<feed xmlns='http://www.w3.org/2005/Atom'>
<title>openembedded-core.git/meta/classes/cve-check.bbclass, branch thud</title>
<subtitle>Mirror of openembedded-core</subtitle>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/'/>
<entry>
<title>cve-check: Allow multiple entries in CVE_PRODUCT</title>
<updated>2018-10-29T17:00:34+00:00</updated>
<author>
<name>Grygorii Tertychnyi</name>
<email>gtertych@cisco.com</email>
</author>
<published>2018-10-29T15:13:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=404f75e026393ddc55da87f6f04fb1201cff4e11'/>
<id>404f75e026393ddc55da87f6f04fb1201cff4e11</id>
<content type='text'>
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are currently missing in the reports.

Hence, switch "CVE_PRODUCT" to a space separated list.
It is useful for recipes generating several packages
that have different product names in NVD.

Signed-off-by: Grygorii Tertychnyi &lt;gtertych@cisco.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There are both "curl" and "libcurl" CPEs in NVD.
All "curl" CVEs are currently missing in the reports.

Hence, switch "CVE_PRODUCT" to a space separated list.
It is useful for recipes generating several packages
that have different product names in NVD.

Signed-off-by: Grygorii Tertychnyi &lt;gtertych@cisco.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check.bbclass: do not download the CVE DB in package-specific tasks</title>
<updated>2018-08-15T20:45:10+00:00</updated>
<author>
<name>Konstantin Shemyak</name>
<email>konstantin.shemyak@ge.com</email>
</author>
<published>2018-08-13T07:23:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=125789b6ee6d47ab84192230f63971c4e22418ba'/>
<id>125789b6ee6d47ab84192230f63971c4e22418ba</id>
<content type='text'>
Disable downloading of the vulnerability DB in do_check_cves() task.

When invoked in this task, cve-check-tool attempts to re-download the CVE DB
if the latter is older than a certain threshold. While reasonable for a
stand-alone CVE checker, this behavior can cause errors in parallel builds
if the build time is longer than this threshold:
* Other tasks might be using the DB.
* Several packages can start the download of the same file at the same time.

This check is not really needed, as the DB has been downloaded by
cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
The DB will be at most (threshold + build_time) old.

Signed-off-by: Konstantin Shemyak &lt;konstantin.shemyak@ge.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Disable downloading of the vulnerability DB in do_check_cves() task.

When invoked in this task, cve-check-tool attempts to re-download the CVE DB
if the latter is older than a certain threshold. While reasonable for a
stand-alone CVE checker, this behavior can cause errors in parallel builds
if the build time is longer than this threshold:
* Other tasks might be using the DB.
* Several packages can start the download of the same file at the same time.

This check is not really needed, as the DB has been downloaded by
cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
The DB will be at most (threshold + build_time) old.

Signed-off-by: Konstantin Shemyak &lt;konstantin.shemyak@ge.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check.bbclass: detect CVE IDs listed on multiple lines</title>
<updated>2018-05-15T09:00:29+00:00</updated>
<author>
<name>Jon Szymaniak</name>
<email>jon.szymaniak.foss@gmail.com</email>
</author>
<published>2018-05-09T21:45:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=8fb70ce2df66fc8404395ecbe66a75d0038f22dd'/>
<id>8fb70ce2df66fc8404395ecbe66a75d0038f22dd</id>
<content type='text'>
Some backported patches fix multiple CVEs and list the corresponding
identifiers on multiple lines, rather than on a single line.

cve-check.bbclass yields false positive warnings when CVE IDs are
presented on multiple lines because re.search() returns only
the first match.

An example of this behavior may be found when running do_cve_check() on
the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
is reported to be patched by commit de57fd8, despite the patch including
fixes for a total of 9 CVEs.

This is resolved by iterating over all regular expression matches,
rather than just the first.

Signed-off-by: Jon Szymaniak &lt;jon.szymaniak.foss@gmail.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some backported patches fix multiple CVEs and list the corresponding
identifiers on multiple lines, rather than on a single line.

cve-check.bbclass yields false positive warnings when CVE IDs are
presented on multiple lines because re.search() returns only
the first match.

An example of this behavior may be found when running do_cve_check() on
the wpa-supplicant recipe while in the rocko branch. Only CVE-2017-13077
is reported to be patched by commit de57fd8, despite the patch including
fixes for a total of 9 CVEs.

This is resolved by iterating over all regular expression matches,
rather than just the first.

Signed-off-by: Jon Szymaniak &lt;jon.szymaniak.foss@gmail.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check-tool: correctly exported web proxies</title>
<updated>2018-02-24T10:31:35+00:00</updated>
<author>
<name>Konstantin Shemyak</name>
<email>konstantin.shemyak@ge.com</email>
</author>
<published>2018-02-19T14:35:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=17db210975c740aff12732c511cf4fb32b507365'/>
<id>17db210975c740aff12732c511cf4fb32b507365</id>
<content type='text'>
The binary 'cve-check-update' downloads the CVE database from the Internet.
If the system is behind a web proxy, the download fails, as proxy-related
variables are not exported.
In turn, 'cve-check-tool' does not connect to the network and correspondingly
does not need exported proxies.

Exported all proxy-related environment variables to 'cve-check-update' and
removed the unneeded export from 'cve-check-tool'.

Signed-off-by: Konstantin Shemyak &lt;konstantin.shemyak@ge.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The binary 'cve-check-update' downloads the CVE database from the Internet.
If the system is behind a web proxy, the download fails, as proxy-related
variables are not exported.
In turn, 'cve-check-tool' does not connect to the network and correspondingly
does not need exported proxies.

Exported all proxy-related environment variables to 'cve-check-update' and
removed the unneeded export from 'cve-check-tool'.

Signed-off-by: Konstantin Shemyak &lt;konstantin.shemyak@ge.com&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check: short-circuit checking if CVE_PRODUCT isn't set</title>
<updated>2018-02-16T18:05:25+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2018-02-09T12:43:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=d1e7cb5c9e0d5d253b6bb5c968fa58944ea42d06'/>
<id>d1e7cb5c9e0d5d253b6bb5c968fa58944ea42d06</id>
<content type='text'>
For some recipes it is meaningless to do a CVE check, for example packagegroups
or images.  Check that CVE_PRODUCT is set and short-circuit the scan if it
isn't.

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For some recipes it is meaningless to do a CVE check, for example packagegroups
or images.  Check that CVE_PRODUCT is set and short-circuit the scan if it
isn't.

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check: allow recipes to override their version</title>
<updated>2018-02-16T18:05:25+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2018-02-09T12:37:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=36fbf96cf284acbc810ff3bf00702f1f82bc0da9'/>
<id>36fbf96cf284acbc810ff3bf00702f1f82bc0da9</id>
<content type='text'>
For reasons which I don't understand, the Berkeley DB tarball is version 5.3.28
but in CVE reports the version is 11.2.5.3.28.

To handle this allow recipes to override their version as well as their name.

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
For reasons which I don't understand, the Berkeley DB tarball is version 5.3.28
but in CVE reports the version is 11.2.5.3.28.

To handle this allow recipes to override their version as well as their name.

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check: put log in T so it doesn't get deleted by rm_work</title>
<updated>2018-02-16T18:05:25+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@intel.com</email>
</author>
<published>2018-02-08T22:14:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=4bbb8cd5f3943231ab5be0448d1b0d4a08341249'/>
<id>4bbb8cd5f3943231ab5be0448d1b0d4a08341249</id>
<content type='text'>
This is where the other task logs go, so it's a sensible place to put it.

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is where the other task logs go, so it's a sensible place to put it.

Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check.bbclass: detect patched CVE's also from patch file names</title>
<updated>2017-09-05T13:58:37+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@bmw.de</email>
</author>
<published>2017-09-04T06:22:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=5ee5b0c66627c9e974c838b86e2e659c2f601f2a'/>
<id>5ee5b0c66627c9e974c838b86e2e659c2f601f2a</id>
<content type='text'>
While poky master branch has been fixed so that all CVE patch files have
the:

CVE: CVE-2017-1234556

strings in the patch comments, many older versions of poky and other meta
layers are not, but the CVE patches quite often have the CVE id in the
patch file name.

If the CVE: string is also found, there are no duplicates in the report.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
While poky master branch has been fixed so that all CVE patch files have
the:

CVE: CVE-2017-1234556

strings in the patch comments, many older versions of poky and other meta
layers are not, but the CVE patches quite often have the CVE id in the
patch file name.

If the CVE: string is also found, there are no duplicates in the report.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check.bbclass: use "+git" as separator in PV instead of "git+"</title>
<updated>2017-07-24T08:12:28+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@bmw.de</email>
</author>
<published>2017-07-20T13:23:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=db8815abe3db60b0510fb378bf6d82172c2f2768'/>
<id>db8815abe3db60b0510fb378bf6d82172c2f2768</id>
<content type='text'>
PV is the recipe major version number. cve-check tries to map that to
NVD database release versions of the component. If the recipe sources
are taken from git, the PV can be automatically modified to include
git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9.
In CVE checks we want to remove the git details and just use the major
version information, in this example 233.

Thus use "+git" as the separator and use the first part before the separator
as SW product version number in CVE check.

Fixes version number for e.g. systemd recipe. If systemd PV is
233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where
latest release mentioned is plain 233. If the filter is set to +git, then
CVE PV is 233 and issues like this are detected by do_cve_check:

https://nvd.nist.gov/vuln/detail/CVE-2017-1000082

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
PV is the recipe major version number. cve-check tries to map that to
NVD database release versions of the component. If the recipe sources
are taken from git, the PV can be automatically modified to include
git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9.
In CVE checks we want to remove the git details and just use the major
version information, in this example 233.

Thus use "+git" as the separator and use the first part before the separator
as SW product version number in CVE check.

Fixes version number for e.g. systemd recipe. If systemd PV is
233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where
latest release mentioned is plain 233. If the filter is set to +git, then
CVE PV is 233 and issues like this are detected by do_cve_check:

https://nvd.nist.gov/vuln/detail/CVE-2017-1000082

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cve-check.bbclass: use weak assignment for default CVE_PRODUCT</title>
<updated>2017-07-24T08:12:28+00:00</updated>
<author>
<name>Mikko Rapeli</name>
<email>mikko.rapeli@bmw.de</email>
</author>
<published>2017-07-20T13:23:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.multitech.net/cgit/openembedded-core.git/commit/?id=74672a7de5ada45ab8e25b89cbdea3ec33b63b7f'/>
<id>74672a7de5ada45ab8e25b89cbdea3ec33b63b7f</id>
<content type='text'>
This way also bbclasses can override it. For example kernel.bbclass
could set CVE_PRODUCT to linux_kernel for all users of the class
which compile Linux kernels.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This way also bbclasses can override it. For example kernel.bbclass
could set CVE_PRODUCT to linux_kernel for all users of the class
which compile Linux kernels.

Signed-off-by: Mikko Rapeli &lt;mikko.rapeli@bmw.de&gt;
Signed-off-by: Ross Burton &lt;ross.burton@intel.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
