aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPierre Le Magourou <pierre.lemagourou@softbankrobotics.com>2019-06-19 15:59:40 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-06-19 23:08:59 +0100
commit3bf63bc60848d91e90c23f6d854d22b78832aa2d (patch)
treeb8a0230a1766e2e71ec5b235704b217e5de07caf
parent7f62a20b32a3d42f04ec58786a7d0db68ef1bb05 (diff)
downloadopenembedded-core-contrib-3bf63bc60848d91e90c23f6d854d22b78832aa2d.tar.gz
openembedded-core-contrib-3bf63bc60848d91e90c23f6d854d22b78832aa2d.tar.bz2
openembedded-core-contrib-3bf63bc60848d91e90c23f6d854d22b78832aa2d.zip
cve-check: Consider CVE that affects versions with less than operator
In the NVD json CVE feed, affected versions can be strictly matched to a version, but they can also be matched with the operator '<='. Add a new condition in the sqlite query to match affected versions that are defined with the operator '<='. Then use LooseVersion to discard all versions that are not relevant. Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass16
1 files changed, 14 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e7540b8c1f6..379f7121cc1 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
Connect to the NVD database and find unpatched cves.
"""
import ast, csv, tempfile, subprocess, io
+ from distutils.version import LooseVersion
cves_unpatched = []
# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
conn = sqlite3.connect(db_file)
c = conn.cursor()
- query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+ query = """SELECT * FROM PRODUCTS WHERE
+ (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+ (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
for idx in range(len(bpn)):
- for row in c.execute(query % (bpn[idx],pv)):
+ for row in c.execute(query.format(bpn[idx],pv)):
cve = row[1]
+ version = row[4]
+
+ try:
+ discardVersion = LooseVersion(version) < LooseVersion(pv)
+ except:
+ discardVersion = True
+
if pv in cve_whitelist.get(cve,[]):
bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
+ elif discardVersion:
+ bb.debug(2, "Do not consider version %s " % (version))
else:
cves_unpatched.append(cve)
bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))