| author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-11-06 17:37:19 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-07 19:47:26 +0000 |
| commit | 8bc6c65d862c080bdb95405ed5aea528dbcc2315 (patch) | |
| tree | 778b547c10f24b8361672780f9680756c3eb0ee8 /meta/classes | |
| parent | b409daad1d6c853690ae9ea75447cfac89033712 (diff) | |
| download | poky-8bc6c65d862c080bdb95405ed5aea528dbcc2315.tar.gz | |
cve-check: Consider CVE that affects versions with less than operator
In the NVD json CVE feed, affected versions can be strictly matched to a
version, but they can also be matched with the operator '<='.
Add a new condition in the sqlite query to match affected versions that
are defined with the operator '<='. Then use LooseVersion to discard all
versions that are not relevant.
(From OE-Core rev: 3bf63bc60848d91e90c23f6d854d22b78832aa2d)
(From OE-Core rev: 70046288894184477dcf6f7eba25b1994b88c8de)
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 16 |
1 files changed, 14 insertions, 2 deletions
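--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
     Connect to the NVD database and find unpatched cves.
     """
     import ast, csv, tempfile, subprocess, io
+    from distutils.version import LooseVersion
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+    query = """SELECT * FROM PRODUCTS WHERE
+               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
     for idx in range(len(bpn)):
-        for row in c.execute(query % (bpn[idx],pv)):
+        for row in c.execute(query.format(bpn[idx],pv)):
             cve = row[1]
+            version = row[4]
+
+            try:
+                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            except:
+                discardVersion = True
+
             if pv in cve_whitelist.get(cve,[]):
                 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
+            elif discardVersion:
+                bb.debug(2, "Do not consider version %s " % (version))
             else:
                 cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))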
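Review bot: The bare `except:` around the LooseVersion comparison in the second hunk fails open: when the two version strings cannot be compared (LooseVersion raises TypeError on mixed int/str components, and a missing or malformed feed value raises on construction), `discardVersion` becomes True and the CVE is silently dropped from `cves_unpatched` with only a level-2 debug line. For a vulnerability scanner a false negative is the costlier error, so an incomparable version should keep the CVE and be surfaced, e.g. `except (TypeError, ValueError):` / `bb.warn("%s: cannot compare version %s with %s, keeping %s" % (bpn[idx], version, pv, cve))` / `discardVersion = False`. Secondary point of style: the rewritten query still splices `bpn[idx]` and `pv` into the SQL text via `format`; sqlite3's `?` placeholders with `c.execute(query, (bpn[idx], pv, bpn[idx]))` avoid quoting problems for product names or versions containing a quote. `check_cves` starts before the first hunk and continues past the last line shown.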
