Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 1 | # |
| 2 | # Copyright OpenEmbedded Contributors |
| 3 | # |
| 4 | # SPDX-License-Identifier: MIT |
| 5 | # |
| 6 | |
Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 7 | import collections |
| 8 | import re |
| 9 | import itertools |
| 10 | import functools |
| 11 | |
| 12 | _Version = collections.namedtuple( |
| 13 | "_Version", ["release", "patch_l", "pre_l", "pre_v"] |
| 14 | ) |
| 15 | |
| 16 | @functools.total_ordering |
| 17 | class Version(): |
| 18 | |
| 19 | def __init__(self, version, suffix=None): |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 20 | |
| 21 | suffixes = ["alphabetical", "patch"] |
| 22 | |
Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 23 | if str(suffix) == "alphabetical": |
| 24 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 25 | elif str(suffix) == "patch": |
| 26 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 27 | else: |
| 28 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
| 29 | regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) |
| 30 | |
| 31 | match = regex.search(version) |
| 32 | if not match: |
| 33 | raise Exception("Invalid version: '{0}'".format(version)) |
| 34 | |
| 35 | self._version = _Version( |
| 36 | release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 37 | patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", |
Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 38 | pre_l=match.group("pre_l"), |
| 39 | pre_v=match.group("pre_v") |
| 40 | ) |
| 41 | |
| 42 | self._key = _cmpkey( |
| 43 | self._version.release, |
| 44 | self._version.patch_l, |
| 45 | self._version.pre_l, |
| 46 | self._version.pre_v |
| 47 | ) |
| 48 | |
| 49 | def __eq__(self, other): |
| 50 | if not isinstance(other, Version): |
| 51 | return NotImplemented |
| 52 | return self._key == other._key |
| 53 | |
| 54 | def __gt__(self, other): |
| 55 | if not isinstance(other, Version): |
| 56 | return NotImplemented |
| 57 | return self._key > other._key |
| 58 | |
| 59 | def _cmpkey(release, patch_l, pre_l, pre_v): |
| 60 | # remove leading 0 |
| 61 | _release = tuple( |
| 62 | reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release)))) |
| 63 | ) |
| 64 | |
| 65 | _patch = patch_l.upper() |
| 66 | |
| 67 | if pre_l is None and pre_v is None: |
| 68 | _pre = float('inf') |
| 69 | else: |
| 70 | _pre = float(pre_v) if pre_v else float('-inf') |
| 71 | return _release, _patch, _pre |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 72 | |
| 73 | |
| 74 | def get_patched_cves(d): |
| 75 | """ |
| 76 | Get patches that solve CVEs using the "CVE: " tag. |
| 77 | """ |
| 78 | |
| 79 | import re |
| 80 | import oe.patch |
| 81 | |
Patrick Williams | f52e3dd | 2024-01-26 13:04:43 -0600 | [diff] [blame] | 82 | cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 83 | |
| 84 | # Matches the last "CVE-YYYY-ID" in the file name, also if written |
| 85 | # in lowercase. Possible to have multiple CVE IDs in a single |
| 86 | # file name, but only the last one will be detected from the file name. |
| 87 | # However, patch files contents addressing multiple CVE IDs are supported |
| 88 | # (cve_match regular expression) |
Patrick Williams | f52e3dd | 2024-01-26 13:04:43 -0600 | [diff] [blame] | 89 | cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 90 | |
| 91 | patched_cves = set() |
Patrick Williams | f52e3dd | 2024-01-26 13:04:43 -0600 | [diff] [blame] | 92 | patches = oe.patch.src_patches(d) |
| 93 | bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) |
| 94 | for url in patches: |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 95 | patch_file = bb.fetch.decodeurl(url)[2] |
| 96 | |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 97 | # Check patch file name for CVE ID |
| 98 | fname_match = cve_file_name_match.search(patch_file) |
| 99 | if fname_match: |
| 100 | cve = fname_match.group(1).upper() |
| 101 | patched_cves.add(cve) |
Patrick Williams | f52e3dd | 2024-01-26 13:04:43 -0600 | [diff] [blame] | 102 | bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 103 | |
Patrick Williams | ac13d5f | 2023-11-24 18:59:46 -0600 | [diff] [blame] | 104 | # Remote patches won't be present and compressed patches won't be |
| 105 | # unpacked, so say we're not scanning them |
| 106 | if not os.path.isfile(patch_file): |
| 107 | bb.note("%s is remote or compressed, not scanning content" % patch_file) |
| 108 | continue |
| 109 | |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 110 | with open(patch_file, "r", encoding="utf-8") as f: |
| 111 | try: |
| 112 | patch_text = f.read() |
| 113 | except UnicodeDecodeError: |
| 114 | bb.debug(1, "Failed to read patch %s using UTF-8 encoding" |
| 115 | " trying with iso8859-1" % patch_file) |
| 116 | f.close() |
| 117 | with open(patch_file, "r", encoding="iso8859-1") as f: |
| 118 | patch_text = f.read() |
| 119 | |
| 120 | # Search for one or more "CVE: " lines |
| 121 | text_match = False |
| 122 | for match in cve_match.finditer(patch_text): |
| 123 | # Get only the CVEs without the "CVE: " tag |
| 124 | cves = patch_text[match.start()+5:match.end()] |
| 125 | for cve in cves.split(): |
| 126 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) |
| 127 | patched_cves.add(cve) |
| 128 | text_match = True |
| 129 | |
| 130 | if not fname_match and not text_match: |
| 131 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) |
| 132 | |
Andrew Geissler | 8f84068 | 2023-07-21 09:09:43 -0500 | [diff] [blame] | 133 | # Search for additional patched CVEs |
| 134 | for cve in (d.getVarFlags("CVE_STATUS") or {}): |
| 135 | decoded_status, _, _ = decode_cve_status(d, cve) |
| 136 | if decoded_status == "Patched": |
| 137 | bb.debug(2, "CVE %s is additionally patched" % cve) |
| 138 | patched_cves.add(cve) |
| 139 | |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 140 | return patched_cves |
| 141 | |
| 142 | |
| 143 | def get_cpe_ids(cve_product, version): |
| 144 | """ |
| 145 | Get list of CPE identifiers for the given product and version |
| 146 | """ |
| 147 | |
| 148 | version = version.split("+git")[0] |
| 149 | |
| 150 | cpe_ids = [] |
| 151 | for product in cve_product.split(): |
| 152 | # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, |
| 153 | # use wildcard for vendor. |
| 154 | if ":" in product: |
| 155 | vendor, product = product.split(":", 1) |
| 156 | else: |
| 157 | vendor = "*" |
| 158 | |
Andrew Geissler | 5082cc7 | 2023-09-11 08:41:39 -0400 | [diff] [blame] | 159 | cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version) |
Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 160 | cpe_ids.append(cpe_id) |
| 161 | |
| 162 | return cpe_ids |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 163 | |
| 164 | def cve_check_merge_jsons(output, data): |
| 165 | """ |
| 166 | Merge the data in the "package" property to the main data file |
| 167 | output |
| 168 | """ |
| 169 | if output["version"] != data["version"]: |
| 170 | bb.error("Version mismatch when merging JSON outputs") |
| 171 | return |
| 172 | |
| 173 | for product in output["package"]: |
| 174 | if product["name"] == data["package"][0]["name"]: |
Patrick Williams | ac13d5f | 2023-11-24 18:59:46 -0600 | [diff] [blame] | 175 | bb.error("Error adding the same package %s twice" % product["name"]) |
Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 176 | return |
| 177 | |
| 178 | output["package"].append(data["package"][0]) |
Andrew Geissler | 78b7279 | 2022-06-14 06:47:25 -0500 | [diff] [blame] | 179 | |
| 180 | def update_symlinks(target_path, link_path): |
| 181 | """ |
| 182 | Update a symbolic link link_path to point to target_path. |
| 183 | Remove the link and recreate it if exist and is different. |
| 184 | """ |
| 185 | if link_path != target_path and os.path.exists(target_path): |
| 186 | if os.path.exists(os.path.realpath(link_path)): |
| 187 | os.remove(link_path) |
| 188 | os.symlink(os.path.basename(target_path), link_path) |
Andrew Geissler | fc113ea | 2023-03-31 09:59:46 -0500 | [diff] [blame] | 189 | |
| 190 | |
| 191 | def convert_cve_version(version): |
| 192 | """ |
| 193 | This function converts from CVE format to Yocto version format. |
| 194 | eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1 |
| 195 | |
| 196 | Unless it is redefined using CVE_VERSION in the recipe, |
| 197 | cve_check uses the version in the name of the recipe (${PV}) |
| 198 | to check vulnerabilities against a CVE in the database downloaded from NVD. |
| 199 | |
| 200 | When the version has an update, i.e. |
| 201 | "p1" in OpenSSH 8.3p1, |
| 202 | "-rc1" in linux kernel 6.2-rc1, |
| 203 | the database stores the version as version_update (8.3_p1, 6.2_rc1). |
| 204 | Therefore, we must transform this version before comparing to the |
| 205 | recipe version. |
| 206 | |
| 207 | In this case, the parameter of the function is 8.3_p1. |
| 208 | If the version uses the Release Candidate format, "rc", |
| 209 | this function replaces the '_' by '-'. |
| 210 | If the version uses the Update format, "p", |
| 211 | this function removes the '_' completely. |
| 212 | """ |
| 213 | import re |
| 214 | |
| 215 | matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version) |
| 216 | |
| 217 | if not matches: |
| 218 | return version |
| 219 | |
| 220 | version = matches.group(1) |
| 221 | update = matches.group(2) |
| 222 | |
| 223 | if matches.group(3) == "rc": |
| 224 | return version + '-' + update |
| 225 | |
| 226 | return version + update |
| 227 | |
Andrew Geissler | 8f84068 | 2023-07-21 09:09:43 -0500 | [diff] [blame] | 228 | def decode_cve_status(d, cve): |
| 229 | """ |
| 230 | Convert CVE_STATUS into status, detail and description. |
| 231 | """ |
| 232 | status = d.getVarFlag("CVE_STATUS", cve) |
Patrick Williams | f52e3dd | 2024-01-26 13:04:43 -0600 | [diff] [blame] | 233 | if not status: |
Andrew Geissler | 8f84068 | 2023-07-21 09:09:43 -0500 | [diff] [blame] | 234 | return ("", "", "") |
| 235 | |
| 236 | status_split = status.split(':', 1) |
| 237 | detail = status_split[0] |
| 238 | description = status_split[1].strip() if (len(status_split) > 1) else "" |
| 239 | |
| 240 | status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) |
| 241 | if status_mapping is None: |
Patrick Williams | f52e3dd | 2024-01-26 13:04:43 -0600 | [diff] [blame] | 242 | bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) |
Andrew Geissler | 8f84068 | 2023-07-21 09:09:43 -0500 | [diff] [blame] | 243 | status_mapping = "Unpatched" |
| 244 | |
| 245 | return (status_mapping, detail, description) |