From: Pierre Le Magourou <lemagoup@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [meta-oe][PATCH 3/3] cve-check: Update unpatched CVE matching
Date: Thu, 4 Jul 2019 17:19:08 +0200 [thread overview]
Message-ID: <20190704151908.5094-3-lemagoup@gmail.com> (raw)
In-Reply-To: <20190704151908.5094-1-lemagoup@gmail.com>
From: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Now that cve-update-db added CPE information to NVD database. We can
check for unpatched versions with operators '<', '<=', '>', and '>='.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
---
meta/classes/cve-check.bbclass | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6ffa0c4688..ffd624333f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves):
conn = sqlite3.connect(db_file)
c = conn.cursor()
- query = """SELECT * FROM PRODUCTS WHERE
- (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
- (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
+ query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
+
for product in products:
for row in c.execute(query.format(product, pv)):
cve = row[1]
- version = row[4]
-
- try:
- discardVersion = LooseVersion(version) < LooseVersion(pv)
- except:
- discardVersion = True
+ version_start = row[4]
+ operator_start = row[5]
+ version_end = row[6]
+ operator_end = row[7]
if pv in cve_whitelist.get(cve, []):
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
- elif discardVersion:
- bb.debug(2, "Do not consider version %s " % (version))
else:
- cves_unpatched.append(cve)
+ if (operator_start == '=' and pv == version_start):
+ cves_unpatched.append(cve)
+ else:
+ if operator_start:
+ try:
+ to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_start, version_start, cve))
+ to_append_start = False
+ else:
+ to_append_start = False
+
+ if operator_end:
+ try:
+ to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_end, version_end, cve))
+ to_append_end = False
+ else:
+ to_append_end = False
+
+ if operator_start and operator_end:
+ to_append = to_append_start and to_append_end
+ else:
+ to_append = to_append_start or to_append_end
+
+ if to_append:
+ cves_unpatched.append(cve)
bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
conn.close()
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves):
def get_cve_info(d, cves):
"""
- Get CVE information from the database used by cve-check-tool.
+ Get CVE information from the database.
Unfortunately the only way to get CVE info is set the output to
html (hard to parse) or query directly the database.
--
2.11.0
next prev parent reply other threads:[~2019-07-04 15:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-04 15:19 [meta-oe][PATCH 1/3] cve-check: Depends on cve-update-db-native Pierre Le Magourou
2019-07-04 15:19 ` [meta-oe][PATCH 2/3] cve-update-db: Use NVD CPE data to populate PRODUCTS table Pierre Le Magourou
2019-07-04 15:19 ` Pierre Le Magourou [this message]
2019-07-04 15:30 ` ✗ patchtest: failure for "[meta-oe] cve-check: Depends o..." and 2 more Patchwork
2019-07-04 16:53 ` [meta-oe][PATCH 1/3] cve-check: Depends on cve-update-db-native Richard Purdie
2019-07-05 9:34 ` Pierre Le Magourou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190704151908.5094-3-lemagoup@gmail.com \
--to=lemagoup@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.