Andrew Geissler | 1fe918a | 2020-05-15 14:16:47 -0500 | [diff] [blame] | 1 | # |
| 2 | # ISA_cve_plugin.py - CVE checker plugin, part of ISA FW |
| 3 | # |
| 4 | # Copyright (c) 2015 - 2016, Intel Corporation |
| 5 | # |
| 6 | # Redistribution and use in source and binary forms, with or without |
| 7 | # modification, are permitted provided that the following conditions are met: |
| 8 | # |
| 9 | # * Redistributions of source code must retain the above copyright notice, |
| 10 | # this list of conditions and the following disclaimer. |
| 11 | # * Redistributions in binary form must reproduce the above copyright |
| 12 | # notice, this list of conditions and the following disclaimer in the |
| 13 | # documentation and/or other materials provided with the distribution. |
| 14 | # * Neither the name of Intel Corporation nor the names of its contributors |
| 15 | # may be used to endorse or promote products derived from this software |
| 16 | # without specific prior written permission. |
| 17 | # |
| 18 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" |
| 19 | # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 20 | # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| 21 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE |
| 22 | # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 23 | # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
| 24 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
| 25 | # CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| 26 | # OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 27 | # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 28 | |
| 29 | import subprocess |
| 30 | import os, sys |
| 31 | import re |
| 32 | |
| 33 | CVEChecker = None |
| 34 | pkglist = "/cve_check_tool_pkglist" |
| 35 | |
| 36 | |
| 37 | class ISA_CVEChecker: |
| 38 | initialized = False |
| 39 | |
| 40 | def __init__(self, ISA_config): |
| 41 | self.cacert = ISA_config.cacert |
| 42 | self.reportdir = ISA_config.reportdir |
| 43 | self.timestamp = ISA_config.timestamp |
| 44 | self.logfile = ISA_config.logdir + "/isafw_cvelog" |
| 45 | self.report_name = ISA_config.reportdir + "/cve_report_" + \ |
| 46 | ISA_config.machine + "_" + ISA_config.timestamp |
| 47 | self.initialized = True |
| 48 | with open(self.logfile, 'a') as flog: |
| 49 | flog.write("\nPlugin ISA_CVEChecker initialized!\n") |
| 50 | output = "" |
| 51 | # check that cve-check-tool is installed |
| 52 | |
| 53 | def process_package(self, ISA_pkg): |
| 54 | if (self.initialized): |
| 55 | if (ISA_pkg.name and ISA_pkg.version and ISA_pkg.patch_files): |
| 56 | alias_pkgs_faux = [] |
| 57 | # need to compose faux format line for cve-check-tool |
| 58 | cve_patch_info = self.process_patch_list(ISA_pkg.patch_files) |
| 59 | pkgline_faux = ISA_pkg.name + "," + ISA_pkg.version + "," + cve_patch_info + ",\n" |
| 60 | if ISA_pkg.aliases: |
| 61 | for a in ISA_pkg.aliases: |
| 62 | alias_pkgs_faux.append( |
| 63 | a + "," + ISA_pkg.version + "," + cve_patch_info + ",\n") |
| 64 | pkglist_faux = pkglist + "_" + self.timestamp + ".faux" |
| 65 | with open(self.reportdir + pkglist_faux, 'a') as fauxfile: |
| 66 | fauxfile.write(pkgline_faux) |
| 67 | for a in alias_pkgs_faux: |
| 68 | fauxfile.write(a) |
| 69 | |
| 70 | with open(self.logfile, 'a') as flog: |
| 71 | flog.write("\npkg info: " + pkgline_faux) |
| 72 | else: |
| 73 | self.initialized = False |
| 74 | with open(self.logfile, 'a') as flog: |
| 75 | flog.write( |
| 76 | "Mandatory arguments such as pkg name, version and list of patches are not provided!\n") |
| 77 | flog.write("Not performing the call.\n") |
| 78 | else: |
| 79 | with open(self.logfile, 'a') as flog: |
| 80 | flog.write( |
| 81 | "Plugin hasn't initialized! Not performing the call.\n") |
| 82 | |
| 83 | def process_report(self): |
| 84 | if not os.path.isfile(self.reportdir + pkglist + "_" + self.timestamp + ".faux"): |
| 85 | return |
| 86 | if (self.initialized): |
| 87 | with open(self.logfile, 'a') as flog: |
| 88 | flog.write("Creating report in HTML format.\n") |
| 89 | result = self.process_report_type("html") |
| 90 | |
| 91 | with open(self.logfile, 'a') as flog: |
| 92 | flog.write("Creating report in CSV format.\n") |
| 93 | result = self.process_report_type("csv") |
| 94 | |
| 95 | pkglist_faux = pkglist + "_" + self.timestamp + ".faux" |
| 96 | os.remove(self.reportdir + pkglist_faux) |
| 97 | |
| 98 | with open(self.logfile, 'a') as flog: |
| 99 | flog.write("Creating report in XML format.\n") |
| 100 | self.write_report_xml(result) |
| 101 | |
| 102 | def write_report_xml(self, result): |
| 103 | try: |
| 104 | from lxml import etree |
| 105 | except ImportError: |
| 106 | try: |
| 107 | import xml.etree.cElementTree as etree |
| 108 | except ImportError: |
| 109 | import xml.etree.ElementTree as etree |
| 110 | num_tests = 0 |
| 111 | root = etree.Element('testsuite', name='CVE_Plugin', tests='1') |
| 112 | |
| 113 | if result : |
| 114 | num_tests = 1 |
| 115 | tcase = etree.SubElement( |
| 116 | root, 'testcase', classname='ISA_CVEChecker', name="Error in cve-check-tool") |
| 117 | etree.SubElement( tcase, 'failure', message=result, type='violation') |
| 118 | else: |
| 119 | with open(self.report_name + ".csv", 'r') as f: |
| 120 | for line in f: |
| 121 | num_tests += 1 |
| 122 | line = line.strip() |
| 123 | line_sp = line.split(',', 2) |
| 124 | if (len(line_sp) >= 3) and (line_sp[2].startswith('CVE')): |
| 125 | tcase = etree.SubElement( |
| 126 | root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0]) |
| 127 | etree.SubElement( |
| 128 | tcase, 'failure', message=line, type='violation') |
| 129 | else: |
| 130 | tcase = etree.SubElement( |
| 131 | root, 'testcase', classname='ISA_CVEChecker', name=line.split(',', 1)[0]) |
| 132 | |
| 133 | root.set('tests', str(num_tests)) |
| 134 | tree = etree.ElementTree(root) |
| 135 | output = self.report_name + '.xml' |
| 136 | try: |
| 137 | tree.write(output, encoding='UTF-8', |
| 138 | pretty_print=True, xml_declaration=True) |
| 139 | except TypeError: |
| 140 | tree.write(output, encoding='UTF-8', xml_declaration=True) |
| 141 | |
| 142 | def process_report_type(self, rtype): |
| 143 | # now faux file is ready and we can process it |
| 144 | args = "" |
| 145 | result = "" |
| 146 | tool_stderr_value = "" |
| 147 | args += "cve-check-tool " |
| 148 | if self.cacert: |
| 149 | args += "--cacert '%s' " % self.cacert |
| 150 | if rtype != "html": |
| 151 | args += "-c " |
| 152 | rtype = "csv" |
| 153 | pkglist_faux = pkglist + "_" + self.timestamp + ".faux" |
| 154 | args += "-a -t faux '" + self.reportdir + pkglist_faux + "'" |
| 155 | with open(self.logfile, 'a') as flog: |
| 156 | flog.write("Args: " + args) |
| 157 | try: |
| 158 | popen = subprocess.Popen( |
| 159 | args, shell=True, env=os.environ, stdout=subprocess.PIPE, stderr=subprocess.PIPE) |
| 160 | result = popen.communicate() |
| 161 | except: |
| 162 | tool_stderr_value = "Error in executing cve-check-tool" + str(sys.exc_info()) |
| 163 | with open(self.logfile, 'a') as flog: |
| 164 | flog.write("Error in executing cve-check-tool: " + |
| 165 | str(sys.exc_info())) |
| 166 | else: |
| 167 | stdout_value = result[0] |
| 168 | tool_stderr_value = result[1].decode('utf-8') |
| 169 | if not tool_stderr_value and popen.returncode == 0: |
| 170 | report = self.report_name + "." + rtype |
| 171 | with open(report, 'wb') as freport: |
| 172 | freport.write(stdout_value) |
| 173 | else: |
| 174 | tool_stderr_value = tool_stderr_value + \ |
| 175 | "\ncve-check-tool terminated with exit code " + str(popen.returncode) |
| 176 | return tool_stderr_value |
| 177 | |
| 178 | def process_patch_list(self, patch_files): |
| 179 | patch_info = "" |
| 180 | for patch in patch_files: |
| 181 | patch1 = patch.partition("cve") |
| 182 | if (patch1[0] == patch): |
| 183 | # no cve substring, try CVE |
| 184 | patch1 = patch.partition("CVE") |
| 185 | if (patch1[0] == patch): |
| 186 | continue |
| 187 | patchstripped = patch1[2].split('-') |
| 188 | try: |
| 189 | patch_info += " CVE-" + \ |
| 190 | patchstripped[1] + "-" + re.findall('\d+', patchstripped[2])[0] |
| 191 | except IndexError: |
| 192 | # string parsing attempt failed, so just skip this patch |
| 193 | continue |
| 194 | return patch_info |
| 195 | |
| 196 | # ======== supported callbacks from ISA ============= # |
| 197 | |
| 198 | |
| 199 | def init(ISA_config): |
| 200 | global CVEChecker |
| 201 | CVEChecker = ISA_CVEChecker(ISA_config) |
| 202 | |
| 203 | |
| 204 | def getPluginName(): |
| 205 | return "ISA_CVEChecker" |
| 206 | |
| 207 | |
| 208 | def process_package(ISA_pkg): |
| 209 | global CVEChecker |
| 210 | return CVEChecker.process_package(ISA_pkg) |
| 211 | |
| 212 | |
| 213 | def process_report(): |
| 214 | global CVEChecker |
| 215 | return CVEChecker.process_report() |
| 216 | |
| 217 | # ==================================================== # |