poky/meta/lib/oe/cve_check.py - openbmc/openbmc - Gitiles

 #
 # Copyright OpenEmbedded Contributors
 #
 # SPDX-License-Identifier: MIT
 #

 import collections
 import re
 import itertools
 import functools

 _Version = collections.namedtuple(
     "_Version", ["release", "patch_l", "pre_l", "pre_v"]
 )

 @functools.total_ordering
 class Version():

     def __init__(self, version, suffix=None):

         suffixes = ["alphabetical", "patch"]

         if str(suffix) == "alphabetical":
             version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
         elif str(suffix) == "patch":
             version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
         else:
             version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
         regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)

         match = regex.search(version)
         if not match:
             raise Exception("Invalid version: '{0}'".format(version))

         self._version = _Version(
             release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
             patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
             pre_l=match.group("pre_l"),
             pre_v=match.group("pre_v")
         )

         self._key = _cmpkey(
             self._version.release,
             self._version.patch_l,
             self._version.pre_l,
             self._version.pre_v
         )

     def __eq__(self, other):
         if not isinstance(other, Version):
             return NotImplemented
         return self._key == other._key

     def __gt__(self, other):
         if not isinstance(other, Version):
             return NotImplemented
         return self._key > other._key

 def _cmpkey(release, patch_l, pre_l, pre_v):
     # remove leading 0
     _release = tuple(
         reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
     )

     _patch = patch_l.upper()

     if pre_l is None and pre_v is None:
         _pre = float('inf')
     else:
         _pre = float(pre_v) if pre_v else float('-inf')
     return _release, _patch, _pre


 def get_patched_cves(d):
     """
     Get patches that solve CVEs using the "CVE: " tag.
     """

     import re
     import oe.patch

     pn = d.getVar("PN")
     cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")

     # Matches the last "CVE-YYYY-ID" in the file name, also if written
     # in lowercase. Possible to have multiple CVE IDs in a single
     # file name, but only the last one will be detected from the file name.
     # However, patch files contents addressing multiple CVE IDs are supported
     # (cve_match regular expression)

     cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")

     patched_cves = set()
     bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
     for url in oe.patch.src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]

         # Remote compressed patches may not be unpacked, so silently ignore them
         if not os.path.isfile(patch_file):
             bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
             continue

         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
         if fname_match:
             cve = fname_match.group(1).upper()
             patched_cves.add(cve)
             bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))

         with open(patch_file, "r", encoding="utf-8") as f:
             try:
                 patch_text = f.read()
             except UnicodeDecodeError:
                 bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
                         " trying with iso8859-1" %  patch_file)
                 f.close()
                 with open(patch_file, "r", encoding="iso8859-1") as f:
                     patch_text = f.read()

         # Search for one or more "CVE: " lines
         text_match = False
         for match in cve_match.finditer(patch_text):
             # Get only the CVEs without the "CVE: " tag
             cves = patch_text[match.start()+5:match.end()]
             for cve in cves.split():
                 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
                 patched_cves.add(cve)
                 text_match = True

         if not fname_match and not text_match:
             bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)

     # Search for additional patched CVEs
     for cve in (d.getVarFlags("CVE_STATUS") or {}):
         decoded_status, _, _ = decode_cve_status(d, cve)
         if decoded_status == "Patched":
             bb.debug(2, "CVE %s is additionally patched" % cve)
             patched_cves.add(cve)

     return patched_cves


 def get_cpe_ids(cve_product, version):
     """
     Get list of CPE identifiers for the given product and version
     """

     version = version.split("+git")[0]

     cpe_ids = []
     for product in cve_product.split():
         # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
         # use wildcard for vendor.
         if ":" in product:
             vendor, product = product.split(":", 1)
         else:
             vendor = "*"

         cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
         cpe_ids.append(cpe_id)

     return cpe_ids

 def cve_check_merge_jsons(output, data):
     """
     Merge the data in the "package" property to the main data file
     output
     """
     if output["version"] != data["version"]:
         bb.error("Version mismatch when merging JSON outputs")
         return

     for product in output["package"]:
         if product["name"] == data["package"][0]["name"]:
             bb.error("Error adding the same package twice")
             return

     output["package"].append(data["package"][0])

 def update_symlinks(target_path, link_path):
     """
     Update a symbolic link link_path to point to target_path.
     Remove the link and recreate it if exist and is different.
     """
     if link_path != target_path and os.path.exists(target_path):
         if os.path.exists(os.path.realpath(link_path)):
             os.remove(link_path)
         os.symlink(os.path.basename(target_path), link_path)


 def convert_cve_version(version):
     """
     This function converts from CVE format to Yocto version format.
     eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1

     Unless it is redefined using CVE_VERSION in the recipe,
     cve_check uses the version in the name of the recipe (${PV})
     to check vulnerabilities against a CVE in the database downloaded from NVD.

     When the version has an update, i.e.
     "p1" in OpenSSH 8.3p1,
     "-rc1" in linux kernel 6.2-rc1,
     the database stores the version as version_update (8.3_p1, 6.2_rc1).
     Therefore, we must transform this version before comparing to the
     recipe version.

     In this case, the parameter of the function is 8.3_p1.
     If the version uses the Release Candidate format, "rc",
     this function replaces the '_' by '-'.
     If the version uses the Update format, "p",
     this function removes the '_' completely.
     """
     import re

     matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)

     if not matches:
         return version

     version = matches.group(1)
     update = matches.group(2)

     if matches.group(3) == "rc":
         return version + '-' + update

     return version + update

 def decode_cve_status(d, cve):
     """
     Convert CVE_STATUS into status, detail and description.
     """
     status = d.getVarFlag("CVE_STATUS", cve)
     if status is None:
         return ("", "", "")

     status_split = status.split(':', 1)
     detail = status_split[0]
     description = status_split[1].strip() if (len(status_split) > 1) else ""

     status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
     if status_mapping is None:
         bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
         status_mapping = "Unpatched"

     return (status_mapping, detail, description)
	#
	# Copyright OpenEmbedded Contributors
	#
	# SPDX-License-Identifier: MIT
	#

	import collections
	import re
	import itertools
	import functools

	_Version = collections.namedtuple(
	"_Version", ["release", "patch_l", "pre_l", "pre_v"]
	)

	@functools.total_ordering
	class Version():

	def __init__(self, version, suffix=None):

	suffixes = ["alphabetical", "patch"]

	if str(suffix) == "alphabetical":
	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
	elif str(suffix) == "patch":
	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<patch>[-_\.]?(p\|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
	else:
	version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+))(?P<pre>[-_\.]?(?P<pre_l>(rc\|alpha\|beta\|pre\|preview\|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.)?"""
	regex = re.compile(r"^\s" + version_pattern + r"\s$", re.VERBOSE \| re.IGNORECASE)

	match = regex.search(version)
	if not match:
	raise Exception("Invalid version: '{0}'".format(version))

	self._version = _Version(
	release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
	patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
	pre_l=match.group("pre_l"),
	pre_v=match.group("pre_v")
	)

	self._key = _cmpkey(
	self._version.release,
	self._version.patch_l,
	self._version.pre_l,
	self._version.pre_v
	)

	def __eq__(self, other):
	if not isinstance(other, Version):
	return NotImplemented
	return self._key == other._key

	def __gt__(self, other):
	if not isinstance(other, Version):
	return NotImplemented
	return self._key > other._key

	def _cmpkey(release, patch_l, pre_l, pre_v):
	# remove leading 0
	_release = tuple(
	reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
	)

	_patch = patch_l.upper()

	if pre_l is None and pre_v is None:
	_pre = float('inf')
	else:
	_pre = float(pre_v) if pre_v else float('-inf')
	return _release, _patch, _pre


	def get_patched_cves(d):
	"""
	Get patches that solve CVEs using the "CVE: " tag.
	"""

	import re
	import oe.patch

	pn = d.getVar("PN")
	cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")

	# Matches the last "CVE-YYYY-ID" in the file name, also if written
	# in lowercase. Possible to have multiple CVE IDs in a single
	# file name, but only the last one will be detected from the file name.
	# However, patch files contents addressing multiple CVE IDs are supported
	# (cve_match regular expression)

	cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")

	patched_cves = set()
	bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
	for url in oe.patch.src_patches(d):
	patch_file = bb.fetch.decodeurl(url)[2]

	# Remote compressed patches may not be unpacked, so silently ignore them
	if not os.path.isfile(patch_file):
	bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
	continue

	# Check patch file name for CVE ID
	fname_match = cve_file_name_match.search(patch_file)
	if fname_match:
	cve = fname_match.group(1).upper()
	patched_cves.add(cve)
	bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))

	with open(patch_file, "r", encoding="utf-8") as f:
	try:
	patch_text = f.read()
	except UnicodeDecodeError:
	bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
	" trying with iso8859-1" % patch_file)
	f.close()
	with open(patch_file, "r", encoding="iso8859-1") as f:
	patch_text = f.read()

	# Search for one or more "CVE: " lines
	text_match = False
	for match in cve_match.finditer(patch_text):
	# Get only the CVEs without the "CVE: " tag
	cves = patch_text[match.start()+5:match.end()]
	for cve in cves.split():
	bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
	patched_cves.add(cve)
	text_match = True

	if not fname_match and not text_match:
	bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)

	# Search for additional patched CVEs
	for cve in (d.getVarFlags("CVE_STATUS") or {}):
	decoded_status, _, _ = decode_cve_status(d, cve)
	if decoded_status == "Patched":
	bb.debug(2, "CVE %s is additionally patched" % cve)
	patched_cves.add(cve)

	return patched_cves


	def get_cpe_ids(cve_product, version):
	"""
	Get list of CPE identifiers for the given product and version
	"""

	version = version.split("+git")[0]

	cpe_ids = []
	for product in cve_product.split():
	# CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
	# use wildcard for vendor.
	if ":" in product:
	vendor, product = product.split(":", 1)
	else:
	vendor = "*"

	cpe_id = 'cpe:2.3::{}:{}:{}:::::::'.format(vendor, product, version)
	cpe_ids.append(cpe_id)

	return cpe_ids

	def cve_check_merge_jsons(output, data):
	"""
	Merge the data in the "package" property to the main data file
	output
	"""
	if output["version"] != data["version"]:
	bb.error("Version mismatch when merging JSON outputs")
	return

	for product in output["package"]:
	if product["name"] == data["package"][0]["name"]:
	bb.error("Error adding the same package twice")
	return

	output["package"].append(data["package"][0])

	def update_symlinks(target_path, link_path):
	"""
	Update a symbolic link link_path to point to target_path.
	Remove the link and recreate it if exist and is different.
	"""
	if link_path != target_path and os.path.exists(target_path):
	if os.path.exists(os.path.realpath(link_path)):
	os.remove(link_path)
	os.symlink(os.path.basename(target_path), link_path)


	def convert_cve_version(version):
	"""
	This function converts from CVE format to Yocto version format.
	eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1

	Unless it is redefined using CVE_VERSION in the recipe,
	cve_check uses the version in the name of the recipe (${PV})
	to check vulnerabilities against a CVE in the database downloaded from NVD.

	When the version has an update, i.e.
	"p1" in OpenSSH 8.3p1,
	"-rc1" in linux kernel 6.2-rc1,
	the database stores the version as version_update (8.3_p1, 6.2_rc1).
	Therefore, we must transform this version before comparing to the
	recipe version.

	In this case, the parameter of the function is 8.3_p1.
	If the version uses the Release Candidate format, "rc",
	this function replaces the '_' by '-'.
	If the version uses the Update format, "p",
	this function removes the '_' completely.
	"""
	import re

	matches = re.match('^([0-9.]+)_((p\|rc)[0-9]+)$', version)

	if not matches:
	return version

	version = matches.group(1)
	update = matches.group(2)

	if matches.group(3) == "rc":
	return version + '-' + update

	return version + update

	def decode_cve_status(d, cve):
	"""
	Convert CVE_STATUS into status, detail and description.
	"""
	status = d.getVarFlag("CVE_STATUS", cve)
	if status is None:
	return ("", "", "")

	status_split = status.split(':', 1)
	detail = status_split[0]
	description = status_split[1].strip() if (len(status_split) > 1) else ""

	status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
	if status_mapping is None:
	bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
	status_mapping = "Unpatched"

	return (status_mapping, detail, description)