From: Pierre Le Magourou <lemagoup@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [meta-oe][PATCH 3/3] cve-check: Update unpatched CVE matching
Date: Thu, 4 Jul 2019 17:19:08 +0200 [thread overview]
Message-ID: <20190704151908.5094-3-lemagoup@gmail.com> (raw)
In-Reply-To: <20190704151908.5094-1-lemagoup@gmail.com>
From: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Now that cve-update-db added CPE information to NVD database. We can
check for unpatched versions with operators '<', '<=', '>', and '>='.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
---
meta/classes/cve-check.bbclass | 54 +++++++++++++++++++++++++++++++-----------
1 file changed, 40 insertions(+), 14 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6ffa0c4688..ffd624333f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve.db"
CVE_CHECK_LOG ?= "${T}/cve.log"
CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -189,27 +189,53 @@ def check_cves(d, patched_cves):
conn = sqlite3.connect(db_file)
c = conn.cursor()
- query = """SELECT * FROM PRODUCTS WHERE
- (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
- (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
+ query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
+
for product in products:
for row in c.execute(query.format(product, pv)):
cve = row[1]
- version = row[4]
-
- try:
- discardVersion = LooseVersion(version) < LooseVersion(pv)
- except:
- discardVersion = True
+ version_start = row[4]
+ operator_start = row[5]
+ version_end = row[6]
+ operator_end = row[7]
if pv in cve_whitelist.get(cve, []):
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
- elif discardVersion:
- bb.debug(2, "Do not consider version %s " % (version))
else:
- cves_unpatched.append(cve)
+ if (operator_start == '=' and pv == version_start):
+ cves_unpatched.append(cve)
+ else:
+ if operator_start:
+ try:
+ to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
+ to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_start, version_start, cve))
+ to_append_start = False
+ else:
+ to_append_start = False
+
+ if operator_end:
+ try:
+ to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
+ to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+ except:
+ bb.note("%s: Failed to compare %s %s %s for %s" %
+ (product, pv, operator_end, version_end, cve))
+ to_append_end = False
+ else:
+ to_append_end = False
+
+ if operator_start and operator_end:
+ to_append = to_append_start and to_append_end
+ else:
+ to_append = to_append_start or to_append_end
+
+ if to_append:
+ cves_unpatched.append(cve)
bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
conn.close()
@@ -217,7 +243,7 @@ def check_cves(d, patched_cves):
def get_cve_info(d, cves):
"""
- Get CVE information from the database used by cve-check-tool.
+ Get CVE information from the database.
Unfortunately the only way to get CVE info is set the output to
html (hard to parse) or query directly the database.
--
2.11.0
next prev parent reply other threads:[~2019-07-04 15:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-04 15:19 [meta-oe][PATCH 1/3] cve-check: Depends on cve-update-db-native Pierre Le Magourou
2019-07-04 15:19 ` [meta-oe][PATCH 2/3] cve-update-db: Use NVD CPE data to populate PRODUCTS table Pierre Le Magourou
2019-07-04 15:19 ` Pierre Le Magourou [this message]
2019-07-04 15:30 ` ✗ patchtest: failure for "[meta-oe] cve-check: Depends o..." and 2 more Patchwork
2019-07-04 16:53 ` [meta-oe][PATCH 1/3] cve-check: Depends on cve-update-db-native Richard Purdie
2019-07-05 9:34 ` Pierre Le Magourou
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190704151908.5094-3-lemagoup@gmail.com \
--to=lemagoup@gmail.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox