[PATCH] Fix cve-check false negative

[PATCH] Fix cve-check false negative

[Geoffrey GIRY]

Fixes [YOCTO #14127]

NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.

Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
---
 meta/classes/cve-check.bbclass            |  5 ++-
 meta/lib/oe/cve_check.py                  | 39 +++++++++++++++++++++++
 meta/lib/oeqa/selftest/cases/cve_check.py | 19 +++++++++++
 3 files changed, 62 insertions(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 41fdf8363f..5e2da56046 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -260,7 +260,7 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from oe.cve_check import Version
+    from oe.cve_check import Version, convert_cve_version
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
@@ -324,6 +324,9 @@ def check_cves(d, patched_cves):
                 if cve in cve_ignore:
                     ignored = True
 
+                version_start = convert_cve_version(version_start)
+                version_end = convert_cve_version(version_end)
+
                 if (operator_start == '=' and pv == version_start) or version_start == '-':
                     vulnerable = True
                 else:
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 4f1d80f050..dbaa0b373a 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -179,3 +179,42 @@ def update_symlinks(target_path, link_path):
         if os.path.exists(os.path.realpath(link_path)):
             os.remove(link_path)
         os.symlink(os.path.basename(target_path), link_path)
+
+
+def convert_cve_version(version):
+    """
+    This function converts from CVE format to Yocto version format.
+    eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+
+    Unless it is redefined using CVE_VERSION in the recipe,
+    cve_check uses the version in the name of the recipe (${PV})
+    to check vulnerabilities against a CVE in the database downloaded from NVD.
+
+    When the version has an update, i.e.
+    "p1" in OpenSSH 8.3p1,
+    "-rc1" in linux kernel 6.2-rc1,
+    the database stores the version as version_update (8.3_p1, 6.2_rc1).
+    Therefore, we must transform this version before comparing to the
+    recipe version.
+
+    In this case, the parameter of the function is 8.3_p1.
+    If the version uses the Release Candidate format, "rc",
+    this function replaces the '_' by '-'.
+    If the version uses the Update format, "p",
+    this function removes the '_' completely.
+    """
+    import re
+
+    matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+
+    if not matches:
+        return version
+
+    version = matches.group(1)
+    update = matches.group(2)
+
+    if matches.group(3) == "rc":
+        return version + '-' + update
+
+    return version + update
+
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index ac47af1990..9534c9775c 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -54,6 +54,25 @@ class CVECheck(OESelftestTestCase):
         self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'")
 
 
+    def test_convert_cve_version(self):
+        from oe.cve_check import convert_cve_version
+
+        # Default format
+        self.assertEqual(convert_cve_version("8.3"), "8.3")
+        self.assertEqual(convert_cve_version(""), "")
+
+        # OpenSSL format version
+        self.assertEqual(convert_cve_version("1.1.1t"), "1.1.1t")
+
+        # OpenSSH format
+        self.assertEqual(convert_cve_version("8.3_p1"), "8.3p1")
+        self.assertEqual(convert_cve_version("8.3_p22"), "8.3p22")
+
+        # Linux kernel format
+        self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8")
+        self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31")
+
+
     def test_recipe_report_json(self):
         config = """
 INHERIT += "cve-check"
-- 
2.30.2

Re: [OE-core] [PATCH] Fix cve-check false negative

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 541 bytes --]

On Tue, Mar 28, 2023 at 12:24 PM Geoffrey GIRY <geoffrey.giry@smile.fr>
wrote:

> Fixes [YOCTO #14127]
>
> NVD DB store version and update in the same value, separated by '_'.
> The proposed patch check if the version from NVD DB contains a "_",
> ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
>
>
Thank you for the patch. Which layers (and world builds) have you verified
it with?
I'm asking because versioning is always a complicated problems with
frequent exceptions to all "rules".

Kind regards,
Marta

[-- Attachment #2: Type: text/html, Size: 1047 bytes --]

Re: [OE-core] [PATCH] Fix cve-check false negative

[Geoffrey GIRY]

Hello Marta,

We only tested core-image-minimal and some recipes that use the update
and release candidate formats (pX and -rcX)

Geoffrey GIRY
SMILE ECS - R&D Engineer

Le mer. 29 mars 2023 à 06:45, Marta Rybczynska <rybczynska@gmail.com> a écrit :
>
> On Tue, Mar 28, 2023 at 12:24 PM Geoffrey GIRY <geoffrey.giry@smile.fr> wrote:
>>
>> Fixes [YOCTO #14127]
>>
>> NVD DB store version and update in the same value, separated by '_'.
>> The proposed patch check if the version from NVD DB contains a "_",
>> ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
>>
>
> Thank you for the patch. Which layers (and world builds) have you verified it with?
> I'm asking because versioning is always a complicated problems with frequent exceptions to all "rules".
>
> Kind regards,
> Marta

Re: [OE-core] [PATCH] Fix cve-check false negative

[Marta Rybczynska]

[-- Attachment #1: Type: text/plain, Size: 1205 bytes --]

Hello Geoffrey,
Would it be possible to run it over the world build of oe-core and possibly
meta-oe ?

My build farm will be available only next week and I would like to know if
there are unexpected changes.

Kind regards,
Marta

On Wed, Mar 29, 2023 at 3:31 PM Geoffrey GIRY <geoffrey.giry@smile.fr>
wrote:

> Hello Marta,
>
> We only tested core-image-minimal and some recipes that use the update
> and release candidate formats (pX and -rcX)
>
> Geoffrey GIRY
> SMILE ECS - R&D Engineer
>
> Le mer. 29 mars 2023 à 06:45, Marta Rybczynska <rybczynska@gmail.com> a
> écrit :
> >
> > On Tue, Mar 28, 2023 at 12:24 PM Geoffrey GIRY <geoffrey.giry@smile.fr>
> wrote:
> >>
> >> Fixes [YOCTO #14127]
> >>
> >> NVD DB store version and update in the same value, separated by '_'.
> >> The proposed patch check if the version from NVD DB contains a "_",
> >> ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
> >>
> >
> > Thank you for the patch. Which layers (and world builds) have you
> verified it with?
> > I'm asking because versioning is always a complicated problems with
> frequent exceptions to all "rules".
> >
> > Kind regards,
> > Marta
>

[-- Attachment #2: Type: text/html, Size: 1825 bytes --]

Re: [OE-core] [PATCH] Fix cve-check false negative

[Alexandre Belloni]

Hello Marta,

On 31/03/2023 09:48:27+0200, Marta Rybczynska wrote:
> Hello Geoffrey,
> Would it be possible to run it over the world build of oe-core and possibly
> meta-oe ?
> 

It has already run successfully and is already merged.

> My build farm will be available only next week and I would like to know if
> there are unexpected changes.
> 
> Kind regards,
> Marta
> 
> On Wed, Mar 29, 2023 at 3:31 PM Geoffrey GIRY <geoffrey.giry@smile.fr>
> wrote:
> 
> > Hello Marta,
> >
> > We only tested core-image-minimal and some recipes that use the update
> > and release candidate formats (pX and -rcX)
> >
> > Geoffrey GIRY
> > SMILE ECS - R&D Engineer
> >
> > Le mer. 29 mars 2023 à 06:45, Marta Rybczynska <rybczynska@gmail.com> a
> > écrit :
> > >
> > > On Tue, Mar 28, 2023 at 12:24 PM Geoffrey GIRY <geoffrey.giry@smile.fr>
> > wrote:
> > >>
> > >> Fixes [YOCTO #14127]
> > >>
> > >> NVD DB store version and update in the same value, separated by '_'.
> > >> The proposed patch check if the version from NVD DB contains a "_",
> > >> ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
> > >>
> > >
> > > Thank you for the patch. Which layers (and world builds) have you
> > verified it with?
> > > I'm asking because versioning is always a complicated problems with
> > frequent exceptions to all "rules".
> > >
> > > Kind regards,
> > > Marta
> >

> 
> -=-=-=-=-=-=-=-=-=-=-=-
> Links: You receive all messages sent to this group.
> View/Reply Online (#179402): https://lists.openembedded.org/g/openembedded-core/message/179402
> Mute This Topic: https://lists.openembedded.org/mt/97902020/3617179
> Group Owner: openembedded-core+owner@lists.openembedded.org
> Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [alexandre.belloni@bootlin.com]
> -=-=-=-=-=-=-=-=-=-=-=-
> 


-- 
Alexandre Belloni, co-owner and COO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

Re: [OE-core] [PATCH] Fix cve-check false negative

[Richard Purdie]

On Fri, 2023-03-31 at 10:59 +0200, Alexandre Belloni via
lists.openembedded.org wrote:
> Hello Marta,
> 
> On 31/03/2023 09:48:27+0200, Marta Rybczynska wrote:
> > Hello Geoffrey,
> > Would it be possible to run it over the world build of oe-core and possibly
> > meta-oe ?
> > 
> 
> It has already run successfully and is already merged.

It has merged but I think Marta's question is a valid one. The
autobuilder doesn't test this.

I'd note that our patchmetrics do for OE-Core:

https://autobuilder.yocto.io/pub/non-release/patchmetrics/cve-status-master.txt

and those don't look worse as a result. That doesn't cover meta-oe
though.

Cheers,

Richard

Re: [OE-core] [PATCH] Fix cve-check false negative

[Geoffrey GIRY]

Hello,

Marta Rybczynska wrote:
> Would it be possible to run it over the world build of oe-core and possibly meta-oe ?

I tried the following:

The command `bibake -c cve_check world` reports the same CVE with and
without the patch applied.
I did test for oe-core alone, and found the same results as the autobuilder.
I also did test with meta-oe and found the same result (many more CVE,
but the same appears with and without the patch).

Sincerely,
Geoffrey GIRY
SMILE ECS - R&D Engineer