Does this mean we can delete the cve-check-tool recipe itself too? Ross
On Wed, 19 Jun 2019 at 15:03, Pierre Le Magourou <[email protected]> wrote: > > From: Pierre Le Magourou <[email protected]> > > Use the new update-cve-db recipe to update database. > > Signed-off-by: Pierre Le Magourou <[email protected]> > --- > meta/classes/cve-check.bbclass | 71 > ++++++++++++++++-------------------------- > 1 file changed, 26 insertions(+), 45 deletions(-) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 743bc08a4f..28619c7bd4 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}" > CVE_VERSION ??= "${PV}" > > CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" > -CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db" > +CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db" > > CVE_CHECK_LOG ?= "${T}/cve.log" > CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" > @@ -62,7 +62,7 @@ python do_cve_check () { > } > > addtask cve_check after do_unpack before do_build > -do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot > cve-check-tool-native:do_populate_cve_db" > +do_cve_check[depends] = "cve-update-db:do_populate_cve_db" > do_cve_check[nostamp] = "1" > > python cve_check_cleanup () { > @@ -163,61 +163,40 @@ def get_patches_cves(d): > > def check_cves(d, patched_cves): > """ > - Run cve-check-tool looking for patched and unpatched CVEs. > + Connect to the NVD database and find unpatched cves. > """ > - > import ast, csv, tempfile, subprocess, io > > - cves_patched = [] > cves_unpatched = [] > bpn = d.getVar("CVE_PRODUCT") > # If this has been unset then we're not scanning for CVEs here (for > example, image recipes) > if not bpn: > return ([], []) > pv = d.getVar("CVE_VERSION").split("+git")[0] > - cves = " ".join(patched_cves) > - cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") > cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) > - cve_cmd = "cve-check-tool" > - cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", > "-t", "faux", "-d", cve_db_dir] > > # If the recipe has been whitlisted we return empty lists > if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): > bb.note("Recipe has been whitelisted, skipping check") > return ([], []) > > - try: > - # Write the faux CSV file to be used with cve-check-tool > - fd, faux = tempfile.mkstemp(prefix="cve-faux-") > - with os.fdopen(fd, "w") as f: > - for pn in bpn.split(): > - f.write("%s,%s,%s,\n" % (pn, pv, cves)) > - cmd.append(faux) > - > - output = subprocess.check_output(cmd).decode("utf-8") > - bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output)) > - except subprocess.CalledProcessError as e: > - bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output)) > - finally: > - os.remove(faux) > - > - for row in csv.reader(io.StringIO(output)): > - # Third row has the unpatched CVEs > - if row[2]: > - for cve in row[2].split(): > - # Skip if the CVE has been whitlisted for the current version > - if pv in cve_whitelist.get(cve,[]): > - bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, > cve)) > - else: > - cves_unpatched.append(cve) > - bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, > cve)) > - # Fourth row has patched CVEs > - if row[3]: > - for cve in row[3].split(): > - cves_patched.append(cve) > - bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve)) > - > - return (cves_patched, cves_unpatched) > + import sqlite3 > + db_file = d.getVar("CVE_CHECK_DB_FILE") > + conn = sqlite3.connect(db_file) > + c = conn.cursor() > + query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS > '%s';" > + for row in c.execute(query % (bpn,pv)): > + cve = row[1] > + if pv in cve_whitelist.get(cve,[]): > + bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) > + elif cve in patched_cves: > + bb.note("%s has been patched" % (cve)) > + else: > + cves_unpatched.append(cve) > + bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) > + conn.close() > + > + return (list(patched_cves), cves_unpatched) > > def get_cve_info(d, cves): > """ > @@ -241,9 +220,10 @@ def get_cve_info(d, cves): > for row in cur.execute(query, tuple(cves)): > cve_data[row[0]] = {} > cve_data[row[0]]["summary"] = row[1] > - cve_data[row[0]]["score"] = row[2] > - cve_data[row[0]]["modified"] = row[3] > - cve_data[row[0]]["vector"] = row[4] > + cve_data[row[0]]["scorev2"] = row[2] > + cve_data[row[0]]["scorev3"] = row[3] > + cve_data[row[0]]["modified"] = row[4] > + cve_data[row[0]]["vector"] = row[5] > conn.close() > > return cve_data > @@ -270,7 +250,8 @@ def cve_write_data(d, patched, unpatched, cve_data): > unpatched_cves.append(cve) > write_string += "CVE STATUS: Unpatched\n" > write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] > - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"] > + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] > + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] > write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] > write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) > > -- > 2.11.0 > > -- > _______________________________________________ > Openembedded-core mailing list > [email protected] > http://lists.openembedded.org/mailman/listinfo/openembedded-core -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
