From 050a96fe030f5669898e8cc6589d37b1e3da365b Mon Sep 17 00:00:00 2001 From: Pierre Le Magourou Date: Thu, 18 Jul 2019 14:41:19 +0200 Subject: cve-update-db-native: Remove hash column from database. djb2 hash algorithm was found to do collisions, so the database was sometime missing data. Remove this hash mechanism, clear and populate elements from scratch in PRODUCTS table if the current year needs an update. (From OE-Core rev: 78de2cb39d74b030cd4ec811bf6f9a6daa003d19) Signed-off-by: Pierre Le Magourou Signed-off-by: Richard Purdie --- meta/recipes-core/meta/cve-update-db-native.bb | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) (limited to 'meta/recipes-core/meta') diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 72d1f48835..3519beae5f 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -30,7 +30,7 @@ python do_populate_cve_db() { YEAR_START = 2002 db_dir = d.getVar("DL_DIR") + '/CVE_CHECK' - db_file = db_dir + '/nvdcve.db' + db_file = db_dir + '/nvdcve_1.0.db' json_tmpfile = db_dir + '/nvd.json.gz' proxy = d.getVar("https_proxy") cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a') @@ -65,6 +65,10 @@ python do_populate_cve_db() { c.execute("select DATE from META where YEAR = ?", (year,)) meta = c.fetchone() if not meta or meta[0] != last_modified: + # Clear products table entries corresponding to current year + cve_year = 'CVE-' + str(year) + '%' + c.execute("delete from PRODUCTS where ID like ?", (cve_year,)) + # Update db with current year json file req = urllib.request.Request(json_url) if proxy: @@ -91,27 +95,16 @@ python do_populate_cve_db() { conn.close() } -# DJB2 hash algorithm -def hash_djb2(s): - hash = 5381 - for x in s: - hash = (( hash << 5) + hash) + ord(x) - - return hash & 0xFFFFFFFF - def initialize_db(c): c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") - c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (HASH INTEGER UNIQUE, ID TEXT, \ + c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ VERSION_END TEXT, OPERATOR_END TEXT)") def insert_elt(c, db_values): - product_str = db_values[0] + db_values[1] + db_values[2] + db_values[3] - hashstr = hash_djb2(product_str) - db_values.insert(0, hashstr) - query = "insert or replace into PRODUCTS values (?, ?, ?, ?, ?, ?, ?, ?)" + query = "insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)" c.execute(query, db_values) def parse_node_and_insert(c, node, cveId): -- cgit v1.2.3-54-g00ecf