diff options
| author | Antoine Lubineau <antoine.lubineau@easymile.com> | 2023-09-21 10:23:52 +0200 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-10-25 04:51:01 -1000 |
| commit | 39bec240c26b2a0b7dfb7e3078f95003a15c0102 (patch) | |
| tree | 84ec7c6c6b3b8386853d7bf00e2769f5a2ef1c36 | |
| parent | df92f67b17f6175a93101ffabf1ad5438fbd82d7 (diff) | |
| download | poky-39bec240c26b2a0b7dfb7e3078f95003a15c0102.tar.gz | |
cve-check: add CVSS vector string to CVE database and reports
This allows building detailed vulnerability analysis tools without
relying on external resources.
(From OE-Core rev: 587ae7bc85fc471d927308d866821d463799023d)
Signed-off-by: Antoine Lubineau <antoine.lubineau@easymile.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
(cherry picked from commit 048ff0ad927f4d37cc5547ebeba9e0c221687ea6)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 5 | ||||
| -rw-r--r-- | meta/recipes-core/meta/cve-update-nvd2-native.bb | 11 |
2 files changed, 12 insertions, 4 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index bd9e7e7445..3846aee5ea 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -32,7 +32,7 @@ CVE_PRODUCT ??= "${BPN}" | |||
| 32 | CVE_VERSION ??= "${PV}" | 32 | CVE_VERSION ??= "${PV}" |
| 33 | 33 | ||
| 34 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" | 34 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" |
| 35 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db" | 35 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db" |
| 36 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" | 36 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" |
| 37 | 37 | ||
| 38 | CVE_CHECK_LOG ?= "${T}/cve.log" | 38 | CVE_CHECK_LOG ?= "${T}/cve.log" |
| @@ -403,6 +403,7 @@ def get_cve_info(d, cves): | |||
| 403 | cve_data[row[0]]["scorev3"] = row[3] | 403 | cve_data[row[0]]["scorev3"] = row[3] |
| 404 | cve_data[row[0]]["modified"] = row[4] | 404 | cve_data[row[0]]["modified"] = row[4] |
| 405 | cve_data[row[0]]["vector"] = row[5] | 405 | cve_data[row[0]]["vector"] = row[5] |
| 406 | cve_data[row[0]]["vectorString"] = row[6] | ||
| 406 | cursor.close() | 407 | cursor.close() |
| 407 | conn.close() | 408 | conn.close() |
| 408 | return cve_data | 409 | return cve_data |
| @@ -459,6 +460,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): | |||
| 459 | write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] | 460 | write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] |
| 460 | write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] | 461 | write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] |
| 461 | write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] | 462 | write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] |
| 463 | write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] | ||
| 462 | write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) | 464 | write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) |
| 463 | 465 | ||
| 464 | if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": | 466 | if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": |
| @@ -573,6 +575,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): | |||
| 573 | "scorev2" : cve_data[cve]["scorev2"], | 575 | "scorev2" : cve_data[cve]["scorev2"], |
| 574 | "scorev3" : cve_data[cve]["scorev3"], | 576 | "scorev3" : cve_data[cve]["scorev3"], |
| 575 | "vector" : cve_data[cve]["vector"], | 577 | "vector" : cve_data[cve]["vector"], |
| 578 | "vectorString" : cve_data[cve]["vectorString"], | ||
| 576 | "status" : status, | 579 | "status" : status, |
| 577 | "link": issue_link | 580 | "link": issue_link |
| 578 | } | 581 | } |
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 2f7dad7e82..d0321f1bb5 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb | |||
| @@ -225,7 +225,7 @@ def initialize_db(conn): | |||
| 225 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") | 225 | c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") |
| 226 | 226 | ||
| 227 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ | 227 | c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ |
| 228 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") | 228 | SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)") |
| 229 | 229 | ||
| 230 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ | 230 | c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ |
| 231 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ | 231 | VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ |
| @@ -299,6 +299,7 @@ def update_db(conn, elt): | |||
| 299 | """ | 299 | """ |
| 300 | 300 | ||
| 301 | accessVector = None | 301 | accessVector = None |
| 302 | vectorString = None | ||
| 302 | cveId = elt['cve']['id'] | 303 | cveId = elt['cve']['id'] |
| 303 | if elt['cve']['vulnStatus'] == "Rejected": | 304 | if elt['cve']['vulnStatus'] == "Rejected": |
| 304 | return | 305 | return |
| @@ -309,25 +310,29 @@ def update_db(conn, elt): | |||
| 309 | date = elt['cve']['lastModified'] | 310 | date = elt['cve']['lastModified'] |
| 310 | try: | 311 | try: |
| 311 | accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] | 312 | accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] |
| 313 | vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString'] | ||
| 312 | cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] | 314 | cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] |
| 313 | except KeyError: | 315 | except KeyError: |
| 314 | cvssv2 = 0.0 | 316 | cvssv2 = 0.0 |
| 315 | cvssv3 = None | 317 | cvssv3 = None |
| 316 | try: | 318 | try: |
| 317 | accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] | 319 | accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] |
| 320 | vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString'] | ||
| 318 | cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] | 321 | cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] |
| 319 | except KeyError: | 322 | except KeyError: |
| 320 | pass | 323 | pass |
| 321 | try: | 324 | try: |
| 322 | accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] | 325 | accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] |
| 326 | vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString'] | ||
| 323 | cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] | 327 | cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] |
| 324 | except KeyError: | 328 | except KeyError: |
| 325 | pass | 329 | pass |
| 326 | accessVector = accessVector or "UNKNOWN" | 330 | accessVector = accessVector or "UNKNOWN" |
| 331 | vectorString = vectorString or "UNKNOWN" | ||
| 327 | cvssv3 = cvssv3 or 0.0 | 332 | cvssv3 = cvssv3 or 0.0 |
| 328 | 333 | ||
| 329 | conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", | 334 | conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?)", |
| 330 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() | 335 | [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close() |
| 331 | 336 | ||
| 332 | try: | 337 | try: |
| 333 | for config in elt['cve']['configurations']: | 338 | for config in elt['cve']['configurations']: |