From: Mariano Lopez <mariano.lopez@linux.intel.com>
To: "Burton, Ross" <ross.burton@intel.com>
Cc: OE-core <openembedded-core@lists.openembedded.org>
Subject: Re: [PATCH 3/3] cve-check.bbclass: Add class
Date: Mon, 29 Feb 2016 14:06:02 -0600
Message-ID: <56D4A4AA.6030404@linux.intel.com>
In-Reply-To: <CAJTo0LbFnPEtokmGTK6-UzdGSEfNUz+vaHB=WhHQBQCs1HLbJw@mail.gmail.com>
On 02/29/2016 08:50 AM, Burton, Ross wrote:
> On 24 February 2016 at 15:27, <mariano.lopez@linux.intel.com> wrote:
>
> +do_cve_check[depends] = "cve-check-tool-native:do_populate_cve_db"
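Review bot: nothing in this line tells the reader that `cve-check-tool-native:do_populate_cve_db` itself depends on `cve-check-tool-native:do_populate_sysroot`, which is exactly the question raised in this review; a one-line comment above `do_cve_check[depends]` saying that the tool's sysroot is reached through do_populate_cve_db would spare the next reader the same doubt.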
>
>
>
> And cve-check-tool-native:do_populate_sysroot.
cve-check-tool-native:do_populate_cve_db depends on
cve-check-tool-native:do_populate_sysroot, so adding it there would be
redundant.
>
> +def get_patches_cves(d):
> + """
> + Get patches that solve CVEs using the "CVE: " tag.
> + """
> +
> + import re
> +
> + pn = d.getVar("PN", True)
> + cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
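Review bot: `"CVE:( CVE\-\d+\-\d+)+"` is a plain string literal, so `\d` and `\-` are unrecognised escape sequences that Python keeps only by accident (silently on 2.7 and up to 3.5, with a DeprecationWarning from 3.6 and a SyntaxWarning from 3.12); write it as `r"CVE:( CVE-\d+-\d+)+"`, where the hyphen needs no escape outside a character class. Also, `pn` is assigned from `d.getVar("PN", True)` but never used in this hunk; drop it or use it in the log output.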
>
>
> How does this work as the backslashes are escaping the - and d and d?
> Use r"" strings.
The backslashes just escape the "-", the "d" is the same as with the raw
string. I don't really see the need to use r"" here.
>
> + patched_cves = set()
> + for url in src_patches(d):
> + patch_file = bb.fetch.decodeurl(url)[2]
> + with open(patch_file, "r") as f:
> + patch_text = f.read()
> +
> + # Search for the "CVE: " line
> + match = cve_match.search(patch_text)
> + if match:
> + # Get only the CVEs without the "CVE: " tag
> + cves = patch_text[match.start()+5:match.end()]
> + for cve in cves.split():
> + patched_cves.add(cve)
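Review bot: `cve_match.search()` returns only the first occurrence, so a patch carrying two `CVE:` lines, or one tag line with the ids separated by commas, records only the first id and the rest later show up as "CVE STATUS: Unpatched" in the report; the `match.start()+5` slice also hard-codes the width of the `"CVE: "` tag. Iterating line by line with `if line.startswith("CVE:"):` followed by `patched_cves.update(re.findall(r"CVE-\d{4}-\d+", line))` covers all of these in one pass, removes the magic number, and stops a `CVE:` token inside the diff body (a changelog or comment hunk) from being taken as the patch's own tag, since the current pattern is not anchored to the start of a line.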
>
>
> Breaks for patches such as this in glibc:
>
> meta/recipes-core/glibc/glibc/CVE-2015-9761_1.patch:CVE: CVE-2015-9761
> patch #1
>
> I'd probably look for a line that starts with "CVE:" and then use
> re.findall to find all strings matching r"CVE-\d{4}-\d+"
What do you mean by break? It does catch the CVE just fine; to test it
just revert the glibc 2.23 update. I find it cleaner to match the string in
a single operation instead of searching for the tag line by line and
then matching the CVEs.
> +def get_cve_info(d, cves):
> + """
> + Get CVE information from the database used by cve-check-tool.
> + """
> +
> + try:
> + import sqlite3
> + except ImportError:
> + from pysqlite2 import dbapi2 as sqlite3
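Review bot: the docstring of `get_cve_info()` does not name the table and columns of the cve-check-tool database it reads, nor what the function returns for a CVE the tool reported but the database lacks, even though `cve_write_data()` below indexes `cve_data[cve]["summary"]`, `["score"]` and `["vector"]` unconditionally; state the assumed schema in the docstring and return an explicit placeholder entry for missing rows, so that a schema change in cve-check-tool fails with a clear message instead of a KeyError in the report writer. A short comment that the `pysqlite2` fallback exists only for old Python 2 hosts would also help.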
>
>
> Isn't the output from cve-check-tool good enough? Would it be nicer to
> extend the log instead of assuming that the database format won't ever
> change?
The output from cve-check-tool is only the CVE number, if that is good
enough, the query to the database can be removed.
>
> +def cve_write_data(d, patched, unpatched, cve_data):
> + """
> + Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
> + CVE manifest if enabled.
> + """
> +
> + from bb.utils import mkdirhier
> +
> + cve_file = d.getVar("CVE_CHECK_LOCAL_FILE", True)
> + nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
> + write_string = ""
> + mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR", True))
> +
> + for cve in sorted(cve_data):
> + write_string += "PACKAGE NAME: %s\n" % d.getVar("PN", True)
> + write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV",
> True)
> + write_string += "CVE: %s\n" % cve
> + if cve in patched:
> + write_string += "CVE STATUS: Patched\n"
> + else:
> + write_string += "CVE STATUS: Unpatched\n"
> + bb.warn("Found unpatched CVE, for more information
> check %s" % cve_file)
> + write_string += "CVE SUMMARY: %s\n" %
> cve_data[cve]["summary"]
> + write_string += "CVSS v2 BASE SCORE: %s\n" %
> cve_data[cve]["score"]
> + write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
> + write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
> cve)
> +
> + with open(cve_file, "w") as f:
> + f.write(write_string)
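Review bot: the `bb.warn` inside the loop fires once per unpatched CVE yet names neither the CVE nor the package, so a build with several affected recipes prints N identical warnings all pointing at the same file; include the id and PN, e.g. `bb.warn("Found unpatched CVE %s in %s, for more information check %s" % (cve, pn, cve_file))` with `pn = d.getVar("PN", True)` set before the loop, or collect the unpatched ids and emit one warning after the loop. `d.getVar("PN", True)` and `d.getVar("PV", True)` are also re-evaluated on every iteration; fetch them once before the loop.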
>
>
> Just write to the file instead of to a temporary string.
The temporary string is used for two other files: one could be copied,
but the other appends the string content.
>
> Ross
I have implemented the rest of the comments; I just need your input before
sending a new version.
Mariano
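As an added example that is not part of the patch or the thread, the two extraction strategies discussed above run side by side on constructed patch headers: the first-match slice of the posted get_patches_cves() and the per-line findall Ross suggests. The regex is the posted one written as a raw string; the sample headers are constructed, except the glibc-style line quoted in the review.

```python
import re

# Pattern from the posted get_patches_cves(), written as a raw string here
# (the patch under review uses a plain "..." literal for the same text).
TAG_RUN = re.compile(r"CVE:( CVE\-\d+\-\d+)+")
# Bare id pattern from the suggestion in the review.
CVE_ID = re.compile(r"CVE-\d{4}-\d+")


def cves_single_match(patch_text):
    """Mirror the posted logic: first match only, slice off the
    5-character 'CVE: ' tag, split the remainder on whitespace."""
    match = TAG_RUN.search(patch_text)
    if not match:
        return set()
    return set(patch_text[match.start() + 5:match.end()].split())


def cves_per_tag_line(patch_text):
    """Suggested logic: scan every line that starts with 'CVE:' and keep
    all ids found on it, so extra tag lines and comma-separated ids
    are not lost."""
    found = set()
    for line in patch_text.splitlines():
        if line.startswith("CVE:"):
            found.update(CVE_ID.findall(line))
    return found


# Constructed patch headers (sample data, not real patch files).
GLIBC_STYLE = "CVE: CVE-2015-9761 patch #1\nUpstream-Status: Backport\n"
COMMA_LIST = "CVE: CVE-2016-0001, CVE-2016-0002\nUpstream-Status: Backport\n"
TWO_TAG_LINES = "CVE: CVE-2016-0003\nCVE: CVE-2016-0004\n"

if __name__ == "__main__":
    for name, text in (("glibc style", GLIBC_STYLE),
                       ("comma list", COMMA_LIST),
                       ("two tag lines", TWO_TAG_LINES)):
        print(name, sorted(cves_single_match(text)),
              sorted(cves_per_tag_line(text)))
```

Both approaches agree on the glibc-style line; they diverge once a header lists more than one id, where the first-match slice keeps only the first.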