Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 1 | SUMMARY = "Updates the NVD CVE database" |
| 2 | LICENSE = "MIT" |
| 3 | |
| 4 | INHIBIT_DEFAULT_DEPS = "1" |
| 5 | |
| 6 | inherit native |
| 7 | |
| 8 | deltask do_unpack |
| 9 | deltask do_patch |
| 10 | deltask do_configure |
| 11 | deltask do_compile |
| 12 | deltask do_install |
| 13 | deltask do_populate_sysroot |
| 14 | |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 15 | NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-" |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 16 | # CVE database update interval, in seconds. By default: once a day (24*60*60). |
| 17 | # Use 0 to force the update |
Andrew Geissler | 78b7279 | 2022-06-14 06:47:25 -0500 | [diff] [blame] | 18 | # Use a negative value to skip the update |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 19 | CVE_DB_UPDATE_INTERVAL ?= "86400" |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 20 | |
Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | [diff] [blame] | 21 | # Timeout for blocking socket operations, such as the connection attempt. |
| 22 | CVE_SOCKET_TIMEOUT ?= "60" |
| 23 | |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 24 | CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_1.1.db" |
| 25 | |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 26 | python () { |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 27 | if not bb.data.inherits_class("cve-check", d): |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 28 | raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") |
| 29 | } |
| 30 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 31 | python do_fetch() { |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 32 | """ |
| 33 | Update NVD database with json data feed |
| 34 | """ |
Brad Bishop | 6dbb316 | 2019-11-25 09:41:34 -0500 | [diff] [blame] | 35 | import bb.utils |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 36 | import bb.progress |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 37 | import shutil |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 38 | |
Brad Bishop | 6dbb316 | 2019-11-25 09:41:34 -0500 | [diff] [blame] | 39 | bb.utils.export_proxies(d) |
| 40 | |
Brad Bishop | 6dbb316 | 2019-11-25 09:41:34 -0500 | [diff] [blame] | 41 | db_file = d.getVar("CVE_CHECK_DB_FILE") |
| 42 | db_dir = os.path.dirname(db_file) |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 43 | db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 44 | |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 45 | cleanup_db_download(db_file, db_tmp_file) |
Brad Bishop | 08902b0 | 2019-08-20 09:16:51 -0400 | [diff] [blame] | 46 | |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 47 | # The NVD database changes once a day, so no need to update more frequently |
| 48 | # Allow the user to force-update |
Brad Bishop | 1d80a2e | 2019-11-15 16:35:03 -0500 | [diff] [blame] | 49 | try: |
| 50 | import time |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 51 | update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL")) |
Andrew Geissler | 78b7279 | 2022-06-14 06:47:25 -0500 | [diff] [blame] | 52 | if update_interval < 0: |
| 53 | bb.note("CVE database update skipped") |
| 54 | return |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 55 | if time.time() - os.path.getmtime(db_file) < update_interval: |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 56 | bb.debug(2, "Recently updated, skipping") |
Brad Bishop | 1d80a2e | 2019-11-15 16:35:03 -0500 | [diff] [blame] | 57 | return |
Andrew Geissler | d583833 | 2022-05-27 11:33:10 -0500 | [diff] [blame] | 58 | |
Brad Bishop | 1d80a2e | 2019-11-15 16:35:03 -0500 | [diff] [blame] | 59 | except OSError: |
| 60 | pass |
| 61 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 62 | bb.utils.mkdirhier(db_dir) |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 63 | if os.path.exists(db_file): |
| 64 | shutil.copy2(db_file, db_tmp_file) |
| 65 | |
| 66 | if update_db_file(db_tmp_file, d) == True: |
| 67 | # Update downloaded correctly, can swap files |
| 68 | shutil.move(db_tmp_file, db_file) |
| 69 | else: |
| 70 | # Update failed, do not modify the database |
| 71 | bb.note("CVE database update failed") |
| 72 | os.remove(db_tmp_file) |
| 73 | } |
| 74 | |
| 75 | do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" |
| 76 | do_fetch[file-checksums] = "" |
| 77 | do_fetch[vardeps] = "" |
| 78 | |
| 79 | def cleanup_db_download(db_file, db_tmp_file): |
| 80 | """ |
| 81 | Cleanup the download space from possible failed downloads |
| 82 | """ |
| 83 | |
| 84 | # Clean up the updates done on the main file |
| 85 | # Remove it only if a journal file exists - it means a complete re-download |
| 86 | if os.path.exists("{0}-journal".format(db_file)): |
| 87 | # If a journal is present the last update might have been interrupted. In that case, |
| 88 | # just wipe any leftovers and force the DB to be recreated. |
| 89 | os.remove("{0}-journal".format(db_file)) |
| 90 | |
| 91 | if os.path.exists(db_file): |
| 92 | os.remove(db_file) |
| 93 | |
| 94 | # Clean-up the temporary file downloads, we can remove both journal |
| 95 | # and the temporary database |
| 96 | if os.path.exists("{0}-journal".format(db_tmp_file)): |
| 97 | # If a journal is present the last update might have been interrupted. In that case, |
| 98 | # just wipe any leftovers and force the DB to be recreated. |
| 99 | os.remove("{0}-journal".format(db_tmp_file)) |
| 100 | |
| 101 | if os.path.exists(db_tmp_file): |
| 102 | os.remove(db_tmp_file) |
| 103 | |
| 104 | def update_db_file(db_tmp_file, d): |
| 105 | """ |
| 106 | Update the given database file |
| 107 | """ |
| 108 | import bb.utils, bb.progress |
| 109 | from datetime import date |
| 110 | import urllib, gzip, sqlite3 |
| 111 | |
| 112 | YEAR_START = 2002 |
| 113 | cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT")) |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 114 | |
| 115 | # Connect to database |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 116 | conn = sqlite3.connect(db_tmp_file) |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 117 | initialize_db(conn) |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 118 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 119 | with bb.progress.ProgressHandler(d) as ph, open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') as cve_f: |
| 120 | total_years = date.today().year + 1 - YEAR_START |
| 121 | for i, year in enumerate(range(YEAR_START, date.today().year + 1)): |
| 122 | bb.debug(2, "Updating %d" % year) |
| 123 | ph.update((float(i + 1) / total_years) * 100) |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 124 | year_url = (d.getVar('NVDCVE_URL')) + str(year) |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 125 | meta_url = year_url + ".meta" |
| 126 | json_url = year_url + ".json.gz" |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 127 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 128 | # Retrieve meta last modified date |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 129 | try: |
Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | [diff] [blame] | 130 | response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout) |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 131 | except urllib.error.URLError as e: |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 132 | cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') |
| 133 | bb.warn("Failed to fetch CVE data (%s)" % e.reason) |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 134 | return False |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 135 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 136 | if response: |
| 137 | for l in response.read().decode("utf-8").splitlines(): |
| 138 | key, value = l.split(":", 1) |
| 139 | if key == "lastModifiedDate": |
| 140 | last_modified = value |
| 141 | break |
| 142 | else: |
| 143 | bb.warn("Cannot parse CVE metadata, update failed") |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 144 | return False |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 145 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 146 | # Compare with current db last modified date |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 147 | cursor = conn.execute("select DATE from META where YEAR = ?", (year,)) |
| 148 | meta = cursor.fetchone() |
| 149 | cursor.close() |
| 150 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 151 | if not meta or meta[0] != last_modified: |
| 152 | bb.debug(2, "Updating entries") |
| 153 | # Clear products table entries corresponding to current year |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 154 | conn.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)).close() |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 155 | |
| 156 | # Update db with current year json file |
| 157 | try: |
Patrick Williams | 2390b1b | 2022-11-03 13:47:49 -0500 | [diff] [blame] | 158 | response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout) |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 159 | if response: |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 160 | update_db(conn, gzip.decompress(response.read()).decode('utf-8')) |
| 161 | conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 162 | except urllib.error.URLError as e: |
| 163 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') |
| 164 | bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 165 | return False |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 166 | else: |
| 167 | bb.debug(2, "Already up to date (last modified %s)" % last_modified) |
| 168 | # Update success, set the date to cve_check file. |
| 169 | if year == date.today().year: |
| 170 | cve_f.write('CVE database update : %s\n\n' % date.today()) |
| 171 | |
| 172 | conn.commit() |
| 173 | conn.close() |
Andrew Geissler | 517393d | 2023-01-13 08:55:19 -0600 | [diff] [blame] | 174 | return True |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 175 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 176 | def initialize_db(conn): |
| 177 | with conn: |
| 178 | c = conn.cursor() |
Brad Bishop | 6dbb316 | 2019-11-25 09:41:34 -0500 | [diff] [blame] | 179 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 180 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") |
Brad Bishop | 6dbb316 | 2019-11-25 09:41:34 -0500 | [diff] [blame] | 181 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 182 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ |
| 183 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 184 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 185 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ |
| 186 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ |
| 187 | VERSION_END TEXT, OPERATOR_END TEXT)") |
| 188 | c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);") |
| 189 | |
| 190 | c.close() |
| 191 | |
| 192 | def parse_node_and_insert(conn, node, cveId): |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 193 | # Parse children node if needed |
| 194 | for child in node.get('children', ()): |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 195 | parse_node_and_insert(conn, child, cveId) |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 196 | |
| 197 | def cpe_generator(): |
| 198 | for cpe in node.get('cpe_match', ()): |
| 199 | if not cpe['vulnerable']: |
| 200 | return |
Andrew Geissler | c926e17 | 2021-05-07 16:11:35 -0500 | [diff] [blame] | 201 | cpe23 = cpe.get('cpe23Uri') |
| 202 | if not cpe23: |
| 203 | return |
| 204 | cpe23 = cpe23.split(':') |
| 205 | if len(cpe23) < 6: |
| 206 | return |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 207 | vendor = cpe23[3] |
| 208 | product = cpe23[4] |
| 209 | version = cpe23[5] |
| 210 | |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 211 | if cpe23[6] == '*' or cpe23[6] == '-': |
| 212 | version_suffix = "" |
| 213 | else: |
| 214 | version_suffix = "_" + cpe23[6] |
| 215 | |
Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 216 | if version != '*' and version != '-': |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 217 | # Version is defined, this is a '=' match |
Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 218 | yield [cveId, vendor, product, version + version_suffix, '=', '', ''] |
Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 219 | elif version == '-': |
| 220 | # no version information is available |
| 221 | yield [cveId, vendor, product, version, '', '', ''] |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 222 | else: |
| 223 | # Parse start version, end version and operators |
| 224 | op_start = '' |
| 225 | op_end = '' |
| 226 | v_start = '' |
| 227 | v_end = '' |
| 228 | |
| 229 | if 'versionStartIncluding' in cpe: |
| 230 | op_start = '>=' |
| 231 | v_start = cpe['versionStartIncluding'] |
| 232 | |
| 233 | if 'versionStartExcluding' in cpe: |
| 234 | op_start = '>' |
| 235 | v_start = cpe['versionStartExcluding'] |
| 236 | |
| 237 | if 'versionEndIncluding' in cpe: |
| 238 | op_end = '<=' |
| 239 | v_end = cpe['versionEndIncluding'] |
| 240 | |
| 241 | if 'versionEndExcluding' in cpe: |
| 242 | op_end = '<' |
| 243 | v_end = cpe['versionEndExcluding'] |
| 244 | |
Andrew Geissler | 6ce62a2 | 2020-11-30 19:58:47 -0600 | [diff] [blame] | 245 | if op_start or op_end or v_start or v_end: |
| 246 | yield [cveId, vendor, product, v_start, op_start, v_end, op_end] |
| 247 | else: |
| 248 | # This is no version information, expressed differently. |
| 249 | # Save processing by representing as -. |
| 250 | yield [cveId, vendor, product, '-', '', '', ''] |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 251 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 252 | conn.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()).close() |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 253 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 254 | def update_db(conn, jsondata): |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 255 | import json |
| 256 | root = json.loads(jsondata) |
| 257 | |
| 258 | for elt in root['CVE_Items']: |
| 259 | if not elt['impact']: |
| 260 | continue |
| 261 | |
Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame] | 262 | accessVector = None |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 263 | cveId = elt['cve']['CVE_data_meta']['ID'] |
| 264 | cveDesc = elt['cve']['description']['description_data'][0]['value'] |
| 265 | date = elt['lastModifiedDate'] |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 266 | try: |
Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame] | 267 | accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector'] |
| 268 | cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore'] |
| 269 | except KeyError: |
| 270 | cvssv2 = 0.0 |
| 271 | try: |
| 272 | accessVector = accessVector or elt['impact']['baseMetricV3']['cvssV3']['attackVector'] |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 273 | cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] |
Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame] | 274 | except KeyError: |
| 275 | accessVector = accessVector or "UNKNOWN" |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 276 | cvssv3 = 0.0 |
| 277 | |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 278 | conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", |
| 279 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 280 | |
| 281 | configurations = elt['configurations']['nodes'] |
| 282 | for config in configurations: |
Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame] | 283 | parse_node_and_insert(conn, config, cveId) |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 284 | |
| 285 | |
Andrew Geissler | c9f7865 | 2020-09-18 14:11:35 -0500 | [diff] [blame] | 286 | do_fetch[nostamp] = "1" |
Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame] | 287 | |
| 288 | EXCLUDE_FROM_WORLD = "1" |