diff options
Diffstat (limited to 'meta/lib/oe/cve_check.py')
-rw-r--r-- | meta/lib/oe/cve_check.py | 52 |
1 files changed, 45 insertions, 7 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 30fdc3e3dd..ed4af18ced 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -75,7 +75,7 @@ def cve_check_merge_jsons(output, data): for product in output["package"]: if product["name"] == data["package"][0]["name"]: - bb.error("Error adding the same package twice") + bb.error("Error adding the same package %s twice" % product["name"]) return output["package"].append(data["package"][0]) @@ -114,11 +114,6 @@ def get_patched_cves(d): for url in oe.patch.src_patches(d): patch_file = bb.fetch.decodeurl(url)[2] - # Remote compressed patches may not be unpacked, so silently ignore them - if not os.path.isfile(patch_file): - bb.warn("%s does not exist, cannot extract CVE list" % patch_file) - continue - # Check patch file name for CVE ID fname_match = cve_file_name_match.search(patch_file) if fname_match: @@ -126,6 +121,12 @@ def get_patched_cves(d): patched_cves.add(cve) bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + # Remote patches won't be present and compressed patches won't be + # unpacked, so say we're not scanning them + if not os.path.isfile(patch_file): + bb.note("%s is remote or compressed, not scanning content" % patch_file) + continue + with open(patch_file, "r", encoding="utf-8") as f: try: patch_text = f.read() @@ -168,7 +169,44 @@ def get_cpe_ids(cve_product, version): else: vendor = "*" - cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' + cpe_id = 'cpe:2.3:a:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version) cpe_ids.append(cpe_id) return cpe_ids + +def convert_cve_version(version): + """ + This function converts from CVE format to Yocto version format. + eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1 + + Unless it is redefined using CVE_VERSION in the recipe, + cve_check uses the version in the name of the recipe (${PV}) + to check vulnerabilities against a CVE in the database downloaded from NVD. + + When the version has an update, i.e. + "p1" in OpenSSH 8.3p1, + "-rc1" in linux kernel 6.2-rc1, + the database stores the version as version_update (8.3_p1, 6.2_rc1). + Therefore, we must transform this version before comparing to the + recipe version. + + In this case, the parameter of the function is 8.3_p1. + If the version uses the Release Candidate format, "rc", + this function replaces the '_' by '-'. + If the version uses the Update format, "p", + this function removes the '_' completely. + """ + import re + + matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version) + + if not matches: + return version + + version = matches.group(1) + update = matches.group(2) + + if matches.group(3) == "rc": + return version + '-' + update + + return version + update |