From patchwork Wed Jul 13 20:37:51 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10142
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 1/3] openssl: security upgrade 1.1.1p to 1.1.1q
Date: Wed, 13 Jul 2022 10:37:51 -1000
Message-Id: <6031eecee8ac8bed1c43a04ecf06ed08014346f2.1657739246.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167986

Fixed AES OCB failure to encrypt some bytes on 32-bit x86 platforms (CVE-2022-2097)

Signed-off-by: Steve Sakoman
---
 .../openssl/{openssl_1.1.1p.bb => openssl_1.1.1q.bb} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename meta/recipes-connectivity/openssl/{openssl_1.1.1p.bb => openssl_1.1.1q.bb} (98%)
diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1p.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1q.bb
similarity index 98%
rename from meta/recipes-connectivity/openssl/openssl_1.1.1p.bb
rename to meta/recipes-connectivity/openssl/openssl_1.1.1q.bb
index 8916218c33..139b7fe935 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1p.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1q.bb
@@ -24,7 +24,7 @@ SRC_URI_append_class-nativesdk = " \ file://environment.d-openssl.sh \ " -SRC_URI[sha256sum] = "bf61b62aaa66c7c7639942a94de4c9ae8280c08f17d4eac2e44644d9fc8ace6f" +SRC_URI[sha256sum] = "d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca" inherit lib_package multilib_header multilib_script ptest MULTILIB_SCRIPTS = "${PN}-bin:${bindir}/c_rehash"

From patchwork Wed Jul 13 20:37:52 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10141
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 2/3] vim: upgrade to 9.0.0021
Date: Wed, 13 Jul 2022 10:37:52 -1000
Message-Id: <3230e5f734f69acfe05219da104e8818445c9eff.1657739246.git.steve@sakoman.com>
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167987
From: Ross Burton

This fixes the following CVEs:

- CVE-2022-2257
- CVE-2022-2264
- CVE-2022-2284
- CVE-2022-2285
- CVE-2022-2286
- CVE-2022-2287

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
(cherry picked from commit 03c044a81a76b7505b9d5bf0d936dde75b51905e)
Signed-off-by: Steve Sakoman
---
 meta/recipes-support/vim/vim.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 84c2eed4c8..1893759ae9 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -21,8 +21,8 @@ SRC_URI = "git://github.com/vim/vim.git;branch=master;protocol=https \ file://racefix.patch \ " -PV .= ".0005" -SRCREV = "040674129f3382822eeb7b590380efa5228124a8" +PV .= ".0021" +SRCREV = "5e59ea54c0c37c2f84770f068d95280069828774" # Remove when 8.3 is out UPSTREAM_VERSION_UNKNOWN = "1"

From patchwork Wed Jul 13 20:37:53 2022
X-Patchwork-Submitter: Steve Sakoman
X-Patchwork-Id: 10143
From: Steve Sakoman
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 3/3] classes/cve-check: Move get_patches_cves to library
Date: Wed, 13 Jul 2022 10:37:53 -1000
X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/167988
From: Joshua Watt

Moving the function will allow other classes to capture which CVEs have been patched, in particular SBoM generation.

Also add a function to capture the CPE ID from the CVE Product and Version

(From OE-Core rev: 75d34259a715120be1d023e4fd7b6b4b125f2443)

Signed-off-by: Joshua Watt
Signed-off-by: Alexandre Belloni
Signed-off-by: Richard Purdie
(cherry picked from commit fa6c07bc1a585f204dbdc28704f61448edb8fdc8)
Signed-off-by: Akash Hadke
Signed-off-by: Steve Sakoman
---
 meta/classes/cve-check.bbclass | 62 +------------------------
 meta/lib/oe/cve_check.py       | 82 ++++++++++++++++++++++++++++++++++
 2 files changed, 84 insertions(+), 60 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1688fe2dfe..9eb9a95574 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -136,10 +136,11 @@ python do_cve_check () { """ Check recipe for patched and unpatched CVEs """ + from oe.cve_check import get_patched_cves if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): try: - patched_cves = get_patches_cves(d) + patched_cves = get_patched_cves(d) except FileNotFoundError: bb.fatal("Failure in searching patches") whitelisted, patched, unpatched, status = check_cves(d, patched_cves)
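Review bot: the call site in do_cve_check changes from get_patches_cves(d) to get_patched_cves(d), a rename that neither the subject line ("Move get_patches_cves to library") nor the body mentions; since dunfell is a stable branch, state the rename explicitly in the commit message so that layers referencing the old bbclass-level name know they must move to `from oe.cve_check import get_patched_cves`.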
@@ -247,65 +248,6 @@ ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" do_populate_sdk[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" -def get_patches_cves(d): - """ - Get patches that solve CVEs using the "CVE: " tag. - """ - - import re - - pn = d.getVar("PN") - cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") - - # Matches the last "CVE-YYYY-ID" in the file name, also if written - # in lowercase. Possible to have multiple CVE IDs in a single - # file name, but only the last one will be detected from the file name. - # However, patch files contents addressing multiple CVE IDs are supported - # (cve_match regular expression) - - cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") - - patched_cves = set() - bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) - for url in src_patches(d): - patch_file = bb.fetch.decodeurl(url)[2] - - if not os.path.isfile(patch_file): - bb.error("File Not found: %s" % patch_file) - raise FileNotFoundError - - # Check patch file name for CVE ID - fname_match = cve_file_name_match.search(patch_file) - if fname_match: - cve = fname_match.group(1).upper() - patched_cves.add(cve) - bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) - - with open(patch_file, "r", encoding="utf-8") as f: - try: - patch_text = f.read() - except UnicodeDecodeError: - bb.debug(1, "Failed to read patch %s using UTF-8 encoding" - " trying with iso8859-1" % patch_file) - f.close() - with open(patch_file, "r", encoding="iso8859-1") as f: - patch_text = f.read() - - # Search for one or more "CVE: " lines - text_match = False - for match in cve_match.finditer(patch_text): - # Get only the CVEs without the "CVE: " tag - cves = patch_text[match.start()+5:match.end()] - for cve in cves.split(): - bb.debug(2, "Patch %s solves %s" % (patch_file, 
cve)) - patched_cves.add(cve) - text_match = True - - if not fname_match and not text_match: - bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) - - return patched_cves - def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index b17390de90..a4b831831b 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py 
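Review bot: deleting get_patches_cves from cve-check.bbclass with no compatibility wrapper will break any third-party class or layer that still calls the old global on this stable branch; keep a one-line shim in the class, e.g. `def get_patches_cves(d): return oe.cve_check.get_patched_cves(d)` (with the matching `import oe.cve_check`), or at least flag the removal as a user-visible change in the message.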
@@ -89,3 +89,85 @@ def update_symlinks(target_path, link_path): if os.path.exists(os.path.realpath(link_path)): os.remove(link_path) os.symlink(os.path.basename(target_path), link_path) + +def get_patched_cves(d): + """ + Get patches that solve CVEs using the "CVE: " tag. + """ + + import re + import oe.patch + + pn = d.getVar("PN") + cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") + + # Matches the last "CVE-YYYY-ID" in the file name, also if written + # in lowercase. Possible to have multiple CVE IDs in a single + # file name, but only the last one will be detected from the file name. + # However, patch files contents addressing multiple CVE IDs are supported + # (cve_match regular expression) + + cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") + + patched_cves = set() + bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) + for url in oe.patch.src_patches(d): + patch_file = bb.fetch.decodeurl(url)[2] + + if not os.path.isfile(patch_file): + bb.error("File Not found: %s" % patch_file) + raise FileNotFoundError + + # Check patch file name for CVE ID + fname_match = cve_file_name_match.search(patch_file) + if fname_match: + cve = fname_match.group(1).upper() + patched_cves.add(cve) + bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + + with open(patch_file, "r", encoding="utf-8") as f: + try: + patch_text = f.read() + except UnicodeDecodeError: + bb.debug(1, "Failed to read patch %s using UTF-8 encoding" + " trying with iso8859-1" % patch_file) + f.close() + with open(patch_file, "r", encoding="iso8859-1") as f: + patch_text = f.read() + + # Search for one or more "CVE: " lines + text_match = False + for match in cve_match.finditer(patch_text): + # Get only the CVEs without the "CVE: " tag + cves = patch_text[match.start()+5:match.end()] + for cve in cves.split(): + bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) + patched_cves.add(cve) + text_match = True + + if not fname_match and not text_match: + 
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) + + return patched_cves + + +def get_cpe_ids(cve_product, version): + """ + Get list of CPE identifiers for the given product and version + """ + + version = version.split("+git")[0] + + cpe_ids = [] + for product in cve_product.split(): + # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, + # use wildcard for vendor. + if ":" in product: + vendor, product = product.split(":", 1) + else: + vendor = "*" + + cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' + cpe_ids.append(cpe_id) + + return cpe_ids
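Review bot: the two regular expressions in get_patched_cves use backslash escapes inside plain string literals ("CVE:( CVE\-\d{4}\-\d+)+" and ".*([Cc][Vv][Ee]\-\d{4}\-\d+)"); `\-` and `\d` are not valid Python escape sequences in a non-raw string and produce DeprecationWarning (SyntaxWarning from Python 3.12), so use raw strings such as r"CVE:( CVE-\d{4}-\d+)+" (the hyphen needs no escaping outside a character class). In the same function the explicit `f.close()` before reopening the file with iso8859-1 inside the outer `with` block is redundant, as the inner `with` manages its own handle. Also confirm that `bb` and `os` are imported at module level in meta/lib/oe/cve_check.py: the hunk adds `import re` and `import oe.patch` locally but relies on bb.debug, bb.error, bb.fetch.decodeurl and os.path.isfile from module scope.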