summaryrefslogtreecommitdiffstats
path: root/meta/classes/cve-check.bbclass
Commit message (Collapse)AuthorAgeFilesLines
* cve-update-db-native: Remove hash column from database.Pierre Le Magourou2019-07-191-6/+6
| | | | | | | | | | | | djb2 hash algorithm was found to do collisions, so the database was sometime missing data. Remove this hash mechanism, clear and populate elements from scratch in PRODUCTS table if the current year needs an update. (From OE-Core rev: 78de2cb39d74b030cd4ec811bf6f9a6daa003d19) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELISTPierre Le Magourou2019-07-191-11/+11
| | | | | | | | | | CVE_CHECK_WHITELIST does not contain version anymore, as it was not used. This variable should be set per recipe. (From OE-Core rev: 7069302a4ccbb5b72e1902f284cf078516fd7294) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow comparison of Vendor as well as ProductRoss Burton2019-07-181-4/+8
| | | | | | | | | | | | | | | | Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex. If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search. Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and lets sqlite3 handle the escaping. (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: initialize to_appendMikko Rapeli2019-07-181-0/+1
| | | | | | | | | | | Fixes build failure with core-image-minimal: Exception: UnboundLocalError: local variable 'to_append' referenced before assignment (From OE-Core rev: 270ac00cb43d0614dfe1c95f960c76e9e5fa20d4) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: exclude child recipes from CVE scanningRoss Burton2019-07-171-3/+1
| | | | | | | | | | | | | | As glibc will be scanned for CVEs, we don't need to scan glibc-locale, glibc-mtrace, and glibc-scripts which are all separate recipes for technical reasons. Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the global whitelist. (From OE-Core rev: 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: remove redundant readline CVE whitelistingRoss Burton2019-07-171-4/+9
| | | | | | | | | | | | CVE-2014-2524 is a readline CVE that was fixed in 6.3patch3 onwards, but the tooling wasn't able to detect this version. As we now ship readline 8 we don't need to manually whitelist it, and if we did then the whitelisting should be in the readline recipe. (From OE-Core rev: 07bb8b25e172aa5c8ae96b6e8eb4ac901b835219) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Update unpatched CVE matchingPierre Le Magourou2019-07-091-14/+40
| | | | | | | | | | Now that cve-update-db added CPE information to NVD database. We can check for unpatched versions with operators '<', '<=', '>', and '>='. (From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Depends on cve-update-db-nativePierre Le Magourou2019-07-091-1/+1
| | | | | | | | | do_populate_cve_db is a native task. (From OE-Core rev: 4078da92b49946848cddebe1735f301af161e162) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: Catch request.urlopen errors.Pierre Le Magourou2019-07-051-2/+3
| | | | | | | | | | | If the NVD url is not accessible, print a warning on top of the CVE report, and continue. The database will not be fully updated, but cve_check can still run on the previous database. (From OE-Core rev: 0325dd72714f0b447558084f481b77f0ec850eed) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: be idiomaticRoss Burton2019-06-271-8/+9
| | | | | | | | | | Instead of generating a series of indexes via range(len(list)), just iterate the list. (From OE-Core rev: 27eb839ee651c2d584db42d23bcf5dd764eb33f1) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Consider CVE that affects versions with less than operatorPierre Le Magourou2019-06-201-2/+14
| | | | | | | | | | | | | | In the NVD json CVE feed, affected versions can be strictly matched to a version, but they can also be matched with the operator '<='. Add a new condition in the sqlite query to match affected versions that are defined with the operator '<='. Then use LooseVersion to discard all versions that are not relevant. (From OE-Core rev: 3bf63bc60848d91e90c23f6d854d22b78832aa2d) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Manage CVE_PRODUCT with more than one namePierre Le Magourou2019-06-201-11/+14
| | | | | | | | | | In some rare cases (eg. curl recipe) the CVE_PRODUCT contains more than one name. (From OE-Core rev: 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Remove dependency to cve-check-tool-nativePierre Le Magourou2019-06-201-45/+26
| | | | | | | | | Use the new update-cve-db recipe to update database. (From OE-Core rev: bc144b028f6f51252f4359248f6921028bcb6780) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Allow multiple entries in CVE_PRODUCTGrygorii Tertychnyi2018-10-291-1/+2
| | | | | | | | | | | | | | There are both "curl" and "libcurl" CPEs in NVD. All "curl" CVEs are currently missing in the reports. Hence, switch "CVE_PRODUCT" to a space separated list. It is useful for recipes generating several packages, that have different product names in NVD. (From OE-Core rev: 404f75e026393ddc55da87f6f04fb1201cff4e11) Signed-off-by: Grygorii Tertychnyi <gtertych@cisco.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: do not download the CVE DB in package-specific tasksKonstantin Shemyak2018-08-151-1/+1
| | | | | | | | | | | | | | | | | | | | Disable downloading of the vulnerability DB in do_check_cves() task. When invoked in this task, cve-check-tool attempts re-download of the CVE DB if the latter is older than certain threshold. While reasonable for a stand-alone CVE checker, this behavior can cause errors in parallel builds if the build time is longer than this threshold: * Other tasks might be using the DB. * Several packages can start the download of the same file at the same time. This check is not really needed, as the DB has been downloaded by cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build(). The DB will be at most (threshold + build_time) old. (From OE-Core rev: 125789b6ee6d47ab84192230f63971c4e22418ba) Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: detect CVE IDs listed on multiple linesJon Szymaniak2018-05-151-4/+6
| | | | | | | | | | | | | | | | | | | | | | | Some backported patches fix multiple CVEs and list the corresponding identifiers on multiple lines, rather than on a single line. cve-check.bbclass yields false positive warnings when CVE IDs are presented on multiple lines because re.search() returns only the first match. An example of this behavior may be found when running do_cve_check() on the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077 is reported to be patched by commit de57fd8, despite the patch including fixes for a total of 9 CVEs. This is resolved by iterating over all regular expression matches, rather than just the first. (From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd) Signed-off-by: Jon Szymaniak <jon.szymaniak.foss@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check-tool: correctly exported web proxiesKonstantin Shemyak2018-02-241-3/+0
| | | | | | | | | | | | | | | | | The binary 'cve-check-update' downloads the CVE database from the Internet. If the system is behind a web proxy, the download fails, as proxy-related variables are not exported. In turn, 'cve-check-tool' does not connect to the network and correspondingly does not need exported proxies. Exported all proxy-related environment variables to 'cve-check-update' and removed the unneeded export from 'cve-check-tool'. (From OE-Core rev: 17db210975c740aff12732c511cf4fb32b507365) Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: short-circuit checking if CVE_PRODUCT isn't setRoss Burton2018-02-161-0/+3
| | | | | | | | | | | For some recipes is is meaningless to do a CVE check, for example packagegroups or images. Check that CVE_PRODUCT is set and short-circuit the scan if it isn't. (From OE-Core rev: d1e7cb5c9e0d5d253b6bb5c968fa58944ea42d06) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow recipes to override their versionRoss Burton2018-02-161-1/+2
| | | | | | | | | | | | For reasons which I don't understand, the Berkeley DB tarball is version 5.3.28 but in CVE reports the version is 11.2.5.3.28. To handle this allow recipes to override their version as well as their name. (From OE-Core rev: 36fbf96cf284acbc810ff3bf00702f1f82bc0da9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: put log in T so it doesn't get deleted by rm_workRoss Burton2018-02-161-4/+3
| | | | | | | | | This is where the other task logs go, so it's a sensible place to put it. (From OE-Core rev: 4bbb8cd5f3943231ab5be0448d1b0d4a08341249) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: detect patched CVE's also from patch file namesMikko Rapeli2017-09-051-1/+15
| | | | | | | | | | | | | | | | | | While poky master branch has been fixed so that all CVE patch files have the: CVE: CVE-2017-1234556 strings in the patch comments, many older versions of poky and other meta layers are not, but the CVE patches quite often have the CVE id in the patch file name. If the CVE: string also found, there are no duplicates in the report. (From OE-Core rev: 5ee5b0c66627c9e974c838b86e2e659c2f601f2a) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: use "+git" as separator in PV instead of "git+"Mikko Rapeli2017-07-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | PV is the recipe major version number. cve-check tries to map that to NVD database release versions of the component. If the recipe sources are taken from git, the PV can be automatically modified to include git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9. In CVE checks we want to remove the git details and just use the major version information, in this example 233. Thus use "+git" as the separator and use the first part before the separator as SW product version number in CVE check. Fixes version number for e.g. systemd recipe. If systemd PV is 233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where latest release mentioned is plain 233. If the filter is set to +git, then CVE PV is 233 and issues like this are detected by do_cve_check: https://nvd.nist.gov/vuln/detail/CVE-2017-1000082 (From OE-Core rev: db8815abe3db60b0510fb378bf6d82172c2f2768) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: use weak assignment for default CVE_PRODUCTMikko Rapeli2017-07-241-1/+1
| | | | | | | | | | | | This way also bbclasses can override it. For example kernel.bbclass could set CVE_PRODUCT to linux_kernel for all users of the class which compile Linux kernels. (From OE-Core rev: 74672a7de5ada45ab8e25b89cbdea3ec33b63b7f) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: add do_rootfs dependency on cve-checkPeter Marko2017-06-121-0/+1
| | | | | | | | | | | Since do_rootfs depends on cve-check results of all recipes, we need to recursively depend on recipe do_cve_check. (From OE-Core rev: a1af526e43cb476472a6203882c12deef297f542) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: do not parse error outputPeter Marko2017-06-121-1/+1
| | | | | | | | | | | | | Sometimes there are control messages in cve-check-tool printed to stderr. These lead to parsing error and thus failed build. This can happen for instance when cve database needs to be refreshed during build. (From OE-Core rev: 6d8a17f4c50be292990e37de65630a6b84466ee6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: clean cve-check recipe result before re-buildingPeter Marko2017-06-121-0/+5
| | | | | | | | | | | | If there is cve report for a recipe in previous build and there is no result for current one, old cves are kept in CVE_CHECK_DIR. This happens on version upgrade or when cve/recipe is whitelisted. (From OE-Core rev: 85b4941c71a0e3c08a8c48d52a94dfe2897d2c92) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: make warning contain CVE IDsChen Qi2017-05-181-4/+5
| | | | | | | | | | | | | | | | | When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. (From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Fix dependenciesJussi Kukkonen2017-02-151-1/+1
| | | | | | | | | | | | | | With recipe-specific sysroots the cve_check task must depend on cve-check-tool-native:do_populate_sysroot to get the cve-check-tool binary into the recipe sysroot. A normal DEPENDS isn't used to avoid cyclic dependencies. (From OE-Core rev: bd60b1018bc0304bc928701e6d1090c8b1223616) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar callsJoshua Lock2016-12-161-23/+23
| | | | | | | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow recipes to override the product nameRoss Burton2016-12-131-1/+5
| | | | | | | | | | | Add a new variable CVE_PRODUCT for the product name to look up in the NVD database. Default this to BPN, but allow recipes such as tiff (which is libtiff in NVD) to override it. (From OE-Core rev: ba330051570a4c991885ee726cb187e0c911bd4f) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: CVE-2014-2524 / readline v5.2André Draszik2016-11-151-1/+1
| | | | | | | | | | | | | | | | | Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives. See also the discussion in https://patchwork.openembedded.org/patch/81765/ (From OE-Core rev: b881a288eec598002685f68da80a24e0478fa496) Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Lukasz Nowak <lnowak@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove RM_OLD_IMAGE, it's no longer usefulJoshua Lock2016-10-151-2/+0
| | | | | | | | | | | | | | | | Since the move to put image deployment under sstate control in d54339d4b1a7e884de636f6325ca60409ebd95ff old images are automatically removed before a new image is deployed (the default behaviour of the sstate logic). RM_OLD_IMAGE is therefore no longer required to provide this behaviour, remove the variable and its users. (From OE-Core rev: 93631befe8b962bf99524746b49f4ebca336175c) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Add classMariano Lopez2016-09-161-0/+267
This class adds a new task for all the recipes to use cve-check-tool in order to look for public CVEs affecting the packages generated. It is possible to use this class when building an image, building a recipe, or using the "world" or "universe" cases. In order to use this class it must be inherited and it will add the task automatically to every recipe. [YOCTO #7515] Co-authored by Ross Burton & Mariano Lopez (From OE-Core rev: d98338075ec3a66acb8828e74711550d53b4d91b) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>