[oe-commits] [openembedded-core] 06/49: cve-check: Consider CVE that affects versions with less than operator

git at git.openembedded.org git at git.openembedded.org
Wed Nov 6 20:44:53 UTC 2019 

This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch sumo-next
in repository openembedded-core.

commit 70046288894184477dcf6f7eba25b1994b88c8de
Author: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
AuthorDate: Wed Nov 6 17:37:19 2019 +0200

    cve-check: Consider CVE that affects versions with less than operator
    
    In the NVD json CVE feed, affected versions can be strictly matched to a
    version, but they can also be matched with the operator '<='.
    
    Add a new condition in the sqlite query to match affected versions that
    are defined with the operator '<='. Then use LooseVersion to discard all
    versions that are not relevant.
    
    (From OE-Core rev: 3bf63bc60848d91e90c23f6d854d22b78832aa2d)
    
    Signed-off-by: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/classes/cve-check.bbclass | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e7540b8..379f712 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
     Connect to the NVD database and find unpatched cves.
     """
     import ast, csv, tempfile, subprocess, io
+    from distutils.version import LooseVersion
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+    query = """SELECT * FROM PRODUCTS WHERE
+               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
     for idx in range(len(bpn)):
-        for row in c.execute(query % (bpn[idx],pv)):
+        for row in c.execute(query.format(bpn[idx],pv)):
             cve = row[1]
+            version = row[4]
+
+            try:
+                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            except:
+                discardVersion = True
+
             if pv in cve_whitelist.get(cve,[]):
                 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
+            elif discardVersion:
+                bb.debug(2, "Do not consider version %s " % (version))
             else:
                 cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))

-- 
To stop receiving notification emails like this one, please contact
the administrator of this repository.

More information about the Openembedded-commits mailing list