Thanks for the information, can you send a patch?

Alex
On Wed, 12 Oct 2022 at 09:25, Alberto Pianon <[email protected]> wrote:
>
> All, Marta, Richard,
>
> while implementing stats aggregation for CVE metadata in the Oniro project, I encountered a severe issue in Yocto's CVE checker, apparently due to this:
> https://git.yoctoproject.org/poky/tree/meta/recipes-core/meta/cve-update-db-native.bb#n81
>
> It appears that when cve-update-db-native fails to fetch some years of the NIST CVE db, it just issues a warning but goes on anyway.
>
> The result is that in some builds, randomly (depending on NIST webserver timeouts or other connection problems), the CVE db is not complete, so the CVE check returns false negatives (i.e. no vulnerabilities found in some components even if such vulnerabilities do exist).
>
> I ran into such a problem because in Oniro we need to aggregate data from different builds for a large target matrix; I added a check to check that CVE metadata for each component are the same in all builds, and it failed, so I tried to figure out the cause and I found this:
>
> - in a build where cve-check found a vulnerability for acl:
> $ sqlite3 build-linux-clang-qemuarm-efi/tmp/CVE_CHECK/nvdcve_1.1.db
> sqlite> SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS "acl";
> CVE-2009-4411
> sqlite>
>
> - in another build where cve-check did not find any vulnerability for the very same version of acl:
> $ sqlite3 build-linux-clang-qemux86/tmp/CVE_CHECK/nvdcve_1.1.db
> sqlite> SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS "acl";
> sqlite>
>
> so I listed both CVE db files in those two builds and this is what I got:
>
> $ ls -ll build-linux-clang-qemuarm-efi/tmp/CVE_CHECK/nvdcve_1.1.db build-linux-clang-qemux86/tmp/CVE_CHECK/nvdcve_1.1.db
> -rw-r--r-- 1 ubuntu ubuntu 215093248 Oct 11 10:56 build-linux-clang-qemuarm-efi/tmp/CVE_CHECK/nvdcve_1.1.db
> -rw-r--r-- 1 ubuntu ubuntu 28672 Oct 11 10:00 build-linux-clang-qemux86/tmp/CVE_CHECK/nvdcve_1.1.db
>
> The two CVE db files were fetched just about 1h apart, but the second file is apparently incomplete.
>
> I checked the log for the second build, and I found this:
>
> WARNING: cve-update-db-native-1.0-r0 do_fetch: Failed to fetch CVE data ([Errno 99] Cannot assign requested address)
> NOTE: recipe cve-update-db-native-1.0-r0: task do_fetch: Succeeded
>
> Fetch fails, but the do_fetch task succeeds.
>
> So I looked into the recipe's code, and I found this:
> https://git.yoctoproject.org/poky/tree/meta/recipes-core/meta/cve-update-db-native.bb#n81
>
> It iterates over NIST CVE db years, but if some years fail to download, it goes on anyway, and it still merges the successful downloads into nvdcve_1.1.db, without returning an error.
>
> IMHO this is a severe issue because it may silently lead to false negatives in the CVE check. If some downloads fail due to timeouts or other connection problems, cve-check should retry a number of times, and if any download still fails, cve-update-db-native do_fetch should fail, and in turn all do_cve_check tasks should fail, since doing a CVE check against a corrupted/incomplete CVE database is clearly useless.
>
> Regards,
>
> Alberto
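The retry-then-fail behaviour Alberto asks for, written out as an added example that is not code from the poky recipe or from this thread: each NVD year feed is retried a bounded number of times and the whole update raises if any year is still missing, so a partial database is never merged. The `fetch_year` callable, the `CveDbIncomplete` exception and the retry count are assumptions; the network is replaced by a constructed stand-in so the example runs offline.

```python
import time
from typing import Callable, Dict, List


class CveDbIncomplete(Exception):
    """Raised when any NVD year feed is still missing after retries (assumed name)."""


def fetch_all_years(years: List[int],
                    fetch_year: Callable[[int], bytes],
                    retries: int = 3,
                    backoff: float = 0.0) -> Dict[int, bytes]:
    """Fetch every yearly feed or fail the whole update.

    fetch_year(year) returns the feed bytes or raises OSError on network
    trouble. A year is retried up to `retries` times; if any year still
    fails, the failure is raised instead of being downgraded to a warning,
    which is what lets an incomplete nvdcve_1.1.db slip through.
    """
    feeds: Dict[int, bytes] = {}
    failed: Dict[int, Exception] = {}
    for year in years:
        last_err = None
        for attempt in range(1, retries + 1):
            try:
                feeds[year] = fetch_year(year)
                last_err = None
                break
            except OSError as e:
                last_err = e
                time.sleep(backoff * attempt)   # simple linear backoff
        if last_err is not None:
            failed[year] = last_err
    if failed:
        details = ", ".join(f"{y}: {e}" for y, e in sorted(failed.items()))
        raise CveDbIncomplete(f"NVD feeds missing after {retries} attempts: {details}")
    return feeds


def make_flaky_fetcher(failures_per_year: Dict[int, int]) -> Callable[[int], bytes]:
    """Constructed stand-in for the NIST download: fails the given number
    of times for each listed year (with the errno seen in the build log),
    then succeeds. Not a real network client."""
    remaining = dict(failures_per_year)

    def fetch_year(year: int) -> bytes:
        if remaining.get(year, 0) > 0:
            remaining[year] -= 1
            raise OSError(99, "Cannot assign requested address")
        return f"nvdcve-1.1-{year}.json.gz".encode()   # constructed payload
    return fetch_year
```

Inside a BitBake Python task an uncaught exception fails the task, so raising here is what turns the silent WARNING into a failed do_fetch and, through the task dependency, failed do_cve_check tasks.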
View/Reply Online (#171657): https://lists.openembedded.org/g/openembedded-core/message/171657
