Brad Bishop | 96ff198 | 2019-08-19 13:50:42 -0400 | [diff] [blame^] | 1 | SUMMARY = "Updates the NVD CVE database" |
| 2 | LICENSE = "MIT" |
| 3 | |
| 4 | INHIBIT_DEFAULT_DEPS = "1" |
| 5 | |
| 6 | inherit native |
| 7 | |
| 8 | deltask do_unpack |
| 9 | deltask do_patch |
| 10 | deltask do_configure |
| 11 | deltask do_compile |
| 12 | deltask do_install |
| 13 | deltask do_populate_sysroot |
| 14 | |
| 15 | python () { |
| 16 | if not d.getVar("CVE_CHECK_DB_FILE"): |
| 17 | raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") |
| 18 | } |
| 19 | |
| 20 | python do_populate_cve_db() { |
| 21 | """ |
| 22 | Update NVD database with json data feed |
| 23 | """ |
| 24 | |
| 25 | import sqlite3, urllib, shutil, gzip |
| 26 | from datetime import date |
| 27 | |
| 28 | BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" |
| 29 | YEAR_START = 2002 |
| 30 | |
| 31 | db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK') |
| 32 | db_file = os.path.join(db_dir, 'nvdcve_1.0.db') |
| 33 | json_tmpfile = os.path.join(db_dir, 'nvd.json.gz') |
| 34 | proxy = d.getVar("https_proxy") |
| 35 | cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') |
| 36 | |
| 37 | if not os.path.isdir(db_dir): |
| 38 | os.mkdir(db_dir) |
| 39 | |
| 40 | # Connect to database |
| 41 | conn = sqlite3.connect(db_file) |
| 42 | c = conn.cursor() |
| 43 | |
| 44 | initialize_db(c) |
| 45 | |
| 46 | for year in range(YEAR_START, date.today().year + 1): |
| 47 | year_url = BASE_URL + str(year) |
| 48 | meta_url = year_url + ".meta" |
| 49 | json_url = year_url + ".json.gz" |
| 50 | |
| 51 | # Retrieve meta last modified date |
| 52 | req = urllib.request.Request(meta_url) |
| 53 | if proxy: |
| 54 | req.set_proxy(proxy, 'https') |
| 55 | with urllib.request.urlopen(req) as r: |
| 56 | for l in r.read().decode("utf-8").splitlines(): |
| 57 | key, value = l.split(":", 1) |
| 58 | if key == "lastModifiedDate": |
| 59 | last_modified = value |
| 60 | break |
| 61 | else: |
| 62 | bb.warn("Cannot parse CVE metadata, update failed") |
| 63 | return |
| 64 | |
| 65 | # Compare with current db last modified date |
| 66 | c.execute("select DATE from META where YEAR = ?", (year,)) |
| 67 | meta = c.fetchone() |
| 68 | if not meta or meta[0] != last_modified: |
| 69 | # Clear products table entries corresponding to current year |
| 70 | c.execute("delete from PRODUCTS where ID like ?", ('CVE-%d%%' % year,)) |
| 71 | |
| 72 | # Update db with current year json file |
| 73 | try: |
| 74 | req = urllib.request.Request(json_url) |
| 75 | if proxy: |
| 76 | req.set_proxy(proxy, 'https') |
| 77 | with urllib.request.urlopen(req) as r: |
| 78 | update_db(c, gzip.decompress(r.read())) |
| 79 | c.execute("insert or replace into META values (?, ?)", [year, last_modified]) |
| 80 | except urllib.error.URLError as e: |
| 81 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') |
| 82 | bb.warn("Cannot parse CVE data (%s), update failed" % e.reason) |
| 83 | return |
| 84 | |
| 85 | # Update success, set the date to cve_check file. |
| 86 | if year == date.today().year: |
| 87 | cve_f.write('CVE database update : %s\n\n' % date.today()) |
| 88 | |
| 89 | cve_f.close() |
| 90 | conn.commit() |
| 91 | conn.close() |
| 92 | } |
| 93 | |
| 94 | def initialize_db(c): |
| 95 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") |
| 96 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ |
| 97 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") |
| 98 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ |
| 99 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ |
| 100 | VERSION_END TEXT, OPERATOR_END TEXT)") |
| 101 | |
| 102 | def parse_node_and_insert(c, node, cveId): |
| 103 | # Parse children node if needed |
| 104 | for child in node.get('children', ()): |
| 105 | parse_node_and_insert(c, child, cveId) |
| 106 | |
| 107 | def cpe_generator(): |
| 108 | for cpe in node.get('cpe_match', ()): |
| 109 | if not cpe['vulnerable']: |
| 110 | return |
| 111 | cpe23 = cpe['cpe23Uri'].split(':') |
| 112 | vendor = cpe23[3] |
| 113 | product = cpe23[4] |
| 114 | version = cpe23[5] |
| 115 | |
| 116 | if version != '*': |
| 117 | # Version is defined, this is a '=' match |
| 118 | yield [cveId, vendor, product, version, '=', '', ''] |
| 119 | else: |
| 120 | # Parse start version, end version and operators |
| 121 | op_start = '' |
| 122 | op_end = '' |
| 123 | v_start = '' |
| 124 | v_end = '' |
| 125 | |
| 126 | if 'versionStartIncluding' in cpe: |
| 127 | op_start = '>=' |
| 128 | v_start = cpe['versionStartIncluding'] |
| 129 | |
| 130 | if 'versionStartExcluding' in cpe: |
| 131 | op_start = '>' |
| 132 | v_start = cpe['versionStartExcluding'] |
| 133 | |
| 134 | if 'versionEndIncluding' in cpe: |
| 135 | op_end = '<=' |
| 136 | v_end = cpe['versionEndIncluding'] |
| 137 | |
| 138 | if 'versionEndExcluding' in cpe: |
| 139 | op_end = '<' |
| 140 | v_end = cpe['versionEndExcluding'] |
| 141 | |
| 142 | yield [cveId, vendor, product, v_start, op_start, v_end, op_end] |
| 143 | |
| 144 | c.executemany("insert into PRODUCTS values (?, ?, ?, ?, ?, ?, ?)", cpe_generator()) |
| 145 | |
| 146 | def update_db(c, jsondata): |
| 147 | import json |
| 148 | root = json.loads(jsondata) |
| 149 | |
| 150 | for elt in root['CVE_Items']: |
| 151 | if not elt['impact']: |
| 152 | continue |
| 153 | |
| 154 | cveId = elt['cve']['CVE_data_meta']['ID'] |
| 155 | cveDesc = elt['cve']['description']['description_data'][0]['value'] |
| 156 | date = elt['lastModifiedDate'] |
| 157 | accessVector = elt['impact']['baseMetricV2']['cvssV2']['accessVector'] |
| 158 | cvssv2 = elt['impact']['baseMetricV2']['cvssV2']['baseScore'] |
| 159 | |
| 160 | try: |
| 161 | cvssv3 = elt['impact']['baseMetricV3']['cvssV3']['baseScore'] |
| 162 | except: |
| 163 | cvssv3 = 0.0 |
| 164 | |
| 165 | c.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", |
| 166 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]) |
| 167 | |
| 168 | configurations = elt['configurations']['nodes'] |
| 169 | for config in configurations: |
| 170 | parse_node_and_insert(c, config, cveId) |
| 171 | |
| 172 | |
| 173 | addtask do_populate_cve_db before do_fetch |
| 174 | do_populate_cve_db[nostamp] = "1" |
| 175 | |
| 176 | EXCLUDE_FROM_WORLD = "1" |