summaryrefslogtreecommitdiffstats
path: root/meta/classes/cve-check.bbclass
Commit message (Collapse)AuthorAgeFilesLines
* cve-check: CPE version '-' as all versionLee Chee Yang2020-05-221-1/+1
| | | | | | | | | | | | | | | | | | | | | CPE version could be '-' to mean no version info. Current cve_check treat it as not valid and does not report these CVE but some of these could be a valid vulnerabilities. Since non-valid CVE can be whitelisted, so treat '-' as all version and report all these CVE to capture possible vulnerabilities. Non-valid CVE to be whitelisted separately. [YOCTO #13617] (From OE-Core rev: 1d06fedf46c8f67fccde7a00d7199d7052c33b30) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c69ee3594079589d27c10db32bc288566ebde9ef) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Switch to NVD CVE JSON feed version 1.1Niko Mauno2020-01-161-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). (From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323) (From OE-Core rev: 72c22b8791707480c380f49305c6d394578b2a4b) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c92b8804d6e59b2707332859957f0e6a46db0a73) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: fetch CVE data once at a time instead of in a single callRoss Burton2020-01-161-10/+10
| | | | | | | | | | | | | | | | | | | | | This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 0f5b748a5b7fec41bac16bbc1346230e86bb99e3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: neaten get_cve_infoRoss Burton2020-01-161-13/+5
| | | | | | | | | | | | | Remove obsolete Python 2 code, and use convenience methods for neatness. (From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff) (From OE-Core rev: 0ec6843bec3e817c3bc62d04adea5fd385307b32) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: rewrite look to fix false negativesRoss Burton2020-01-161-29/+34
| | | | | | | | | | | | | | | | | | | A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early. (From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69) (From OE-Core rev: 9948dd86d100bec56e22e6c0bbf4759925a4b306) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: we don't actually need to unpack to checkRoss Burton2020-01-161-2/+1
| | | | | | | | | | | | | | The patch scanner works with patch files in the layer, not in the workdir, so it doesn't need to unpack. (From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17) (From OE-Core rev: 8bfe83d53c39e4a88f808af617db7db091694841) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: failure to parse versions should be more visibleRoss Burton2020-01-161-2/+2
| | | | | | | | (From OE-Core rev: d1a16e6f0edda5d9f03191d187788fc8b666bd7f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: ensure all known CVEs are in the reportRoss Burton2020-01-161-2/+7
| | | | | | | | | | | | | | | CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 430e95cd819577d4d71fe6d579a175b8776aa467) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: backport rewrite from masterRoss Burton2019-09-301-55/+87
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As detailed at [1] the XML feeds provided by NIST are being discontinued on October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be inoperable after this date. To ensure that cve-check continues working, backport the following commits from master to move away from the unmaintained cve-check-tool to our own Python code that fetches the JSON: 546d14135c5 cve-update-db: New recipe to update CVE database bc144b028f6 cve-check: Remove dependency to cve-check-tool-native 7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name 3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator c0eabd30d7b cve-update-db: Use std library instead of urllib3 27eb839ee65 cve-check: be idiomatic 09be21f4d17 cve-update-db: Manage proxy if needed. 975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch 0325dd72714 cve-update-db: Catch request.urlopen errors. 4078da92b49 cve-check: Depends on cve-update-db-native f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table bc0195be1b1 cve-check: Update unpatched CVE matching c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded. 07bb8b25e17 cve-check: remove redundant readline CVE whitelisting 5388ed6d137 cve-check-tool: remove 270ac00cb43 cve-check.bbclass: initialize to_append e6bf9000987 cve-check: allow comparison of Vendor as well as Product 91770338f76 cve-update-db-native: use SQL placeholders instead of format strings 7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST 78de2cb39d7 cve-update-db-native: Remove hash column from database. 4b301030cf9 cve-update-db-native: use os.path.join instead of + f0d822fad2a cve-update-db: actually inherit native b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion bb4e53af33d cve-update-db-native: improve metadata parsing 94227459792 cve-update-db-native: clean up JSON fetching 95438d52b73 cve-update-db-native: fix https proxy issues 1f9a963b9ff glibc: exclude child recipes from CVE scanning [1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement (From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Allow multiple entries in CVE_PRODUCTGrygorii Tertychnyi2018-10-291-1/+2
| | | | | | | | | | | | | | There are both "curl" and "libcurl" CPEs in NVD. All "curl" CVEs are currently missing in the reports. Hence, switch "CVE_PRODUCT" to a space separated list. It is useful for recipes generating several packages, that have different product names in NVD. (From OE-Core rev: 404f75e026393ddc55da87f6f04fb1201cff4e11) Signed-off-by: Grygorii Tertychnyi <gtertych@cisco.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: do not download the CVE DB in package-specific tasksKonstantin Shemyak2018-08-151-1/+1
| | | | | | | | | | | | | | | | | | | | Disable downloading of the vulnerability DB in do_check_cves() task. When invoked in this task, cve-check-tool attempts re-download of the CVE DB if the latter is older than certain threshold. While reasonable for a stand-alone CVE checker, this behavior can cause errors in parallel builds if the build time is longer than this threshold: * Other tasks might be using the DB. * Several packages can start the download of the same file at the same time. This check is not really needed, as the DB has been downloaded by cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build(). The DB will be at most (threshold + build_time) old. (From OE-Core rev: 125789b6ee6d47ab84192230f63971c4e22418ba) Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: detect CVE IDs listed on multiple linesJon Szymaniak2018-05-151-4/+6
| | | | | | | | | | | | | | | | | | | | | | | Some backported patches fix multiple CVEs and list the corresponding identifiers on multiple lines, rather than on a single line. cve-check.bbclass yields false positive warnings when CVE IDs are presented on multiple lines because re.search() returns only the first match. An example of this behavior may be found when running do_cve_check() on the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077 is reported to be patched by commit de57fd8, despite the patch including fixes for a total of 9 CVEs. This is resolved by iterating over all regular expression matches, rather than just the first. (From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd) Signed-off-by: Jon Szymaniak <jon.szymaniak.foss@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check-tool: correctly exported web proxiesKonstantin Shemyak2018-02-241-3/+0
| | | | | | | | | | | | | | | | | The binary 'cve-check-update' downloads the CVE database from the Internet. If the system is behind a web proxy, the download fails, as proxy-related variables are not exported. In turn, 'cve-check-tool' does not connect to the network and correspondingly does not need exported proxies. Exported all proxy-related environment variables to 'cve-check-update' and removed the unneeded export from 'cve-check-tool'. (From OE-Core rev: 17db210975c740aff12732c511cf4fb32b507365) Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: short-circuit checking if CVE_PRODUCT isn't setRoss Burton2018-02-161-0/+3
| | | | | | | | | | | For some recipes is is meaningless to do a CVE check, for example packagegroups or images. Check that CVE_PRODUCT is set and short-circuit the scan if it isn't. (From OE-Core rev: d1e7cb5c9e0d5d253b6bb5c968fa58944ea42d06) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow recipes to override their versionRoss Burton2018-02-161-1/+2
| | | | | | | | | | | | For reasons which I don't understand, the Berkeley DB tarball is version 5.3.28 but in CVE reports the version is 11.2.5.3.28. To handle this allow recipes to override their version as well as their name. (From OE-Core rev: 36fbf96cf284acbc810ff3bf00702f1f82bc0da9) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: put log in T so it doesn't get deleted by rm_workRoss Burton2018-02-161-4/+3
| | | | | | | | | This is where the other task logs go, so it's a sensible place to put it. (From OE-Core rev: 4bbb8cd5f3943231ab5be0448d1b0d4a08341249) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: detect patched CVE's also from patch file namesMikko Rapeli2017-09-051-1/+15
| | | | | | | | | | | | | | | | | | While poky master branch has been fixed so that all CVE patch files have the: CVE: CVE-2017-1234556 strings in the patch comments, many older versions of poky and other meta layers are not, but the CVE patches quite often have the CVE id in the patch file name. If the CVE: string also found, there are no duplicates in the report. (From OE-Core rev: 5ee5b0c66627c9e974c838b86e2e659c2f601f2a) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: use "+git" as separator in PV instead of "git+"Mikko Rapeli2017-07-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | PV is the recipe major version number. cve-check tries to map that to NVD database release versions of the component. If the recipe sources are taken from git, the PV can be automatically modified to include git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9. In CVE checks we want to remove the git details and just use the major version information, in this example 233. Thus use "+git" as the separator and use the first part before the separator as SW product version number in CVE check. Fixes version number for e.g. systemd recipe. If systemd PV is 233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where latest release mentioned is plain 233. If the filter is set to +git, then CVE PV is 233 and issues like this are detected by do_cve_check: https://nvd.nist.gov/vuln/detail/CVE-2017-1000082 (From OE-Core rev: db8815abe3db60b0510fb378bf6d82172c2f2768) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: use weak assignment for default CVE_PRODUCTMikko Rapeli2017-07-241-1/+1
| | | | | | | | | | | | This way also bbclasses can override it. For example kernel.bbclass could set CVE_PRODUCT to linux_kernel for all users of the class which compile Linux kernels. (From OE-Core rev: 74672a7de5ada45ab8e25b89cbdea3ec33b63b7f) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: add do_rootfs dependency on cve-checkPeter Marko2017-06-121-0/+1
| | | | | | | | | | | Since do_rootfs depends on cve-check results of all recipes, we need to recursively depend on recipe do_cve_check. (From OE-Core rev: a1af526e43cb476472a6203882c12deef297f542) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: do not parse error outputPeter Marko2017-06-121-1/+1
| | | | | | | | | | | | | Sometimes there are control messages in cve-check-tool printed to stderr. These lead to parsing error and thus failed build. This can happen for instance when cve database needs to be refreshed during build. (From OE-Core rev: 6d8a17f4c50be292990e37de65630a6b84466ee6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: clean cve-check recipe result before re-buildingPeter Marko2017-06-121-0/+5
| | | | | | | | | | | | If there is cve report for a recipe in previous build and there is no result for current one, old cves are kept in CVE_CHECK_DIR. This happens on version upgrade or when cve/recipe is whitelisted. (From OE-Core rev: 85b4941c71a0e3c08a8c48d52a94dfe2897d2c92) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: make warning contain CVE IDsChen Qi2017-05-181-4/+5
| | | | | | | | | | | | | | | | | When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. (From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Fix dependenciesJussi Kukkonen2017-02-151-1/+1
| | | | | | | | | | | | | | With recipe-specific sysroots the cve_check task must depend on cve-check-tool-native:do_populate_sysroot to get the cve-check-tool binary into the recipe sysroot. A normal DEPENDS isn't used to avoid cyclic dependencies. (From OE-Core rev: bd60b1018bc0304bc928701e6d1090c8b1223616) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar callsJoshua Lock2016-12-161-23/+23
| | | | | | | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow recipes to override the product nameRoss Burton2016-12-131-1/+5
| | | | | | | | | | | Add a new variable CVE_PRODUCT for the product name to look up in the NVD database. Default this to BPN, but allow recipes such as tiff (which is libtiff in NVD) to override it. (From OE-Core rev: ba330051570a4c991885ee726cb187e0c911bd4f) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: CVE-2014-2524 / readline v5.2André Draszik2016-11-151-1/+1
| | | | | | | | | | | | | | | | | Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives. See also the discussion in https://patchwork.openembedded.org/patch/81765/ (From OE-Core rev: b881a288eec598002685f68da80a24e0478fa496) Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Lukasz Nowak <lnowak@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove RM_OLD_IMAGE, it's no longer usefulJoshua Lock2016-10-151-2/+0
| | | | | | | | | | | | | | | | Since the move to put image deployment under sstate control in d54339d4b1a7e884de636f6325ca60409ebd95ff old images are automatically removed before a new image is deployed (the default behaviour of the sstate logic). RM_OLD_IMAGE is therefore no longer required to provide this behaviour, remove the variable and its users. (From OE-Core rev: 93631befe8b962bf99524746b49f4ebca336175c) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Add classMariano Lopez2016-09-161-0/+267
This class adds a new task for all the recipes to use cve-check-tool in order to look for public CVEs affecting the packages generated. It is possible to use this class when building an image, building a recipe, or using the "world" or "universe" cases. In order to use this class it must be inherited and it will add the task automatically to every recipe. [YOCTO #7515] Co-authored by Ross Burton & Mariano Lopez (From OE-Core rev: d98338075ec3a66acb8828e74711550d53b4d91b) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>