diff options
Diffstat (limited to 'meta/lib/oe/cve_check.py')
-rw-r--r-- | meta/lib/oe/cve_check.py | 187 |
1 files changed, 186 insertions, 1 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ce755f940a..ed5c714cb8 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
@@ -1,3 +1,9 @@ | |||
1 | # | ||
2 | # Copyright OpenEmbedded Contributors | ||
3 | # | ||
4 | # SPDX-License-Identifier: MIT | ||
5 | # | ||
6 | |||
1 | import collections | 7 | import collections |
2 | import re | 8 | import re |
3 | import itertools | 9 | import itertools |
@@ -11,8 +17,13 @@ _Version = collections.namedtuple( | |||
11 | class Version(): | 17 | class Version(): |
12 | 18 | ||
13 | def __init__(self, version, suffix=None): | 19 | def __init__(self, version, suffix=None): |
20 | |||
21 | suffixes = ["alphabetical", "patch"] | ||
22 | |||
14 | if str(suffix) == "alphabetical": | 23 | if str(suffix) == "alphabetical": |
15 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" | 24 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
25 | elif str(suffix) == "patch": | ||
26 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" | ||
16 | else: | 27 | else: |
17 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" | 28 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
18 | regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) | 29 | regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) |
@@ -23,7 +34,7 @@ class Version(): | |||
23 | 34 | ||
24 | self._version = _Version( | 35 | self._version = _Version( |
25 | release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), | 36 | release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), |
26 | patch_l=match.group("patch_l") if str(suffix) == "alphabetical" and match.group("patch_l") else "", | 37 | patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", |
27 | pre_l=match.group("pre_l"), | 38 | pre_l=match.group("pre_l"), |
28 | pre_v=match.group("pre_v") | 39 | pre_v=match.group("pre_v") |
29 | ) | 40 | ) |
@@ -58,3 +69,177 @@ def _cmpkey(release, patch_l, pre_l, pre_v): | |||
58 | else: | 69 | else: |
59 | _pre = float(pre_v) if pre_v else float('-inf') | 70 | _pre = float(pre_v) if pre_v else float('-inf') |
60 | return _release, _patch, _pre | 71 | return _release, _patch, _pre |
72 | |||
73 | |||
74 | def get_patched_cves(d): | ||
75 | """ | ||
76 | Get patches that solve CVEs using the "CVE: " tag. | ||
77 | """ | ||
78 | |||
79 | import re | ||
80 | import oe.patch | ||
81 | |||
82 | cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") | ||
83 | |||
84 | # Matches the last "CVE-YYYY-ID" in the file name, also if written | ||
85 | # in lowercase. Possible to have multiple CVE IDs in a single | ||
86 | # file name, but only the last one will be detected from the file name. | ||
87 | # However, patch files contents addressing multiple CVE IDs are supported | ||
88 | # (cve_match regular expression) | ||
89 | cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) | ||
90 | |||
91 | patched_cves = set() | ||
92 | patches = oe.patch.src_patches(d) | ||
93 | bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) | ||
94 | for url in patches: | ||
95 | patch_file = bb.fetch.decodeurl(url)[2] | ||
96 | |||
97 | # Check patch file name for CVE ID | ||
98 | fname_match = cve_file_name_match.search(patch_file) | ||
99 | if fname_match: | ||
100 | cve = fname_match.group(1).upper() | ||
101 | patched_cves.add(cve) | ||
102 | bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) | ||
103 | |||
104 | # Remote patches won't be present and compressed patches won't be | ||
105 | # unpacked, so say we're not scanning them | ||
106 | if not os.path.isfile(patch_file): | ||
107 | bb.note("%s is remote or compressed, not scanning content" % patch_file) | ||
108 | continue | ||
109 | |||
110 | with open(patch_file, "r", encoding="utf-8") as f: | ||
111 | try: | ||
112 | patch_text = f.read() | ||
113 | except UnicodeDecodeError: | ||
114 | bb.debug(1, "Failed to read patch %s using UTF-8 encoding" | ||
115 | " trying with iso8859-1" % patch_file) | ||
116 | f.close() | ||
117 | with open(patch_file, "r", encoding="iso8859-1") as f: | ||
118 | patch_text = f.read() | ||
119 | |||
120 | # Search for one or more "CVE: " lines | ||
121 | text_match = False | ||
122 | for match in cve_match.finditer(patch_text): | ||
123 | # Get only the CVEs without the "CVE: " tag | ||
124 | cves = patch_text[match.start()+5:match.end()] | ||
125 | for cve in cves.split(): | ||
126 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) | ||
127 | patched_cves.add(cve) | ||
128 | text_match = True | ||
129 | |||
130 | if not fname_match and not text_match: | ||
131 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) | ||
132 | |||
133 | # Search for additional patched CVEs | ||
134 | for cve in (d.getVarFlags("CVE_STATUS") or {}): | ||
135 | decoded_status, _, _ = decode_cve_status(d, cve) | ||
136 | if decoded_status == "Patched": | ||
137 | bb.debug(2, "CVE %s is additionally patched" % cve) | ||
138 | patched_cves.add(cve) | ||
139 | |||
140 | return patched_cves | ||
141 | |||
142 | |||
143 | def get_cpe_ids(cve_product, version): | ||
144 | """ | ||
145 | Get list of CPE identifiers for the given product and version | ||
146 | """ | ||
147 | |||
148 | version = version.split("+git")[0] | ||
149 | |||
150 | cpe_ids = [] | ||
151 | for product in cve_product.split(): | ||
152 | # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, | ||
153 | # use wildcard for vendor. | ||
154 | if ":" in product: | ||
155 | vendor, product = product.split(":", 1) | ||
156 | else: | ||
157 | vendor = "*" | ||
158 | |||
159 | cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version) | ||
160 | cpe_ids.append(cpe_id) | ||
161 | |||
162 | return cpe_ids | ||
163 | |||
164 | def cve_check_merge_jsons(output, data): | ||
165 | """ | ||
166 | Merge the data in the "package" property to the main data file | ||
167 | output | ||
168 | """ | ||
169 | if output["version"] != data["version"]: | ||
170 | bb.error("Version mismatch when merging JSON outputs") | ||
171 | return | ||
172 | |||
173 | for product in output["package"]: | ||
174 | if product["name"] == data["package"][0]["name"]: | ||
175 | bb.error("Error adding the same package %s twice" % product["name"]) | ||
176 | return | ||
177 | |||
178 | output["package"].append(data["package"][0]) | ||
179 | |||
180 | def update_symlinks(target_path, link_path): | ||
181 | """ | ||
182 | Update a symbolic link link_path to point to target_path. | ||
183 | Remove the link and recreate it if exist and is different. | ||
184 | """ | ||
185 | if link_path != target_path and os.path.exists(target_path): | ||
186 | if os.path.exists(os.path.realpath(link_path)): | ||
187 | os.remove(link_path) | ||
188 | os.symlink(os.path.basename(target_path), link_path) | ||
189 | |||
190 | |||
191 | def convert_cve_version(version): | ||
192 | """ | ||
193 | This function converts from CVE format to Yocto version format. | ||
194 | eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1 | ||
195 | |||
196 | Unless it is redefined using CVE_VERSION in the recipe, | ||
197 | cve_check uses the version in the name of the recipe (${PV}) | ||
198 | to check vulnerabilities against a CVE in the database downloaded from NVD. | ||
199 | |||
200 | When the version has an update, i.e. | ||
201 | "p1" in OpenSSH 8.3p1, | ||
202 | "-rc1" in linux kernel 6.2-rc1, | ||
203 | the database stores the version as version_update (8.3_p1, 6.2_rc1). | ||
204 | Therefore, we must transform this version before comparing to the | ||
205 | recipe version. | ||
206 | |||
207 | In this case, the parameter of the function is 8.3_p1. | ||
208 | If the version uses the Release Candidate format, "rc", | ||
209 | this function replaces the '_' by '-'. | ||
210 | If the version uses the Update format, "p", | ||
211 | this function removes the '_' completely. | ||
212 | """ | ||
213 | import re | ||
214 | |||
215 | matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version) | ||
216 | |||
217 | if not matches: | ||
218 | return version | ||
219 | |||
220 | version = matches.group(1) | ||
221 | update = matches.group(2) | ||
222 | |||
223 | if matches.group(3) == "rc": | ||
224 | return version + '-' + update | ||
225 | |||
226 | return version + update | ||
227 | |||
228 | def decode_cve_status(d, cve): | ||
229 | """ | ||
230 | Convert CVE_STATUS into status, detail and description. | ||
231 | """ | ||
232 | status = d.getVarFlag("CVE_STATUS", cve) | ||
233 | if not status: | ||
234 | return ("", "", "") | ||
235 | |||
236 | status_split = status.split(':', 1) | ||
237 | detail = status_split[0] | ||
238 | description = status_split[1].strip() if (len(status_split) > 1) else "" | ||
239 | |||
240 | status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) | ||
241 | if status_mapping is None: | ||
242 | bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) | ||
243 | status_mapping = "Unpatched" | ||
244 | |||
245 | return (status_mapping, detail, description) | ||