From patchwork Thu Feb 13 05:57:50 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 57227
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BF149C021A7
	for <webhook@archiver.kernel.org>; Thu, 13 Feb 2025 05:58:48 +0000 (UTC)
Received: from mail-wr1-f48.google.com (mail-wr1-f48.google.com
 [209.85.221.48])
 by mx.groups.io with SMTP id smtpd.web10.5172.1739426318330215830
 for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:38 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=bN5dcAAF;
 spf=pass (domain: gmail.com, ip: 209.85.221.48,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wr1-f48.google.com with SMTP id
 ffacd0b85a97d-38dd93ace00so189034f8f.1
        for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1739426316; x=1740031116;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=22MGEjVUnib3qBnu3OtOlTLrtmi4xoabRXyk8/fmWaw=;
        b=bN5dcAAFX6Fnx01XWsvEt66Bhzm2pEBm+pN8UPjXriCDZpfeaBXh+rCaqYro8YMjNb
         tzDnJr1rpjoRZc5E0fScxQrBRf4ZEH7d7Sc+Qj5HODQ+gvQa1LN922QaBcZwoTEhd1pY
         qDdwnMvda13/uzvUSYCBOYPhzKUyWLYZ/guZnClNT1jcVIOsSPiKUnlWh+4hJmCjyyWd
         46bL1FW3aZhYYBg4SshqDf8g+p1+ihJAf41g5aUdDA4EgMsNOycgFHFQ0YB5hgw+k6Vy
         oofOOjG3GZOV3R5MKuX8zB9nt489XuwDoFFkZ5D3SXl+kr5SauXqQXf2JCao/qEbQjAh
         9VUg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739426316; x=1740031116;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=22MGEjVUnib3qBnu3OtOlTLrtmi4xoabRXyk8/fmWaw=;
        b=NneG+6tvUzhikMsbum5XJJKuTl5e6wm3QEUf+Evc2hKi73NL3f1/xxLEScJgrck9Oo
         LCyg5RcLBigLkoJP4WYp/AQ5LX52gDhoaM448aiNoJQRvWyvXPmkNcWGwdE+hQjojf62
         W/QoA1pbT1KeG1vtasrCrFITsXYCCm+Yj73EiwxU+LHQCfMFyG87yQuvPqkQIxszwIUG
         i1MQG7RzEhJ9EGkeORWdG6JBzi/KRIR1Pt4094talY9p77j92XifJdXQvfBVkeFb7MLK
         y1/5KAmwWOgf0K3Ae2SikxT46wUec1lT7JhjPxWetO6wb8UL0ozjYlR/u+yQy69PKK8H
         tgMg==
X-Gm-Message-State: AOJu0YwoOD4yS779Fek2AspDegNhlLp63EO43us2CDD7UknP0g+C3khk
	7l67ktDtG8qfE0YpD6jmzNJCAIj4QLU60VdB3v3at2i5JrIj6bAwJD8zpg==
X-Gm-Gg: ASbGncu1hkv8qcG6sqh3ziAhU93KehvZZJCoLIiLZExaA/UiUtNtLBvt6oQGZhmqkpb
	pYsApSHSdGzv0SeB3YFylx68JB3M9B4gep0iqTYyJuOqfShwe8RFby8/dKT7KIccVLS4V7EwWen
	/LpbkTbN3u9MT/GT85CSESwgg6GJkYDD307/XHnoqn0cSxhERUlq0gHHWoTNTYn9iOk1GUN4JCZ
	jw1D9F/di8O+uOEMPfZDIMh7EEq3RPAHqCFO/1ZT3tIPRL2zhZuazgqtaTNzLbfZgqIQRdbcD8M
	jU+hqUIAMywe6R8cObgBHn/6mVY=
X-Google-Smtp-Source: 
 AGHT+IGOtgiMY0otmN5J1o+l8hKn1sXNFAnJ9SlRR1tm+GoyADobAzdE7c0Hnn1E8p7WwmFZNWyXHg==
X-Received: by 2002:a5d:47ca:0:b0:38f:23f9:b367 with SMTP id
 ffacd0b85a97d-38f23f9b430mr1878243f8f.23.1739426315861;
        Wed, 12 Feb 2025 21:58:35 -0800 (PST)
Received: from voyage.lan ([2a0d:3341:cd51:2e10:d277:cf7f:82d1:a7d])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-439617fc885sm7466515e9.9.2025.02.12.21.58.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 12 Feb 2025 21:58:34 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v4][OE-core 1/4] cve-update-db-native: restore
Date: Thu, 13 Feb 2025 06:57:50 +0100
Message-ID: <20250213055811.6873-2-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
References: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Thu, 13 Feb 2025 05:58:48 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211291

Restore cve-update-db from kirkstone

Use cve-update-db-native.bb from OE 8c10f4a4dc12f65212576e6e568fa4369014aaa0

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../recipes-core/meta/cve-update-db-native.bb | 291 ++++++++++++++++++
 1 file changed, 291 insertions(+)
 create mode 100644 meta/recipes-core/meta/cve-update-db-native.bb

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
new file mode 100644
index 0000000000..e042e67b09
--- /dev/null
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -0,0 +1,291 @@
+SUMMARY = "Updates the NVD CVE database"
+LICENSE = "MIT"
+
+INHIBIT_DEFAULT_DEPS = "1"
+
+inherit native
+
+deltask do_unpack
+deltask do_patch
+deltask do_configure
+deltask do_compile
+deltask do_install
+deltask do_populate_sysroot
+
+NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+# Use a negative value to skip the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
+
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db"
+
+python () {
+    if not bb.data.inherits_class("cve-check", d):
+        raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
+}
+
+python do_fetch() {
+    """
+    Update NVD database with json data feed
+    """
+    import bb.utils
+    import bb.progress
+    import shutil
+
+    bb.utils.export_proxies(d)
+
+    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_dir = os.path.dirname(db_file)
+    db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
+
+    cleanup_db_download(db_file, db_tmp_file)
+
+    # The NVD database changes once a day, so no need to update more frequently
+    # Allow the user to force-update
+    try:
+        import time
+        update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+        if update_interval < 0:
+            bb.note("CVE database update skipped")
+            return
+        if time.time() - os.path.getmtime(db_file) < update_interval:
+            bb.debug(2, "Recently updated, skipping")
+            return
+
+    except OSError:
+        pass
+
+    bb.utils.mkdirhier(db_dir)
+    if os.path.exists(db_file):
+        shutil.copy2(db_file, db_tmp_file)
+
+    if update_db_file(db_tmp_file, d) == True:
+        # Update downloaded correctly, can swap files
+        shutil.move(db_tmp_file, db_file)
+    else:
+        # Update failed, do not modify the database
+        bb.note("CVE database update failed")
+        os.remove(db_tmp_file)
+}
+
+do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[file-checksums] = ""
+do_fetch[vardeps] = ""
+
+def cleanup_db_download(db_file, db_tmp_file):
+    """
+    Cleanup the download space from possible failed downloads
+    """
+
+    # Clean up the updates done on the main file
+    # Remove it only if a journal file exists - it means a complete re-download
+    if os.path.exists("{0}-journal".format(db_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_file))
+
+        if os.path.exists(db_file):
+            os.remove(db_file)
+
+    # Clean-up the temporary file downloads, we can remove both journal
+    # and the temporary database
+    if os.path.exists("{0}-journal".format(db_tmp_file)):
+        # If a journal is present the last update might have been interrupted. In that case,
+        # just wipe any leftovers and force the DB to be recreated.
+        os.remove("{0}-journal".format(db_tmp_file))
+
+    if os.path.exists(db_tmp_file):
+        os.remove(db_tmp_file)
+
+def update_db_file(db_tmp_file, d):
+    """
+    Update the given database file
+    """
+    import bb.utils, bb.progress
+    from datetime import date
+    import urllib, gzip, sqlite3
+
+    YEAR_START = 2002
+    cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+
+    # Connect to database
+    conn = sqlite3.connect(db_tmp_file)
+    initialize_db(conn)
+
+    with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f:
+        total_years = date.today().year + 1 - YEAR_START
+        for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
+            bb.debug(2, "Updating %d" % year)
+            ph.update((float(i + 1) / total_years) * 100)
+            year_url = (d.getVar('NVDCVE_URL')) + str(year)
+            meta_url = year_url + ".meta"
+            json_url = year_url + ".json.gz"
+
+            # Retrieve meta last modified date
+            try:
+                response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
+            except urllib.error.URLError as e:
+                cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
+                bb.warn("Failed to fetch CVE data (%s)" % e)
+                import socket
+                result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
+                bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
+                return False
+
+            if response:
+                for l in response.read().decode("utf-8").splitlines():
+                    key, value = l.split(":", 1)
+                    if key == "lastModifiedDate":
+                        last_modified = value
+                        break
+                else:
+                    bb.warn("Cannot parse CVE metadata, update failed")
+                    return False
+
+            # Compare with current db last modified date
+            cursor = conn.execute("select DATE from META where YEAR = ?", (year,))
+            meta = cursor.fetchone()
+            cursor.close()
+
+            if not meta or meta[0] != last_modified:
+                bb.debug(2, "Updating entries")
+                # Clear products table entries corresponding to current year
+                conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close()
+
+                # Update db with current year json file
+                try:
+                    response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
+                    if response:
+                        update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
+                    conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
+                except urllib.error.URLError as e:
+                    cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+                    bb.warn("Cannot parse CVE data (%s), update failed" % e.reason)
+                    return False
+            else:
+                bb.debug(2, "Already up to date (last modified %s)" % last_modified)
+            # Update success, set the date to cve_check file.
+            if year == date.today().year:
+                cve_f.write('CVE database update : %s\n\n' % date.today())
+
+        conn.commit()
+        conn.close()
+        return True
+
+def initialize_db(conn):
+    with conn:
+        c = conn.cursor()
+
+        c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
+            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+
+        c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
+            VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
+            VERSION_END TEXT, OPERATOR_END TEXT)")
+        c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
+
+        c.close()
+
+def parse_node_and_insert(conn, node, cveId):
+    # Parse children node if needed
+    for child in node.get('children', ()):
+        parse_node_and_insert(conn, child, cveId)
+
+    def cpe_generator():
+        for cpe in node.get('cpe_match', ()):
+            if not cpe['vulnerable']:
+                return
+            cpe23 = cpe.get('cpe23Uri')
+            if not cpe23:
+                return
+            cpe23 = cpe23.split(':')
+            if len(cpe23) < 6:
+                return
+            vendor = cpe23[3]
+            product = cpe23[4]
+            version = cpe23[5]
+
+            if cpe23[6] == '*' or cpe23[6] == '-':
+                version_suffix = ""
+            else:
+                version_suffix = "_" + cpe23[6]
+
+            if version != '*' and version != '-':
+                # Version is defined, this is a '=' match
+                yield [cveId, vendor, product, version + version_suffix, '=', '', '']
+            elif version == '-':
+                # no version information is available
+                yield [cveId, vendor, product, version, '', '', '']
+            else:
+                # Parse start version, end version and operators
+                op_start = ''
+                op_end = ''
+                v_start = ''
+                v_end = ''
+
+                if 'versionStartIncluding' in cpe:
+                    op_start = '>='
+                    v_start = cpe['versionStartIncluding']
+
+                if 'versionStartExcluding' in cpe:
+                    op_start = '>'
+                    v_start = cpe['versionStartExcluding']
+
+                if 'versionEndIncluding' in cpe:
+                    op_end = '<='
+                    v_end = cpe['versionEndIncluding']
+
+                if 'versionEndExcluding' in cpe:
+                    op_end = '<'
+                    v_end = cpe['versionEndExcluding']
+
+                if op_start or op_end or v_start or v_end:
+                    yield [cveId, vendor, product, v_start, op_start, v_end, op_end]
+                else:
+                    # This is no version information, expressed differently.
+                    # Save processing by representing as -.
+                    yield [cveId, vendor, product, '-', '', '', '']
+
+    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+
+def update_db(conn, jsondata):
+    import json
+    root = json.loads(jsondata)
+
+    for elt in root['CVE_Items']:
+        if not elt['impact']:
+            continue
+
+        accessVector = None
+        cveId = elt['cve']['CVE_data_meta']['ID']
+        cveDesc = elt['cve']['description']['description_data'][0]['value']
+        date = elt['lastModifiedDate']
+        try:
+            accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+            cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
+        except KeyError:
+            cvssv2 = 0.0
+        try:
+            accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
+            cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+
+        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+
+        configurations = elt['configurations']['nodes']
+        for config in configurations:
+            parse_node_and_insert(conn, config, cveId)
+
+
+do_fetch[nostamp] = "1"
+
+EXCLUDE_FROM_WORLD = "1"

From patchwork Thu Feb 13 05:57:51 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 57226
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C12E5C021A9
	for <webhook@archiver.kernel.org>; Thu, 13 Feb 2025 05:58:48 +0000 (UTC)
Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com
 [209.85.221.41])
 by mx.groups.io with SMTP id smtpd.web11.4979.1739426322705982244
 for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:43 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=BaDJBvom;
 spf=pass (domain: gmail.com, ip: 209.85.221.41,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wr1-f41.google.com with SMTP id
 ffacd0b85a97d-38dc0cd94a6so207207f8f.0
        for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1739426320; x=1740031120;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=AcRIcyCk+vo/IMPLlKy7KfwP1ZM+IGvXXxVqSEGK18g=;
        b=BaDJBvomioZxuV038HPMz+EifOLgyxXEevWUxYX5UNbfhgluHnYgL3HRXu9GBhGw7D
         fRmbYceSdqMSGul5xr+EiEk++J9L/UjYupmEVtWOYdVI5boWchyt2ERKUITGbRPr0dia
         k99d6QYv2iJfiUoSzVdb2mq922od7PpWVDOG3GcXxarfOcv9Q33L08VkeqyoJ4oAZMnd
         0rv5ozJwyYqf69aXcAm6U/szLYK5JMRPf74PbuWwObeW9ITfZJPxfAhzbCTAb+eJ41Hz
         odpWKXjml4ioEg0kX9HXQ1DIfTGqZo3fKeaIsgMN9DkDPAU37oA2HtG8lBg+eAD6ZzOS
         ejFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739426320; x=1740031120;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=AcRIcyCk+vo/IMPLlKy7KfwP1ZM+IGvXXxVqSEGK18g=;
        b=QzcajYx1K7zf8rrWVqf6WlhTKR4bjh7utLMn9Dpc/dRRqY4nKPQZztkFX3WiDy/1rm
         mOedE6011fXP/zDBoAmPATjUgyg/VsrkroVQwd80W7ZBD720cMRGGWLaImFs2KJKpDQj
         q195xkvliF9ioSBkoY0xwEcdF3O3wneXD0yLRB9GXT440FSBJ9Bw3Ax+xMLBo80aLfQY
         vUBti8nY+MOyxpLXFSMH0ICkItYqzgItLWTVznj7veirzOd1F18Ax4Qp5D04YbBE/Bjx
         Tkgdl3XtujaUl2ovL4+LwVQGQQ7QBIFMVRtrnrBiupkgjfEqEwN7BNiln1ZRK/KzqKGb
         RVGw==
X-Gm-Message-State: AOJu0YwQHUk4GLIEO19qMFngdot3x8W1A9cez/Qu/WqpjYGF5AZybSTD
	MNXjK/h7QOtRajI+FMp337rR7HRkQN9lUsOUC0yQIOY0I6eMmmm9gGOiuA==
X-Gm-Gg: ASbGnctUs+6yhcw1TS7XYJ/Z3xq8UoCA4GY8P3MsRk4EhM9U61RDfIQFIpq/lSnPBcV
	7cR9rRSkMOMbmusLzVLFQk5an7xmD4nIir+9WMioQGQWddUJnVF5383IN3nICkQ5UeFq0GiobN7
	4K64ug2h36sfKzdPPurf4qt3TQ95mk03Rm7Ofzo2s60RxyS5b+iZayWfcHHTHfuYepkpwSYdahE
	E9tp6q/ZJYVmXo8vJ2r4l5yLoAgWLjS/Ga/2Qqk4Ii1WycKuJZNtSSU5YaYXK4wcTK0GBbpzATl
	WrtxLRINNa2jy3e0xndZw9eIvh0=
X-Google-Smtp-Source: 
 AGHT+IFzqeR/1CVF7embi4A6vNXAyprkZtifvDjVmG7Ys0jSeEa/KkJo9UZD8B7ZS2KGoXAwXluD1A==
X-Received: by 2002:adf:f38f:0:b0:38f:2407:103e with SMTP id
 ffacd0b85a97d-38f244fcb0amr1118731f8f.30.1739426320336;
        Wed, 12 Feb 2025 21:58:40 -0800 (PST)
Received: from voyage.lan ([2a0d:3341:cd51:2e10:d277:cf7f:82d1:a7d])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-439617fc885sm7466515e9.9.2025.02.12.21.58.37
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 12 Feb 2025 21:58:38 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v4][OE-core 2/4] cve-update-db-native: update structure
Date: Thu, 13 Feb 2025 06:57:51 +0100
Message-ID: <20250213055811.6873-3-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
References: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Thu, 13 Feb 2025 05:58:48 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211292

Update the database structure and tasks to fit the current YP master.
This means:
- add the unpack task
- update the database structure (CVSS, vector string)
- use the temporary database in the same directory as the download

However, the old feed does not include CVSS4

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../recipes-core/meta/cve-update-db-native.bb | 28 ++++++++++++++-----
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index e042e67b09..3a9d43943c 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -5,7 +5,6 @@ INHIBIT_DEFAULT_DEPS = "1"
 
 inherit native
 
-deltask do_unpack
 deltask do_patch
 deltask do_configure
 deltask do_compile
@@ -21,7 +20,10 @@ CVE_DB_UPDATE_INTERVAL ?= "86400"
 # Timeout for blocking socket operations, such as the connection attempt.
 CVE_SOCKET_TIMEOUT ?= "60"
 
-CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db"
+CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK2/${CVE_CHECK_DB_FILENAME}"
+CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock"
+
+CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DLDIR_FILE}.tmp"
 
 python () {
     if not bb.data.inherits_class("cve-check", d):
@@ -38,7 +40,7 @@ python do_fetch() {
 
     bb.utils.export_proxies(d)
 
-    db_file = d.getVar("CVE_CHECK_DB_FILE")
+    db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE")
     db_dir = os.path.dirname(db_file)
     db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
 
@@ -72,10 +74,16 @@ python do_fetch() {
         os.remove(db_tmp_file)
 }
 
-do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
+do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}"
 do_fetch[file-checksums] = ""
 do_fetch[vardeps] = ""
 
+python do_unpack() {
+    import shutil
+    shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE"))
+}
+do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}"
+
 def cleanup_db_download(db_file, db_tmp_file):
     """
     Cleanup the download space from possible failed downloads
@@ -183,7 +191,7 @@ def initialize_db(conn):
         c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
 
         c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
-            SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+            SCOREV2 TEXT, SCOREV3 TEXT, SCOREV4 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
 
         c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
             VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -263,23 +271,29 @@ def update_db(conn, jsondata):
             continue
 
         accessVector = None
+        vectorString = None
+        cvssv2 = 0.0
+        cvssv3 = 0.0
+        cvssv4 = 0.0
         cveId = elt['cve']['CVE_data_meta']['ID']
         cveDesc = elt['cve']['description']['description_data'][0]['value']
         date = elt['lastModifiedDate']
         try:
             accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
+            vectorString = elt['impact']['baseMetricV2']['cvssV2']['vectorString']
             cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
         except KeyError:
             cvssv2 = 0.0
         try:
             accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector']
+            vectorString = vectorString or elt['impact']['baseMetricV3']['cvssV3']['vectorString']
             cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
         except KeyError:
             accessVector = accessVector or "UNKNOWN"
             cvssv3 = 0.0
 
-        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
-                [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
 
         configurations = elt['configurations']['nodes']
         for config in configurations:

From patchwork Thu Feb 13 05:57:52 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 57229
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id C1775C021A9
	for <webhook@archiver.kernel.org>; Thu, 13 Feb 2025 05:58:58 +0000 (UTC)
Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com
 [209.85.128.44])
 by mx.groups.io with SMTP id smtpd.web11.4980.1739426329993198788
 for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:50 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=bPg3PSHy;
 spf=pass (domain: gmail.com, ip: 209.85.128.44,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wm1-f44.google.com with SMTP id
 5b1f17b1804b1-439554db49dso5277185e9.1
        for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1739426328; x=1740031128;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=ImzEIZMVYsw73I8woBiZAyXCzlhVSqvB5yaZOPjjxDY=;
        b=bPg3PSHyhMioJH30/qQrb+TGrlLaa1OHKwMw4LdoIxdA45eav8hah2q5Ls/DwP7azZ
         NOb695I5AQWlA5ysIuHxpI+UFSO1090cNVcDic4put+apcVxwyFgC4nOq6W1erJ+I1tj
         pt+NxmJ69By45Qktv2hHST88YuGxGAZgo9fDd91xjG1g9sKjwvE1htEkiV+vw+gsgLYh
         NuRmNiCr05qge1ZYlmKQllNtaPrPWFaQrlz+ZZJ9aNSBbGRhvnJCBh/mzEpVclzxcF6k
         vsyw47or+5g745TWmWxvGOSDaflBf+YJ3mK62RzIfx/Hq5s3Ozw4ta/u46NvY+Ql5+eo
         I2VQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739426328; x=1740031128;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=ImzEIZMVYsw73I8woBiZAyXCzlhVSqvB5yaZOPjjxDY=;
        b=ocQLyKkOOFalLmEIj407PrZgRPUe7VBdcFoHtg2UlZE89IfZy53ukAcwxu7TWUW8WV
         qxrLTgWm8mNERSFQx8KYnw0KkA0Hzame0PFxEXZb+4y0RZvOzUzQz88r+pfCrJO1ph7a
         jC+JiwaTfqrYGSIYaO7SWXYg5scsxHL7cZX23xWbsmvY4gOO55itIJUDXsvWtuy3+bvN
         l9tbLEZaMsrkUbidLC3tqxCUAdfEzzh1L5lKhlnLPhbg44EODChAfvrjUYLReCjNfNCx
         1U0UsgiBUlxlVdZe9TL+TICMmtdc5cmzGUdizFU7l6voAMH2Y5aBAmZPPX/R09XjvG6A
         sp2Q==
X-Gm-Message-State: AOJu0YxszkU3KRj02Kp4ki3c0d0iBWp3A+bQnXv6rosHdx8A+wbSgiEm
	OYXeQEmkaiJcdr4U2XbJTLug0rValvud//ypHBChLIcVIILRZkI3N86cyQ==
X-Gm-Gg: ASbGncvUAYOe3cXwDCxtRgolut2o3DFzyUriIw2KPPNAXTRAWHCxxX+N8DweFLv0Kl6
	uNcdpn6dLK8GCSsrl3XAVnvQv6FP3V1c9AsknqkRBWh0VQqdMnDM6X0BeGpisJE0BWX7FSyA6wL
	fLTfkA44QY93R3aJKfdXYWGZ8JhT1KOSIaoIPs5+Cg5ev2pTgLFLeIUUsgDrjKhtuYegT4vMtN7
	7jz2ijcfTjTCUffoP97b17VSCzJVrCojG71Xs8WFrDz6fZKyA4QXceu+2YwoCEWFWNnpsl9XSSr
	649iVqkI8Sbzqombr7NRksOATlY=
X-Google-Smtp-Source: 
 AGHT+IHvBjYRzQOiNx/krqcFXQg+p/Hg//5QGgTwf/AR4bC93SUekkBKC2dp6+OqQSxvuF7mEd8PQA==
X-Received: by 2002:a05:600c:1909:b0:439:4a1f:cf8e with SMTP id
 5b1f17b1804b1-439580d5f07mr64864605e9.0.1739426327803;
        Wed, 12 Feb 2025 21:58:47 -0800 (PST)
Received: from voyage.lan ([2a0d:3341:cd51:2e10:d277:cf7f:82d1:a7d])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-439617fc885sm7466515e9.9.2025.02.12.21.58.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 12 Feb 2025 21:58:46 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v4][OE-core 3/4] cve-update-db-native: add the fkie source
Date: Thu, 13 Feb 2025 06:57:52 +0100
Message-ID: <20250213055811.6873-4-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
References: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Thu, 13 Feb 2025 05:58:58 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211293

Add support for FKIE-CAD reconstruction of NVD feed from
https://github.com/fkie-cad/nvd-json-data-feeds

We download this feed directly from github releases.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 .../recipes-core/meta/cve-update-db-native.bb | 126 ++++++++++++++++--
 1 file changed, 113 insertions(+), 13 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 3a9d43943c..792252f510 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -12,6 +12,8 @@ deltask do_install
 deltask do_populate_sysroot
 
 NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
+FKIE_URL ?= "https://github.com/fkie-cad/nvd-json-data-feeds/releases/latest/download/CVE-"
+
 # CVE database update interval, in seconds. By default: once a day (24*60*60).
 # Use 0 to force the update
 # Use a negative value to skip the update
@@ -109,6 +111,30 @@ def cleanup_db_download(db_file, db_tmp_file):
     if os.path.exists(db_tmp_file):
         os.remove(db_tmp_file)
 
+def db_file_names(d, year, is_nvd):
+    if is_nvd:
+        year_url = d.getVar('NVDCVE_URL') + str(year)
+        meta_url = year_url + ".meta"
+        json_url = year_url + ".json.gz"
+        return json_url, meta_url
+    year_url = d.getVar('FKIE_URL') + str(year)
+    meta_url = year_url + ".meta"
+    json_url = year_url + ".json.xz"
+    return json_url, meta_url
+
+def host_db_name(d, is_nvd):
+    if is_nvd:
+        return "nvd.nist.gov"
+    return "github.com"
+
+def db_decompress(d, data, is_nvd):
+    import gzip, lzma
+
+    if is_nvd:
+        return gzip.decompress(data).decode('utf-8')
+    # otherwise
+    return lzma.decompress(data)
+
 def update_db_file(db_tmp_file, d):
     """
     Update the given database file
@@ -119,6 +145,7 @@ def update_db_file(db_tmp_file, d):
 
     YEAR_START = 2002
     cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
+    is_nvd = d.getVar("NVD_DB_VERSION") == "NVD1"
 
     # Connect to database
     conn = sqlite3.connect(db_tmp_file)
@@ -129,9 +156,7 @@ def update_db_file(db_tmp_file, d):
         for i, year in enumerate(range(YEAR_START, date.today().year + 1)):
             bb.debug(2, "Updating %d" % year)
             ph.update((float(i + 1) / total_years) * 100)
-            year_url = (d.getVar('NVDCVE_URL')) + str(year)
-            meta_url = year_url + ".meta"
-            json_url = year_url + ".json.gz"
+            json_url, meta_url = db_file_names(d, year, is_nvd)
 
             # Retrieve meta last modified date
             try:
@@ -140,7 +165,7 @@ def update_db_file(db_tmp_file, d):
                 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
                 bb.warn("Failed to fetch CVE data (%s)" % e)
                 import socket
-                result = socket.getaddrinfo("nvd.nist.gov", 443, proto=socket.IPPROTO_TCP)
+                result = socket.getaddrinfo(host_db_name(d, is_nvd), 443, proto=socket.IPPROTO_TCP)
                 bb.warn("Host IPs are %s" % (", ".join(t[4][0] for t in result)))
                 return False
 
@@ -168,7 +193,7 @@ def update_db_file(db_tmp_file, d):
                 try:
                     response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
                     if response:
-                        update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
+                        update_db(d, conn, db_decompress(d, response.read(), is_nvd))
                     conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
                 except urllib.error.URLError as e:
                     cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
@@ -200,16 +225,22 @@ def initialize_db(conn):
 
         c.close()
 
-def parse_node_and_insert(conn, node, cveId):
+def parse_node_and_insert(conn, node, cveId, is_nvd):
     # Parse children node if needed
     for child in node.get('children', ()):
-        parse_node_and_insert(conn, child, cveId)
+        parse_node_and_insert(conn, child, cveId, is_nvd)
+
+    def cpe_generator(is_nvd):
+        match_string = "cpeMatch"
+        cpe_string = 'criteria'
+        if is_nvd:
+            match_string = "cpe_match"
+            cpe_string = 'cpe23Uri'
 
-    def cpe_generator():
-        for cpe in node.get('cpe_match', ()):
+        for cpe in node.get(match_string, ()):
             if not cpe['vulnerable']:
                 return
-            cpe23 = cpe.get('cpe23Uri')
+            cpe23 = cpe.get(cpe_string)
             if not cpe23:
                 return
             cpe23 = cpe23.split(':')
@@ -260,9 +291,9 @@ def parse_node_and_insert(conn, node, cveId):
                     # Save processing by representing as -.
                     yield [cveId, vendor, product, '-', '', '', '']
 
-    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close()
+    conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator(is_nvd)).close()
 
-def update_db(conn, jsondata):
+def update_db_nvdjson(conn, jsondata):
     import json
     root = json.loads(jsondata)
 
@@ -297,8 +328,77 @@ def update_db(conn, jsondata):
 
         configurations = elt['configurations']['nodes']
         for config in configurations:
-            parse_node_and_insert(conn, config, cveId)
+            parse_node_and_insert(conn, config, cveId, True)
+
+def update_db_fkie(conn, jsondata):
+    import json
+    root = json.loads(jsondata)
+
+    for elt in root['cve_items']:
+        if not 'vulnStatus' in elt or elt['vulnStatus'] == 'Rejected':
+            continue
+
+        if not 'configurations' in elt:
+            continue
+
+        accessVector = None
+        vectorString = None
+        cvssv2 = 0.0
+        cvssv3 = 0.0
+        cvssv4 = 0.0
+        cveId = elt['id']
+        cveDesc = elt['descriptions'][0]['value']
+        date = elt['lastModified']
+        try:
+            for m in elt['metrics']['cvssMetricV2']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv2 = m['cvssData']['baseScore']
+        except KeyError:
+            cvssv2 = 0.0
+        try:
+            for m in elt['metrics']['cvssMetricV30']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv3 = m['cvssData']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+        try:
+            for m in elt['metrics']['cvssMetricV31']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv3 = m['cvssData']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv3 = 0.0
+        try:
+            for m in elt['metrics']['cvssMetricV40']:
+                if m['type'] == 'Primary':
+                    accessVector = m['cvssData']['accessVector']
+                    vectorString = m['cvssData']['vectorString']
+                    cvssv4 = m['cvssData']['baseScore']
+        except KeyError:
+            accessVector = accessVector or "UNKNOWN"
+            cvssv4 = 0.0
 
+        conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?, ?)",
+                [cveId, cveDesc, cvssv2, cvssv3, cvssv4, date, accessVector, vectorString]).close()
+
+        for config in elt['configurations']:
+            # This is suboptimal as it doesn't handle AND/OR and negate, but is better than nothing
+            for node in config["nodes"]:
+                parse_node_and_insert(conn, node, cveId, False)
+
+
+def update_db(d, conn, jsondata):
+    if (d.getVar("NVD_DB_VERSION") == "FKIE"):
+        return update_db_fkie(conn, jsondata)
+    else:
+        return update_db_nvdjson(conn, jsondata)
 
 do_fetch[nostamp] = "1"
 

From patchwork Thu Feb 13 05:57:53 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Marta Rybczynska <rybczynska@gmail.com>
X-Patchwork-Id: 57228
Return-Path: <rybczynska@gmail.com>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org
 (localhost.localdomain [127.0.0.1])
	by smtp.lore.kernel.org (Postfix) with ESMTP id BFB56C021A8
	for <webhook@archiver.kernel.org>; Thu, 13 Feb 2025 05:58:58 +0000 (UTC)
Received: from mail-wm1-f44.google.com (mail-wm1-f44.google.com
 [209.85.128.44])
 by mx.groups.io with SMTP id smtpd.web11.4984.1739426336025609707
 for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:56 -0800
Authentication-Results: mx.groups.io;
 dkim=pass header.i=@gmail.com header.s=20230601 header.b=CRIla/yC;
 spf=pass (domain: gmail.com, ip: 209.85.128.44,
 mailfrom: rybczynska@gmail.com)
Received: by mail-wm1-f44.google.com with SMTP id
 5b1f17b1804b1-4394a0c65fcso4904405e9.1
        for <openembedded-core@lists.openembedded.org>;
 Wed, 12 Feb 2025 21:58:55 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1739426334; x=1740031134;
 darn=lists.openembedded.org;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:from:to:cc:subject:date
         :message-id:reply-to;
        bh=YJ7sNtiDCiqs+PM/kP6I5gdURYbIXXqI8SshTgYSEC0=;
        b=CRIla/yCRMYvkxHgwEMVwwPcuNYoOl1FmZkByMMkCSwN10dmkNyN4QjZF7Yn4SHMCr
         kumZFkkdmENIa/q1gW+bDDuC7S4mVYFqW3YuYYAeZrDVU7A6nvUlzAPboQjSDDhlzjMw
         DGpj1nQewuX98iZU8RN/661DkaeOLXF4RXnst+UxhSPZxbHNvurPsdn/4lsAx96oHxjt
         0swI/8vjomUlXaqBqSAlV0yLkjXlV8brWHoqUGChUdYHZcqZ9y1lELGU9gLmq8IN6GE0
         AW2eOODNJJFy+23XrjEZ2xV5i/ZPXGpLYXs0fwJayuM8Rk8ShXBfTmNGUH7UTxWekDRN
         MBFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1739426334; x=1740031134;
        h=content-transfer-encoding:mime-version:references:in-reply-to
         :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=YJ7sNtiDCiqs+PM/kP6I5gdURYbIXXqI8SshTgYSEC0=;
        b=JdyT5u+T94VeTYbfQHC8UsQNixQWEGPO6Qp1m+ikoKu7lSH1xPA5MF29otcy2kjKkk
         HcOumYwwyIeWu7Q+ZxTUkLDDtVOsnRjDQoFFnJIhvC70vegwf4U4c1Zn8gRT0DJ7YmOr
         1DMCWkufD/rvzKVKthuysfoKuGOJ06R803FqlF5uUFqOo8o5x/oD8U/Sa+LnYaaCftcc
         th/MdPXOlBNRe+snhV6FqWUFKKLJXCKoN52UdBk6cnsBufxTTJuH0XWTBH+Nw39GqqYn
         AcNZhvtr15iuZIWetoK94M+18XV9KuRu9A5KpZwUvhT8XS0qg53jh/J5ncSQSmQQnZC3
         Gc/w==
X-Gm-Message-State: AOJu0YzPN5+7d4ayq+PhSlEpd3OCrgdT1hqByFSEBWCwyu3517AT+2If
	pB8QlYsPg8FLG1S3THgtYvw7arBQvEDRg0rHLiJxt4YglkbvTfRt0dyh/g==
X-Gm-Gg: ASbGncvqKqiBbINflt18cFmP5TCcF+F5Sz939NJlQIHFzs+Gl+xCnVMyuX0Ij/bU2vT
	HuLMfAMdUBerA9E7WyVxNoymQC88ogcA89Ex9XK/lj0o475ugy0U1Rkxq7nW9zbvjS/FCQMoCJD
	4Iv46VTr6FQy4tHv4YQEyAHet9czEguq5DYwCiCWYoR32HjA62DCCsiC07xHrZDyb+hA313c0JW
	3JIUkxO5x+aQLYoXS8dRdWeWBFmaeBoJSOni8Tng6KVgn/ICZuH5NLFhxPbbP/8bU1nvniXAMFk
	KiHzmuGlwH1pEr7SBNLhEiTxiws=
X-Google-Smtp-Source: 
 AGHT+IEB7xWhf2/3RSsw3A8dAberG3y2ss34doxB20J3clH40PJnAcs2ayrS9GEwFHFo+YAVuFlsHw==
X-Received: by 2002:a5d:5109:0:b0:385:ee3f:5cbf with SMTP id
 ffacd0b85a97d-38f244e536emr1422620f8f.20.1739426333681;
        Wed, 12 Feb 2025 21:58:53 -0800 (PST)
Received: from voyage.lan ([2a0d:3341:cd51:2e10:d277:cf7f:82d1:a7d])
        by smtp.gmail.com with ESMTPSA id
 5b1f17b1804b1-439617fc885sm7466515e9.9.2025.02.12.21.58.51
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 12 Feb 2025 21:58:53 -0800 (PST)
From: Marta Rybczynska <rybczynska@gmail.com>
X-Google-Original-From: Marta Rybczynska <marta.rybczynska@ygreky.com>
To: openembedded-core@lists.openembedded.org
Cc: Marta Rybczynska <marta.rybczynska@ygreky.com>
Subject: [PATCH v4][OE-core 4/4] cve-check: allow feed choice
Date: Thu, 13 Feb 2025 06:57:53 +0100
Message-ID: <20250213055811.6873-5-marta.rybczynska@ygreky.com>
X-Mailer: git-send-email 2.45.2
In-Reply-To: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
References: <20250213055811.6873-1-marta.rybczynska@ygreky.com>
MIME-Version: 1.0
List-Id: <openembedded-core.lists.openembedded.org>
X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by
 aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for
 <openembedded-core@lists.openembedded.org>; Thu, 13 Feb 2025 05:58:58 -0000
X-Groupsio-URL: 
 https://lists.openembedded.org/g/openembedded-core/message/211294

Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.

Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction

In case of malformed database feed name, we default to NVD2 and show
an error.

Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
---
 meta/classes/cve-check.bbclass | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 6e10dd915a..90097cfde8 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -31,7 +31,12 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
-CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
+# Possible database sources: NVD1, NVD2, FKIE
+NVD_DB_VERSION ?= "NVD2"
+
+# Use different file names for each database source, as they synchronize at different moments, so may be slightly different
+CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}"
+CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}"
 CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
@@ -114,6 +119,11 @@ python () {
                 d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
         else:
             bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+
+    nvd_database_type = d.getVar("NVD_DB_VERSION")
+    if nvd_database_type not in ("NVD1", "NVD2", "FKIE"):
+        bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2")
+        d.setVar("NVD_DB_VERSION", "NVD2")
 }
 
 def generate_json_report(d, out_path, link_path):
@@ -182,7 +192,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-nvd2-native:do_unpack"
+do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack"
 do_cve_check[nostamp] = "1"
 
 python cve_check_cleanup () {