linux/poky.git/meta/classes/cve-check.bbclass, branch master-next2

cve-update-db-native: Remove hash column from database.

2019-07-19T07:41:40+00:00

djb2 hash algorithm was found to do collisions, so the database was sometime missing data. Remove this hash mechanism, clear and populate elements from scratch in PRODUCTS table if the current year needs an update. (From OE-Core rev: 78de2cb39d74b030cd4ec811bf6f9a6daa003d19) Signed-off-by: Pierre Le Magourou Signed-off-by: Richard Purdie

cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST

2019-07-19T07:41:40+00:00

CVE_CHECK_WHITELIST does not contain version anymore, as it was not used. This variable should be set per recipe. (From OE-Core rev: 7069302a4ccbb5b72e1902f284cf078516fd7294) Signed-off-by: Pierre Le Magourou Signed-off-by: Richard Purdie

cve-check: allow comparison of Vendor as well as Product

2019-07-18T11:16:19+00:00

Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex. If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search. Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and lets sqlite3 handle the escaping. (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

cve-check.bbclass: initialize to_append

2019-07-18T11:16:19+00:00

Fixes build failure with core-image-minimal: Exception: UnboundLocalError: local variable 'to_append' referenced before assignment (From OE-Core rev: 270ac00cb43d0614dfe1c95f960c76e9e5fa20d4) Signed-off-by: Mikko Rapeli Signed-off-by: Richard Purdie

glibc: exclude child recipes from CVE scanning

2019-07-17T08:36:35+00:00

As glibc will be scanned for CVEs, we don't need to scan glibc-locale, glibc-mtrace, and glibc-scripts which are all separate recipes for technical reasons. Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the global whitelist. (From OE-Core rev: 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

cve-check: remove redundant readline CVE whitelisting

2019-07-17T08:36:35+00:00

CVE-2014-2524 is a readline CVE that was fixed in 6.3patch3 onwards, but the tooling wasn't able to detect this version. As we now ship readline 8 we don't need to manually whitelist it, and if we did then the whitelisting should be in the readline recipe. (From OE-Core rev: 07bb8b25e172aa5c8ae96b6e8eb4ac901b835219) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie

cve-check: Update unpatched CVE matching

2019-07-09T22:30:44+00:00

Now that cve-update-db added CPE information to NVD database. We can check for unpatched versions with operators '<', '<=', '>', and '>='. (From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed) Signed-off-by: Pierre Le Magourou Signed-off-by: Richard Purdie

cve-check: Depends on cve-update-db-native

2019-07-09T22:30:44+00:00

do_populate_cve_db is a native task. (From OE-Core rev: 4078da92b49946848cddebe1735f301af161e162) Signed-off-by: Pierre Le Magourou Signed-off-by: Richard Purdie

cve-update-db: Catch request.urlopen errors.

2019-07-05T11:00:20+00:00

If the NVD url is not accessible, print a warning on top of the CVE report, and continue. The database will not be fully updated, but cve_check can still run on the previous database. (From OE-Core rev: 0325dd72714f0b447558084f481b77f0ec850eed) Signed-off-by: Pierre Le Magourou Signed-off-by: Richard Purdie

cve-check: be idiomatic

2019-06-27T11:20:35+00:00

Instead of generating a series of indexes via range(len(list)), just iterate the list. (From OE-Core rev: 27eb839ee651c2d584db42d23bcf5dd764eb33f1) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie