blob: 522fd23807475aab2c0c636e78097482b16ad4b5 [file] [log] [blame]
SUMMARY = "Updates the NVD CVE database"
LICENSE = "MIT"
INHIBIT_DEFAULT_DEPS = "1"
PACKAGES = ""
inherit nopackages
deltask do_fetch
deltask do_unpack
deltask do_patch
deltask do_configure
deltask do_compile
deltask do_install
deltask do_populate_sysroot
python do_populate_cve_db() {
"""
Update NVD database with json data feed
"""
import sqlite3, urllib3, shutil, gzip, re
from datetime import date
BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
YEAR_START = 2002
JSON_TMPFILE = d.getVar("CVE_CHECK_DB_DIR") + '/nvd.json.gz'
# Connect to database
db_file = d.getVar("CVE_CHECK_DB_FILE")
conn = sqlite3.connect(db_file)
c = conn.cursor()
initialize_db(c)
http = urllib3.PoolManager()
for year in range(YEAR_START, date.today().year + 1):
year_url = BASE_URL + str(year)
meta_url = year_url + ".meta"
json_url = year_url + ".json.gz"
# Retrieve meta last modified date
with http.request('GET', meta_url, preload_content=False) as r:
date_line = str(r.data.splitlines()[0])
last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
# Compare with current db last modified date
c.execute("select DATE from META where YEAR = '%d'" % year)
meta = c.fetchone()
if not meta or meta[0] != last_modified:
# Update db with current year json file
with http.request('GET', json_url, preload_content=False) as r, open(JSON_TMPFILE, 'wb') as tmpfile:
shutil.copyfileobj(r, tmpfile)
with gzip.open(JSON_TMPFILE, 'rt') as jsonfile:
update_db(c, jsonfile)
c.execute("insert or replace into META values (?, ?)",
[year, last_modified])
conn.commit()
conn.close()
with open(d.getVar("CVE_CHECK_TMP_FILE"), 'a'):
os.utime(d.getVar("CVE_CHECK_TMP_FILE"), None)
}
# DJB2 hash algorithm
def hash_djb2(s):
hash = 5381
for x in s:
hash = (( hash << 5) + hash) + ord(x)
return hash & 0xFFFFFFFF
def initialize_db(c):
c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (HASH INTEGER UNIQUE, ID TEXT, \
VENDOR TEXT, PRODUCT TEXT, VERSION TEXT, OPERATOR TEXT)")
c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_IDX ON PRODUCTS \
(PRODUCT, VERSION)")
def update_db(c, json_filename):
import json
root = json.load(json_filename)
for elt in root['CVE_Items']:
if not elt['impact']:
continue
cveId = elt['cve']['CVE_data_meta']['ID']
cveDesc = elt['cve']['description']['description_data'][0]['value']
date = elt['lastModifiedDate']
accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector']
cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore']
try:
cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore']
except:
cvssv3 = 0.0
c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
[cveId, cveDesc, cvssv2, cvssv3, date, accessVector])
for vendor in elt['cve']['affects']['vendor']['vendor_data']:
for product in vendor['product']['product_data']:
for version in product['version']['version_data']:
product_str = cveId+vendor['vendor_name']+product['product_name']+version['version_value']
hashstr = hash_djb2(product_str)
c.execute("insert or replace into PRODUCTS values (?, ?, ?, ?, ?, ?)",
[ hashstr, cveId, vendor['vendor_name'],
product['product_name'], version['version_value'],
version['version_affected']])
addtask do_populate_cve_db before do_cve_check
do_populate_cve_db[nostamp] = "1"
EXCLUDE_FROM_WORLD = "1"