From patchwork Wed Aug 14 05:30:35 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47757 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 957DFC3DA4A for ; Wed, 14 Aug 2024 05:30:58 +0000 (UTC) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mx.groups.io with SMTP id smtpd.web11.91314.1723613454004368184 for ; Tue, 13 Aug 2024 22:30:54 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=XuiHO3tH; spf=pass (domain: gmail.com, ip: 209.85.128.42, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-4280ca0791bso45689615e9.1 for ; Tue, 13 Aug 2024 22:30:53 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613452; x=1724218252; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:from:to:cc:subject:date:message-id:reply-to; bh=KFhfJ14UFDZvHCsUjlN1yHS763nC7iRZetfFfaKxCa0=; b=XuiHO3tHDVrAlmTvkLl7IztTwkEoGoBimJKwyjtDIi/S7Oqd8gKt66h+XZ1ZsfKLDt UFukuDGWxXxaMxD7bnrv7isEASf2T5Q3rSMe+QN+hOO65xml2JOauk3yZJsUDW00tPAc rofTKDFF78BLBhboEi+UTDygTS7YLhzXPaNJKTtgyeIAJKw/dXIxwK3XpGkiwhKuEDvl RQBHsxQszNv27/IeZNGYEMPq04fVDTzyqks0jtkHkcDue6YB/hxNFmWPrgD/sLW4Uvyw e1UQZInEMm5QySbnRMIdcnxj9IlR2MjyAtCPqi2XriQt5FhlboebSWlu59cH14UhDMZK sJvg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613452; x=1724218252; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=KFhfJ14UFDZvHCsUjlN1yHS763nC7iRZetfFfaKxCa0=; b=MLz9KNXPM1/OTGuunSznuyyxxbMtP71HPECuUbM2Smk+f4mBweKbhAz5jaZBE5KoIE 2iKAZ2xXz1XnRS73kkydXKTUuzv559PYaqJjznKcTa3A+y8A4fdRVCGsA8yRnHMFOamn aZnBhqDAMK1lPFrM09+nEdwv/KBBQJhcMa2Oe55TJDQP713rjl64ID4dlpcN3Y25CaKm K/6sUFGYGAR+RpuwXwEpFlUFjmvJDK+QScQb5Ks+aBAv0ZN/BCa0MHR8q7BZCRCliKUL YtFwipOIpaLlqslFFYs5brMBUm2UmwFwBiD4tDC9/m4hEnHhcsJucP/1/ZnKbvh+e5XO IAnA== X-Gm-Message-State: AOJu0YypKvWO769JSQacU6bEqkCTrB7VxALQfpP2sbeiJzw+JJ5IRNU7 7Nt7LNZUFZtvyCy7Iqc5Knnq4pDKu0Fw3TG/oiJnMdP9D6r3TM4mGl2NoQ== X-Google-Smtp-Source: AGHT+IGFyNbEepvdoLnrzo6lNSwT8sEgmugxa4ORHiJu06UrgwnU2LEk6jaFR1Jwftce0Uf3i1r28Q== X-Received: by 2002:a05:600c:3501:b0:426:6388:d59f with SMTP id 5b1f17b1804b1-429dd232bedmr10002425e9.1.1723613451243; Tue, 13 Aug 2024 22:30:51 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.30.50 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:30:50 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska Subject: [PATCH v5][OE-core 1/7] cve-check: encode affected product/vendor in CVE_STATUS Date: Wed, 14 Aug 2024 07:30:35 +0200 Message-ID: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:30:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203302 CVE_STATUS contains assesment of a given CVE, but until now it didn't have include the affected vendor/product. In the case of a global system include, that CVE_STATUS was visible in all recipes. This patch allows encoding of affected product/vendor to each CVE_STATUS assessment, also for groups. We can then filter them later and use only CVEs that correspond to the recipe. This is going to be used in meta/conf/distro/include/cve-extra-exclusions.inc and similar places. Signed-off-by: Marta Rybczynska --- meta/classes/cve-check.bbclass | 24 ++++++++++----------- meta/lib/oe/cve_check.py | 39 ++++++++++++++++++++++++++-------- meta/lib/oe/spdx30_tasks.py | 11 +++++----- 3 files changed, 48 insertions(+), 26 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c946de29a4..bc35a1c53c 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -324,8 +324,8 @@ def check_cves(d, patched_cves): # Convert CVE_STATUS into ignored CVEs and check validity cve_ignore = [] for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status, _, _ = decode_cve_status(d, cve) - if decoded_status == "Ignored": + decoded_status = decode_cve_status(d, cve) + if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored": cve_ignore.append(cve) import sqlite3 @@ -507,11 +507,11 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve write_string += "CVE STATUS: %s\n" % status - _, detail, description = decode_cve_status(d, cve) - if detail: - write_string += "CVE DETAIL: %s\n" % detail - if description: - write_string += "CVE DESCRIPTION: %s\n" % description + status_details = decode_cve_status(d, cve) + if 'detail' in status_details: + write_string += "CVE DETAIL: %s\n" % status_details['detail'] + if 'description' in status_details: + write_string += "CVE DESCRIPTION: %s\n" % status_details['description'] write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] @@ -637,11 +637,11 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): "status" : status, "link": issue_link } - _, detail, description = decode_cve_status(d, cve) - if detail: - cve_item["detail"] = detail - if description: - cve_item["description"] = description + status_details = decode_cve_status(d, cve) + if 'detail' in status_details: + cve_item["detail"] = status_details['detail'] + if 'description' in status_details: + cve_item["description"] = status_details['description'] cve_list.append(cve_item) package_data["issue"] = cve_list diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ed5c714cb8..5edd34a2d9 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -132,8 +132,8 @@ def get_patched_cves(d): # Search for additional patched CVEs for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status, _, _ = decode_cve_status(d, cve) - if decoded_status == "Patched": + decoded_status = decode_cve_status(d, cve) + if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched": bb.debug(2, "CVE %s is additionally patched" % cve) patched_cves.add(cve) @@ -227,19 +227,40 @@ def convert_cve_version(version): def decode_cve_status(d, cve): """ - Convert CVE_STATUS into status, detail and description. + Convert CVE_STATUS into status, vendor, product, detail and description. """ status = d.getVarFlag("CVE_STATUS", cve) if not status: - return ("", "", "") + return {} + + status_split = status.split(':', 5) + status_out = {} + status_out["detail"] = status_split[0] + product = "*" + vendor = "*" + description = "" + if len(status_split) >= 4 and status_split[1].strip() == "cpe": + # Both vendor and product are mandatory if cpe: present, the syntax is then: + # detail: cpe:vendor:product:description + vendor = status_split[2].strip() + product = status_split[3].strip() + description = status_split[4].strip() + elif len(status_split) >= 2 and status_split[1].strip() == "cpe": + # Malformed CPE + bb.warn('Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE' % (detail, cve, status)) + else: + # Other case: no CPE, the syntax is then: + # detail: description + description = status_split[len(status_split)-1].strip() if (len(status_split) > 1) else "" - status_split = status.split(':', 1) - detail = status_split[0] - description = status_split[1].strip() if (len(status_split) > 1) else "" + status_out["vendor"] = vendor + status_out["product"] = product + status_out["description"] = description - status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) + status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", status_out['detail']) if status_mapping is None: bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) status_mapping = "Unpatched" + status_out["mapping"] = status_mapping - return (status_mapping, detail, description) + return status_out diff --git a/meta/lib/oe/spdx30_tasks.py b/meta/lib/oe/spdx30_tasks.py index 03dc47db02..4864d6252a 100644 --- a/meta/lib/oe/spdx30_tasks.py +++ b/meta/lib/oe/spdx30_tasks.py @@ -488,21 +488,22 @@ def create_spdx(d): cve_by_status = {} if include_vex != "none": for cve in d.getVarFlags("CVE_STATUS") or {}: - status, detail, description = oe.cve_check.decode_cve_status(d, cve) + decoded_status = oe.cve_check.decode_cve_status(d, cve) # If this CVE is fixed upstream, skip it unless all CVEs are # specified. - if include_vex != "all" and detail in ( + if include_vex != "all" and 'detail' in decoded_status and \ + decoded_status['detail'] in ( "fixed-version", "cpe-stable-backport", ): bb.debug(1, "Skipping %s since it is already fixed upstream" % cve) continue - cve_by_status.setdefault(status, {})[cve] = ( + cve_by_status.setdefault(decoded_status['mapping'], {})[cve] = ( build_objset.new_cve_vuln(cve), - detail, - description, + decoded_status['detail'], + decoded_status['description'], ) cpe_ids = oe.cve_check.get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) From patchwork Wed Aug 14 05:30:36 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47758 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 766C2C531DC for ; Wed, 14 Aug 2024 05:31:08 +0000 (UTC) Received: from mail-wm1-f41.google.com (mail-wm1-f41.google.com [209.85.128.41]) by mx.groups.io with SMTP id smtpd.web10.91186.1723613458684079802 for ; Tue, 13 Aug 2024 22:30:59 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=EeaFizMs; spf=pass (domain: gmail.com, ip: 209.85.128.41, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f41.google.com with SMTP id 5b1f17b1804b1-426526d30aaso42935475e9.0 for ; Tue, 13 Aug 2024 22:30:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613456; x=1724218256; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=OkTa/98hIRKPFlwAaDSDreK1dxQgWRupIXuqrodBqtI=; b=EeaFizMscKIeqCgZkgfejXRAvpkpLoazpZwmzsH85kaSEJ2x60XJX+XGg5ofYsBye+ DC3Vp8lCsWnH787XuuMSZBp+xF8LvPV3qHvdpxvVFFJn8dh9K5Wy4QU6WTo9Lbawtghy lSvtw0p15eC0lyr3NZEHSQ5rJrkZ75BWtGO6H9riCf82UlzWqsfdofVPhcnqiWYhSI1K I6PAXU9Y2bSIFOjUTGAWRZFCto0YwGlmMSbsfHH20cgN4ZTb9kgIOF04xVAO4afYdxbk YBVx3C/bBt5WtI73y6ibfKt0ejQklCjmnfbnvu3KQ7m0YifpJ+gwdNV8fQSFgNjxz8jG HQxg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613456; x=1724218256; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=OkTa/98hIRKPFlwAaDSDreK1dxQgWRupIXuqrodBqtI=; b=Y85paAKJm1ez8ZJr0r0gA+cJ4i6TMp3LcKb1WzFGzVTKQ7B/QrAX47bOIFDrphl2aq ryovys32ZBKb/SuhZbJm3w3HJY1FdHki06+Bq/XqH44YQBtXMpbyulK2+wCxyjgauWeL XAXHc8YV8El53Se5P+2yxQMEr4zJB0bUsTrEucgHLjObXHvptaD0oPWV1B2bdyQn2jK3 T7vyL/ZWKNJ8sS7CZAY29xKMnXKbZN9mLRND0MOFUjgEaMqHXp6tr8Xm1ItCXaihcjX9 FAUo3gtRia5mBXEqWwJ0fTbAyJsMLytOTLA0OQRgJ9Nwof3ZZyYhU8g0Usv2OkU4Cqy/ lyhg== X-Gm-Message-State: AOJu0YwoXGFUHExPo28ueVsM87wJgvOT6iw2/zOM6cRIcAluYIcDom6Y f/857XaWTCyojS0MfO2J6kDH8dDN0BwDYEGUAXAPg2dktYe0/0rJWMeyJw== X-Google-Smtp-Source: AGHT+IH1ScGQCxN5OTQbBXFns4fo/dfVfThu3L+XlhPNFLonghVZ9edCgChxEwL7yM2bj71DpJ+/JA== X-Received: by 2002:a05:600c:1c0a:b0:426:5d0d:a2c9 with SMTP id 5b1f17b1804b1-429dd23ba73mr11295505e9.10.1723613456017; Tue, 13 Aug 2024 22:30:56 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.30.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:30:55 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska Subject: [PATCH v5][OE-core 2/7] cve-extra-inclusions: encode CPEs of affected packages Date: Wed, 14 Aug 2024 07:30:36 +0200 Message-ID: <20240814053041.4991-2-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> References: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:31:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203303 Add the new cpe:vendor:product tagging to entries in cve-extra-inclusions, using product/vendor combinations that are already present in OE-core (usually there is no specific vendor). Signed-off-by: Marta Rybczynska --- .../distro/include/cve-extra-exclusions.inc | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/meta/conf/distro/include/cve-extra-exclusions.inc b/meta/conf/distro/include/cve-extra-exclusions.inc index fcef6a14fb..ffbbb7bef1 100644 --- a/meta/conf/distro/include/cve-extra-exclusions.inc +++ b/meta/conf/distro/include/cve-extra-exclusions.inc @@ -16,11 +16,11 @@ # # strace https://nvd.nist.gov/vuln/detail/CVE-2000-0006 -CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: CVE is more than 20 years old \ +CVE_STATUS[CVE-2000-0006] = "upstream-wontfix: cpe:*:strace: CVE is more than 20 years old \ with no resolution evident. Broken links in CVE database references make resolution impractical." # epiphany https://nvd.nist.gov/vuln/detail/CVE-2005-0238 -CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: \ +CVE_STATUS[CVE-2005-0238] = "upstream-wontfix: cpe:*:epiphany: \ The issue here is spoofing of domain names using characters from other character sets. \ There has been much discussion amongst the epiphany and webkit developers and \ whilst there are improvements about how domains are handled and displayed to the user \ @@ -28,7 +28,7 @@ there is unlikely ever to be a single fix to webkit or epiphany which addresses problem. There isn't any mitigation or fix or way to progress this further." # glibc https://nvd.nist.gov/vuln/detail/CVE-2010-4756 -CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: \ +CVE_STATUS[CVE-2010-4756] = "upstream-wontfix: cpe:*:glibc: \ Issue is memory exhaustion via glob() calls, e.g. from within an ftp server \ Best discussion in https://bugzilla.redhat.com/show_bug.cgi?id=681681 \ Upstream don't see it as a security issue, ftp servers shouldn't be passing \ @@ -38,7 +38,7 @@ this to libc glob. Upstream have no plans to add BSD's GLOB_LIMIT or similar." # go https://nvd.nist.gov/vuln/detail/CVE-2020-29511 CVE_STATUS_GROUPS += "CVE_STATUS_GO" CVE_STATUS_GO = "CVE-2020-29509 CVE-2020-29511" -CVE_STATUS_GO[status] = "not-applicable-config: \ +CVE_STATUS_GO[status] = "not-applicable-config: cpe:golang:go: \ The encoding/xml package in go can potentially be used for security exploits if not used correctly \ CVE applies to a netapp product as well as flagging a general issue. We don't ship anything \ exposing this interface in an exploitable way" @@ -50,7 +50,7 @@ CVE-2015-2656 CVE-2015-4754 CVE-2015-4764 CVE-2015-4774 CVE-2015-4775 CVE-2015-4 CVE-2015-4778 CVE-2015-4779 CVE-2015-4780 CVE-2015-4781 CVE-2015-4782 CVE-2015-4783 CVE-2015-4784 \ CVE-2015-4785 CVE-2015-4786 CVE-2015-4787 CVE-2015-4788 CVE-2015-4789 CVE-2015-4790 CVE-2016-0682 \ CVE-2016-0689 CVE-2016-0692 CVE-2016-0694 CVE-2016-3418 CVE-2020-2981" -CVE_STATUS_DB[status] = "upstream-wontfix: Since Oracle relicensed bdb, the open source community is slowly but surely \ +CVE_STATUS_DB[status] = "upstream-wontfix: cpe:*:berkeley_db: Since Oracle relicensed bdb, the open source community is slowly but surely \ replacing bdb with supported and open source friendly alternatives. As a result this CVE is unlikely to ever be fixed." # Kernel CVEs that are generic but can't be added to the kernel's hand-maintained cve-exclusion.inc @@ -60,25 +60,25 @@ replacing bdb with supported and open source friendly alternatives. As a result # For OE-Core our policy is to stay as close to the kernel stable releases as we can. This should # ensure the bulk of the major kernel CVEs are fixed and we don't dive into each individual issue # as the stable maintainers are much more able to do that. -CVE_STATUS[CVE-1999-0524] = "ignored: issue is that ICMP exists, can be filewalled if required" -CVE_STATUS[CVE-2008-4609] = "ignored: describes design flaws in TCP" -CVE_STATUS[CVE-2010-4563] = "ignored: low impact, only enables detection of hosts which are sniffing network traffic" -CVE_STATUS[CVE-2011-0640] = "ignored: requires physical access and any mitigation would mean USB is impractical to use" +CVE_STATUS[CVE-1999-0524] = "ignored: cpe:*:linux_kernel:issue is that ICMP exists, can be filewalled if required" +CVE_STATUS[CVE-2008-4609] = "ignored: cpe:*:linux_kernel:describes design flaws in TCP" +CVE_STATUS[CVE-2010-4563] = "ignored: cpe:*:linux_kernel:low impact, only enables detection of hosts which are sniffing network traffic" +CVE_STATUS[CVE-2011-0640] = "ignored: cpe:*:linux_kernel:requires physical access and any mitigation would mean USB is impractical to use" # qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2021-20255 -CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: \ +CVE_STATUS[CVE-2021-20255] = "upstream-wontfix: cpe:*:qemu: \ There was a proposed patch https://lists.gnu.org/archive/html/qemu-devel/2021-02/msg06098.html \ qemu maintainers say the patch is incorrect and should not be applied \ The issue is of low impact, at worst sitting in an infinite loop rather than exploitable." # qemu:qemu-native:qemu-system-native https://nvd.nist.gov/vuln/detail/CVE-2019-12067 -CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: \ +CVE_STATUS[CVE-2019-12067] = "upstream-wontfix: cpe:*:qemu: \ There was a proposed patch but rejected by upstream qemu. It is unclear if the issue can \ still be reproduced or where exactly any bug is. \ We'll pick up any fix when upstream accepts one." # nasm:nasm-native https://nvd.nist.gov/vuln/detail/CVE-2020-18974 -CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: \ +CVE_STATUS[CVE-2020-18974] = "upstream-wontfix: cpe:*:netwide_assembler: \ It is a fuzzing related buffer overflow. It is of low impact since most devices \ wouldn't expose an assembler. The upstream is inactive and there is little to be \ done about the bug, ignore from an OE perspective." From patchwork Wed Aug 14 05:30:37 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47759 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75244C52D7D for ; Wed, 14 Aug 2024 05:31:08 +0000 (UTC) Received: from mail-wm1-f49.google.com (mail-wm1-f49.google.com [209.85.128.49]) by mx.groups.io with SMTP id smtpd.web11.91316.1723613464112514190 for ; Tue, 13 Aug 2024 22:31:04 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=PXppsIEZ; spf=pass (domain: gmail.com, ip: 209.85.128.49, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f49.google.com with SMTP id 5b1f17b1804b1-428119da952so43597105e9.0 for ; Tue, 13 Aug 2024 22:31:03 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613462; x=1724218262; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=8iB11B6hiiGigDl8h9HpMai6QJhPHYn51EKS05IZ1yk=; b=PXppsIEZzl+E2794iTt6do7LpA4ZSRwbJRk1JmX2YLQaDcuHH1Km16ICd6+qVN+LmZ n2Aki3XduutzSbGK/kQ2oj/kIZlPE+dGaLOBMwH90mjtibwzt9uvRoXQFTojZipBopAV FLFnY/YYnTrp6PYf256ISfH+q246lFkxJ36aLKmEk1IqQn0sLhvGUh9rUs+NntDUQhOU a4wOvvOrLx7hCO1g75T90BxnKfuziT11Ya7F9mh0Kq8NAL14ihYVlZwCCPodJEcHegrG MJk2mCuSNUHD6xM90hpJsAKDH7Oohai7b9BzZeWWtAGwNgWwPItIXXHnJCw5ylrjTdG7 mvEg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613462; x=1724218262; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8iB11B6hiiGigDl8h9HpMai6QJhPHYn51EKS05IZ1yk=; b=YFCQoqwNodWlUS5DE6m3m+tbOuYjzoblU9zXxtmIZyJksssqG1wPuwOEw4YZkI69AU PWql7n/GJJ6ibYHUvIXglBAJUOxUTgo1bpJ98TOnr12EL1yudPvXoUQQ6d2JcUatn+Je ipYOQWBABZt3XtpzgcaDIyTMplytQOBzDYo2ZoqK/eygLxSnqhwd0wq8OGWpHkReATPQ qwnoeWXRRtJcUF2kv3wYGJQMUX8BCoG+3DG1FG2shPbI0ElVFATMzgVBsR4iPEgkDEqv mYew42E6iB8xik3y/zMjKTnKlW3osYdkWLmHIGKf69UJ2X9Y7T0ZxZ37bPHjsTnqb7UW ZRMg== X-Gm-Message-State: AOJu0YzorDmy1BinTzFNFLEhn2XtxAOO+3ekNJ53lYSCcFOTzl6yg4XO 5Ejnaah/S8NqOc2sxWFThMtttCMQRhrbJbUeWAGwGzEcojtu6rYbjrZ50g== X-Google-Smtp-Source: AGHT+IHwwZ5n/FdWIq7yA46l+oep4LkIcJ7/omRTsoQ08b4eAP9GtiUb0HLki+eYVTt9MLmjRrinXw== X-Received: by 2002:a05:600c:5116:b0:426:5269:983a with SMTP id 5b1f17b1804b1-429dd22f20bmr11299685e9.8.1723613461779; Tue, 13 Aug 2024 22:31:01 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.31.00 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:31:01 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska , Samantha Jalabert Subject: [PATCH v5][OE-core 3/7] cve-check: annotate CVEs during analysis Date: Wed, 14 Aug 2024 07:30:37 +0200 Message-ID: <20240814053041.4991-3-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> References: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:31:08 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203304 Add status information for each CVE under analysis. Previously the information passed between different function of the cve-check class included only tables of patched, unpatched, ignored vulnerabilities and the general status of the recipe. The VEX work requires more information, and we need to pass them between different functions, so that it can be enriched as the analysis progresses. Instead of multiple tables, use a single one with annotations for each CVE encountered. For example, a patched CVE will have: {"abbrev-status": "Patched", "status": "version-not-in-range"} abbrev-status contains the general status (Patched, Unpatched, Ignored and Unknown that will be added in the VEX code) status contains more detailed information that can come from CVE_STATUS and the analysis. Additional fields of the annotation include for example the name of the patch file fixing a given CVE. We also use the annotation in CVE_STATUS to filter out entries that do not apply to the given recipe Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert --- meta/classes/cve-check.bbclass | 208 +++++++++++++++++---------------- meta/lib/oe/cve_check.py | 35 +++++- 2 files changed, 139 insertions(+), 104 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index bc35a1c53c..0d7c8a5835 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -189,10 +189,10 @@ python do_cve_check () { patched_cves = get_patched_cves(d) except FileNotFoundError: bb.fatal("Failure in searching patches") - ignored, patched, unpatched, status = check_cves(d, patched_cves) - if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): - cve_data = get_cve_info(d, patched + unpatched + ignored) - cve_write_data(d, patched, unpatched, ignored, cve_data, status) + cve_data, status = check_cves(d, patched_cves) + if len(cve_data) or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): + get_cve_info(d, cve_data) + cve_write_data(d, cve_data, status) else: bb.note("No CVE database found, skipping CVE check") @@ -295,7 +295,51 @@ ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest ' if d do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" -def check_cves(d, patched_cves): +def cve_is_ignored(d, cve_data, cve): + if cve not in cve_data: + return False + if cve_data[cve]['abbrev-status'] == "Ignored": + return True + return False + +def cve_is_patched(d, cve_data, cve): + if cve not in cve_data: + return False + if cve_data[cve]['abbrev-status'] == "Patched": + return True + return False + +def cve_update(d, cve_data, cve, entry): + # If no entry, just add it + if cve not in cve_data: + cve_data[cve] = entry + return + # If we are updating, there might be change in the status + bb.debug("Trying CVE entry update for %s from %s to %s" % (cve, cve_data[cve]['abbrev-status'], entry['abbrev-status'])) + if cve_data[cve]['abbrev-status'] == "Unknown": + cve_data[cve] = entry + return + if cve_data[cve]['abbrev-status'] == entry['abbrev-status']: + return + # Update like in {'abbrev-status': 'Patched', 'status': 'version-not-in-range'} to {'abbrev-status': 'Unpatched', 'status': 'version-in-range'} + if entry['abbrev-status'] == "Unpatched" and cve_data[cve]['abbrev-status'] == "Patched": + if entry['status'] == "version-in-range" and cve_data[cve]['status'] == "version-not-in-range": + # New result from the scan, vulnerable + cve_data[cve] = entry + bb.debug("CVE entry %s update from Patched to Unpatched from the scan result" % cve) + return + if entry['abbrev-status'] == "Patched" and cve_data[cve]['abbrev-status'] == "Unpatched": + if entry['status'] == "version-not-in-range" and cve_data[cve]['status'] == "version-in-range": + # Range does not match the scan, but we already have a vulnerable match, ignore + bb.debug("CVE entry %s update from Patched to Unpatched from the scan result - not applying" % cve) + return + # If we have an "Ignored", it has a priority + if cve_data[cve]['abbrev-status'] == "Ignored": + bb.debug("CVE %s not updating because Ignored" % cve) + return + bb.warn("Unhandled CVE entry update for %s from %s to %s" % (cve, cve_data[cve], entry)) + +def check_cves(d, cve_data): """ Connect to the NVD database and find unpatched cves. """ @@ -305,28 +349,19 @@ def check_cves(d, patched_cves): real_pv = d.getVar("PV") suffix = d.getVar("CVE_VERSION_SUFFIX") - cves_unpatched = [] - cves_ignored = [] cves_status = [] cves_in_recipe = False # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) products = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) if not products: - return ([], [], [], []) + return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] # If the recipe has been skipped/ignored we return empty lists if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split(): bb.note("Recipe has been skipped by cve-check") - return ([], [], [], []) - - # Convert CVE_STATUS into ignored CVEs and check validity - cve_ignore = [] - for cve in (d.getVarFlags("CVE_STATUS") or {}): - decoded_status = decode_cve_status(d, cve) - if 'mapping' in decoded_status and decoded_status['mapping'] == "Ignored": - cve_ignore.append(cve) + return ([], []) import sqlite3 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") @@ -345,11 +380,10 @@ def check_cves(d, patched_cves): for cverow in cve_cursor: cve = cverow[0] - if cve in cve_ignore: + if cve_is_ignored(d, cve_data, cve): bb.note("%s-%s ignores %s" % (product, pv, cve)) - cves_ignored.append(cve) continue - elif cve in patched_cves: + elif cve_is_patched(d, cve_data, cve): bb.note("%s has been patched" % (cve)) continue # Write status once only for each product @@ -365,7 +399,7 @@ def check_cves(d, patched_cves): for row in product_cursor: (_, _, _, version_start, operator_start, version_end, operator_end) = row #bb.debug(2, "Evaluating row " + str(row)) - if cve in cve_ignore: + if cve_is_ignored(d, cve_data, cve): ignored = True version_start = convert_cve_version(version_start) @@ -404,16 +438,16 @@ def check_cves(d, patched_cves): if vulnerable: if ignored: bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv)) - cves_ignored.append(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Ignored"}) else: bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve)) - cves_unpatched.append(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Unpatched", "status": "version-in-range"}) break product_cursor.close() if not vulnerable: bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve)) - patched_cves.add(cve) + cve_update(d, cve_data, cve, {"abbrev-status": "Patched", "status": "version-not-in-range"}) cve_cursor.close() if not cves_in_product: @@ -421,48 +455,45 @@ def check_cves(d, patched_cves): cves_status.append([product, False]) conn.close() - diff_ignore = list(set(cve_ignore) - set(cves_ignored)) - if diff_ignore: - oe.qa.handle_error("cve_status_not_in_db", "Found CVE (%s) with CVE_STATUS set that are not found in database for this component" % " ".join(diff_ignore), d) if not cves_in_recipe: bb.note("No CVE records for products in recipe %s" % (pn)) - return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status) + return (cve_data, cves_status) -def get_cve_info(d, cves): +def get_cve_info(d, cve_data): """ Get CVE information from the database. """ import sqlite3 - cve_data = {} db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") conn = sqlite3.connect(db_file, uri=True) - for cve in cves: + for cve in cve_data: cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)) for row in cursor: - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["scorev2"] = row[2] - cve_data[row[0]]["scorev3"] = row[3] - cve_data[row[0]]["modified"] = row[4] - cve_data[row[0]]["vector"] = row[5] - cve_data[row[0]]["vectorString"] = row[6] + # The CVE itdelf has been added already + if row[0] not in cve_data: + bb.note("CVE record %s not present" % row[0]) + continue + #cve_data[row[0]] = {} + cve_data[row[0]]["NVD-summary"] = row[1] + cve_data[row[0]]["NVD-scorev2"] = row[2] + cve_data[row[0]]["NVD-scorev3"] = row[3] + cve_data[row[0]]["NVD-modified"] = row[4] + cve_data[row[0]]["NVD-vector"] = row[5] + cve_data[row[0]]["NVD-vectorString"] = row[6] cursor.close() conn.close() - return cve_data -def cve_write_data_text(d, patched, unpatched, ignored, cve_data): +def cve_write_data_text(d, cve_data): """ Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and CVE manifest if enabled. """ - from oe.cve_check import decode_cve_status - cve_file = d.getVar("CVE_CHECK_LOG") fdir_name = d.getVar("FILE_DIRNAME") layer = fdir_name.split("/")[-3] @@ -479,7 +510,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): return # Early exit, the text format does not report packages without CVEs - if not patched+unpatched+ignored: + if not len(cve_data): return nvd_link = "https://nvd.nist.gov/vuln/detail/" @@ -488,36 +519,29 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): bb.utils.mkdirhier(os.path.dirname(cve_file)) for cve in sorted(cve_data): - is_patched = cve in patched - is_ignored = cve in ignored - - status = "Unpatched" - if (is_patched or is_ignored) and not report_all: + if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): continue - if is_ignored: - status = "Ignored" - elif is_patched: - status = "Patched" - else: - # default value of status is Unpatched - unpatched_cves.append(cve) - write_string += "LAYER: %s\n" % layer write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve - write_string += "CVE STATUS: %s\n" % status - status_details = decode_cve_status(d, cve) - if 'detail' in status_details: - write_string += "CVE DETAIL: %s\n" % status_details['detail'] - if 'description' in status_details: - write_string += "CVE DESCRIPTION: %s\n" % status_details['description'] - write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] - write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] - write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] - write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] + write_string += "CVE STATUS: %s\n" % cve_data[cve]["abbrev-status"] + + if 'status' in cve_data[cve]: + write_string += "CVE DETAIL: %s\n" % cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + write_string += "CVE DESCRIPTION: %s\n" % cve_data[cve]["justification"] + + if "NVD-summary" in cve_data[cve]: + write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["NVD-summary"] + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev2"] + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["NVD-scorev3"] + write_string += "VECTOR: %s\n" % cve_data[cve]["NVD-vector"] + write_string += "VECTORSTRING: %s\n" % cve_data[cve]["NVD-vectorString"] + write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) + if cve_data[cve]["abbrev-status"] == "Unpatched": + unpatched_cves.append(cve) if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) @@ -569,13 +593,11 @@ def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_fi with open(index_path, "a+") as f: f.write("%s\n" % fragment_path) -def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): +def cve_write_data_json(d, cve_data, cve_status): """ Prepare CVE data for the JSON format, then write it. """ - from oe.cve_check import decode_cve_status - output = {"version":"1", "package": []} nvd_link = "https://nvd.nist.gov/vuln/detail/" @@ -593,8 +615,6 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): if include_layers and layer not in include_layers: return - unpatched_cves = [] - product_data = [] for s in cve_status: p = {"product": s[0], "cvesInRecord": "Yes"} @@ -609,39 +629,31 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): "version" : package_version, "products": product_data } + cve_list = [] for cve in sorted(cve_data): - is_patched = cve in patched - is_ignored = cve in ignored - status = "Unpatched" - if (is_patched or is_ignored) and not report_all: + if not report_all and (cve_data[cve]["abbrev-status"] == "Patched" or cve_data[cve]["abbrev-status"] == "Ignored"): continue - if is_ignored: - status = "Ignored" - elif is_patched: - status = "Patched" - else: - # default value of status is Unpatched - unpatched_cves.append(cve) - issue_link = "%s%s" % (nvd_link, cve) cve_item = { "id" : cve, - "summary" : cve_data[cve]["summary"], - "scorev2" : cve_data[cve]["scorev2"], - "scorev3" : cve_data[cve]["scorev3"], - "vector" : cve_data[cve]["vector"], - "vectorString" : cve_data[cve]["vectorString"], - "status" : status, - "link": issue_link + "status" : cve_data[cve]["abbrev-status"], + "link": issue_link, } - status_details = decode_cve_status(d, cve) - if 'detail' in status_details: - cve_item["detail"] = status_details['detail'] - if 'description' in status_details: - cve_item["description"] = status_details['description'] + if 'NVD-summary' in cve_data[cve]: + cve_item["summary"] = cve_data[cve]["NVD-summary"] + cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] + cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] + cve_item["vector"] = cve_data[cve]["NVD-vector"] + cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] + if 'status' in cve_data[cve]: + cve_item["detail"] = cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + cve_item["description"] = cve_data[cve]["justification"] + if 'resource' in cve_data[cve]: + cve_item["patch-file"] = cve_data[cve]["resource"] cve_list.append(cve_item) package_data["issue"] = cve_list @@ -653,12 +665,12 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file) -def cve_write_data(d, patched, unpatched, ignored, cve_data, status): +def cve_write_data(d, cve_data, status): """ Write CVE data in each enabled format. """ if d.getVar("CVE_CHECK_FORMAT_TEXT") == "1": - cve_write_data_text(d, patched, unpatched, ignored, cve_data) + cve_write_data_text(d, cve_data) if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": - cve_write_data_json(d, patched, unpatched, ignored, cve_data, status) + cve_write_data_json(d, cve_data, status) diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 5edd34a2d9..487f30dc25 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -88,7 +88,7 @@ def get_patched_cves(d): # (cve_match regular expression) cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) - patched_cves = set() + patched_cves = {} patches = oe.patch.src_patches(d) bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) for url in patches: @@ -98,7 +98,7 @@ def get_patched_cves(d): fname_match = cve_file_name_match.search(patch_file) if fname_match: cve = fname_match.group(1).upper() - patched_cves.add(cve) + patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) # Remote patches won't be present and compressed patches won't be @@ -124,7 +124,7 @@ def get_patched_cves(d): cves = patch_text[match.start()+5:match.end()] for cve in cves.split(): bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) - patched_cves.add(cve) + patched_cves[cve] = {"abbrev-status": "Patched", "status": "fix-file-included", "resource": patch_file} text_match = True if not fname_match and not text_match: @@ -133,9 +133,15 @@ def get_patched_cves(d): # Search for additional patched CVEs for cve in (d.getVarFlags("CVE_STATUS") or {}): decoded_status = decode_cve_status(d, cve) - if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched": - bb.debug(2, "CVE %s is additionally patched" % cve) - patched_cves.add(cve) + products = d.getVar("CVE_PRODUCT") + if has_cve_product_match(decoded_status, products) == True: + patched_cves[cve] = { + "abbrev-status": decoded_status["mapping"], + "status": decoded_status["detail"], + "justification": decoded_status["description"], + "affected-vendor": decoded_status["vendor"], + "affected-product": decoded_status["product"] + } return patched_cves @@ -264,3 +270,20 @@ def decode_cve_status(d, cve): status_out["mapping"] = status_mapping return status_out + +def has_cve_product_match(detailed_status, products): + """ + Check product/vendor match between detailed_status from decode_cve_status and a string of + products (like from CVE_PRODUCT) + """ + for product in products.split(): + vendor = "*" + if ":" in product: + vendor, product = product.split(":", 1) + + if (vendor == detailed_status["vendor"] or detailed_status["vendor"] == "*") and \ + (product == detailed_status["product"] or detailed_status["product"] == "*"): + return True + + #if no match, return False + return False From patchwork Wed Aug 14 05:30:38 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47762 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 709B3C52D7D for ; Wed, 14 Aug 2024 05:31:18 +0000 (UTC) Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) by mx.groups.io with SMTP id smtpd.web11.91317.1723613469043482384 for ; Tue, 13 Aug 2024 22:31:09 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=nAxEpa1G; spf=pass (domain: gmail.com, ip: 209.85.167.42, mailfrom: rybczynska@gmail.com) Received: by mail-lf1-f42.google.com with SMTP id 2adb3069b0e04-52f025ab3a7so3130602e87.2 for ; Tue, 13 Aug 2024 22:31:08 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613467; x=1724218267; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=bCFDlrASHkZw6WssTjjSvadGWOfkJn96f0OhZ8GIQjw=; b=nAxEpa1GKmA0b+9S9JXghBW5mfOe6F9uWNUM6tMvKruhF8h+P8ItHN2ydA56e1U3zO BcA9UGXHDB0lpIFm4EjLMOF+cdEC6tkQyF0c7m1cCCqACRQRFZ/SSLy+VkkkGlESLbcG gpp+rrjyUUhumpF08++6U/fET8LKzDz9PxKKpzcsUa+raHIb840zCyF/Eok8R7v4NdYY l926DHiD3R2FY7k8dakdaATpCfYMphLD1nrSvNZuN+EUMZ2F1lVdVt5laeUoMTYLPPLy CQVxQWkKgtln+lF53sOiSVsl025XUZxGe4Lr5+HP7XtqyS83PzgcrZVq1yNx38Kv5TDi 5bhg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613467; x=1724218267; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bCFDlrASHkZw6WssTjjSvadGWOfkJn96f0OhZ8GIQjw=; b=KG/ataTaTobWN5teyhA4fItVO1TNsjSHGKfvH9/F1G05dob24Lk49s5qnEws6cQZNa hT8nCZ9OIfwXTOMG4TxYU04rvs2b3BGOqNXNMsBoN7xAX6GN8gqyLQVPo8oCTPFfRKwT lb/LqUYuVPXbyQN0oA8vWHB2wbbAhj40kmzM7FR4IUIBPI8mUCvuB6i0uEqGHXA9pPWs QlfNZMg8cQnxRmssK0L589gwXeLWLtwbYSAmcyVMVpzUwRBnQKesBXMMMlSO5LwxiX2y csq5YFxZyG3/bBR46KZpu91CiFUFu0R+Tf40eb+ZfWJS7o0X2LMrL0h2iFujYjXeZFnq sHXw== X-Gm-Message-State: AOJu0Yxv/RiqlJGyT5pv5d6Eq+OvcOPNtCKc7cKr9SVxooJsHM3HQbRc l184Q30EYo0uODSmcPWx9nexbRNsfBkiJNllCgeS5mvrcK35FbGD8LpqMg== X-Google-Smtp-Source: AGHT+IFICCCmawR+wizzJxE+34B9B38SYHEeEjCb0okhVvLBxn9sn3FbkeKhGJCcvdQh3m5FHRCxDA== X-Received: by 2002:a05:6512:2821:b0:52f:1a0:b49 with SMTP id 2adb3069b0e04-532eda81b09mr919121e87.31.1723613466095; Tue, 13 Aug 2024 22:31:06 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.31.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:31:05 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Samantha Jalabert , Marta Rybczynska Subject: [PATCH v5][OE-core 4/7] cve_check: Update selftest with new status detail Date: Wed, 14 Aug 2024 07:30:38 +0200 Message-ID: <20240814053041.4991-4-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> References: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:31:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203305 From: Samantha Jalabert Signed-off-by: Samantha Jalabert Signed-off-by: Marta Rybczynska --- meta/lib/oeqa/selftest/cases/cve_check.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index 60cecd1328..a40272c919 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py @@ -217,9 +217,10 @@ CVE_CHECK_REPORT_PATCHED = "1" # m4 CVE should not be in logrotate self.assertNotIn("CVE-2008-1687", found_cves) # logrotate has both Patched and Ignored CVEs + detail = "version-not-in-range" self.assertIn("CVE-2011-1098", found_cves) self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched") - self.assertEqual(len(found_cves["CVE-2011-1098"]["detail"]), 0) + self.assertEqual(found_cves["CVE-2011-1098"]["detail"], detail) self.assertEqual(len(found_cves["CVE-2011-1098"]["description"]), 0) detail = "not-applicable-platform" description = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used" From patchwork Wed Aug 14 05:30:39 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47761 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 81087C3DA4A for ; Wed, 14 Aug 2024 05:31:18 +0000 (UTC) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mx.groups.io with SMTP id smtpd.web11.91318.1723613472027553550 for ; Tue, 13 Aug 2024 22:31:12 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=fMOrVe08; spf=pass (domain: gmail.com, ip: 209.85.128.54, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-428e3129851so45611485e9.3 for ; Tue, 13 Aug 2024 22:31:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613470; x=1724218270; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dyADFcLlUlLB78t0HCcebY7mck6pLa6VvZwbvV4MTMQ=; b=fMOrVe08V9hk58ka73ynbByimnlSq4jRNY8HlSDnfl9u7Za10hh/pHavNzPT5FqGka 8I0jB2oqLLA+lo145DgpIk+uWVfunnIFo37+G5/qMtutlNIOyPXqG8QdXBqahHFfGDSJ 688PZZIejNiECvhP1uuAAhUIK/MHRCn+6RHGQ373vfDLFz2eh2RcHMPnRSPUItNMCBD6 /c3JSuePmp2nIUPnZCqYEiZrxZ6hiDKrBP+4fV0Jq4Cz+f6MqB4e5noIw+onpFylJjpJ iwBD0NN1Leq2ufCSm/Xrno4Kl3neLlAdnD/XgJzj/NmxyE6YTToakfJRCKNG+eT2zppN MFGQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613470; x=1724218270; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=dyADFcLlUlLB78t0HCcebY7mck6pLa6VvZwbvV4MTMQ=; b=rw3RAs46i9apzA9dByKaJngbQEm/d9vCexp7rVS+a3cS/6mQFelzR9NH88q8pa0yR7 8dZFro/Iv9xoNxKWEpTRftXx27mqiNnEPRMbA6MGIay7MvL2WAm9qVLka+EPZzYv8OPT 88uDVOzdx1fAiJ2fP5i7IzD1kzv167XtIWwqk4yJibI9LDesMah6J8K2U/LDWrEB9UCl BOTTWpNPOn4YxHEf7IqNbJbkMCDhN0QUy4f7AVJ2q/vsBpoI5LLb5rgv39xR8dMzY6EZ wtNs3gZzvJeJm3ub0pKimWlERNRhBtRY2VbvkrAaoMi/TTLPaWZwH+Fruw4S/VAHoRhX gMSQ== X-Gm-Message-State: AOJu0Yx8YuU/eieiye57A7KEtEeaZM+8t4CGodO+AFHe6mlpvaXfaCDx 0Vrt0vEQVzS3GfYpubZ9krNZpL0ilQTXo+hd97x+cjPAqPzgISp1Yyg9Sw== X-Google-Smtp-Source: AGHT+IHfYKrR+sjSaWF1BNFK8YvdTLTmeJgd1nNG/phX8AL0YxQ8W5OcZsR//qblJdG5saxMcHf2Kw== X-Received: by 2002:a05:600c:3595:b0:428:ea8e:b48a with SMTP id 5b1f17b1804b1-429dd232b87mr10214565e9.8.1723613469424; Tue, 13 Aug 2024 22:31:09 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.31.08 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:31:08 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska , Samantha Jalabert Subject: [PATCH v5][OE-core 5/7] vex.bbclass: add a new class Date: Wed, 14 Aug 2024 07:30:39 +0200 Message-ID: <20240814053041.4991-5-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> References: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:31:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203306 The "vex" class generates the minimum information that is necessary for VEX generation by an external CVE checking tool. It is a drop-in replacement of "cve-check". It uses the same variables from recipes to make the migration and backporting easier. The goal of this class is to allow generation of the CVE list of an image or distribution on-demand, including the latest information from vulnerability databases. Vulnerability data changes every day, so a status generated at build becomes out-of-date very soon. Research done for this work shows that the current VEX formats (CSAF and OpenVEX) do not provide enough information to generate such rolling information. Instead, we extract the needed data from recipe annotations (package names, CPEs, versions, CVE patches applied...) and store for later use in the format that is an extension of the CVE-check JSON output format. This output can be then used (separately or with SPDX of the same build) by an external tool to generate the vulnerability annotation and VEX statements in standard formats. Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert --- meta/classes/vex.bbclass | 310 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 310 insertions(+) create mode 100644 meta/classes/vex.bbclass diff --git a/meta/classes/vex.bbclass b/meta/classes/vex.bbclass new file mode 100644 index 0000000000..bb16e2a529 --- /dev/null +++ b/meta/classes/vex.bbclass @@ -0,0 +1,310 @@ +# +# Copyright OpenEmbedded Contributors +# +# SPDX-License-Identifier: MIT +# + +# This class is used to generate metadata needed by external +# tools to check for vulnerabilities, for example CVEs. +# +# In order to use this class just inherit the class in the +# local.conf file and it will add the generate_vex task for +# every recipe. If an image is build it will generate a report +# in DEPLOY_DIR_IMAGE for all the packages used, it will also +# generate a file for all recipes used in the build. +# +# Variables use CVE_CHECK prefix to keep compatibility with +# the cve-check class +# +# Example: +# bitbake -c generate_vex openssl +# bitbake core-image-sato +# bitbake -k -c generate_vex universe +# +# The product name that the CVE database uses defaults to BPN, but may need to +# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). +CVE_PRODUCT ??= "${BPN}" +CVE_VERSION ??= "${PV}" + +CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve" + +CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json" +CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt" + +CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" +CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" +CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json" + +# Skip CVE Check for packages (PN) +CVE_CHECK_SKIP_RECIPE ?= "" + +# Replace NVD DB check status for a given CVE. Each of CVE has to be mentioned +# separately with optional detail and description for this status. +# +# CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows" +# CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally" +# +# Settings the same status and reason for multiple CVEs is possible +# via CVE_STATUS_GROUPS variable. +# +# CVE_STATUS_GROUPS = "CVE_STATUS_WIN CVE_STATUS_PATCHED" +# +# CVE_STATUS_WIN = "CVE-1234-0001 CVE-1234-0003" +# CVE_STATUS_WIN[status] = "not-applicable-platform: Issue only applies on Windows" +# CVE_STATUS_PATCHED = "CVE-1234-0002 CVE-1234-0004" +# CVE_STATUS_PATCHED[status] = "fixed-version: Fixed externally" +# +# All possible CVE statuses could be found in cve-check-map.conf +# CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" +# CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# +# CVE_CHECK_IGNORE is deprecated and CVE_STATUS has to be used instead. +# Keep CVE_CHECK_IGNORE until other layers migrate to new variables +CVE_CHECK_IGNORE ?= "" + +# Layers to be excluded +CVE_CHECK_LAYER_EXCLUDELIST ??= "" + +# Layers to be included +CVE_CHECK_LAYER_INCLUDELIST ??= "" + + +# set to "alphabetical" for version using single alphabetical character as increment release +CVE_VERSION_SUFFIX ??= "" + +python () { + if bb.data.inherits_class("cve-check", d): + raise bb.parse.SkipRecipe("Skipping recipe: found incompatible combination of cve-check and vex enabled at the same time.") + + # Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS + cve_check_ignore = d.getVar("CVE_CHECK_IGNORE") + if cve_check_ignore: + bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS") + for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split(): + d.setVarFlag("CVE_STATUS", cve, "ignored") + + # Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once + for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split(): + cve_group = d.getVar(cve_status_group) + if cve_group is not None: + for cve in cve_group.split(): + d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) + else: + bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) +} + +def generate_json_report(d, out_path, link_path): + if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): + import json + from oe.cve_check import cve_check_merge_jsons, update_symlinks + + bb.note("Generating JSON CVE summary") + index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") + summary = {"version":"1", "package": []} + with open(index_file) as f: + filename = f.readline() + while filename: + with open(filename.rstrip()) as j: + data = json.load(j) + cve_check_merge_jsons(summary, data) + filename = f.readline() + + summary["package"].sort(key=lambda d: d['name']) + + with open(out_path, "w") as f: + json.dump(summary, f, indent=2) + + update_symlinks(out_path, link_path) + +python vex_save_summary_handler () { + import shutil + import datetime + from oe.cve_check import update_symlinks + + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + + bb.utils.mkdirhier(cvelogpath) + timestamp = datetime.datetime.now().strftime('%Y%m%d%H%M%S') + + json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")) + json_summary_name = os.path.join(cvelogpath, "cve-summary-%s.json" % (timestamp)) + generate_json_report(d, json_summary_name, json_summary_link_name) + bb.plain("Complete CVE JSON report summary created at: %s" % json_summary_link_name) +} + +addhandler vex_save_summary_handler +vex_save_summary_handler[eventmask] = "bb.event.BuildCompleted" + +python do_generate_vex () { + """ + Generate metadata needed for vulnerability checking for + the current recipe + """ + from oe.cve_check import get_patched_cves + + try: + patched_cves = get_patched_cves(d) + cves_status = [] + products = d.getVar("CVE_PRODUCT").split() + for product in products: + if ":" in product: + _, product = product.split(":", 1) + cves_status.append([product, False]) + + except FileNotFoundError: + bb.fatal("Failure in searching patches") + + cve_write_data_json(d, patched_cves, cves_status) +} + +addtask generate_vex before do_build + +python vex_cleanup () { + """ + Delete the file used to gather all the CVE information. + """ + bb.utils.remove(e.data.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")) +} + +addhandler vex_cleanup +vex_cleanup[eventmask] = "bb.event.BuildCompleted" + +python vex_write_rootfs_manifest () { + """ + Create VEX/CVE manifest when building an image + """ + + import json + from oe.rootfs import image_list_installed_packages + from oe.cve_check import cve_check_merge_jsons, update_symlinks + + deploy_file_json = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + if os.path.exists(deploy_file_json): + bb.utils.remove(deploy_file_json) + + # Create a list of relevant recipies + recipies = set() + for pkg in list(image_list_installed_packages(d)): + pkg_info = os.path.join(d.getVar('PKGDATA_DIR'), + 'runtime-reverse', pkg) + pkg_data = oe.packagedata.read_pkgdatafile(pkg_info) + recipies.add(pkg_data["PN"]) + + bb.note("Writing rootfs VEX manifest") + deploy_dir = d.getVar("IMGDEPLOYDIR") + link_name = d.getVar("IMAGE_LINK_NAME") + + json_data = {"version":"1", "package": []} + text_data = "" + + save_pn = d.getVar("PN") + + for pkg in recipies: + # To be able to use the CVE_CHECK_RECIPE_FILE_JSON variable we have to evaluate + # it with the different PN names set each time. + d.setVar("PN", pkg) + + pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + if os.path.exists(pkgfilepath): + with open(pkgfilepath) as j: + data = json.load(j) + cve_check_merge_jsons(json_data, data) + + d.setVar("PN", save_pn) + + link_path = os.path.join(deploy_dir, "%s.json" % link_name) + manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") + + with open(manifest_name, "w") as f: + json.dump(json_data, f, indent=2) + + update_symlinks(manifest_name, link_path) + bb.plain("Image VEX JSON report stored in: %s" % manifest_name) +} + +ROOTFS_POSTPROCESS_COMMAND:prepend = "vex_write_rootfs_manifest; " +do_rootfs[recrdeptask] += "do_generate_vex " +do_populate_sdk[recrdeptask] += "do_generate_vex " + +def cve_write_data_json(d, cve_data, cve_status): + """ + Prepare CVE data for the JSON format, then write it. + Done for each recipe. + """ + + from oe.cve_check import get_cpe_ids + import json + + output = {"version":"1", "package": []} + nvd_link = "https://nvd.nist.gov/vuln/detail/" + + fdir_name = d.getVar("FILE_DIRNAME") + layer = fdir_name.split("/")[-3] + + include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split() + exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split() + + if exclude_layers and layer in exclude_layers: + return + + if include_layers and layer not in include_layers: + return + + product_data = [] + for s in cve_status: + p = {"product": s[0], "cvesInRecord": "Yes"} + if s[1] == False: + p["cvesInRecord"] = "No" + product_data.append(p) + product_data = list({p['product']:p for p in product_data}.values()) + + package_version = "%s%s" % (d.getVar("EXTENDPE"), d.getVar("PV")) + cpes = get_cpe_ids(d.getVar("CVE_PRODUCT"), d.getVar("CVE_VERSION")) + package_data = { + "name" : d.getVar("PN"), + "layer" : layer, + "version" : package_version, + "products": product_data, + "cpes": cpes + } + + cve_list = [] + + for cve in sorted(cve_data): + issue_link = "%s%s" % (nvd_link, cve) + + cve_item = { + "id" : cve, + "status" : cve_data[cve]["abbrev-status"], + "link": issue_link, + } + if 'NVD-summary' in cve_data[cve]: + cve_item["summary"] = cve_data[cve]["NVD-summary"] + cve_item["scorev2"] = cve_data[cve]["NVD-scorev2"] + cve_item["scorev3"] = cve_data[cve]["NVD-scorev3"] + cve_item["vector"] = cve_data[cve]["NVD-vector"] + cve_item["vectorString"] = cve_data[cve]["NVD-vectorString"] + if 'status' in cve_data[cve]: + cve_item["detail"] = cve_data[cve]["status"] + if 'justification' in cve_data[cve]: + cve_item["description"] = cve_data[cve]["justification"] + if 'resource' in cve_data[cve]: + cve_item["patch-file"] = cve_data[cve]["resource"] + cve_list.append(cve_item) + + package_data["issue"] = cve_list + output["package"].append(package_data) + + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") + + write_string = json.dumps(output, indent=2) + + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + index_path = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH") + bb.utils.mkdirhier(cvelogpath) + fragment_file = os.path.basename(deploy_file) + fragment_path = os.path.join(cvelogpath, fragment_file) + with open(fragment_path, "w") as f: + f.write(write_string) + with open(index_path, "a+") as f: + f.write("%s\n" % fragment_path) From patchwork Wed Aug 14 05:30:40 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47760 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7310EC531DC for ; Wed, 14 Aug 2024 05:31:18 +0000 (UTC) Received: from mail-lj1-f180.google.com (mail-lj1-f180.google.com [209.85.208.180]) by mx.groups.io with SMTP id smtpd.web10.91194.1723613475826112814 for ; Tue, 13 Aug 2024 22:31:16 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=f0hz/Tkw; spf=pass (domain: gmail.com, ip: 209.85.208.180, mailfrom: rybczynska@gmail.com) Received: by mail-lj1-f180.google.com with SMTP id 38308e7fff4ca-2f1a7faa4d5so57563321fa.3 for ; Tue, 13 Aug 2024 22:31:15 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613473; x=1724218273; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=jiI9KetorS/9A07ChLdSkFBO47gtER30WpzVa4qfC3k=; b=f0hz/TkwbIeDoFZdgcmrBAC81131al/h/x4MubcS05Pnk8AOA56w3CsHTWEdbtaq9u /8es+lhMILCdr0iqe4v/7tKpmOWhZNOKXUPu5qDrfUDT3QICOiJQ/kKZ0V14zdFo+zTg 6bHyiiF07kITMZz97/xIuiPvStzjf2fKCWtKXhG90ACFYbvRFZU4KLFSii459dGaHtZ6 8IJCSQhcob+JRLmZbvR74vnuRm4fKhnjEKGYQUY32GoUpEHgxNgYFMPCf5Qq0rn+A2XQ eIDBzpLskRX/HPm/5eSXGc/slCc+pD7XeyH8Q3bvNMsz9rSwS1JLrAtYeq3v9xIBW3UB TkRA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613473; x=1724218273; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=jiI9KetorS/9A07ChLdSkFBO47gtER30WpzVa4qfC3k=; b=JgNWmSaLiI52T7WLDNnA6G9ICyKuPBW37qvNtHhTQSAGs1KG/O5DAlnGg8a7eylRbA Y/0tuR6eeO6c3oVyypHBSIuJDPyvpxj83RXw9qAwQTN9CWeJWGQO1ONnc4VpXXhKA4nV Zq3aWSd3uJRU6MUr7LzXFqfk/XjMlWmx/WeXixE4MlDO+wykhspyu2xEvfnX0W8wHDPL uydSjtYHIQvUD26Hp1z9vZDMqbAe2sOIUN81+HC1KYDPgBytMH9bjHhbpRKjMqmMhDSm H5JcFegw3EnKIzGmKFK/Xg0PbkT0gK1VE6dzNpuXlc/Ss3SvNKc3BdovGE/aabffOLSb UZug== X-Gm-Message-State: AOJu0Yy8G1qIJecHlGrS2aFnho8PEtMJ0qWeCX9jin2Ivi9IDXTKAmrN zOHoDi33/fkuOWdQila1kkF63IAqj7/j9YEG0wQ9enTA/m1obkhjUkOVVQ== X-Google-Smtp-Source: AGHT+IGpIR/5EUCZqi08h9Q5wejbHikn9NhlxUk9eAn5y69NF8JXaxFmqDXmsi+cPATilWD8yA6djA== X-Received: by 2002:a2e:bc0d:0:b0:2ef:23ec:9353 with SMTP id 38308e7fff4ca-2f3aa2f7eeamr9531581fa.38.1723613473225; Tue, 13 Aug 2024 22:31:13 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.31.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:31:12 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska , Samantha Jalabert Subject: [PATCH v5][OE-core 6/7] cve-check-map: add new statuses Date: Wed, 14 Aug 2024 07:30:40 +0200 Message-ID: <20240814053041.4991-6-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> References: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:31:18 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203307 Add 'fix-file-included', 'version-not-in-range' and 'version-in-range' generated by the cve-check. 'fix-file-included' means that a fix file for the CVE has been located. 'version-not-in-range' means that the product version has been found outside of the vulnerable range. 'version-in-range' means that the product version has been found inside of the vulnerable range. Signed-off-by: Marta Rybczynska Signed-off-by: Samantha Jalabert --- meta/conf/cve-check-map.conf | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/meta/conf/cve-check-map.conf b/meta/conf/cve-check-map.conf index 17b0f15571..ac956379d1 100644 --- a/meta/conf/cve-check-map.conf +++ b/meta/conf/cve-check-map.conf @@ -8,11 +8,17 @@ CVE_CHECK_STATUSMAP[backported-patch] = "Patched" CVE_CHECK_STATUSMAP[cpe-stable-backport] = "Patched" # use when NVD DB does not mention correct version or does not mention any verion at all CVE_CHECK_STATUSMAP[fixed-version] = "Patched" +# use when a fix file has been included (set automatically) +CVE_CHECK_STATUSMAP[fix-file-included] = "Patched" +# do not use directly: automatic scan reports version number NOT in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-not-in-range] = "Patched" # used internally by this class if CVE vulnerability is detected which is not marked as fixed or ignored CVE_CHECK_STATUSMAP[unpatched] = "Unpatched" # use when CVE is confirmed by upstream but fix is still not available CVE_CHECK_STATUSMAP[vulnerable-investigating] = "Unpatched" +# do not use directly: automatic scan reports version number IS in the vulnerable range (set automatically) +CVE_CHECK_STATUSMAP[version-in-range] = "Unpatched" # used for migration from old concept, do not use for new vulnerabilities CVE_CHECK_STATUSMAP[ignored] = "Ignored" @@ -26,3 +32,6 @@ CVE_CHECK_STATUSMAP[not-applicable-config] = "Ignored" CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored" # use when upstream acknowledged the vulnerability but does not plan to fix it CVE_CHECK_STATUSMAP[upstream-wontfix] = "Ignored" + +# use when it is impossible to conclude if the vulnerability is present or not +CVE_CHECK_STATUSMAP[unknown] = "Unknown" From patchwork Wed Aug 14 05:30:41 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marta Rybczynska X-Patchwork-Id: 47763 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 793B0C3DA4A for ; Wed, 14 Aug 2024 05:31:28 +0000 (UTC) Received: from mail-wm1-f51.google.com (mail-wm1-f51.google.com [209.85.128.51]) by mx.groups.io with SMTP id smtpd.web10.91198.1723613478890733466 for ; Tue, 13 Aug 2024 22:31:19 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@gmail.com header.s=20230601 header.b=LQo80/xX; spf=pass (domain: gmail.com, ip: 209.85.128.51, mailfrom: rybczynska@gmail.com) Received: by mail-wm1-f51.google.com with SMTP id 5b1f17b1804b1-427fc97a88cso47753935e9.0 for ; Tue, 13 Aug 2024 22:31:18 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723613477; x=1724218277; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=mV8V9GpN1Xk8jp5yOEE5dnOpWXhvIng7mNImWdmsJRc=; b=LQo80/xXmvVMLNDy0DGUX/WwMs1XuWZXnPxofioEtS7RJtUgg5Qg2lPofo7Lu01bhQ GsCCUuKxskKg0rQGyNx6D9HZ94axieCHHgPjhg7ORd6GTZet4HQHxv9wLddUUREIn7FP OqFgJa5vrv1fIv5ZcxC1M1uIH+l7nFtEWdAEQgxIWYdMHj/yMqUV2irdN3W2Hpo43ktJ NdyNrl56nWTNzmQ6WFjuA9iIV2faUPQLPSIZiNMXrJKK29qfzcrSHVGLdk74QnMT2wVF XL3neccr5ukF3bqMka8OtcTO118sI1/Bb58tqhBh9rlyw8WEXUqRy/1H4gI0tRfQhGIF ubQA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723613477; x=1724218277; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=mV8V9GpN1Xk8jp5yOEE5dnOpWXhvIng7mNImWdmsJRc=; b=A4NOnPJ1mwFFFEUFMS76OX3DNHi/3gcvT9QbS+E1V23chZDM08XepYCI5qqp0X7cg+ 5aIREED/5dg5txcMB/8k/m96p7EUxGbCQF4dNM0IhlwX7bPlzW2FoYr98TBej6x/X/Pu wLrgFl4+7F67IGQu+VAB6A/bpnDBaiO9NpkfC7NtckGG277lnCbPuZSyORdAdy/Bz0ll 2cu1FE/g8r0suTv8IURWblUnkP03PBae75LdV2BWJT6DVpqfiipFvafsmmCj1JtQ/GBV wRgmJwCrZxQi7T7oocHxLMrHBv0aU2GlqWJbplj0D0wEnmkZCtSyDC1J3EbvOcaBYqPs 1zFg== X-Gm-Message-State: AOJu0Yxh0vwhu3XPfdP7h0sTRnbFUFzhmxiMN+2sb1lzwW3dXENiczYj onBi2uMmQVU6k314K6gVPigt9U9RO82CNJmhSUgOgZkdIB7KjeAy7vH4Vg== X-Google-Smtp-Source: AGHT+IHjRYtCzDaPcDZt5nfiIvgSHmPz79Gi1cTl/ivGEB2ChBLfiLimuxEWjdS1AhAEGr3upE28+w== X-Received: by 2002:a05:600c:4e93:b0:426:6ee7:c05a with SMTP id 5b1f17b1804b1-429dd236620mr9996975e9.15.1723613476746; Tue, 13 Aug 2024 22:31:16 -0700 (PDT) Received: from voyage.lan ([2a0d:3344:2311:d410:8c63:2ebf:4fe1:9568]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-429ded4db0bsm8885525e9.32.2024.08.13.22.31.15 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 13 Aug 2024 22:31:16 -0700 (PDT) From: Marta Rybczynska X-Google-Original-From: Marta Rybczynska To: openembedded-core@lists.openembedded.org Cc: Marta Rybczynska Subject: [PATCH v5][OE-core 7/7] selftest: add test_product_match Date: Wed, 14 Aug 2024 07:30:41 +0200 Message-ID: <20240814053041.4991-7-marta.rybczynska@syslinbit.com> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> References: <20240814053041.4991-1-marta.rybczynska@syslinbit.com> MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Wed, 14 Aug 2024 05:31:28 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/203308 CVECheck.test_product_match tests has_cve_product_match() Signed-off-by: Marta Rybczynska --- meta/lib/oeqa/selftest/cases/cve_check.py | 48 +++++++++++++++++++++++ 1 file changed, 48 insertions(+) diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py index a40272c919..3dd3e89d3e 100644 --- a/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/meta/lib/oeqa/selftest/cases/cve_check.py @@ -72,6 +72,54 @@ class CVECheck(OESelftestTestCase): self.assertEqual(convert_cve_version("6.2_rc8"), "6.2-rc8") self.assertEqual(convert_cve_version("6.2_rc31"), "6.2-rc31") + def test_product_match(self): + from oe.cve_check import has_cve_product_match + + status = {} + status["detail"] = "ignored" + status["vendor"] = "*" + status["product"] = "*" + status["description"] = "" + status["mapping"] = "" + + self.assertEqual(has_cve_product_match(status, "some_vendor:some_product"), True) + self.assertEqual(has_cve_product_match(status, "*:*"), True) + self.assertEqual(has_cve_product_match(status, "some_product"), True) + self.assertEqual(has_cve_product_match(status, "glibc"), True) + self.assertEqual(has_cve_product_match(status, "glibca"), True) + self.assertEqual(has_cve_product_match(status, "aglibc"), True) + self.assertEqual(has_cve_product_match(status, "*"), True) + self.assertEqual(has_cve_product_match(status, "aglibc glibc test:test"), True) + + status["product"] = "glibc" + self.assertEqual(has_cve_product_match(status, "some_vendor:some_product"), False) + # The CPE in the recipe must be defined, no * accepted + self.assertEqual(has_cve_product_match(status, "*:*"), False) + self.assertEqual(has_cve_product_match(status, "*"), False) + self.assertEqual(has_cve_product_match(status, "some_product"), False) + self.assertEqual(has_cve_product_match(status, "glibc"), True) + self.assertEqual(has_cve_product_match(status, "glibca"), False) + self.assertEqual(has_cve_product_match(status, "aglibc"), False) + self.assertEqual(has_cve_product_match(status, "some_vendor:glibc"), True) + self.assertEqual(has_cve_product_match(status, "some_vendor:glibc test"), True) + self.assertEqual(has_cve_product_match(status, "test some_vendor:glibc"), True) + + status["vendor"] = "glibca" + status["product"] = "glibc" + self.assertEqual(has_cve_product_match(status, "some_vendor:some_product"), False) + # The CPE in the recipe must be defined, no * accepted + self.assertEqual(has_cve_product_match(status, "*:*"), False) + self.assertEqual(has_cve_product_match(status, "*"), False) + self.assertEqual(has_cve_product_match(status, "some_product"), False) + self.assertEqual(has_cve_product_match(status, "glibc"), False) + self.assertEqual(has_cve_product_match(status, "glibca"), False) + self.assertEqual(has_cve_product_match(status, "aglibc"), False) + self.assertEqual(has_cve_product_match(status, "some_vendor:glibc"), False) + self.assertEqual(has_cve_product_match(status, "glibca:glibc"), True) + self.assertEqual(has_cve_product_match(status, "test:test glibca:glibc"), True) + self.assertEqual(has_cve_product_match(status, "test glibca:glibc"), True) + self.assertEqual(has_cve_product_match(status, "glibca:glibc test"), True) + def test_recipe_report_json(self): config = """