<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes/cve-check.bbclass, branch thud</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=thud</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=thud'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2019-12-16T23:11:10+00:00</updated>
<entry>
<title>cve-check: fetch CVE data once at a time instead of in a single call</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=962cbc60d73c91b4d355a32327295fa2e1397dd9'/>
<id>urn:sha1:962cbc60d73c91b4d355a32327295fa2e1397dd9</id>
<content type='text'>
This code used to construct a single SQL statement that fetched the NVD data for
every CVE requested.  For recipes such as the kernel where there are over 2000
CVEs to report this can hit the variable count limit and the query fails with
"sqlite3.OperationalError: too many SQL variables".  The default limit is 999
variables, but some distributions such as Debian set the default to 250000.

As the NVD table has an index on the ID column, whilst requesting the data
CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time
different is insignificant: 0.05s verses 0.01s on my machine.

(From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99)

(From OE-Core rev: b52d6340acdad27d41caf057b78f181297a9a75e)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: neaten get_cve_info</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=51553d9da2ada4a912110d5ecd4b4bc5d020f80f'/>
<id>urn:sha1:51553d9da2ada4a912110d5ecd4b4bc5d020f80f</id>
<content type='text'>
Remove obsolete Python 2 code, and use convenience methods for neatness.

(From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff)

(From OE-Core rev: 1f3863bc31e03207856f55591cbf17543e188587)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: rewrite look to fix false negatives</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1a09e2a3cf3efe67f2f01e1d1d8f65b5e337e3fb'/>
<id>urn:sha1:1a09e2a3cf3efe67f2f01e1d1d8f65b5e337e3fb</id>
<content type='text'>
A previous optimisation was premature and resulted in false-negatives in the report.

Rewrite the checking algorithm to first get the list of potential CVEs by
vendor:product, then iterate through every matching CPE for that CVE to
determine if the bounds match or not.  By doing this in two stages we can know
if we've checked every CPE, instead of accidentally breaking out of the scan too
early.

(From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69)

(From OE-Core rev: 541dc24d974d3e22c45a650c34298eebc45121e8)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: we don't actually need to unpack to check</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e60099368b5698ea666a5f0de3fdbe35cbcdfeda'/>
<id>urn:sha1:e60099368b5698ea666a5f0de3fdbe35cbcdfeda</id>
<content type='text'>
The patch scanner works with patch files in the layer, not in the workdir, so it
doesn't need to unpack.

(From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17)

(From OE-Core rev: cbb5d26d88465c95a4a879f8635253259e8df0f0)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: failure to parse versions should be more visible</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f9b5a31a654baa7e9eb4ea960d1aeb246877da3f'/>
<id>urn:sha1:f9b5a31a654baa7e9eb4ea960d1aeb246877da3f</id>
<content type='text'>
(From OE-Core rev: 72f44bef3867295f73f8b91e17294b2876447c89)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: ensure all known CVEs are in the report</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=1675f9638ab6387f492cefa9eac106f627722e12'/>
<id>urn:sha1:1675f9638ab6387f492cefa9eac106f627722e12</id>
<content type='text'>
CVEs that are whitelisted or were not vulnerable when there are version
comparisons were not included in the report, so alter the logic to ensure that
all relevant CVEs are in the report for completeness.

(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)

(From OE-Core rev: 9d01a64844998d98fcfcebbe8580422094cd2dde)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: backport rewrite from master</title>
<updated>2019-12-16T23:11:10+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2019-12-08T18:35:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=593fe7e35267f665dbb37cc0abcc82be55ac67f8'/>
<id>urn:sha1:593fe7e35267f665dbb37cc0abcc82be55ac67f8</id>
<content type='text'>
As detailed at [1] the XML feeds provided by NIST are being discontinued on
October 9th 2019.  As cve-check-tool uses these feeds, cve-check.bbclass will be
inoperable after this date.

To ensure that cve-check continues working, backport the following commits from
master to move away from the unmaintained cve-check-tool to our own Python code
that fetches the JSON:

546d14135c5 cve-update-db: New recipe to update CVE database
bc144b028f6 cve-check: Remove dependency to cve-check-tool-native
7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name
3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator
c0eabd30d7b cve-update-db: Use std library instead of urllib3
27eb839ee65 cve-check: be idiomatic
09be21f4d17 cve-update-db: Manage proxy if needed.
975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch
0325dd72714 cve-update-db: Catch request.urlopen errors.
4078da92b49 cve-check: Depends on cve-update-db-native
f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table
bc0195be1b1 cve-check: Update unpatched CVE matching
c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded.
07bb8b25e17 cve-check: remove redundant readline CVE whitelisting
5388ed6d137 cve-check-tool: remove
270ac00cb43 cve-check.bbclass: initialize to_append
e6bf9000987 cve-check: allow comparison of Vendor as well as Product
91770338f76 cve-update-db-native: use SQL placeholders instead of format strings
7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
78de2cb39d7 cve-update-db-native: Remove hash column from database.
4b301030cf9 cve-update-db-native: use os.path.join instead of +
f0d822fad2a cve-update-db: actually inherit native
b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion
bb4e53af33d cve-update-db-native: improve metadata parsing
94227459792 cve-update-db-native: clean up JSON fetching
95438d52b73 cve-update-db-native: fix https proxy issues
1f9a963b9ff glibc: exclude child recipes from CVE scanning

[1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement

(From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb)

(From OE-Core rev: beeed02f9831e75c3f773e44d7efc726f1ff859c)

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: Allow multiple entries in CVE_PRODUCT</title>
<updated>2018-10-29T17:01:45+00:00</updated>
<author>
<name>Grygorii Tertychnyi</name>
<email>gtertych@cisco.com</email>
</author>
<published>2018-10-29T15:13:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=e93457c1511037a9ebac8e9794db65d9ff0113f4'/>
<id>urn:sha1:e93457c1511037a9ebac8e9794db65d9ff0113f4</id>
<content type='text'>
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are currently missing in the reports.

Hence, switch "CVE_PRODUCT" to a space separated list.
It is useful for recipes generating several packages,
that have different product names in NVD.

(From OE-Core rev: 404f75e026393ddc55da87f6f04fb1201cff4e11)

Signed-off-by: Grygorii Tertychnyi &lt;gtertych@cisco.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: do not download the CVE DB in package-specific tasks</title>
<updated>2018-08-15T20:45:58+00:00</updated>
<author>
<name>Konstantin Shemyak</name>
<email>konstantin.shemyak@ge.com</email>
</author>
<published>2018-08-13T07:23:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=f7e24cc377b00f2341cd3168bbd0201828547255'/>
<id>urn:sha1:f7e24cc377b00f2341cd3168bbd0201828547255</id>
<content type='text'>
Disable downloading of the vulnerability DB in do_check_cves() task.

When invoked in this task, cve-check-tool attempts re-download of the CVE DB
if the latter is older than certain threshold. While reasonable for a
stand-alone CVE checker, this behavior can cause errors in parallel builds
if the build time is longer than this threshold:
* Other tasks might be using the DB.
* Several packages can start the download of the same file at the same time.

This check is not really needed, as the DB has been downloaded by
cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
The DB will be at most (threshold + build_time) old.

(From OE-Core rev: 125789b6ee6d47ab84192230f63971c4e22418ba)

Signed-off-by: Konstantin Shemyak &lt;konstantin.shemyak@ge.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: detect CVE IDs listed on multiple lines</title>
<updated>2018-05-15T09:56:49+00:00</updated>
<author>
<name>Jon Szymaniak</name>
<email>jon.szymaniak.foss@gmail.com</email>
</author>
<published>2018-05-09T21:45:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=dd5bf3e4d2ad66d8572d622a147cea1a8fddb40d'/>
<id>urn:sha1:dd5bf3e4d2ad66d8572d622a147cea1a8fddb40d</id>
<content type='text'>
Some backported patches fix multiple CVEs and list the corresponding
identifiers on multiple lines, rather than on a single line.

cve-check.bbclass yields false positive warnings when CVE IDs are
presented on multiple lines because re.search() returns only
the first match.

An example of this behavior may be found when running do_cve_check() on
the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
is reported to be patched by commit de57fd8, despite the patch including
fixes for a total of 9 CVEs.

This is resolved by iterating over all regular expression matches,
rather than just the first.

(From OE-Core rev: 8fb70ce2df66fc8404395ecbe66a75d0038f22dd)

Signed-off-by: Jon Szymaniak &lt;jon.szymaniak.foss@gmail.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
