[PATCH 4/4] cve-check: Consider CVE that affects versions with less than operator

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pierre Le Magourou <lemagoup@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 4/4] cve-check: Consider CVE that affects versions with less than operator
Date: Wed, 19 Jun 2019 15:59:40 +0200	[thread overview]
Message-ID: <20190619135940.18544-4-lemagoup@gmail.com> (raw)
In-Reply-To: <20190619135940.18544-1-lemagoup@gmail.com>

From: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>

In the NVD json CVE feed, affected versions can be strictly matched to a
version, but they can also be matched with the operator '<='.

Add a new condition in the sqlite query to match affected versions that
are defined with the operator '<='. Then use LooseVersion to discard all
versions that are not relevant.

Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
---
 meta/classes/cve-check.bbclass | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e7540b8c1f..379f7121cc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
     Connect to the NVD database and find unpatched cves.
     """
     import ast, csv, tempfile, subprocess, io
+    from distutils.version import LooseVersion
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+    query = """SELECT * FROM PRODUCTS WHERE
+               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
     for idx in range(len(bpn)):
-        for row in c.execute(query % (bpn[idx],pv)):
+        for row in c.execute(query.format(bpn[idx],pv)):
             cve = row[1]
+            version = row[4]
+
+            try:
+                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            except:
+                discardVersion = True
+
             if pv in cve_whitelist.get(cve,[]):
                 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
+            elif discardVersion:
+                bb.debug(2, "Do not consider version %s " % (version))
             else:
                 cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
-- 
2.11.0

next prev parent reply	other threads:[~2019-06-19 14:00 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-19 13:59 [PATCH 1/4] cve-update-db: New recipe to update CVE database Pierre Le Magourou
2019-06-19 13:59 ` [PATCH 2/4] cve-check: Remove dependency to cve-check-tool-native Pierre Le Magourou
2019-06-19 14:59   ` Burton, Ross
2019-06-19 15:58     ` Pierre Le Magourou
2019-06-19 13:59 ` [PATCH 3/4] cve-check: Manage CVE_PRODUCT with more than one name Pierre Le Magourou
2019-06-19 13:59 ` Pierre Le Magourou [this message]
2019-06-19 20:21 ` [PATCH 1/4] cve-update-db: New recipe to update CVE database Adrian Bunk
2019-06-20  9:36   ` Pierre Le Magourou
2019-06-21 11:03     ` Mikko.Rapeli
2019-06-21 11:42       ` Alexander Kanavin
2019-06-21 11:48         ` Mikko.Rapeli
2019-06-21 12:03           ` Alexander Kanavin
2019-06-21 12:15             ` Mikko.Rapeli
2019-06-21 12:29       ` Burton, Ross
2019-06-21 13:01         ` Mikko.Rapeli
2019-06-25  8:48           ` Pierre Le Magourou
2019-06-25 12:54             ` Burton, Ross
2019-06-24  8:32         ` Pierre Le Magourou
2019-06-24  9:46           ` Burton, Ross
2019-06-27  7:31 ` Richard Purdie
2019-06-27  9:10   ` Pierre Le Magourou

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e7540b8c1 dfblob:379f7121c )
 OR (
bs:"[PATCH 4/4] cve-check: Consider CVE that affects versions with less than operator" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190619135940.18544-4-lemagoup@gmail.com \
    --to=lemagoup@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.