[OE-core] [PATCH 2/4] cve-check: Remove dependency to cve-check-tool-native
Burton, Ross
ross.burton at intel.com
Wed Jun 19 14:59:40 UTC 2019
Does this mean we can delete the cve-check-tool recipe itself too?
Ross
On Wed, 19 Jun 2019 at 15:03, Pierre Le Magourou <lemagoup at gmail.com> wrote:
>
> From: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
>
> Use the new update-cve-db recipe to update database.
>
> Signed-off-by: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
> ---
> meta/classes/cve-check.bbclass | 71 ++++++++++++++++--------------------------
> 1 file changed, 26 insertions(+), 45 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 743bc08a4f..28619c7bd4 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
> CVE_VERSION ??= "${PV}"
>
> CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
> -CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
> +CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"
>
> CVE_CHECK_LOG ?= "${T}/cve.log"
> CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
> @@ -62,7 +62,7 @@ python do_cve_check () {
> }
>
> addtask cve_check after do_unpack before do_build
> -do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
> +do_cve_check[depends] = "cve-update-db:do_populate_cve_db"
> do_cve_check[nostamp] = "1"
>
> python cve_check_cleanup () {
> @@ -163,61 +163,40 @@ def get_patches_cves(d):
>
> def check_cves(d, patched_cves):
> """
> - Run cve-check-tool looking for patched and unpatched CVEs.
> + Connect to the NVD database and find unpatched cves.
> """
> -
> import ast, csv, tempfile, subprocess, io
>
> - cves_patched = []
> cves_unpatched = []
> bpn = d.getVar("CVE_PRODUCT")
> # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
> if not bpn:
> return ([], [])
> pv = d.getVar("CVE_VERSION").split("+git")[0]
> - cves = " ".join(patched_cves)
> - cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
> cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
> - cve_cmd = "cve-check-tool"
> - cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
>
> # If the recipe has been whitlisted we return empty lists
> if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
> bb.note("Recipe has been whitelisted, skipping check")
> return ([], [])
>
> - try:
> - # Write the faux CSV file to be used with cve-check-tool
> - fd, faux = tempfile.mkstemp(prefix="cve-faux-")
> - with os.fdopen(fd, "w") as f:
> - for pn in bpn.split():
> - f.write("%s,%s,%s,\n" % (pn, pv, cves))
> - cmd.append(faux)
> -
> - output = subprocess.check_output(cmd).decode("utf-8")
> - bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
> - except subprocess.CalledProcessError as e:
> - bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
> - finally:
> - os.remove(faux)
> -
> - for row in csv.reader(io.StringIO(output)):
> - # Third row has the unpatched CVEs
> - if row[2]:
> - for cve in row[2].split():
> - # Skip if the CVE has been whitlisted for the current version
> - if pv in cve_whitelist.get(cve,[]):
> - bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
> - else:
> - cves_unpatched.append(cve)
> - bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
> - # Fourth row has patched CVEs
> - if row[3]:
> - for cve in row[3].split():
> - cves_patched.append(cve)
> - bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve))
> -
> - return (cves_patched, cves_unpatched)
> + import sqlite3
> + db_file = d.getVar("CVE_CHECK_DB_FILE")
> + conn = sqlite3.connect(db_file)
> + c = conn.cursor()
> + query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
> + for row in c.execute(query % (bpn,pv)):
> + cve = row[1]
> + if pv in cve_whitelist.get(cve,[]):
> + bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
> + elif cve in patched_cves:
> + bb.note("%s has been patched" % (cve))
> + else:
> + cves_unpatched.append(cve)
> + bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
> + conn.close()
> +
> + return (list(patched_cves), cves_unpatched)
>
> def get_cve_info(d, cves):
> """
> @@ -241,9 +220,10 @@ def get_cve_info(d, cves):
> for row in cur.execute(query, tuple(cves)):
> cve_data[row[0]] = {}
> cve_data[row[0]]["summary"] = row[1]
> - cve_data[row[0]]["score"] = row[2]
> - cve_data[row[0]]["modified"] = row[3]
> - cve_data[row[0]]["vector"] = row[4]
> + cve_data[row[0]]["scorev2"] = row[2]
> + cve_data[row[0]]["scorev3"] = row[3]
> + cve_data[row[0]]["modified"] = row[4]
> + cve_data[row[0]]["vector"] = row[5]
> conn.close()
>
> return cve_data
> @@ -270,7 +250,8 @@ def cve_write_data(d, patched, unpatched, cve_data):
> unpatched_cves.append(cve)
> write_string += "CVE STATUS: Unpatched\n"
> write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
> - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
> + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
> + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
> write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
> write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
>
> --
> 2.11.0
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core
More information about the Openembedded-core
mailing list