Re: [PATCH 3/3] cve-check.bbclass: Add class

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Mariano Lopez <mariano.lopez@linux.intel.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 3/3] cve-check.bbclass: Add class
Date: Mon, 29 Feb 2016 14:06:02 -0600	[thread overview]
Message-ID: <56D4A4AA.6030404@linux.intel.com> (raw)
In-Reply-To: <CAJTo0LbFnPEtokmGTK6-UzdGSEfNUz+vaHB=WhHQBQCs1HLbJw@mail.gmail.com>

[-- Attachment #1: Type: text/plain, Size: 4391 bytes --]



On 02/29/2016 08:50 AM, Burton, Ross wrote:
> On 24 February 2016 at 15:27, <mariano.lopez@linux.intel.com 
> <mailto:mariano.lopez@linux.intel.com>> wrote:
>
>     +do_cve_check[depends] = "cve-check-tool-native:do_populate_cve_db"
>
>
>
> And cve-check-tool-native:do_populate_sysroot.

cve-check-tool-native:do_populate_cve_db depends on 
cve-check-tool-native:do_populate_sysroot, so adding it there would be 
redundant.
>
>     +def get_patches_cves(d):
>     +    """
>     +    Get patches that solve CVEs using the "CVE: " tag.
>     +    """
>     +
>     +    import re
>     +
>     +    pn = d.getVar("PN", True)
>     +    cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
>
>
> How does this work as the backslashes are escaping the - and d and d?  
> Use r"" strings.

The backslashes just escape the "-", the "d" is the same as with the raw 
string. I don't really see the need to use r"" here.

>
>     +   patched_cves = set()
>     +    for url in src_patches(d):
>     +        patch_file = bb.fetch.decodeurl(url)[2]
>     +        with open(patch_file, "r") as f:
>     +            patch_text = f.read()
>     +
>     +        # Search for the "CVE: " line
>     +        match = cve_match.search(patch_text)
>     +        if match:
>     +            # Get only the CVEs without the "CVE: " tag
>     +            cves = patch_text[match.start()+5:match.end()]
>     +            for cve in cves.split():
>     +                patched_cves.add(cve)
>
>
> Breaks for patches such as this in glibc:
>
> meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch:CVE: CVE-2015-9761 
> patch #1
>
> I'd probably look for a line that starts with "CVE:" and the use 
> re.findall to find all strings matching r"CVE-\d{4}-\d+"

What do you mean by break? It does catch the CVE just fine, to test it 
just revert the glibc 2.23 update. I find cleaner to match the string in 
a single operation instead of searching for the tag line by line and 
then match the CVEs.

>     +def get_cve_info(d, cves):
>     +    """
>     +    Get CVE information from the database used by cve-check-tool.
>     +    """
>     +
>     +    try:
>     +        import sqlite3
>     +    except ImportError:
>     +        from pysqlite2 import dbapi2 as sqlite3
>
>
> Isn't the output from cve-check-tool good enough? Would it be nicer to 
> extend the log instead of assuming that the database format won't ever 
> change?

The output from cve-check-tool is only the CVE number, if that is good 
enough, the query to the database can be removed.

>
>     +def cve_write_data(d, patched, unpatched, cve_data):
>     +    """
>     +    Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
>     +    CVE manifest if enabled.
>     +    """
>     +
>     +    from bb.utils import mkdirhier
>     +
>     +    cve_file = d.getVar("CVE_CHECK_LOCAL_FILE", True)
>     +    nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
>     +    write_string = ""
>     +    mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR", True))
>     +
>     +    for cve in sorted(cve_data):
>     +        write_string += "PACKAGE NAME: %s\n" % d.getVar("PN", True)
>     +        write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV",
>     True)
>     +        write_string += "CVE: %s\n" % cve
>     +        if cve in patched:
>     +            write_string += "CVE STATUS: Patched\n"
>     +        else:
>     +            write_string += "CVE STATUS: Unpatched\n"
>     +            bb.warn("Found unpatched CVE, for more information
>     check %s" % cve_file)
>     +        write_string += "CVE SUMMARY: %s\n" %
>     cve_data[cve]["summary"]
>     +        write_string += "CVSS v2 BASE SCORE: %s\n" %
>     cve_data[cve]["score"]
>     +        write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
>     +        write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
>     cve)
>     +
>     +    with open(cve_file, "w") as f:
>     +        f.write(write_string)
>
>
> Just write to the file instead of to a temporary string.

The temporary string is used for other two files, one could be copied, 
but the other appends the string content.

>
> Ross

I have implemented the rest of the comments, just need your input before 
sending a new version.

Mariano

[-- Attachment #2: Type: text/html, Size: 9648 bytes --]

next prev parent reply	other threads:[~2016-02-29 20:05 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-24 15:27 [PATCH 0/3] Add initial capability to check CVEs for recipes mariano.lopez
2016-02-24 15:27 ` [PATCH 1/3] cve-check-tool: Add recipe mariano.lopez
2016-02-25  0:44   ` Burton, Ross
2016-02-24 15:27 ` [PATCH 2/3] cve-check-tool patch to allow select dir for the db mariano.lopez
2016-02-25 13:33   ` Burton, Ross
2016-02-25 14:46     ` Mariano Lopez
2016-02-24 15:27 ` [PATCH 3/3] cve-check.bbclass: Add class mariano.lopez
2016-02-29 14:50   ` Burton, Ross
2016-02-29 20:06     ` Mariano Lopez [this message]
2016-02-25 12:14 ` [PATCH 0/3] Add initial capability to check CVEs for recipes Mikko.Rapeli
2016-02-25 12:29   ` Mikko.Rapeli
2016-02-25 13:27     ` Mikko.Rapeli
2016-02-25 14:09       ` Mikko.Rapeli
2016-02-26  8:14         ` Mikko.Rapeli
2016-02-26 14:48           ` Mariano Lopez
2016-02-26 14:56             ` Mikko.Rapeli
2016-02-26 14:57               ` Mikko.Rapeli
2016-02-26 15:38                 ` Mariano Lopez
2016-02-29 14:17           ` Burton, Ross
2016-02-29 14:19             ` Mikko.Rapeli
2016-03-01 15:15               ` Mariano Lopez
2016-03-02  6:32                 ` Mikko.Rapeli
     [not found] ` <56CF2B81.4080500@mvista.com>
2016-02-25 17:22   ` Mariano Lopez

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=56D4A4AA.6030404@linux.intel.com \
    --to=mariano.lopez@linux.intel.com \
    --cc=openembedded-core@lists.openembedded.org \
    --cc=ross.burton@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.