blob: 3fa77bf9a710539a4fffadc7cb4ca7fde1e4fc8c [file] [log] [blame]
Patrick Williams92b42cb2022-09-03 06:53:57 -05001#
2# Copyright OpenEmbedded Contributors
3#
4# SPDX-License-Identifier: MIT
5#
6
Andrew Geisslerd1e89492021-02-12 15:35:20 -06007import collections
8import re
9import itertools
10import functools
11
12_Version = collections.namedtuple(
13 "_Version", ["release", "patch_l", "pre_l", "pre_v"]
14)
15
16@functools.total_ordering
17class Version():
18
19 def __init__(self, version, suffix=None):
Andrew Geissler95ac1b82021-03-31 14:34:31 -050020
21 suffixes = ["alphabetical", "patch"]
22
Andrew Geisslerd1e89492021-02-12 15:35:20 -060023 if str(suffix) == "alphabetical":
24 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
Andrew Geissler95ac1b82021-03-31 14:34:31 -050025 elif str(suffix) == "patch":
26 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
Andrew Geisslerd1e89492021-02-12 15:35:20 -060027 else:
28 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
29 regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
30
31 match = regex.search(version)
32 if not match:
33 raise Exception("Invalid version: '{0}'".format(version))
34
35 self._version = _Version(
36 release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
Andrew Geissler95ac1b82021-03-31 14:34:31 -050037 patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
Andrew Geisslerd1e89492021-02-12 15:35:20 -060038 pre_l=match.group("pre_l"),
39 pre_v=match.group("pre_v")
40 )
41
42 self._key = _cmpkey(
43 self._version.release,
44 self._version.patch_l,
45 self._version.pre_l,
46 self._version.pre_v
47 )
48
49 def __eq__(self, other):
50 if not isinstance(other, Version):
51 return NotImplemented
52 return self._key == other._key
53
54 def __gt__(self, other):
55 if not isinstance(other, Version):
56 return NotImplemented
57 return self._key > other._key
58
59def _cmpkey(release, patch_l, pre_l, pre_v):
60 # remove leading 0
61 _release = tuple(
62 reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
63 )
64
65 _patch = patch_l.upper()
66
67 if pre_l is None and pre_v is None:
68 _pre = float('inf')
69 else:
70 _pre = float(pre_v) if pre_v else float('-inf')
71 return _release, _patch, _pre
Patrick Williams0ca19cc2021-08-16 14:03:13 -050072
73
74def get_patched_cves(d):
75 """
76 Get patches that solve CVEs using the "CVE: " tag.
77 """
78
79 import re
80 import oe.patch
81
82 pn = d.getVar("PN")
83 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
84
85 # Matches the last "CVE-YYYY-ID" in the file name, also if written
86 # in lowercase. Possible to have multiple CVE IDs in a single
87 # file name, but only the last one will be detected from the file name.
88 # However, patch files contents addressing multiple CVE IDs are supported
89 # (cve_match regular expression)
90
91 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
92
93 patched_cves = set()
94 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
95 for url in oe.patch.src_patches(d):
96 patch_file = bb.fetch.decodeurl(url)[2]
97
Patrick Williams0ca19cc2021-08-16 14:03:13 -050098 # Check patch file name for CVE ID
99 fname_match = cve_file_name_match.search(patch_file)
100 if fname_match:
101 cve = fname_match.group(1).upper()
102 patched_cves.add(cve)
103 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
104
Patrick Williamsac13d5f2023-11-24 18:59:46 -0600105 # Remote patches won't be present and compressed patches won't be
106 # unpacked, so say we're not scanning them
107 if not os.path.isfile(patch_file):
108 bb.note("%s is remote or compressed, not scanning content" % patch_file)
109 continue
110
Patrick Williams0ca19cc2021-08-16 14:03:13 -0500111 with open(patch_file, "r", encoding="utf-8") as f:
112 try:
113 patch_text = f.read()
114 except UnicodeDecodeError:
115 bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
116 " trying with iso8859-1" % patch_file)
117 f.close()
118 with open(patch_file, "r", encoding="iso8859-1") as f:
119 patch_text = f.read()
120
121 # Search for one or more "CVE: " lines
122 text_match = False
123 for match in cve_match.finditer(patch_text):
124 # Get only the CVEs without the "CVE: " tag
125 cves = patch_text[match.start()+5:match.end()]
126 for cve in cves.split():
127 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
128 patched_cves.add(cve)
129 text_match = True
130
131 if not fname_match and not text_match:
132 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
133
Andrew Geissler8f840682023-07-21 09:09:43 -0500134 # Search for additional patched CVEs
135 for cve in (d.getVarFlags("CVE_STATUS") or {}):
136 decoded_status, _, _ = decode_cve_status(d, cve)
137 if decoded_status == "Patched":
138 bb.debug(2, "CVE %s is additionally patched" % cve)
139 patched_cves.add(cve)
140
Patrick Williams0ca19cc2021-08-16 14:03:13 -0500141 return patched_cves
142
143
144def get_cpe_ids(cve_product, version):
145 """
146 Get list of CPE identifiers for the given product and version
147 """
148
149 version = version.split("+git")[0]
150
151 cpe_ids = []
152 for product in cve_product.split():
153 # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
154 # use wildcard for vendor.
155 if ":" in product:
156 vendor, product = product.split(":", 1)
157 else:
158 vendor = "*"
159
Andrew Geissler5082cc72023-09-11 08:41:39 -0400160 cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version)
Patrick Williams0ca19cc2021-08-16 14:03:13 -0500161 cpe_ids.append(cpe_id)
162
163 return cpe_ids
Andrew Geissler9aee5002022-03-30 16:27:02 +0000164
165def cve_check_merge_jsons(output, data):
166 """
167 Merge the data in the "package" property to the main data file
168 output
169 """
170 if output["version"] != data["version"]:
171 bb.error("Version mismatch when merging JSON outputs")
172 return
173
174 for product in output["package"]:
175 if product["name"] == data["package"][0]["name"]:
Patrick Williamsac13d5f2023-11-24 18:59:46 -0600176 bb.error("Error adding the same package %s twice" % product["name"])
Andrew Geissler9aee5002022-03-30 16:27:02 +0000177 return
178
179 output["package"].append(data["package"][0])
Andrew Geissler78b72792022-06-14 06:47:25 -0500180
181def update_symlinks(target_path, link_path):
182 """
183 Update a symbolic link link_path to point to target_path.
184 Remove the link and recreate it if exist and is different.
185 """
186 if link_path != target_path and os.path.exists(target_path):
187 if os.path.exists(os.path.realpath(link_path)):
188 os.remove(link_path)
189 os.symlink(os.path.basename(target_path), link_path)
Andrew Geisslerfc113ea2023-03-31 09:59:46 -0500190
191
192def convert_cve_version(version):
193 """
194 This function converts from CVE format to Yocto version format.
195 eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
196
197 Unless it is redefined using CVE_VERSION in the recipe,
198 cve_check uses the version in the name of the recipe (${PV})
199 to check vulnerabilities against a CVE in the database downloaded from NVD.
200
201 When the version has an update, i.e.
202 "p1" in OpenSSH 8.3p1,
203 "-rc1" in linux kernel 6.2-rc1,
204 the database stores the version as version_update (8.3_p1, 6.2_rc1).
205 Therefore, we must transform this version before comparing to the
206 recipe version.
207
208 In this case, the parameter of the function is 8.3_p1.
209 If the version uses the Release Candidate format, "rc",
210 this function replaces the '_' by '-'.
211 If the version uses the Update format, "p",
212 this function removes the '_' completely.
213 """
214 import re
215
216 matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
217
218 if not matches:
219 return version
220
221 version = matches.group(1)
222 update = matches.group(2)
223
224 if matches.group(3) == "rc":
225 return version + '-' + update
226
227 return version + update
228
Andrew Geissler8f840682023-07-21 09:09:43 -0500229def decode_cve_status(d, cve):
230 """
231 Convert CVE_STATUS into status, detail and description.
232 """
233 status = d.getVarFlag("CVE_STATUS", cve)
234 if status is None:
235 return ("", "", "")
236
237 status_split = status.split(':', 1)
238 detail = status_split[0]
239 description = status_split[1].strip() if (len(status_split) > 1) else ""
240
241 status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail)
242 if status_mapping is None:
243 bb.warn('Invalid detail %s for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status))
244 status_mapping = "Unpatched"
245
246 return (status_mapping, detail, description)