| author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-11-06 17:37:27 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-07 19:47:26 +0000 |
| commit | 74b562e1cedc484cf417b98d67a5ee37a340dc3b (patch) | |
| tree | 73987c6c09a58ff0c4b8622f5ddbdc4bd17b8b7d /meta | |
| parent | 470ea72f1cfdf3702e933cf4c73e63da756b3981 (diff) | |
| download | poky-74b562e1cedc484cf417b98d67a5ee37a340dc3b.tar.gz | |
cve-check: Update unpatched CVE matching
Now that cve-update-db adds CPE information to the NVD database, we can
check for unpatched versions with the operators '<', '<=', '>', and '>='.
(From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed)
(From OE-Core rev: 48793a3b74bfaa5ffe6191d21f64aef3720433db)
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 54 |
1 files changed, 40 insertions, 14 deletions
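--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
 
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = """SELECT * FROM PRODUCTS WHERE
-               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
-               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
+    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
+
     for product in products:
         for row in c.execute(query.format(product, pv)):
             cve = row[1]
-            version = row[4]
-
-            try:
-                discardVersion = LooseVersion(version) < LooseVersion(pv)
-            except:
-                discardVersion = True
+            version_start = row[4]
+            operator_start = row[5]
+            version_end = row[6]
+            operator_end = row[7]
 
             if pv in cve_whitelist.get(cve, []):
                 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
-            elif discardVersion:
-                bb.debug(2, "Do not consider version %s " % (version))
             else:
-                cves_unpatched.append(cve)
+                if (operator_start == '=' and pv == version_start):
+                    cves_unpatched.append(cve)
+                else:
+                    if operator_start:
+                        try:
+                            to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+                            to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+                        except:
+                            bb.note("%s: Failed to compare %s %s %s for %s" %
+                                    (product, pv, operator_start, version_start, cve))
+                            to_append_start = False
+                    else:
+                        to_append_start = False
+
+                    if operator_end:
+                        try:
+                            to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+                            to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+                        except:
+                            bb.note("%s: Failed to compare %s %s %s for %s" %
+                                    (product, pv, operator_end, version_end, cve))
+                            to_append_end = False
+                    else:
+                        to_append_end = False
+
+                    if operator_start and operator_end:
+                        to_append = to_append_start and to_append_end
+                    else:
+                        to_append = to_append_start or to_append_end
+
+                    if to_append:
+                        cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
     conn.close()
 
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves):
 
 def get_cve_info(d, cves):
     """
-    Get CVE information from the database used by cve-check-tool.
+    Get CVE information from the database.
 
     Unfortunately the only way to get CVE info is set the output to
     html (hard to parse) or query directly the database.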
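Review bot: In the new version-range branch of check_cves (hunk @@ -189,27 +189,53 @@), a LooseVersion comparison that raises leaves `to_append_start` / `to_append_end` at False, so a CVE whose NVD version bounds cannot be parsed is silently classified as not affecting the recipe — a false negative reported only at bb.note level; consider failing closed (`to_append_start = True` plus a `bb.warn`) or at least logging at warning level so unparsable ranges get reviewed, and narrow the two bare `except:` clauses to `except Exception:` so KeyboardInterrupt is not swallowed. The `{1}` placeholder was dropped from the query but `c.execute(query.format(product, pv))` still passes `pv`; since `product` comes from recipe metadata rather than a fixed list, `c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?;", (product,))` would both remove the dead argument and keep the value out of the SQL text. The `bb.debug(2, "%s-%s is not patched for %s" ...)` on new line 239 appears to sit outside the `if to_append:` block (indentation is not recoverable from this rendering), in which case it is also emitted for CVEs that were just judged not applicable. check_cves begins before this hunk.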
