blob: 6d87d02ecbf382354f2c9d36b79e97ab5ad43503 [file] [log] [blame]
Andrew Geissler517393d2023-01-13 08:55:19 -06001.. SPDX-License-Identifier: CC-BY-SA-2.0-UK
2
3Checking for Vulnerabilities
4****************************
5
6Vulnerabilities in Poky and OE-Core
7===================================
8
9The Yocto Project has an infrastructure to track and address unfixed
10known security vulnerabilities, as tracked by the public
11:wikipedia:`Common Vulnerabilities and Exposures (CVE) <Common_Vulnerabilities_and_Exposures>`
12database.
13
14The Yocto Project maintains a `list of known vulnerabilities
15<https://autobuilder.yocto.io/pub/non-release/patchmetrics/>`__
16for packages in Poky and OE-Core, tracking the evolution of the number of
17unpatched CVEs and the status of patches. Such information is available for
18the current development version and for each supported release.
19
20Security is a process, not a product, and thus at any time, a number of security
21issues may be impacting Poky and OE-Core. It is up to the maintainers, users,
22contributors and anyone interested in the issues to investigate and possibly fix them by
23updating software components to newer versions or by applying patches to address them.
24It is recommended to work with Poky and OE-Core upstream maintainers and submit
25patches to fix them, see ":ref:`dev-manual/changes:submitting a change to the yocto project`" for details.
26
27Vulnerability check at build time
28=================================
29
30To enable a check for CVE security vulnerabilities using
31:ref:`ref-classes-cve-check` in the specific image or target you are building,
32add the following setting to your configuration::
33
34 INHERIT += "cve-check"
35
36The CVE database contains some old incomplete entries which have been
37deemed not to impact Poky or OE-Core. These CVE entries can be excluded from the
38check using build configuration::
39
40 include conf/distro/include/cve-extra-exclusions.inc
41
42With this CVE check enabled, BitBake build will try to map each compiled software component
43recipe name and version information to the CVE database and generate recipe and
44image specific reports. These reports will contain:
45
46- metadata about the software component like names and versions
47
48- metadata about the CVE issue such as description and NVD link
49
50- for each software component, a list of CVEs which are possibly impacting this version
51
52- status of each CVE: ``Patched``, ``Unpatched`` or ``Ignored``
53
54The status ``Patched`` means that a patch file to address the security issue has been
55applied. ``Unpatched`` status means that no patches to address the issue have been
56applied and that the issue needs to be investigated. ``Ignored`` means that after
57analysis, it has been deemed to ignore the issue as it for example affects
58the software component on a different operating system platform.
59
60After a build with CVE check enabled, reports for each compiled source recipe will be
61found in ``build/tmp/deploy/cve``.
62
63For example the CVE check report for the ``flex-native`` recipe looks like::
64
65 $ cat poky/build/tmp/deploy/cve/flex-native
66 LAYER: meta
67 PACKAGE NAME: flex-native
68 PACKAGE VERSION: 2.6.4
69 CVE: CVE-2016-6354
70 CVE STATUS: Patched
71 CVE SUMMARY: Heap-based buffer overflow in the yy_get_next_buffer function in Flex before 2.6.1 might allow context-dependent attackers to cause a denial of service or possibly execute arbitrary code via vectors involving num_to_read.
72 CVSS v2 BASE SCORE: 7.5
73 CVSS v3 BASE SCORE: 9.8
74 VECTOR: NETWORK
75 MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2016-6354
76
77 LAYER: meta
78 PACKAGE NAME: flex-native
79 PACKAGE VERSION: 2.6.4
80 CVE: CVE-2019-6293
81 CVE STATUS: Ignored
82 CVE SUMMARY: An issue was discovered in the function mark_beginning_as_normal in nfa.c in flex 2.6.4. There is a stack exhaustion problem caused by the mark_beginning_as_normal function making recursive calls to itself in certain scenarios involving lots of '*' characters. Remote attackers could leverage this vulnerability to cause a denial-of-service.
83 CVSS v2 BASE SCORE: 4.3
84 CVSS v3 BASE SCORE: 5.5
85 VECTOR: NETWORK
86 MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-2019-6293
87
88For images, a summary of all recipes included in the image and their CVEs is also
89generated in textual and JSON formats. These ``.cve`` and ``.json`` reports can be found
90in the ``tmp/deploy/images`` directory for each compiled image.
91
92At build time CVE check will also throw warnings about ``Unpatched`` CVEs::
93
94 WARNING: flex-2.6.4-r0 do_cve_check: Found unpatched CVE (CVE-2019-6293), for more information check /poky/build/tmp/work/core2-64-poky-linux/flex/2.6.4-r0/temp/cve.log
95 WARNING: libarchive-3.5.1-r0 do_cve_check: Found unpatched CVE (CVE-2021-36976), for more information check /poky/build/tmp/work/core2-64-poky-linux/libarchive/3.5.1-r0/temp/cve.log
96
97It is also possible to check the CVE status of individual packages as follows::
98
99 bitbake -c cve_check flex libarchive
100
101Fixing CVE product name and version mappings
102============================================
103
104By default, :ref:`ref-classes-cve-check` uses the recipe name :term:`BPN` as CVE
105product name when querying the CVE database. If this mapping contains false positives, e.g.
106some reported CVEs are not for the software component in question, or false negatives like
107some CVEs are not found to impact the recipe when they should, then the problems can be
108in the recipe name to CVE product mapping. These mapping issues can be fixed by setting
109the :term:`CVE_PRODUCT` variable inside the recipe. This defines the name of the software component in the
110upstream `NIST CVE database <https://nvd.nist.gov/>`__.
111
112The variable supports using vendor and product names like this::
113
114 CVE_PRODUCT = "flex_project:flex"
115
116In this example the vendor name used in the CVE database is ``flex_project`` and the
117product is ``flex``. With this setting the ``flex`` recipe only maps to this specific
118product and not products from other vendors with same name ``flex``.
119
120Similarly, when the recipe version :term:`PV` is not compatible with software versions used by
121the upstream software component releases and the CVE database, these can be fixed using
122the :term:`CVE_VERSION` variable.
123
124Note that if the CVE entries in the NVD database contain bugs or have missing or incomplete
125information, it is recommended to fix the information there directly instead of working
126around the issues possibly for a long time in Poky and OE-Core side recipes. Feedback to
127NVD about CVE entries can be provided through the `NVD contact form <https://nvd.nist.gov/info/contact-form>`__.
128
129Fixing vulnerabilities in recipes
130=================================
131
132If a CVE security issue impacts a software component, it can be fixed by updating to a newer
Patrick Williams2a254922023-08-11 09:48:11 -0500133version of the software component, by applying a patch or by marking it as patched via
134:term:`CVE_STATUS` variable flag. For Poky and OE-Core master branches, updating
Andrew Geissler517393d2023-01-13 08:55:19 -0600135to a newer software component release with fixes is the best option, but patches can be applied
136if releases are not yet available.
137
138For stable branches, it is preferred to apply patches for the issues. For some software
139components minor version updates can also be applied if they are backwards compatible.
140
141Here is an example of fixing CVE security issues with patch files,
142an example from the :oe_layerindex:`ffmpeg recipe</layerindex/recipe/47350>`::
143
144 SRC_URI = "https://www.ffmpeg.org/releases/${BP}.tar.xz \
145 file://0001-libavutil-include-assembly-with-full-path-from-sourc.patch \
146 file://fix-CVE-2020-20446.patch \
147 file://fix-CVE-2020-20453.patch \
148 file://fix-CVE-2020-22015.patch \
149 file://fix-CVE-2020-22021.patch \
150 file://fix-CVE-2020-22033-CVE-2020-22019.patch \
151 file://fix-CVE-2021-33815.patch \
152
153A good practice is to include the CVE identifier in both the patch file name
154and inside the patch file commit message using the format::
155
156 CVE: CVE-2020-22033
157
158CVE checker will then capture this information and change the CVE status to ``Patched``
159in the generated reports.
160
161If analysis shows that the CVE issue does not impact the recipe due to configuration, platform,
Patrick Williams2a254922023-08-11 09:48:11 -0500162version or other reasons, the CVE can be marked as ``Ignored`` by using
163the :term:`CVE_STATUS` variable flag with appropriate reason which is mapped to ``Ignored``.
Andrew Geissler517393d2023-01-13 08:55:19 -0600164As mentioned previously, if data in the CVE database is wrong, it is recommend to fix those
165issues in the CVE database directly.
166
167Recipes can be completely skipped by CVE check by including the recipe name in
168the :term:`CVE_CHECK_SKIP_RECIPE` variable.
169
170Implementation details
171======================
172
173Here's what the :ref:`ref-classes-cve-check` class does to find unpatched CVE IDs.
174
175First the code goes through each patch file provided by a recipe. If a valid CVE ID
176is found in the name of the file, the corresponding CVE is considered as patched.
177Don't forget that if multiple CVE IDs are found in the filename, only the last
178one is considered. Then, the code looks for ``CVE: CVE-ID`` lines in the patch
179file. The found CVE IDs are also considered as patched.
Patrick Williams2a254922023-08-11 09:48:11 -0500180Additionally ``CVE_STATUS`` variable flags are parsed for reasons mapped to ``Patched``
181and these are also considered as patched.
Andrew Geissler517393d2023-01-13 08:55:19 -0600182
183Then, the code looks up all the CVE IDs in the NIST database for all the
184products defined in :term:`CVE_PRODUCT`. Then, for each found CVE:
185
186- If the package name (:term:`PN`) is part of
187 :term:`CVE_CHECK_SKIP_RECIPE`, it is considered as ``Patched``.
188
Patrick Williams2a254922023-08-11 09:48:11 -0500189- If the CVE ID has status ``CVE_STATUS[<CVE ID>] = "ignored"`` or if it's set to
190 any reason which is mapped to status ``Ignored`` via ``CVE_CHECK_STATUSMAP``,
191 it is set as ``Ignored``.
Andrew Geissler517393d2023-01-13 08:55:19 -0600192
193- If the CVE ID is part of the patched CVE for the recipe, it is
194 already considered as ``Patched``.
195
196- Otherwise, the code checks whether the recipe version (:term:`PV`)
197 is within the range of versions impacted by the CVE. If so, the CVE
198 is considered as ``Unpatched``.
199
200The CVE database is stored in :term:`DL_DIR` and can be inspected using
201``sqlite3`` command as follows::
202
203 sqlite3 downloads/CVE_CHECK/nvdcve_1.1.db .dump | grep CVE-2021-37462
204
205When analyzing CVEs, it is recommended to:
206
207- study the latest information in `CVE database <https://nvd.nist.gov/vuln/search>`__.
208
209- check how upstream developers of the software component addressed the issue, e.g.
210 what patch was applied, which upstream release contains the fix.
211
212- check what other Linux distributions like `Debian <https://security-tracker.debian.org/tracker/>`__
213 did to analyze and address the issue.
214
215- follow security notices from other Linux distributions.
216
217- follow public `open source security mailing lists <https://oss-security.openwall.org/wiki/mailing-lists>`__ for
218 discussions and advance notifications of CVE bugs and software releases with fixes.
219