[OE-core] [PATCH 3/3] cve-check.bbclass: Add class
Mariano Lopez
mariano.lopez at linux.intel.com
Mon Feb 29 20:06:02 UTC 2016
On 02/29/2016 08:50 AM, Burton, Ross wrote:
> On 24 February 2016 at 15:27, <mariano.lopez at linux.intel.com> wrote:
>
> +do_cve_check[depends] = "cve-check-tool-native:do_populate_cve_db"
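Review bot: the dependency relies on `cve-check-tool-native:do_populate_cve_db` pulling in `do_populate_sysroot` transitively, which is not obvious from this line alone; a one-line comment above it stating that would save the next reader the question raised in this thread.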
>
>
>
> And cve-check-tool-native:do_populate_sysroot.
cve-check-tool-native:do_populate_cve_db depends on
cve-check-tool-native:do_populate_sysroot, so adding it there would be
redundant.
>
> +def get_patches_cves(d):
> + """
> + Get patches that solve CVEs using the "CVE: " tag.
> + """
> +
> + import re
> +
> + pn = d.getVar("PN", True)
> + cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
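Review bot: the pattern on the `cve_match` line should be a raw string. `"\-"` and `"\d"` are not recognised Python string escapes, so they pass through unchanged today, but newer Python versions emit a warning for unknown escapes, and `r"CVE:( CVE-\d+-\d+)+"` expresses the same pattern without escaping `-` at all. `pn` is also assigned but not used anywhere in the quoted lines; drop it or move it next to its first use.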
>
>
> How does this work as the backslashes are escaping the - and d and d?
> Use r"" strings.
The backslashes just escape the "-", the "d" is the same as with the raw
string. I don't really see the need to use r"" here.
>
> + patched_cves = set()
> + for url in src_patches(d):
> + patch_file = bb.fetch.decodeurl(url)[2]
> + with open(patch_file, "r") as f:
> + patch_text = f.read()
> +
> + # Search for the "CVE: " line
> + match = cve_match.search(patch_text)
> + if match:
> + # Get only the CVEs without the "CVE: " tag
> + cves = patch_text[match.start()+5:match.end()]
> + for cve in cves.split():
> + patched_cves.add(cve)
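Review bot: `cve_match.search()` returns only the first match, so a patch that carries more than one `CVE:` line, or separates ids with commas instead of single spaces, records only the first run of ids; the `match.start()+5` slice also hard-codes the length of `"CVE: "`. Scanning each line that starts with `CVE:` and collecting `re.findall(r"CVE-\d{4}-\d+", line)` on it, as suggested in this thread, catches every tag line and needs no magic offset.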
>
>
> Breaks for patches such as this in glibc:
>
> meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch:CVE: CVE-2015-9761
> patch #1
>
> I'd probably look for a line that starts with "CVE:" and the use
> re.findall to find all strings matching r"CVE-\d{4}-\d+"
What do you mean by break? It does catch the CVE just fine, to test it
just revert the glibc 2.23 update. I find it cleaner to match the string in
a single operation instead of searching for the tag line by line and
then match the CVEs.
> +def get_cve_info(d, cves):
> + """
> + Get CVE information from the database used by cve-check-tool.
> + """
> +
> + try:
> + import sqlite3
> + except ImportError:
> + from pysqlite2 import dbapi2 as sqlite3
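Review bot: reading the sqlite database directly couples this class to cve-check-tool's schema, and nothing in the `do_populate_cve_db` dependency pins which schema the queries expect; the docstring should name the tables and columns the function relies on so a schema change in the tool is caught at review rather than at runtime, and the `pysqlite2` fallback deserves a comment saying which host setups need it.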
>
>
> Isn't the output from cve-check-tool good enough? Would it be nicer to
> extend the log instead of assuming that the database format won't ever
> change?
The output from cve-check-tool is only the CVE number, if that is good
enough, the query to the database can be removed.
>
> +def cve_write_data(d, patched, unpatched, cve_data):
> + """
> + Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
> + CVE manifest if enabled.
> + """
> +
> + from bb.utils import mkdirhier
> +
> + cve_file = d.getVar("CVE_CHECK_LOCAL_FILE", True)
> + nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
> + write_string = ""
> + mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR", True))
> +
> + for cve in sorted(cve_data):
> + write_string += "PACKAGE NAME: %s\n" % d.getVar("PN", True)
> + write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV",
> True)
> + write_string += "CVE: %s\n" % cve
> + if cve in patched:
> + write_string += "CVE STATUS: Patched\n"
> + else:
> + write_string += "CVE STATUS: Unpatched\n"
> + bb.warn("Found unpatched CVE, for more information
> check %s" % cve_file)
> + write_string += "CVE SUMMARY: %s\n" %
> cve_data[cve]["summary"]
> + write_string += "CVSS v2 BASE SCORE: %s\n" %
> cve_data[cve]["score"]
> + write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
> + write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
> cve)
> +
> + with open(cve_file, "w") as f:
> + f.write(write_string)
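Review bot: `bb.warn` fires inside the loop once per unpatched CVE, each time with the identical text pointing at `cve_file`, so a package with many unpatched entries floods the log with the same warning; either count the unpatched CVEs in the loop and emit one warning after it, or include the CVE id in each message so the warnings carry distinct information. `d.getVar("PN", True)` and `PV` are also looked up on every iteration; read them once before the loop.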
>
>
> Just write to the file instead of to a temporary string.
The temporary string is used for two other files, one could be copied,
but the other appends the string content.
>
> Ross
I have implemented the rest of the comments, just need your input before
sending a new version.
Mariano
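An added example, not code from the patch under review or from either reviewer: both tag-extraction strategies discussed above side by side, the single `search()` over the whole patch text and the line-oriented `re.findall` approach, run over constructed patch headers (a glibc-style line with trailing text, and a patch carrying two `CVE:` lines) so the cases where they agree and differ are visible.

```python
import re

# Equivalent of the pattern in the posted hunk, written as a raw string.
TAG_RE = re.compile(r"CVE:( CVE-\d+-\d+)+")
# Id pattern for the line-oriented alternative.
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d+")


def cves_single_match(patch_text):
    """Posted approach: one search(), then slice off the 'CVE: ' prefix."""
    match = TAG_RE.search(patch_text)
    if not match:
        return set()
    return set(patch_text[match.start() + 5:match.end()].split())


def cves_per_tag_line(patch_text):
    """Line-oriented approach: every line starting with 'CVE:' is scanned
    with findall, so multiple tag lines and comma-separated ids are kept."""
    found = set()
    for line in patch_text.splitlines():
        if line.startswith("CVE:"):
            found.update(CVE_ID_RE.findall(line))
    return found


# Constructed sample in the style of the glibc patch quoted in the thread.
GLIBC_STYLE = """\
Subject: fix

CVE: CVE-2015-9761 patch #1
Upstream-Status: Backport
"""

# Constructed sample: two tag lines, the second with comma-separated ids.
TWO_TAGS = """\
CVE: CVE-2016-1234
CVE: CVE-2016-5678, CVE-2016-9999
"""

if __name__ == "__main__":
    for name, text in (("glibc-style", GLIBC_STYLE), ("two-tags", TWO_TAGS)):
        print(name, sorted(cves_single_match(text)), sorted(cves_per_tag_line(text)))
```

On the glibc-style header both functions return the same single id; on the two-line header only the line-oriented version reports all three.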