Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 9aee50030142f0352e48fd0b14b3aab4e7efa158 / . / poky / meta / lib / oe / cve_check.py
blob: e445b7a6ae2b7eec320db3d24386fce6d06a580b [file] [log] [blame]
Andrew Geisslerd1e89492021-02-12 15:35:20 -0600[diff] [blame]1import collections
2import re
3import itertools
4import functools
5
6_Version = collections.namedtuple(
7 "_Version", ["release", "patch_l", "pre_l", "pre_v"]
8)
9
10@functools.total_ordering
11class Version():
12
13 def __init__(self, version, suffix=None):
Andrew Geissler95ac1b82021-03-31 14:34:31 -0500[diff] [blame]14
15 suffixes = ["alphabetical", "patch"]
16
Andrew Geisslerd1e89492021-02-12 15:35:20 -0600[diff] [blame]17 if str(suffix) == "alphabetical":
18 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
Andrew Geissler95ac1b82021-03-31 14:34:31 -0500[diff] [blame]19 elif str(suffix) == "patch":
20 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
Andrew Geisslerd1e89492021-02-12 15:35:20 -0600[diff] [blame]21 else:
22 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
23 regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
24
25 match = regex.search(version)
26 if not match:
27 raise Exception("Invalid version: '{0}'".format(version))
28
29 self._version = _Version(
30 release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
Andrew Geissler95ac1b82021-03-31 14:34:31 -0500[diff] [blame]31 patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
Andrew Geisslerd1e89492021-02-12 15:35:20 -0600[diff] [blame]32 pre_l=match.group("pre_l"),
33 pre_v=match.group("pre_v")
34 )
35
36 self._key = _cmpkey(
37 self._version.release,
38 self._version.patch_l,
39 self._version.pre_l,
40 self._version.pre_v
41 )
42
43 def __eq__(self, other):
44 if not isinstance(other, Version):
45 return NotImplemented
46 return self._key == other._key
47
48 def __gt__(self, other):
49 if not isinstance(other, Version):
50 return NotImplemented
51 return self._key > other._key
52
53def _cmpkey(release, patch_l, pre_l, pre_v):
54 # remove leading 0
55 _release = tuple(
56 reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
57 )
58
59 _patch = patch_l.upper()
60
61 if pre_l is None and pre_v is None:
62 _pre = float('inf')
63 else:
64 _pre = float(pre_v) if pre_v else float('-inf')
65 return _release, _patch, _pre
Patrick Williams0ca19cc2021-08-16 14:03:13 -0500[diff] [blame]66
67
68def get_patched_cves(d):
69 """
70 Get patches that solve CVEs using the "CVE: " tag.
71 """
72
73 import re
74 import oe.patch
75
76 pn = d.getVar("PN")
77 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
78
79 # Matches the last "CVE-YYYY-ID" in the file name, also if written
80 # in lowercase. Possible to have multiple CVE IDs in a single
81 # file name, but only the last one will be detected from the file name.
82 # However, patch files contents addressing multiple CVE IDs are supported
83 # (cve_match regular expression)
84
85 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
86
87 patched_cves = set()
88 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
89 for url in oe.patch.src_patches(d):
90 patch_file = bb.fetch.decodeurl(url)[2]
91
92 if not os.path.isfile(patch_file):
93 bb.error("File Not found: %s" % patch_file)
94 raise FileNotFoundError
95
96 # Check patch file name for CVE ID
97 fname_match = cve_file_name_match.search(patch_file)
98 if fname_match:
99 cve = fname_match.group(1).upper()
100 patched_cves.add(cve)
101 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
102
103 with open(patch_file, "r", encoding="utf-8") as f:
104 try:
105 patch_text = f.read()
106 except UnicodeDecodeError:
107 bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
108 " trying with iso8859-1" % patch_file)
109 f.close()
110 with open(patch_file, "r", encoding="iso8859-1") as f:
111 patch_text = f.read()
112
113 # Search for one or more "CVE: " lines
114 text_match = False
115 for match in cve_match.finditer(patch_text):
116 # Get only the CVEs without the "CVE: " tag
117 cves = patch_text[match.start()+5:match.end()]
118 for cve in cves.split():
119 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
120 patched_cves.add(cve)
121 text_match = True
122
123 if not fname_match and not text_match:
124 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
125
126 return patched_cves
127
128
129def get_cpe_ids(cve_product, version):
130 """
131 Get list of CPE identifiers for the given product and version
132 """
133
134 version = version.split("+git")[0]
135
136 cpe_ids = []
137 for product in cve_product.split():
138 # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
139 # use wildcard for vendor.
140 if ":" in product:
141 vendor, product = product.split(":", 1)
142 else:
143 vendor = "*"
144
145 cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*'
146 cpe_ids.append(cpe_id)
147
148 return cpe_ids
Andrew Geissler9aee5002022-03-30 16:27:02 +0000[diff] [blame^]149
150def cve_check_merge_jsons(output, data):
151 """
152 Merge the data in the "package" property to the main data file
153 output
154 """
155 if output["version"] != data["version"]:
156 bb.error("Version mismatch when merging JSON outputs")
157 return
158
159 for product in output["package"]:
160 if product["name"] == data["package"][0]["name"]:
161 bb.error("Error adding the same package twice")
162 return
163
164 output["package"].append(data["package"][0])