
		234	return ("", "", "")
		235
		236	status_split = status.split(':', 1)
		237	detail = status_split[0]
		238	description = status_split[1].strip() if (len(status_split) > 1) else ""
		239
		240	status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
		241	if status_mapping is None:
		242	bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
		243	status_mapping = "Unpatched"
		244
		245	return (status_mapping, detail, description)