[oe] [PATCH] cve-check.bbclass: detect patched CVE's also from patch file names

akuster808 akuster808 at gmail.com
Mon Sep 4 23:36:36 UTC 2017


Mikko,

wrong ML. I think you want openembedded-core at lists.openembedded.org


-armin


On 09/01/2017 07:28 AM, Mikko Rapeli wrote:
> While poky master branch has been fixed so that all CVE patch files have
> the:
>
> CVE: CVE-2017-1234556
>
> strings in the patch comments, many older versions of poky and other meta
> layers are not, but the CVE patches quite often have the CVE id in the
> patch file name.
>
> If the CVE: string is also found, there are no duplicates in the report.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli at bmw.de>
> ---
>   meta/classes/cve-check.bbclass | 16 +++++++++++++++-
>   1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index f44bbed..bc2f03f 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -118,10 +118,24 @@ def get_patches_cves(d):
>   
>       pn = d.getVar("PN")
>       cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
> +
> +    # Matches last CVE-1234-211432 in the file name, also if written
> +    # with small letters. Not supporting multiple CVE id's in a single
> +    # file name.
> +    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
> +
>       patched_cves = set()
>       bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
>       for url in src_patches(d):
>           patch_file = bb.fetch.decodeurl(url)[2]
> +
> +        # Check patch file name for CVE ID
> +        fname_match = cve_file_name_match.search(patch_file)
> +        if fname_match:
> +            cve = fname_match.group(1).upper()
> +            patched_cves.add(cve)
> +            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
> +
>           with open(patch_file, "r", encoding="utf-8") as f:
>               try:
>                   patch_text = f.read()
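Review bot: the new `cve_file_name_match` at the top of this hunk is searched against the full path returned by `bb.fetch.decodeurl(url)[2]`, not just the file name, so a CVE-shaped component anywhere in the directory path (a recipe or layer directory named after a CVE, for instance) would mark every patch beneath it as fixing that CVE. Suggest matching on `os.path.basename(patch_file)` instead. On the same line, `".*([Cc][Vv][Ee]\-\d{4}\-\d+)"` is a non-raw string containing `\-` and `\d`, which newer Python 3 flags as invalid escape sequences; a raw pattern with `re.IGNORECASE`, e.g. `re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)`, expresses the same "last id, any case" intent more clearly and keeps the `.upper()` below unchanged.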
> @@ -140,7 +154,7 @@ def get_patches_cves(d):
>               for cve in cves.split():
>                   bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
>                   patched_cves.add(cve)
> -        else:
> +        elif not fname_match:
>               bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>   
>       return patched_cves
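Review bot: `elif not fname_match:` is correct only because `fname_match` is assigned unconditionally at the top of the loop body in the previous hunk, and the `if` this branch pairs with lies outside the visible context, so a one-line comment such as `# Only report a miss when neither the file name nor a CVE: tag named a CVE` would make the intent obvious to the next reader. The message text "Patch %s doesn't solve CVEs" is also now slightly misleading, since the check says only that no CVE id was found in either place; "Patch %s doesn't mention any CVE" would match what is actually tested.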

More information about the Openembedded-devel mailing list