Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=zeus 2020-08-04T22:17:37+00:00 2020-08-04T22:17:37+00:00 Ralph Siemsen ralph.siemsen@linaro.org 2020-07-08T21:07:50+00:00 urn:sha1:6d936d8d3d49cca5ac3724efd2aa76ef4403789b In the generated cve.log files, include the epoch in the product version. This better matches how versions are displayed elsewhere, in particular the bb.warn("Found unpatched CVE...") that appears on the terminal when CVEs are found. (From OE-Core rev: 99f6de1c74b581054c74c6b4598a5d47facc9964) (From OE-Core rev: a8b69927485acbe504fcd75dc2cafc4c550cb66a) Signed-off-by: Ralph Siemsen <ralph.siemsen@linaro.org> (cherry picked from commit e1c3c0b6e5b01304e2127f5058986697e82adf93) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-08-04T22:17:37+00:00 Khem Raj raj.khem@gmail.com 2020-07-08T21:07:48+00:00 urn:sha1:46809da0bb0221ab96bde218a9398d58da38a4c0 Certain recipes e.g. bash readline ( from meta-gplv2 ) download patches instead of having them in metadata, this could fail cve_check ERROR: readline-5.2-r9 do_cve_check: File Not found: qemuarm/build/../downloads/readline52-001 This patch ensures that download is done before running CVE scan, even though these will be external patches and may not contain CVE tags as it expects, but it will fix the run failures as seen above (From OE-Core rev: dbf143d79476e54e8da93101fc16eaedeec88362) (From OE-Core rev: 4b65abc70e84187f666e2ea2ab4dcf6bf7216658) Signed-off-by: Khem Raj <raj.khem@gmail.com> (cherry picked from commit e406fcb6c609a0d2456d7da0d2406d2d9fa52dd2) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-04-29T15:11:56+00:00 Lee Chee Yang chee.yang.lee@intel.com 2020-03-31T07:26:03+00:00 urn:sha1:73738879a282e3a39c5753024ed363b27e704416 CPE version could be '-' to mean no version info. Current cve_check treat it as not valid and does not report these CVE but some of these could be a valid vulnerabilities. Since non-valid CVE can be whitelisted, so treat '-' as all version and report all these CVE to capture possible vulnerabilities. Non-valid CVE to be whitelisted separately. [YOCTO #13617] (From OE-Core rev: 1e8e188514584f9f972c0eb733c10a61853ec3d0) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c69ee3594079589d27c10db32bc288566ebde9ef) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-03-16T16:44:54+00:00 Chee Yang Lee chee.yang.lee@intel.com 2020-03-09T04:57:03+00:00 urn:sha1:c6f99b055ef6f47bedea0c1cf040e5fb69523eb9 fix below error for whitelisted recipe and recipe skip cve check. Error: The stack trace of python calls that resulted in this exception/failure was: File: 'exec_python_func() autogenerated', lineno: 2, function: <module> 0001: *** 0002:do_cve_check(d) 0003: File: '/poky-master/meta/classes/cve-check.bbclass', lineno: 59, function: do_cve_check 0055: try: 0056: patched_cves = get_patches_cves(d) 0057: except FileNotFoundError: 0058: bb.fatal("Failure in searching patches") *** 0059: whitelisted, patched, unpatched = check_cves(d, patched_cves) 0060: if patched or unpatched: 0061: cve_data = get_cve_info(d, patched + unpatched) 0062: cve_write_data(d, patched, unpatched, whitelisted, cve_data) 0063: else: Exception: ValueError: not enough values to unpack (expected 3, got 2) (From OE-Core rev: d8cfc309f9dd0dc8904ab18e5898770502ee2540) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 64a362bd2dd0b4f3165d5162adbc600826af66f8) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-03-16T16:44:54+00:00 Chee Yang Lee chee.yang.lee@intel.com 2020-03-06T02:27:26+00:00 urn:sha1:8b1eccc311640190a590510e338f6631ecc59392 change whitelisted CVE status from "Patched" to "Whitelisted". [Yocto #13687] (From OE-Core rev: 707b3a41b3cacfb7f1d1ed75f9a298ff4721735e) Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 181bdd670492525f9488d52c3ebb9a1b142e35ea) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-03-16T16:44:53+00:00 Armin Kuster akuster808@gmail.com 2019-12-11T16:16:04+00:00 urn:sha1:7d8d93cfb915cb4c9b855019dfc2bddc3918ebff With out these changes, a traceback displayed when a file is listed in the SRC_URI but the file does not exist. raise FileNotFoundError and print the patch then mark the task as failed. (From OE-Core rev: d313a5912d2ecbf7796e75ee7e7cd1d442b4fa40) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> (cherry picked from commit d4926c11a4ab9148bdb640a9367c9e1891491a5b) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-12-16T23:08:52+00:00 Niko Mauno niko.mauno@iki.fi 2019-12-14T06:15:05+00:00 urn:sha1:4065420e5b943de79db953045fbf33f6db1da0dc Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). (From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323) (From OE-Core rev: c92b8804d6e59b2707332859957f0e6a46db0a73) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-25T21:37:40+00:00 Ross Burton ross.burton@intel.com 2019-11-24T23:50:15+00:00 urn:sha1:c1cbb6fd15b28adda0f743d390930bf5221842d7 This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 3ded9a64c95ae02df7562fc69e2af08c150d2452) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-25T21:37:40+00:00 Ross Burton ross.burton@intel.com 2019-11-24T23:50:14+00:00 urn:sha1:1f4750c47fe2f2612f835b4808df72d8df3cd000 Remove obsolete Python 2 code, and use convenience methods for neatness. (From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff) (From OE-Core rev: 98162c04c877925c737674a1635b08cf998b92f5) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-25T21:37:40+00:00 Ross Burton ross.burton@intel.com 2019-11-24T23:50:13+00:00 urn:sha1:728f969be0017e491cef2bae54d7b226f4977252 A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early. (From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69) (From OE-Core rev: 0f42a1d4dbb74ab39e81449cf222302bcc04f7db) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>