From: Khem Raj <raj.khem@gmail.com>
To: Mikko Rapeli <mikko.rapeli@linaro.org>,
openembedded-core@lists.openembedded.org
Subject: Re: [OE-core] [PATCH v2] cve-check.bbclass: support embedded SW components with different version number
Date: Fri, 20 Oct 2023 08:54:14 -0700 [thread overview]
Message-ID: <473e1fb5-60a3-40fb-859d-e8d5e7011b81@gmail.com> (raw)
In-Reply-To: <20231020074926.230734-1-mikko.rapeli@linaro.org>
On 10/20/23 12:49 AM, Mikko Rapeli wrote:
> Many recipes embed other SW components. The name and version of the
> embedded SW component differs from the main recipe. To detect CVEs in the
> embedded SW component, it needs to be added to CVE_PRODUCT list using
> name of the SW product in CVE database or with "vendor:product" syntax.
> Then the version of the embedded SW component can be set using
> CVE_VERSION_product variable.
>
> For example in meta-arm, trusted-firmware-a embeds mbed_tls SW component.
> Thus trusted-firmware-a can add CVE_PRODUCT for it since CVE database
> uses product name "mbed_tls":
>
> CVE_PRODUCT += "mbed_tls"
>
> and set the version of mbed_tls:
>
> CVE_VERSION_mbed_tls = "2.28.4"
>
> (Real patches for both are a bit more complex due to conditional build
> enabling mbed_tls support and due to mbed_tls version being set in an
> .inc file.)
>
> Now trusted-firmware-a CVE check output shows:
>
> NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Started
> WARNING: trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0 do_cve_check: Found unpatched CVE (CVE-2021-36647 CVE-2021-43666 CVE-2021-45451 CVE-2023-43615), for more information check /home/builder/src/base/build/tmp/work/arm64-poky-linux/trusted-firmware-a/2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122/temp/cve.log
> NOTE: recipe trusted-firmware-a-2.9.0+gitd3e71ead6ea5bc3555ac90a446efec84ef6c6122-r0: task do_cve_check: Succeeded
>
> Here CVE-2023-43615 is a newly added and fixed CVE in version 2.28.5 and the CVEs
> from 2021 need to be checked but are likely fixed in 2.28.3 and newer 2.28.y releases.
>
> Note that CVE-2023-43615 does not impact trusted-firmware-a since it doesn't use
> TLS or null or RC4 ciphers, but I think it's a good idea to extend
> CVE checker for this use case. I hope the "CVE_VERSION_vendor:product"
> does not cause odd breakages.
>
This is a good improvement. There is one more kink to it, where the
vendored subpackage might be there in source but we might have
configured the recipe to use the system version of the package instead,
so how do we cater to such a situation?
> Signed-off-by: Mikko Rapeli <mikko.rapeli@linaro.org>
> ---
> meta/classes/create-spdx-2.2.bbclass | 2 +-
> meta/classes/cve-check.bbclass | 28 +++++++++++++++++++---------
> meta/lib/oe/cve_check.py | 5 ++---
> 3 files changed, 22 insertions(+), 13 deletions(-)
>
> v1: https://lists.openembedded.org/g/openembedded-core/message/189260
>
> v2: adapt SPDX too
>
> diff --git a/meta/classes/create-spdx-2.2.bbclass b/meta/classes/create-spdx-2.2.bbclass
> index b0aef80db1..5b842e67ee 100644
> --- a/meta/classes/create-spdx-2.2.bbclass
> +++ b/meta/classes/create-spdx-2.2.bbclass
> @@ -590,7 +590,7 @@ python do_create_spdx() {
> if patched_cves:
> recipe.sourceInfo = "CVEs fixed: " + patched_cves
>
> - cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
> + cpe_ids = oe.cve_check.get_cpe_ids(d, d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION"))
> if cpe_ids:
> for cpe_id in cpe_ids:
> cpe = oe.spdx.SPDXExternalReference()
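Review bot: get_cpe_ids() gains a leading `d` parameter in this hunk, so any other caller of oe.cve_check.get_cpe_ids must be updated in the same patch or it will fail with a TypeError at runtime; a grep across meta/ and the other SPDX classes before merging would confirm that this is the only call site. Since the helper now reads per-product versions from `d` itself, the remaining `d.getVar("CVE_PRODUCT")` and `d.getVar("CVE_VERSION")` arguments could be read inside the helper as well, shortening this call to `get_cpe_ids(d)`.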
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index b55f4299da..9c41d54188 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -309,7 +309,16 @@ def check_cves(d, patched_cves):
> # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
> if not products:
> return ([], [], [], [])
> - pv = d.getVar("CVE_VERSION").split("+git")[0]
> +
> + # Version is PV, CVE_VERSION or CVE_VERSION_%s where %s is one of the entries in CVE_PRODUCT.
> + # Enables checking embedded SW component CVEs provided that CVE_PRODUCT contains the embedded SW
> + # component and that version of that component is set via CVE_VERSION_embedded_component variable.
> + pv = {}
> + for product in products:
> + version = (d.getVar("CVE_VERSION_%s" % product) or "").split("+git")[0]
> + if version == "":
> + version = d.getVar("CVE_VERSION").split("+git")[0]
> + pv[product] = version
>
> # If the recipe has been skipped/ignored we return empty lists
> if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
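Review bot: the lookup `d.getVar("CVE_VERSION_%s" % product)` uses the CVE_PRODUCT entry verbatim as part of a variable name, so a vendor-qualified entry yields a name containing ':', which current BitBake treats as the override separator; as the cover letter itself worries, this hunk needs a test that `CVE_VERSION_vendor:product = "..."` set in a recipe is actually returned here rather than silently falling through to CVE_VERSION, because a silent fallback would check the embedded component against the main recipe's version and hide real CVEs. A less fragile spelling would be a varflag such as `CVE_VERSION[mbed_tls] = "2.28.4"` read with `d.getVarFlag("CVE_VERSION", product)`, or keying on the product part after the ':' split; whichever is chosen should be documented next to CVE_VERSION.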
> @@ -329,6 +338,7 @@ def check_cves(d, patched_cves):
>
> # For each of the known product names (e.g. curl has CPEs using curl and libcurl)...
> for product in products:
> + full_product = product
> cves_in_product = False
> if ":" in product:
> vendor, product = product.split(":", 1)
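Review bot: introducing `full_product` works around `product` being reassigned by the `split(":", 1)` two lines below; it would read better to keep `product` as the dictionary key and bind the vendor-stripped name to a new variable (e.g. `vendor, cpe_product = product.split(":", 1)`), so that `pv[product]` stays the obvious spelling throughout the loop and the later log messages can choose explicitly between the full and the stripped name.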
> @@ -341,7 +351,7 @@ def check_cves(d, patched_cves):
> cve = cverow[0]
>
> if cve in cve_ignore:
> - bb.note("%s-%s ignores %s" % (product, pv, cve))
> + bb.note("%s-%s ignores %s" % (product, pv[full_product], cve))
> cves_ignored.append(cve)
> continue
> elif cve in patched_cves:
> @@ -366,27 +376,27 @@ def check_cves(d, patched_cves):
> version_start = convert_cve_version(version_start)
> version_end = convert_cve_version(version_end)
>
> - if (operator_start == '=' and pv == version_start) or version_start == '-':
> + if (operator_start == '=' and pv[full_product] == version_start) or version_start == '-':
> vulnerable = True
> else:
> if operator_start:
> try:
> - vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
> - vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
> + vulnerable_start = (operator_start == '>=' and Version(pv[full_product],suffix) >= Version(version_start,suffix))
> + vulnerable_start |= (operator_start == '>' and Version(pv[full_product],suffix) > Version(version_start,suffix))
> except:
> bb.warn("%s: Failed to compare %s %s %s for %s" %
> - (product, pv, operator_start, version_start, cve))
> + (product, pv[full_product], operator_start, version_start, cve))
> vulnerable_start = False
> else:
> vulnerable_start = False
>
> if operator_end:
> try:
> - vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
> - vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
> + vulnerable_end = (operator_end == '<=' and Version(pv[full_product],suffix) <= Version(version_end,suffix) )
> + vulnerable_end |= (operator_end == '<' and Version(pv[full_product],suffix) < Version(version_end,suffix) )
> except:
> bb.warn("%s: Failed to compare %s %s %s for %s" %
> - (product, pv, operator_end, version_end, cve))
> + (product, pv[full_product], operator_end, version_end, cve))
> vulnerable_end = False
> else:
> vulnerable_end = False
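Review bot: `pv[full_product]` is now repeated in every comparison and warning in this hunk; binding it once at the top of the per-product loop (e.g. `product_version = pv[full_product]`) would keep the long `Version(...)` comparison lines readable and make a later change of the version source a one-line edit. The bare `except:` around the comparisons is pre-existing, but since the patch touches these lines anyway it is a good moment to narrow it to the exception Version() actually raises, so that a malformed CVE_VERSION_<product> value surfaces as an error instead of being reported as a failed comparison.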
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index 3979d521d1..c3514f7a27 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -140,15 +140,14 @@ def get_patched_cves(d):
> return patched_cves
>
>
> -def get_cpe_ids(cve_product, version):
> +def get_cpe_ids(d, cve_product, cve_version):
> """
> Get list of CPE identifiers for the given product and version
> """
>
> - version = version.split("+git")[0]
> -
> cpe_ids = []
> for product in cve_product.split():
> + version = (d.getVar("CVE_VERSION_%s" % product) or cve_version).split("+git")[0]
> # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
> # use wildcard for vendor.
> if ":" in product:
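Review bot: the docstring still reads "for the given product and version" and does not mention the new `d` parameter or the CVE_VERSION_<product> override, so it should be updated in this hunk. The same per-product resolution (`d.getVar("CVE_VERSION_%s" % product) or <default>`, then `.split("+git")[0]`) is now written out both here and in check_cves() in cve-check.bbclass; factoring it into one helper in oe.cve_check that both call would stop the two copies from drifting, for example if the variable naming is changed to address the vendor:product concern. Note also that this copy falls back to the `cve_version` argument while the bbclass copy falls back to `d.getVar("CVE_VERSION")`; they agree today only because the caller passes that very value.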