diff options
author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-06-19 15:59:40 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-06-19 23:08:59 +0100 |
commit | 3bf63bc60848d91e90c23f6d854d22b78832aa2d (patch) | |
tree | b8a0230a1766e2e71ec5b235704b217e5de07caf /meta/classes | |
parent | 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05 (diff) | |
download | openembedded-core-contrib-3bf63bc60848d91e90c23f6d854d22b78832aa2d.tar.gz |
cve-check: Consider CVE that affects versions with less than operator
In the NVD json CVE feed, affected versions can be strictly matched to a
version, but they can also be matched with the operator '<='.
Add a new condition in the sqlite query to match affected versions that
are defined with the operator '<='. Then use LooseVersion to discard all
versions that are not relevant.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/cve-check.bbclass | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index e7540b8c1f..379f7121cc 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -166,6 +166,7 @@ def check_cves(d, patched_cves): Connect to the NVD database and find unpatched cves. """ import ast, csv, tempfile, subprocess, io + from distutils.version import LooseVersion cves_unpatched = [] # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) @@ -186,14 +187,25 @@ def check_cves(d, patched_cves): conn = sqlite3.connect(db_file) c = conn.cursor() - query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';" + query = """SELECT * FROM PRODUCTS WHERE + (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR + (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" for idx in range(len(bpn)): - for row in c.execute(query % (bpn[idx],pv)): + for row in c.execute(query.format(bpn[idx],pv)): cve = row[1] + version = row[4] + + try: + discardVersion = LooseVersion(version) < LooseVersion(pv) + except: + discardVersion = True + if pv in cve_whitelist.get(cve,[]): bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) elif cve in patched_cves: bb.note("%s has been patched" % (cve)) + elif discardVersion: + bb.debug(2, "Do not consider version %s " % (version)) else: cves_unpatched.append(cve) bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) |