Commit: 9b8be81eef93a8d4a33ce8c6ca291c9d4584d681 Author: Ray Molenkamp Date: Mon Oct 10 11:48:05 2022 -0600 Branches: master https://developer.blender.org/rB9b8be81eef93a8d4a33ce8c6ca291c9d4584d681
deps_builder: Add support for cve-bin-tool This change adds support for intels cve-bin-tool [1] in the deps builder. This adds 2 new targets to the builder that do not build automatically but can be build on demand when required. `make cve_check` will output to the console. `make cve_check_html` will output a html file that can be shared with other people. Requirements: - A working installation of cve-bin-tool on the system Not required but higly recommended: - Obtaining a key from the nvd [2] to speed up the database download. you can pass the key to cmake using `-DCVE_CHECK_NVD_KEY=your_api_key` [1] https://github.com/intel/cve-bin-tool [2] https://nvd.nist.gov/developers/request-an-api-key Reviewed By: brecht Differential Revision: https://developer.blender.org/D16160
===================================================================
M build_files/build_environment/CMakeLists.txt
A build_files/build_environment/cmake/cve_check.cmake
A build_files/build_environment/cmake/cve_check.csv.in
M build_files/build_environment/cmake/versions.cmake
===================================================================
diff --git a/build_files/build_environment/CMakeLists.txt b/build_files/build_environment/CMakeLists.txt
index 03c85742ada..4f40f44ad18 100644
--- a/build_files/build_environment/CMakeLists.txt
+++ b/build_files/build_environment/CMakeLists.txt
@@ -176,3 +176,4 @@ if(UNIX AND NOT APPLE)
 endif()
 include(cmake/harvest.cmake)
+include(cmake/cve_check.cmake)
diff --git a/build_files/build_environment/cmake/cve_check.cmake b/build_files/build_environment/cmake/cve_check.cmake
new file mode 100644
index 00000000000..dfb190bcffa
--- /dev/null
+++ b/build_files/build_environment/cmake/cve_check.cmake
@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# CVE Check requirements
+#
+# - A working installation of intels cve-bin-tool [1] has to be available in
+# your path
+#
+# - Not strictly required, but highly recommended is obtaining a NVD key from
+# nist since it significantly speeds up downloading/updating the required
+# databases one can request a key on the following website:
+# https://nvd.nist.gov/developers/request-an-api-key
+
+# Bill of Materials construction
+#
+# This constructs a CSV cve-bin-tool [1] can read and process. Sadly
+# cve-bin-tool at this point does not take a list of CPE's and output a check
+# based on that list. so we need to pick apart the CPE retrieve the vendor,
+# product and version tokens and generate a CSV.
+#
+# [1] https://github.com/intel/cve-bin-tool
+
+# Because not all deps are downloaded (ie python packages) but can still have a
+# xxx_CPE declared loop over all variables and look for variables ending in CPE.
+
+set(SBOMCONTENTS)
+get_cmake_property(_variableNames VARIABLES)
+foreach (_variableName ${_variableNames})
+ if(_variableName MATCHES "CPE$")
+ string(REPLACE ":" ";" CPE_LIST ${${_variableName}})
+ list(GET CPE_LIST 3 CPE_VENDOR)
+ list(GET CPE_LIST 4 CPE_NAME)
+ list(GET CPE_LIST 5 CPE_VERSION)
+ set(SBOMCONTENTS "${SBOMCONTENTS}${CPE_VENDOR},${CPE_NAME},${CPE_VERSION}\n")
+ endif()
+endforeach()
+configure_file(${CMAKE_SOURCE_DIR}/cmake/cve_check.csv.in ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv @ONLY)
+
+# Custom Targets
+#
+# This defines two new custom targets one could run in the build folder
+# `cve_check` which will output the report to the console, and `cve_check_html`
+# which will write out blender_dependencies.html in the build folder that one
+# could share with other people or be used to get more information on the
+# reported CVE's.
+#
+# cve-bin-tool takes data from the nist nvd database which rate limits
+# unauthenticated requests to 1 requests per 6 seconds making the database
+# download take "quite a bit" of time.
+#
+# When adding -DCVE_CHECK_NVD_KEY=your_api_key_here to your cmake invocation
+# this key will be passed on to cve-bin-tool speeding up the process.
+#
+if(DEFINED CVE_CHECK_NVD_KEY)
+ set(NVD_ARGS --nvd-api-key ${CVE_CHECK_NVD_KEY})
+endif()
+
+# This will just report to the console
+add_custom_target(cve_check
+ COMMAND cve-bin-tool
+ ${NVD_ARGS}
+ -i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+ --affected-versions
+ SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+)
+
+# This will write out blender_dependencies.html
+add_custom_target(cve_check_html
+ COMMAND cve-bin-tool
+ ${NVD_ARGS}
+ -i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+ -f html
+ SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+)
diff --git a/build_files/build_environment/cmake/cve_check.csv.in b/build_files/build_environment/cmake/cve_check.csv.in
new file mode 100644
index 00000000000..6e7e8db5609
--- /dev/null
+++ b/build_files/build_environment/cmake/cve_check.csv.in
@@ -0,0 +1,2 @@
+vendor,product,version
+@SBOMCONTENTS@
diff --git a/build_files/build_environment/cmake/versions.cmake b/build_files/build_environment/cmake/versions.cmake
index 938ecd393dc..6e36db1e387 100644
--- a/build_files/build_environment/cmake/versions.cmake
+++ b/build_files/build_environment/cmake/versions.cmake
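Review bot: `set(NVD_ARGS --nvd-api-key ${CVE_CHECK_NVD_KEY})` places the NVD API key on the cve-bin-tool command line, where it shows up in `ps` output and in the build log whenever the generator echoes commands, and passing it with `-DCVE_CHECK_NVD_KEY=` also persists it in CMakeCache.txt, which is easy to share or commit by accident. A safer default is to let the user export it in the environment at build time (cve-bin-tool reads `NVD_API_KEY`, if I recall its documentation correctly) and to warn in the header comment: `# Prefer exporting NVD_API_KEY in the environment; -DCVE_CHECK_NVD_KEY stores the key in CMakeCache.txt and echoes it in build logs.` Both `add_custom_target` calls should also end with `VERBATIM` so `${NVD_ARGS}` and the key are quoted consistently across generators. Finally, the `MATCHES "CPE$"` loop assumes every variable whose name ends in CPE holds a well-formed `cpe:2.3:` string; any other value aborts configuration at `list(GET CPE_LIST 5 CPE_VERSION)`, so a `list(LENGTH CPE_LIST n)` check or an `if(${${_variableName}} MATCHES "^cpe:2\\.3:")` guard is cheap insurance.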
@@ -1,10 +1,19 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
+# CPE's are used to identify dependencies, for more information on what they
+# are please see https://nvd.nist.gov/products/cpe
+#
+# We use them in combination with cve-bin-tool to scan for known security issues.
+#
+# Not all of our dependencies are currently in the nvd database so not all
+# dependencies have one assigned.
+
 set(ZLIB_VERSION 1.2.12)
 set(ZLIB_URI https://zlib.net/zlib-${ZLIB_VERSION}.tar.gz)
 set(ZLIB_HASH 5fc414a9726be31427b440b434d05f78)
 set(ZLIB_HASH_TYPE MD5)
 set(ZLIB_FILE zlib-${ZLIB_VERSION}.tar.gz)
+set(ZLIB_CPE "cpe:2.3:a:zlib:zlib:${ZLIB_VERSION}:*:*:*:*:*:*:*")
 set(OPENAL_VERSION 1.21.1)
 set(OPENAL_URI http://openal-soft.org/openal-releases/openal-soft-${OPENAL_VERSION}.tar.bz2)
@@ -17,12 +26,14 @@ set(PNG_URI http://prdownloads.sourceforge.net/libpng/libpng-${PNG_VERSION}.tar.
 set(PNG_HASH 505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca)
 set(PNG_HASH_TYPE SHA256)
 set(PNG_FILE libpng-${PNG_VERSION}.tar.xz)
+set(PNG_CPE "cpe:2.3:a:libpng:libpng:${PNG_VERSION}:*:*:*:*:*:*:*")
 set(JPEG_VERSION 2.1.3)
 set(JPEG_URI https://github.com/libjpeg-turbo/libjpeg-turbo/archive/${JPEG_VERSION}.tar.gz)
 set(JPEG_HASH 627b980fad0573e08e4c3b80b290fc91)
 set(JPEG_HASH_TYPE MD5)
 set(JPEG_FILE libjpeg-turbo-${JPEG_VERSION}.tar.gz)
+set(JPEG_CPE "cpe:2.3:a:d.r.commander:libjpeg-turbo:${JPEG_VERSION}:*:*:*:*:*:*:*")
 set(BOOST_VERSION 1.78.0)
 set(BOOST_VERSION_SHORT 1.78)
@@ -32,12 +43,14 @@ set(BOOST_URI https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION
 set(BOOST_HASH c2f6428ac52b0e5a3c9b2e1d8cc832b5)
 set(BOOST_HASH_TYPE MD5)
 set(BOOST_FILE boost_${BOOST_VERSION_NODOTS}.tar.gz)
+set(BOOST_CPE "cpe:2.3:a:boost:boost:${BOOST_VERSION}:*:*:*:*:*:*:*")
 set(BLOSC_VERSION 1.21.1)
 set(BLOSC_URI https://github.com/Blosc/c-blosc/archive/v${BLOSC_VERSION}.tar.gz)
 set(BLOSC_HASH 134b55813b1dca57019d2a2dc1f7a923)
 set(BLOSC_HASH_TYPE MD5)
 set(BLOSC_FILE blosc-${BLOSC_VERSION}.tar.gz)
+set(BLOSC_CPE "cpe:2.3:a:c-blosc2_project:c-blosc2:${BLOSC_VERSION}:*:*:*:*:*:*:*")
 set(PTHREADS_VERSION 3.0.0)
 set(PTHREADS_URI http://prdownloads.sourceforge.net/pthreads4w/pthreads4w-code-v${PTHREADS_VERSION}.zip)
@@ -50,6 +63,7 @@ set(OPENEXR_URI https://github.com/AcademySoftwareFoundation/openexr/archive/v${
 set(OPENEXR_HASH a92f38eedd43e56c0af56d4852506886)
 set(OPENEXR_HASH_TYPE MD5)
 set(OPENEXR_FILE openexr-${OPENEXR_VERSION}.tar.gz)
+set(OPENEXR_CPE "cpe:2.3:a:openexr:openexr:${OPENEXR_VERSION}:*:*:*:*:*:*:*")
 set(IMATH_VERSION 3.1.5)
 set(IMATH_URI https://github.com/AcademySoftwareFoundation/Imath/archive/v${OPENEXR_VERSION}.tar.gz)
@@ -79,6 +93,7 @@ set(FREETYPE_URI http://prdownloads.sourceforge.net/freetype/freetype-${FREETYPE
 set(FREETYPE_HASH bd4e3b007474319909a6b79d50908e85)
 set(FREETYPE_HASH_TYPE MD5)
 set(FREETYPE_FILE freetype-${FREETYPE_VERSION}.tar.gz)
+SET(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")
 set(EPOXY_VERSION 1.5.10)
 set(EPOXY_URI https://github.com/anholt/libepoxy/archive/refs/tags/${EPOXY_VERSION}.tar.gz)
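Review bot: `BLOSC_CPE` identifies the dependency as `c-blosc2_project:c-blosc2`, while `BLOSC_URI` two lines above fetches `Blosc/c-blosc` v1.21.1, i.e. the original c-blosc rather than c-blosc2. If NVD tracks the two under separate products, as the distinct product name suggests, advisories for c-blosc will not be matched and c-blosc2 advisories will be reported against a version that does not exist in that product line, so the mapping is worth verifying against the NVD CPE dictionary. Whatever the outcome, record it next to the line, e.g. `# c-blosc 1.x: closest NVD product is c-blosc2, expect noise in the report — TODO confirm`, so the next reader does not assume the scan covers c-blosc precisely.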
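Review bot: `SET(FREETYPE_CPE ...)` in the `@@ -79` hunk is the only uppercase command in a file that otherwise uses lowercase `set(`; write it as `set(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")` to match. CMake commands are case-insensitive, so this is purely a style point with no functional change.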
@@ -97,6 +112,7 @@ set(ALEMBIC_URI https://github.com/alembic/alembic/archive/${ALEMBIC_VERSION}.ta
 set(ALEMBIC_HASH 2cd8d6e5a3ac4a014e24a4b04f4fadf9)
 set(ALEMBIC_HASH_TYPE MD5)
 set(ALEMBIC_FILE alembic-${ALEMBIC_VERSION}.tar.gz)
+SET(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")
 set(OPENSUBDIV_VERSION v3_4_4)
 set(OPENSUBDIV_URI https://github.com/PixarAnimationStudios/OpenSubdiv/archive/${OPENSUBDIV_VERSION}.tar.gz)
@@ -109,6 +125,7 @@ set(SDL_URI https://www.libsdl.org/release/SDL2-${SDL_VERSION}.tar.gz)
 set(SDL_HASH a53acc02e1cca98c4123229069b67c9e)
 set(SDL_HASH_TYPE MD5)
 set(SDL_FILE SDL2-${SDL_VERSION}.tar.gz)
+set(SDL_CPE "cpe:2.3:a:libsdl:sdl:${SDL_VERSION}:*:*:*:*:*:*:*")
 set(OPENCOLLADA_VERSION v1.6.68)
 set(OPENCOLLADA_URI https://github.com/KhronosGroup/OpenCOLLADA/archive/${OPENCOLLADA_VERSION}.tar.gz)
@@ -127,6 +144,7 @@ set(LLVM_URI https://github.com/llvm/llvm-project/releases/download/llvmorg-${LL
 set(LLVM_HASH 5a4fab4d7fc84aefffb118ac2c8a4fc0)
 set(LLVM_HASH_TYPE MD5)
 set(LLVM_FILE llvm-project-${LLVM_VERSION}.src.tar.xz)
+set(LLVM_CPE "cpe:2.3:a:llvm:compiler:${LLVM_VERSION}:*:*:*:*:*:*:*")
 if(APPLE)
 # Cloth physics test is crashing due to this bug:
@@ -154,6 +172,7 @@ set(FMT_URI https://github.com/fmtlib/fmt/archive/refs/tags/${FMT_VERSION}.tar.g
 set(FMT_HASH 7bce0e9e022e586b178b150002e7c2339994e3c2bbe44027e9abb0d60f9cce83)
 set(FMT_HASH_TYPE SHA256)
 set(FMT_FILE fmt-${FMT_VERSION}.tar.gz)
+set(FMT_CPE "cpe:2.3:a:fmt:fmt:${FMT_VERSION}:*:*:*:*:*:*:*")
 # 0.6.2 is currently oiio's preferred version although never versions may be available.
 # the preferred version can be found in oiio's externalpackages.cmake
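Review bot: The line added after `set(ALEMBIC_FILE ...)` re-declares `FREETYPE_CPE` instead of declaring `ALEMBIC_CPE`, which reads as a copy-paste slip from the FreeType block: Alembic silently gets no CPE and is therefore left out of the cve-bin-tool scan, and the duplicate is harmless only because `set` overwrites FreeType's entry with the same value. Either replace it with `set(ALEMBIC_CPE "cpe:2.3:a:alembic:alembic:${ALEMBIC_VERSION}:*:*:*:*:*:*:*")` once the product name is confirmed against the NVD CPE dictionary (I have not verified it exists), or remove the line and note `# Alembic: no CPE in the NVD dictionary yet` so the gap is deliberate rather than accidental. A quick sanity check that would have caught this is to grep the generated `cve_check.csv` for one row per dependency that declares a CPE.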
@@ -168,6 +187,7 @@ set(TIFF_URI http://download.osgeo.org/libtiff/tiff-${TIFF_VERSION}.tar.gz)
 set(TIFF_HASH 376f17f189e9d02280dfe709b2b2bbea)
 set(TIFF_HASH_TYPE MD5)
 set(TIFF_FILE tiff-${TIFF_VERSION}.tar.gz)
+set(TIFF_CPE "cpe:2.3:a:libtiff:libtiff:${TIFF_VERSION}:*:*:*:*:*:*:*")
 set(OSL_VERSION 1.11.17.0)
 set(OSL_URI https://github.com/imageworks/OpenShadingLanguage/archive/Release-${OSL_VERSION}.tar.gz)
@@ -182,12 +202,15 @@ set(PYTHON_URI https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTH
 set(PYTHON_HASH 14e8c22458ed7779a1957b26cde01db9)
 set(PYTHON_HASH_TYPE MD5)
 set(PYTHON_FILE Python-${PYTHON_VERSION}.tar.xz)
+set(PYTHON_CPE "cpe:2.3:a:python:python:${PYTHON_VERSION}:-:*:*:*:*:*:*")
-set(TBB_VERSION 2020_U3)
+set(TBB_YEAR 2020)
+set(TBB_VERSION ${TBB_YEAR}_U3)
 set(TBB_URI https://github.com/oneapi-src/oneTBB/archive/${TBB_VERSION}.tar.gz)
 set(TBB_HASH 55ec8df6eae5ed6364a47f0e671e460c)
 set(TBB_HASH_TYPE MD5)
 set(TBB_FILE oneTBB-${TBB_VERSION}.tar.gz)
+set(TBB_CPE "cpe:2.3:a:intel:threading_building_blocks:${TBB_YEAR}:*:*:*:*:*:*:*")
 set(OPENVDB_VERSION 9.0.0)
 set(OPENVDB_URI https://github.com/AcademySoftwareFoundation/openvdb/archive/v${OPENVDB_VERSION}.tar.gz)
@@ -198,6 +221,7 @@ set(OPENVDB_FILE openvdb-${OPENVDB_VERSION}.tar.gz)
 set(IDNA_VERSION 3.3)
 set(CHARSET_NORMALIZER_VERSION 2.0.10)
 set(URLLIB3_VERSION 1.26.8)
+set(URLLIB
@@ Diff output truncated at 10240 characters. @@ _______________________________________________ Bf-blender-cvs mailing list [email protected] List details, subscription details or unsubscribe: https://lists.blender.org/mailman/listinfo/bf-blender-cvs
