| Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 1 | import collections |
| 2 | import re |
| 3 | import itertools |
| 4 | import functools |
| 5 | |
| 6 | _Version = collections.namedtuple( |
| 7 | "_Version", ["release", "patch_l", "pre_l", "pre_v"] |
| 8 | ) |
| 9 | |
| 10 | @functools.total_ordering |
| 11 | class Version(): |
| 12 | |
| 13 | def __init__(self, version, suffix=None): |
| Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 14 | |
| 15 | suffixes = ["alphabetical", "patch"] |
| 16 | |
| Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 17 | if str(suffix) == "alphabetical": |
| 18 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
| Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 19 | elif str(suffix) == "patch": |
| 20 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
| Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 21 | else: |
| 22 | version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" |
| 23 | regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) |
| 24 | |
| 25 | match = regex.search(version) |
| 26 | if not match: |
| 27 | raise Exception("Invalid version: '{0}'".format(version)) |
| 28 | |
| 29 | self._version = _Version( |
| 30 | release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), |
| Andrew Geissler | 95ac1b8 | 2021-03-31 14:34:31 -0500 | [diff] [blame] | 31 | patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", |
| Andrew Geissler | d1e8949 | 2021-02-12 15:35:20 -0600 | [diff] [blame] | 32 | pre_l=match.group("pre_l"), |
| 33 | pre_v=match.group("pre_v") |
| 34 | ) |
| 35 | |
| 36 | self._key = _cmpkey( |
| 37 | self._version.release, |
| 38 | self._version.patch_l, |
| 39 | self._version.pre_l, |
| 40 | self._version.pre_v |
| 41 | ) |
| 42 | |
| 43 | def __eq__(self, other): |
| 44 | if not isinstance(other, Version): |
| 45 | return NotImplemented |
| 46 | return self._key == other._key |
| 47 | |
| 48 | def __gt__(self, other): |
| 49 | if not isinstance(other, Version): |
| 50 | return NotImplemented |
| 51 | return self._key > other._key |
| 52 | |
| 53 | def _cmpkey(release, patch_l, pre_l, pre_v): |
| 54 | # remove leading 0 |
| 55 | _release = tuple( |
| 56 | reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release)))) |
| 57 | ) |
| 58 | |
| 59 | _patch = patch_l.upper() |
| 60 | |
| 61 | if pre_l is None and pre_v is None: |
| 62 | _pre = float('inf') |
| 63 | else: |
| 64 | _pre = float(pre_v) if pre_v else float('-inf') |
| 65 | return _release, _patch, _pre |
| Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 66 | |
| 67 | |
| 68 | def get_patched_cves(d): |
| 69 | """ |
| 70 | Get patches that solve CVEs using the "CVE: " tag. |
| 71 | """ |
| 72 | |
| 73 | import re |
| 74 | import oe.patch |
| 75 | |
| 76 | pn = d.getVar("PN") |
| 77 | cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") |
| 78 | |
| 79 | # Matches the last "CVE-YYYY-ID" in the file name, also if written |
| 80 | # in lowercase. Possible to have multiple CVE IDs in a single |
| 81 | # file name, but only the last one will be detected from the file name. |
| 82 | # However, patch files contents addressing multiple CVE IDs are supported |
| 83 | # (cve_match regular expression) |
| 84 | |
| 85 | cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") |
| 86 | |
| 87 | patched_cves = set() |
| 88 | bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) |
| 89 | for url in oe.patch.src_patches(d): |
| 90 | patch_file = bb.fetch.decodeurl(url)[2] |
| 91 | |
| Patrick Williams | 03907ee | 2022-05-01 06:28:52 -0500 | [diff] [blame] | 92 | # Remote compressed patches may not be unpacked, so silently ignore them |
| Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 93 | if not os.path.isfile(patch_file): |
| Patrick Williams | 03907ee | 2022-05-01 06:28:52 -0500 | [diff] [blame] | 94 | bb.warn("%s does not exist, cannot extract CVE list" % patch_file) |
| 95 | continue |
| Patrick Williams | 0ca19cc | 2021-08-16 14:03:13 -0500 | [diff] [blame] | 96 | |
| 97 | # Check patch file name for CVE ID |
| 98 | fname_match = cve_file_name_match.search(patch_file) |
| 99 | if fname_match: |
| 100 | cve = fname_match.group(1).upper() |
| 101 | patched_cves.add(cve) |
| 102 | bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) |
| 103 | |
| 104 | with open(patch_file, "r", encoding="utf-8") as f: |
| 105 | try: |
| 106 | patch_text = f.read() |
| 107 | except UnicodeDecodeError: |
| 108 | bb.debug(1, "Failed to read patch %s using UTF-8 encoding" |
| 109 | " trying with iso8859-1" % patch_file) |
| 110 | f.close() |
| 111 | with open(patch_file, "r", encoding="iso8859-1") as f: |
| 112 | patch_text = f.read() |
| 113 | |
| 114 | # Search for one or more "CVE: " lines |
| 115 | text_match = False |
| 116 | for match in cve_match.finditer(patch_text): |
| 117 | # Get only the CVEs without the "CVE: " tag |
| 118 | cves = patch_text[match.start()+5:match.end()] |
| 119 | for cve in cves.split(): |
| 120 | bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) |
| 121 | patched_cves.add(cve) |
| 122 | text_match = True |
| 123 | |
| 124 | if not fname_match and not text_match: |
| 125 | bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) |
| 126 | |
| 127 | return patched_cves |
| 128 | |
| 129 | |
| 130 | def get_cpe_ids(cve_product, version): |
| 131 | """ |
| 132 | Get list of CPE identifiers for the given product and version |
| 133 | """ |
| 134 | |
| 135 | version = version.split("+git")[0] |
| 136 | |
| 137 | cpe_ids = [] |
| 138 | for product in cve_product.split(): |
| 139 | # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, |
| 140 | # use wildcard for vendor. |
| 141 | if ":" in product: |
| 142 | vendor, product = product.split(":", 1) |
| 143 | else: |
| 144 | vendor = "*" |
| 145 | |
| 146 | cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' |
| 147 | cpe_ids.append(cpe_id) |
| 148 | |
| 149 | return cpe_ids |
| Andrew Geissler | 9aee500 | 2022-03-30 16:27:02 +0000 | [diff] [blame] | 150 | |
| 151 | def cve_check_merge_jsons(output, data): |
| 152 | """ |
| 153 | Merge the data in the "package" property to the main data file |
| 154 | output |
| 155 | """ |
| 156 | if output["version"] != data["version"]: |
| 157 | bb.error("Version mismatch when merging JSON outputs") |
| 158 | return |
| 159 | |
| 160 | for product in output["package"]: |
| 161 | if product["name"] == data["package"][0]["name"]: |
| 162 | bb.error("Error adding the same package twice") |
| 163 | return |
| 164 | |
| 165 | output["package"].append(data["package"][0]) |
| Andrew Geissler | 78b7279 | 2022-06-14 06:47:25 -0500 | [diff] [blame^] | 166 | |
| 167 | def update_symlinks(target_path, link_path): |
| 168 | """ |
| 169 | Update a symbolic link link_path to point to target_path. |
| 170 | Remove the link and recreate it if exist and is different. |
| 171 | """ |
| 172 | if link_path != target_path and os.path.exists(target_path): |
| 173 | if os.path.exists(os.path.realpath(link_path)): |
| 174 | os.remove(link_path) |
| 175 | os.symlink(os.path.basename(target_path), link_path) |