diff options
author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-07-05 11:40:37 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-09 23:27:37 +0100 |
commit | f7676e9a38d595564922e5f59acbc69c2109a78f (patch) | |
tree | 2187913f454f6fd7566bd9f3d9f22d63440d1c9d /meta/recipes-core/meta | |
parent | 4078da92b49946848cddebe1735f301af161e162 (diff) | |
download | openembedded-core-contrib-f7676e9a38d595564922e5f59acbc69c2109a78f.tar.gz |
cve-update-db: Use NVD CPE data to populate PRODUCTS table
Instead of using expanded list of affected versions that is not
reliable, use the 'cpe_match' node in the 'configurations' json node.
For cve-check to correctly match affected CVE, the sqlite database need to
contain operator_start, operator_end and the corresponding versions fields.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core/meta')
-rw-r--r-- | meta/recipes-core/meta/cve-update-db-native.bb | 88 |
1 files changed, 74 insertions, 14 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index ae8f1a958b..d658c7bfea 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb @@ -25,7 +25,7 @@ python do_populate_cve_db() { YEAR_START = 2002 db_dir = d.getVar("DL_DIR") + '/CVE_CHECK' - db_file = db_dir + '/nvd-json.db' + db_file = db_dir + '/nvdcve.db' json_tmpfile = db_dir + '/nvd.json.gz' proxy = d.getVar("https_proxy") cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a') @@ -99,9 +99,76 @@ def initialize_db(c): c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (HASH INTEGER UNIQUE, ID TEXT, \ - VENDOR TEXT, PRODUCT TEXT, VERSION TEXT, OPERATOR TEXT)") - c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_IDX ON PRODUCTS \ - (PRODUCT, VERSION)") + VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ + VERSION_END TEXT, OPERATOR_END TEXT)") + +def insert_elt(c, db_values): + product_str = db_values[0] + db_values[1] + db_values[2] + db_values[3] + hashstr = hash_djb2(product_str) + db_values.insert(0, hashstr) + query = "insert or replace into PRODUCTS values (?, ?, ?, ?, ?, ?, ?, ?)" + c.execute(query, db_values) + +def parse_node_and_insert(c, node, cveId): + # Parse children node if needed + try: + for child in node['children']: + parse_node_and_insert(c, child, cveId) + except: + pass + + # Exit if the cpe_match node does not exists + try: + cpe_match = node['cpe_match'] + except: + return + + for cpe in cpe_match: + if not cpe['vulnerable']: + return + cpe23 = cpe['cpe23Uri'].split(':') + vendor = cpe23[3] + product = cpe23[4] + version = cpe23[5] + + if version != '*': + # Version is defined, this is a '=' match + db_values = [cveId, vendor, product, version, '=', '', ''] + insert_elt(c, db_values) + else: + # Parse start version, end version and operators + op_start = '' + op_end = '' + v_start = '' + v_end = '' + + try: + if cpe['versionStartIncluding']: + op_start = '>=' + v_start = cpe['versionStartIncluding'] + except: + pass + try: + if cpe['versionStartExcluding']: + op_start = '>' + v_start = cpe['versionStartExcluding'] + except: + pass + try: + if cpe['versionEndIncluding']: + op_end = '<=' + v_end = cpe['versionEndIncluding'] + except: + pass + try: + if cpe['versionEndExcluding']: + op_end = '<' + v_end = cpe['versionEndExcluding'] + except: + pass + + db_values = [cveId, vendor, product, v_start, op_start, v_end, op_end] + insert_elt(c, db_values) def update_db(c, json_filename): import json @@ -125,16 +192,9 @@ def update_db(c, json_filename): c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) - for vendor in elt['cve']['affects']['vendor']['vendor_data']: - for product in vendor['product']['product_data']: - for version in product['version']['version_data']: - product_str = cveId+vendor['vendor_name']+product['product_name']+version['version_value'] - hashstr = hash_djb2(product_str) - c.execute("insert or replace into PRODUCTS values (?, ?, ?, ?, ?, ?)", - [ hashstr, cveId, vendor['vendor_name'], - product['product_name'], version['version_value'], - version['version_affected']]) - + configurations = elt['configurations']['nodes'] + for config in configurations: + parse_node_and_insert(c, config, cveId) addtask do_populate_cve_db before do_fetch |