Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 737a9486ac03752ef198ba756ec1b13b225e25b3 / . / meta-security / meta-security-isafw / lib / isafw / isaplugins / ISA_cve_plugin.py
blob: 268aa45c5f9373bafabe557fcfde42692bbc706d [file] [log] [blame]
Andrew Geissler1fe918a2020-05-15 14:16:47 -0500[diff] [blame]1#
2# ISA_cve_plugin.py - CVE checker plugin, part of ISA FW
3#
4# Copyright (c) 2015 - 2016, Intel Corporation
5#
6# Redistribution and use in source and binary forms, with or without
7# modification, are permitted provided that the following conditions are met:
8#
9# * Redistributions of source code must retain the above copyright notice,
10# this list of conditions and the following disclaimer.
11# * Redistributions in binary form must reproduce the above copyright
12# notice, this list of conditions and the following disclaimer in the
13# documentation and/or other materials provided with the distribution.
14# * Neither the name of Intel Corporation nor the names of its contributors
15# may be used to endorse or promote products derived from this software
16# without specific prior written permission.
17#
18# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
19# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
20# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
21# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
22# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
23# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
24# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
25# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
26# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
27# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28
29import subprocess
30import os, sys
31import re
32
33CVEChecker = None
34pkglist = "/cve_check_tool_pkglist"
35
36
37class ISA_CVEChecker:
38 initialized = False
39
40 def __init__(self, ISA_config):
41 self.cacert = ISA_config.cacert
42 self.reportdir = ISA_config.reportdir
43 self.timestamp = ISA_config.timestamp
44 self.logfile = ISA_config.logdir + "/isafw_cvelog"
45 self.report_name = ISA_config.reportdir + "/cve_report_" + \
46 ISA_config.machine + "_" + ISA_config.timestamp
47 self.initialized = True
48 with open(self.logfile, 'a') as flog:
49 flog.write("\nPlugin ISA_CVEChecker initialized!\n")
50 output = ""
51 # check that cve-check-tool is installed
52
53 def process_package(self, ISA_pkg):
54 if (self.initialized):
55 if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files):
56 alias_pkgs_faux = []
57 # need to compose faux format line for cve-check-tool
58 cve_patch_info = self.process_patch_list(ISA_pkg.patch_files)
59 pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n"
60 if ISA_pkg.aliases:
61 for a in ISA_pkg.aliases:
62 alias_pkgs_faux.append(
63 a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n")
64 pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
65 with open(self.reportdir + pkglist_faux, 'a') as fauxfile:
66 fauxfile.write(pkgline_faux)
67 for a in alias_pkgs_faux:
68 fauxfile.write(a)
69
70 with open(self.logfile, 'a') as flog:
71 flog.write("\npkg info: " + pkgline_faux)
72 else:
73 self.initialized = False
74 with open(self.logfile, 'a') as flog:
75 flog.write(
76 "Mandatory arguments such as pkg name, version and list of patches are not provided!\n")
77 flog.write("Not performing the call.\n")
78 else:
79 with open(self.logfile, 'a') as flog:
80 flog.write(
81 "Plugin hasn't initialized! Not performing the call.\n")
82
83 def process_report(self):
84 if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"):
85 return
86 if (self.initialized):
87 with open(self.logfile, 'a') as flog:
88 flog.write("Creating report in HTML format.\n")
89 result = self.process_report_type("html")
90
91 with open(self.logfile, 'a') as flog:
92 flog.write("Creating report in CSV format.\n")
93 result = self.process_report_type("csv")
94
95 pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
96 os.remove(self.reportdir + pkglist_faux)
97
98 with open(self.logfile, 'a') as flog:
99 flog.write("Creating report in XML format.\n")
100 self.write_report_xml(result)
101
102 def write_report_xml(self, result):
103 try:
104 from lxml import etree
105 except ImportError:
106 try:
107 import xml.etree.cElementTree as etree
108 except ImportError:
109 import xml.etree.ElementTree as etree
110 num_tests = 0
111 root = etree.Element('testsuite', name='CVE_Plugin', tests='1')
112
113 if result :
114 num_tests = 1
115 tcase = etree.SubElement(
116 root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool")
117 etree.SubElement( tcase, 'failure', message=result, type='violation')
118 else:
119 with open(self.report_name + ".csv", 'r') as f:
120 for line in f:
121 num_tests += 1
122 line = line.strip()
123 line_sp = line.split(',', 2)
124 if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')):
125 tcase = etree.SubElement(
126 root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
127 etree.SubElement(
128 tcase, 'failure', message=line, type='violation')
129 else:
130 tcase = etree.SubElement(
131 root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0])
132
133 root.set('tests', str(num_tests))
134 tree = etree.ElementTree(root)
135 output = self.report_name + '.xml'
136 try:
137 tree.write(output, encoding='UTF-8',
138 pretty_print=True, xml_declaration=True)
139 except TypeError:
140 tree.write(output, encoding='UTF-8', xml_declaration=True)
141
142 def process_report_type(self, rtype):
143 # now faux file is ready and we can process it
144 args = ""
145 result = ""
146 tool_stderr_value = ""
147 args += "cve-check-tool "
148 if self.cacert:
149 args += "--cacert '%s' " % self.cacert
150 if rtype != "html":
151 args += "-c "
152 rtype = "csv"
153 pkglist_faux = pkglist + "_" + self.timestamp + ".faux"
154 args += "-a -t faux '" + self.reportdir + pkglist_faux + "'"
155 with open(self.logfile, 'a') as flog:
156 flog.write("Args: " + args)
157 try:
158 popen = subprocess.Popen(
159 args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
160 result = popen.communicate()
161 except:
162 tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info())
163 with open(self.logfile, 'a') as flog:
164 flog.write("Error in executing cve-check-tool: " +
165 str(sys.exc_info()))
166 else:
167 stdout_value = result[0]
168 tool_stderr_value = result[1].decode('utf-8')
169 if not tool_stderr_value and popen.returncode == 0:
170 report = self.report_name + "." + rtype
171 with open(report, 'wb') as freport:
172 freport.write(stdout_value)
173 else:
174 tool_stderr_value = tool_stderr_value + \
175 "\ncve-check-tool terminated with exit code " + str(popen.returncode)
176 return tool_stderr_value
177
178 def process_patch_list(self, patch_files):
179 patch_info = ""
180 for patch in patch_files:
181 patch1 = patch.partition("cve")
182 if (patch1[0] == patch):
183 # no cve substring, try CVE
184 patch1 = patch.partition("CVE")
185 if (patch1[0] == patch):
186 continue
187 patchstripped = patch1[2].split('-')
188 try:
189 patch_info += " CVE-" + \
190 patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0]
191 except IndexError:
192 # string parsing attempt failed, so just skip this patch
193 continue
194 return patch_info
195
196# ======== supported callbacks from ISA ============= #
197
198
199def init(ISA_config):
200 global CVEChecker
201 CVEChecker = ISA_CVEChecker(ISA_config)
202
203
204def getPluginName():
205 return "ISA_CVEChecker"
206
207
208def process_package(ISA_pkg):
209 global CVEChecker
210 return CVEChecker.process_package(ISA_pkg)
211
212
213def process_report():
214 global CVEChecker
215 return CVEChecker.process_report()
216
217# ==================================================== #