Diffstat (limited to 'poky/meta/classes/cve-check.bbclass')
-rw-r--r-- | poky/meta/classes/cve-check.bbclass | 60 |
1 files changed, 37 insertions, 23 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 669da6c8e9..8086cf05e9 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -36,20 +36,26 @@ CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary" CVE_CHECK_SUMMARY_FILE ?= "${CVE_CHECK_SUMMARY_DIR}/${CVE_CHECK_SUMMARY_FILE_NAME}" CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" +CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}" CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve" CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" +CVE_CHECK_REPORT_PATCHED ??= "1" + # Whitelist for packages (PN) CVE_CHECK_PN_WHITELIST ?= "" # Whitelist for CVE. If a CVE is found, then it is considered patched. # The value is a string containing space separated CVE values: -# +# # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' -# +# CVE_CHECK_WHITELIST ?= "" +# set to "alphabetical" for version using single alphabetical character as increament release +CVE_VERSION_SUFFIX ??= "" + python cve_save_summary_handler () { import shutil import datetime @@ -118,7 +124,7 @@ python cve_check_write_rootfs_manifest () { import shutil if d.getVar("CVE_CHECK_COPY_FILES") == "1": - deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN")) + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") if os.path.exists(deploy_file): bb.utils.remove(deploy_file) @@ -203,10 +209,11 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - from distutils.version import LooseVersion + from oe.cve_check import Version pn = d.getVar("PN") real_pv = d.getVar("PV") + suffix = d.getVar("CVE_VERSION_SUFFIX") cves_unpatched = [] # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) 
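Review bot: The new `CVE_CHECK_RECIPE_FILE` and `CVE_CHECK_REPORT_PATCHED` defaults in the first hunk carry no comment, unlike the whitelist variables right below them, and `CVE_CHECK_REPORT_PATCHED` changes what the report contains; from its use in cve_write_data a line such as `# Set to "0" to leave CVEs already marked as patched out of the per-recipe report and the summary` above it would document the knob. The `CVE_VERSION_SUFFIX` comment has a typo (`increament`) and reads awkwardly; suggest `# Set to "alphabetical" for upstreams whose versions use a single trailing letter as the release increment`. Since this value changes how PV is ordered against the NVD version ranges, a wrong setting silently moves CVEs between affected and not affected, which the comment should also say so that recipe authors set it deliberately.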
@@ -260,8 +267,8 @@ def check_cves(d, patched_cves): else: if operator_start: try: - vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) - vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix)) + vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) @@ -271,8 +278,8 @@ def check_cves(d, patched_cves): if operator_end: try: - vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) - vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) ) + vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) ) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_end, version_end, cve)) 
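Review bot: `Version(pv,suffix)` is constructed twice per comparison in this hunk and twice again in the `operator_end` hunk that follows it, so the recipe version is re-parsed four times for every CVE; parse it once where `pv` is assigned (outside this hunk) as `pv_version = Version(pv, suffix)` and compare `pv_version >= Version(version_start, suffix)`. The new calls also drop the space after the comma, and the second hunk has a stray space before the closing parenthesis. The bare `except:` below is pre-existing, but it now also absorbs any failure of the new Version parser on an unusual NVD version string; what `vulnerable_start` and `vulnerable_end` are set to after the warning lies outside the hunk, and if they default to False a parse failure silently reports the recipe as not affected, which is the wrong direction for a scanner — worth a comment there, or narrowing to `except Exception:` so unexpected errors still surface. check_cves continues beyond both hunks.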
@@ -328,18 +335,25 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): """ cve_file = d.getVar("CVE_CHECK_LOG") + fdir_name = d.getVar("FILE_DIRNAME") + layer = fdir_name.split("/")[-3] + nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" write_string = "" unpatched_cves = [] bb.utils.mkdirhier(os.path.dirname(cve_file)) for cve in sorted(cve_data): + is_patched = cve in patched + if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): + continue + write_string += "LAYER: %s\n" % layer write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve if cve in whitelisted: write_string += "CVE STATUS: Whitelisted\n" - elif cve in patched: + elif is_patched: write_string += "CVE STATUS: Patched\n" else: unpatched_cves.append(cve) 
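Review bot: `layer = fdir_name.split("/")[-3]` hard-codes the assumption that a recipe sits exactly three path components below its layer root; a recipe nested deeper or shallower is attributed to the wrong layer, and a `FILE_DIRNAME` with fewer than three components raises IndexError and fails the task. Resolving the layer through BitBake's own collection data (`BBFILE_COLLECTIONS` and the matching `BBFILE_PATTERN_*` values) would be robust; at minimum guard the index, fall back to an explicit placeholder such as `"unknown"`, and add a comment stating the layout assumption. `d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"` is re-evaluated for every CVE inside the loop; read it once before `for cve in sorted(cve_data):`. `nvd_link` is assigned here but its use is not within this hunk, and cve_write_data continues past the end of the hunk.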
@@ -353,20 +367,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): if unpatched_cves: bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) - with open(cve_file, "w") as f: - bb.note("Writing file %s with CVE information" % cve_file) - f.write(write_string) - - if d.getVar("CVE_CHECK_COPY_FILES") == "1": - cve_dir = d.getVar("CVE_CHECK_DIR") - bb.utils.mkdirhier(cve_dir) - deploy_file = os.path.join(cve_dir, d.getVar("PN")) - with open(deploy_file, "w") as f: + if write_string: + with open(cve_file, "w") as f: + bb.note("Writing file %s with CVE information" % cve_file) f.write(write_string) - if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": - cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") - bb.utils.mkdirhier(cvelogpath) + if d.getVar("CVE_CHECK_COPY_FILES") == "1": + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") + bb.utils.mkdirhier(os.path.dirname(deploy_file)) + with open(deploy_file, "w") as f: + f.write(write_string) + + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + bb.utils.mkdirhier(cvelogpath) - with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: - f.write("%s" % write_string) + with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: + f.write("%s" % write_string) |
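Review bot: Gating the whole write path on `if write_string:` means a run that finds nothing to report — no CVEs, or only patched ones with `CVE_CHECK_REPORT_PATCHED` disabled — no longer touches `CVE_CHECK_LOG` or `CVE_CHECK_RECIPE_FILE`, whereas before both were rewritten on every run. Unless something outside this diff cleans them up, a report left in `${CVE_CHECK_DIR}/${PN}` by an earlier build that still listed unpatched CVEs survives and misrepresents the current state of the recipe. Removing the stale per-recipe file when there is nothing to write keeps the deploy directory truthful, and the rootfs manifest task (the hunk at new-file line 124) already uses the same `os.path.exists`/`bb.utils.remove` pattern; the same consideration applies to `CVE_CHECK_LOG`. cve_write_data's definition starts before this hunk.
```python
    if write_string:
        with open(cve_file, "w") as f:
            bb.note("Writing file %s with CVE information" % cve_file)
            f.write(write_string)

    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
        if write_string:
            bb.utils.mkdirhier(os.path.dirname(deploy_file))
            with open(deploy_file, "w") as f:
                f.write(write_string)
        elif os.path.exists(deploy_file):
            # Nothing to report this run: drop the report an earlier build left behind.
            bb.utils.remove(deploy_file)

    if write_string and d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
        # … unchanged: mkdirhier of CVE_CHECK_SUMMARY_DIR and append to CVE_CHECK_TMP_FILE …
```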