[oe] [PATCH] cve-check.bbclass: detect patched CVE's also from patch file names
akuster808
akuster808 at gmail.com
Mon Sep 4 23:36:36 UTC 2017
Mikko,
wrong ML. I think you want openembedded-core at lists.openembedded.org
-armin
On 09/01/2017 07:28 AM, Mikko Rapeli wrote:
> While poky master branch has been fixed so that all CVE patch files have
> the:
>
> CVE: CVE-2017-1234556
>
> strings in the patch comments, many older versions of poky and other meta
> layers are not, but the CVE patches quite often have the CVE id in the
> patch file name.
>
> If the CVE: string is also found, there are no duplicates in the report.
>
> Signed-off-by: Mikko Rapeli <mikko.rapeli at bmw.de>
> ---
> meta/classes/cve-check.bbclass | 16 +++++++++++++++-
> 1 file changed, 15 insertions(+), 1 deletion(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index f44bbed..bc2f03f 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -118,10 +118,24 @@ def get_patches_cves(d):
>
> pn = d.getVar("PN")
> cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
> +
> + # Matches last CVE-1234-211432 in the file name, also if written
> + # with small letters. Not supporting multiple CVE id's in a single
> + # file name.
> + cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
> +
> patched_cves = set()
> bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
> for url in src_patches(d):
> patch_file = bb.fetch.decodeurl(url)[2]
> +
> + # Check patch file name for CVE ID
> + fname_match = cve_file_name_match.search(patch_file)
> + if fname_match:
> + cve = fname_match.group(1).upper()
> + patched_cves.add(cve)
> + bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
> +
> with open(patch_file, "r", encoding="utf-8") as f:
> try:
> patch_text = f.read()
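Review bot: `cve_file_name_match` is searched against the full path returned by `bb.fetch.decodeurl(url)[2]`, so a CVE id in a directory component (for example a `cve-2017-1234/` subdirectory holding an unrelated `fix.patch`) is recorded as patched just like one in the file name; if only the file name is meant, search `os.path.basename(patch_file)`. Two smaller points on the same lines: the comment says only the last id in a name is kept, but `re.findall("CVE-\d{4}-\d+", patch_file, re.IGNORECASE)` would collect all of them and replace the `[Cc][Vv][Ee]` spelling, and the pattern strings (the existing `cve_match` as well) are not raw strings, so `\-` and `\d` are invalid escape sequences that Python 3.6+ warns about.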
> @@ -140,7 +154,7 @@ def get_patches_cves(d):
> for cve in cves.split():
> bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
> patched_cves.add(cve)
> - else:
> + elif not fname_match:
> bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
>
> return patched_cves
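Review bot: `elif not fname_match:` correctly stops the "doesn't solve CVEs" message when the name matched, but the case where both sources are present and disagree (file name carries one id, the `CVE:` tag lists a different one) is still silent: both ids go into `patched_cves` and nothing in the log points at the mislabelled patch. A `bb.warn` when `fname_match.group(1).upper()` is not among `cves.split()` would surface that. Note also that this `elif` only works because the earlier hunk assigns `fname_match` unconditionally at the top of every loop iteration; that assignment must stay unconditional.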
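The detection the patch describes, written out as a stand-alone added example (not the cve-check.bbclass code and not part of this thread): CVE ids are taken from the `CVE:` tag in the patch header and from the patch file name, normalised to upper case and merged into one set so a patch that carries the id in both places is reported once. It goes slightly beyond the posted patch, which is stated in the comments: all ids in a file name are collected rather than only the last, only the base name is searched rather than the whole path, and a patch whose file name and `CVE:` tag name different ids is reported separately. The sample patch paths and contents are constructed for this example.

```python
import os
import re

# Every CVE id in a file name, case-insensitive. The posted patch keeps only
# the last one via ".*(...)" and search(); findall collects all of them.
CVE_IN_NAME = re.compile(r"cve-\d{4}-\d+", re.IGNORECASE)

# The "CVE: CVE-YYYY-NNNN [CVE-YYYY-NNNN ...]" tag poky requires in patch
# headers, same shape as cve_match in cve-check.bbclass.
CVE_TAG = re.compile(r"CVE:((?: CVE-\d{4}-\d+)+)")


def cves_from_file_name(path):
    """CVE ids found in the file name only; directory components are ignored."""
    return {m.upper() for m in CVE_IN_NAME.findall(os.path.basename(path))}


def cves_from_patch_text(text):
    """CVE ids listed on CVE: tag lines anywhere in the patch text."""
    found = set()
    for match in CVE_TAG.finditer(text):
        found.update(match.group(1).split())
    return found


def collect_patched_cves(patches):
    """patches: mapping of patch path -> patch text.

    Returns (patched, conflicts): the union of ids from both sources, and a
    list of (path, from_name, from_text) for patches whose file name and
    CVE: tag name disjoint sets of ids, which deserve a look in review.
    """
    patched = set()
    conflicts = []
    for path, text in patches.items():
        from_name = cves_from_file_name(path)
        from_text = cves_from_patch_text(text)
        if from_name and from_text and not (from_name & from_text):
            conflicts.append((path, from_name, from_text))
        patched |= from_name | from_text
    return patched, conflicts


# Constructed sample patches; paths and contents are made up for this example.
SAMPLE_PATCHES = {
    "files/CVE-2017-1234.patch": "Upstream-Status: Backport\n\nfix bounds check\n",
    "files/fix-parser.patch": "CVE: CVE-2017-2222 CVE-2017-3333\n\nfix parser\n",
    "files/cve-2017-4444.patch": "CVE: CVE-2017-4444\n\nsame id in both places\n",
    "files/cve-2017-5555-cve-2017-6666.patch": "two ids in the name, no tag\n",
    "files/CVE-2017-7777.patch": "CVE: CVE-2017-8888\n\nname and tag disagree\n",
    "files/cve-2017-9999/fix.patch": "CVE: CVE-2017-9999\n\nid only in the directory\n",
    "files/unrelated.patch": "no CVE reference at all\n",
}

if __name__ == "__main__":
    patched, conflicts = collect_patched_cves(SAMPLE_PATCHES)
    for cve in sorted(patched):
        print("patched:", cve)
    for path, from_name, from_text in conflicts:
        print("check %s: name says %s, tag says %s"
              % (path, sorted(from_name), sorted(from_text)))
```

On the sample set this reports nine ids and flags `files/CVE-2017-7777.patch`, whose header claims a different CVE than its name; the posted patch would record both ids for that file without comment. The base-name restriction is a deliberate difference from the patch, which searches the full path.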