192b42cb3SPatrick Williams# 292b42cb3SPatrick Williams# Copyright OpenEmbedded Contributors 392b42cb3SPatrick Williams# 492b42cb3SPatrick Williams# SPDX-License-Identifier: MIT 592b42cb3SPatrick Williams# 692b42cb3SPatrick Williams 7d1e89497SAndrew Geisslerimport collections 8d1e89497SAndrew Geisslerimport re 9d1e89497SAndrew Geisslerimport itertools 10d1e89497SAndrew Geisslerimport functools 11d1e89497SAndrew Geissler 12d1e89497SAndrew Geissler_Version = collections.namedtuple( 13d1e89497SAndrew Geissler "_Version", ["release", "patch_l", "pre_l", "pre_v"] 14d1e89497SAndrew Geissler) 15d1e89497SAndrew Geissler 16d1e89497SAndrew Geissler@functools.total_ordering 17d1e89497SAndrew Geisslerclass Version(): 18d1e89497SAndrew Geissler 19d1e89497SAndrew Geissler def __init__(self, version, suffix=None): 2095ac1b8dSAndrew Geissler 2195ac1b8dSAndrew Geissler suffixes = ["alphabetical", "patch"] 2295ac1b8dSAndrew Geissler 23d1e89497SAndrew Geissler if str(suffix) == "alphabetical": 24d1e89497SAndrew Geissler version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 2595ac1b8dSAndrew Geissler elif str(suffix) == "patch": 2695ac1b8dSAndrew Geissler version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 27d1e89497SAndrew Geissler else: 28d1e89497SAndrew Geissler version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 29d1e89497SAndrew Geissler regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) 30d1e89497SAndrew Geissler 31d1e89497SAndrew Geissler match = regex.search(version) 32d1e89497SAndrew Geissler if not match: 33d1e89497SAndrew Geissler raise Exception("Invalid version: '{0}'".format(version)) 34d1e89497SAndrew Geissler 35d1e89497SAndrew Geissler self._version = _Version( 36d1e89497SAndrew Geissler release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), 3795ac1b8dSAndrew Geissler patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", 38d1e89497SAndrew Geissler pre_l=match.group("pre_l"), 39d1e89497SAndrew Geissler pre_v=match.group("pre_v") 40d1e89497SAndrew Geissler ) 41d1e89497SAndrew Geissler 42d1e89497SAndrew Geissler self._key = _cmpkey( 43d1e89497SAndrew Geissler self._version.release, 44d1e89497SAndrew Geissler self._version.patch_l, 45d1e89497SAndrew Geissler self._version.pre_l, 46d1e89497SAndrew Geissler self._version.pre_v 47d1e89497SAndrew Geissler ) 48d1e89497SAndrew Geissler 49d1e89497SAndrew Geissler def __eq__(self, other): 50d1e89497SAndrew Geissler if not isinstance(other, Version): 51d1e89497SAndrew Geissler return NotImplemented 52d1e89497SAndrew Geissler return self._key == other._key 53d1e89497SAndrew Geissler 54d1e89497SAndrew Geissler def __gt__(self, other): 55d1e89497SAndrew Geissler if not isinstance(other, Version): 56d1e89497SAndrew Geissler return NotImplemented 57d1e89497SAndrew Geissler return self._key > other._key 58d1e89497SAndrew Geissler 59d1e89497SAndrew Geisslerdef _cmpkey(release, patch_l, pre_l, pre_v): 60d1e89497SAndrew Geissler # remove leading 0 61d1e89497SAndrew Geissler _release = tuple( 62d1e89497SAndrew Geissler reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release)))) 63d1e89497SAndrew Geissler ) 64d1e89497SAndrew Geissler 65d1e89497SAndrew Geissler _patch = patch_l.upper() 66d1e89497SAndrew Geissler 67d1e89497SAndrew Geissler if pre_l is None and pre_v is None: 68d1e89497SAndrew Geissler _pre = float('inf') 69d1e89497SAndrew Geissler else: 70d1e89497SAndrew Geissler _pre = float(pre_v) if pre_v else float('-inf') 71d1e89497SAndrew Geissler return _release, _patch, _pre 720ca19ccfSPatrick Williams 730ca19ccfSPatrick Williams 740ca19ccfSPatrick Williamsdef get_patched_cves(d): 750ca19ccfSPatrick Williams """ 760ca19ccfSPatrick Williams Get patches that solve CVEs using the "CVE: " tag. 770ca19ccfSPatrick Williams """ 780ca19ccfSPatrick Williams 790ca19ccfSPatrick Williams import re 800ca19ccfSPatrick Williams import oe.patch 810ca19ccfSPatrick Williams 82*f52e3ddeSPatrick Williams cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") 830ca19ccfSPatrick Williams 840ca19ccfSPatrick Williams # Matches the last "CVE-YYYY-ID" in the file name, also if written 850ca19ccfSPatrick Williams # in lowercase. Possible to have multiple CVE IDs in a single 860ca19ccfSPatrick Williams # file name, but only the last one will be detected from the file name. 870ca19ccfSPatrick Williams # However, patch files contents addressing multiple CVE IDs are supported 880ca19ccfSPatrick Williams # (cve_match regular expression) 89*f52e3ddeSPatrick Williams cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) 900ca19ccfSPatrick Williams 910ca19ccfSPatrick Williams patched_cves = set() 92*f52e3ddeSPatrick Williams patches = oe.patch.src_patches(d) 93*f52e3ddeSPatrick Williams bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) 94*f52e3ddeSPatrick Williams for url in patches: 950ca19ccfSPatrick Williams patch_file = bb.fetch.decodeurl(url)[2] 960ca19ccfSPatrick Williams 970ca19ccfSPatrick Williams # Check patch file name for CVE ID 980ca19ccfSPatrick Williams fname_match = cve_file_name_match.search(patch_file) 990ca19ccfSPatrick Williams if fname_match: 1000ca19ccfSPatrick Williams cve = fname_match.group(1).upper() 1010ca19ccfSPatrick Williams patched_cves.add(cve) 102*f52e3ddeSPatrick Williams bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) 1030ca19ccfSPatrick Williams 104ac13d5f3SPatrick Williams # Remote patches won't be present and compressed patches won't be 105ac13d5f3SPatrick Williams # unpacked, so say we're not scanning them 106ac13d5f3SPatrick Williams if not os.path.isfile(patch_file): 107ac13d5f3SPatrick Williams bb.note("%s is remote or compressed, not scanning content" % patch_file) 108ac13d5f3SPatrick Williams continue 109ac13d5f3SPatrick Williams 1100ca19ccfSPatrick Williams with open(patch_file, "r", encoding="utf-8") as f: 1110ca19ccfSPatrick Williams try: 1120ca19ccfSPatrick Williams patch_text = f.read() 1130ca19ccfSPatrick Williams except UnicodeDecodeError: 1140ca19ccfSPatrick Williams bb.debug(1, "Failed to read patch %s using UTF-8 encoding" 1150ca19ccfSPatrick Williams " trying with iso8859-1" % patch_file) 1160ca19ccfSPatrick Williams f.close() 1170ca19ccfSPatrick Williams with open(patch_file, "r", encoding="iso8859-1") as f: 1180ca19ccfSPatrick Williams patch_text = f.read() 1190ca19ccfSPatrick Williams 1200ca19ccfSPatrick Williams # Search for one or more "CVE: " lines 1210ca19ccfSPatrick Williams text_match = False 1220ca19ccfSPatrick Williams for match in cve_match.finditer(patch_text): 1230ca19ccfSPatrick Williams # Get only the CVEs without the "CVE: " tag 1240ca19ccfSPatrick Williams cves = patch_text[match.start()+5:match.end()] 1250ca19ccfSPatrick Williams for cve in cves.split(): 1260ca19ccfSPatrick Williams bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) 1270ca19ccfSPatrick Williams patched_cves.add(cve) 1280ca19ccfSPatrick Williams text_match = True 1290ca19ccfSPatrick Williams 1300ca19ccfSPatrick Williams if not fname_match and not text_match: 1310ca19ccfSPatrick Williams bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) 1320ca19ccfSPatrick Williams 1338f840685SAndrew Geissler # Search for additional patched CVEs 1348f840685SAndrew Geissler for cve in (d.getVarFlags("CVE_STATUS") or {}): 1358f840685SAndrew Geissler decoded_status, _, _ = decode_cve_status(d, cve) 1368f840685SAndrew Geissler if decoded_status == "Patched": 1378f840685SAndrew Geissler bb.debug(2, "CVE %s is additionally patched" % cve) 1388f840685SAndrew Geissler patched_cves.add(cve) 1398f840685SAndrew Geissler 1400ca19ccfSPatrick Williams return patched_cves 1410ca19ccfSPatrick Williams 1420ca19ccfSPatrick Williams 1430ca19ccfSPatrick Williamsdef get_cpe_ids(cve_product, version): 1440ca19ccfSPatrick Williams """ 1450ca19ccfSPatrick Williams Get list of CPE identifiers for the given product and version 1460ca19ccfSPatrick Williams """ 1470ca19ccfSPatrick Williams 1480ca19ccfSPatrick Williams version = version.split("+git")[0] 1490ca19ccfSPatrick Williams 1500ca19ccfSPatrick Williams cpe_ids = [] 1510ca19ccfSPatrick Williams for product in cve_product.split(): 1520ca19ccfSPatrick Williams # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, 1530ca19ccfSPatrick Williams # use wildcard for vendor. 1540ca19ccfSPatrick Williams if ":" in product: 1550ca19ccfSPatrick Williams vendor, product = product.split(":", 1) 1560ca19ccfSPatrick Williams else: 1570ca19ccfSPatrick Williams vendor = "*" 1580ca19ccfSPatrick Williams 1595082cc7fSAndrew Geissler cpe_id = 'cpe:2.3:*:{}:{}:{}:*:*:*:*:*:*:*'.format(vendor, product, version) 1600ca19ccfSPatrick Williams cpe_ids.append(cpe_id) 1610ca19ccfSPatrick Williams 1620ca19ccfSPatrick Williams return cpe_ids 1639aee5003SAndrew Geissler 1649aee5003SAndrew Geisslerdef cve_check_merge_jsons(output, data): 1659aee5003SAndrew Geissler """ 1669aee5003SAndrew Geissler Merge the data in the "package" property to the main data file 1679aee5003SAndrew Geissler output 1689aee5003SAndrew Geissler """ 1699aee5003SAndrew Geissler if output["version"] != data["version"]: 1709aee5003SAndrew Geissler bb.error("Version mismatch when merging JSON outputs") 1719aee5003SAndrew Geissler return 1729aee5003SAndrew Geissler 1739aee5003SAndrew Geissler for product in output["package"]: 1749aee5003SAndrew Geissler if product["name"] == data["package"][0]["name"]: 175ac13d5f3SPatrick Williams bb.error("Error adding the same package %s twice" % product["name"]) 1769aee5003SAndrew Geissler return 1779aee5003SAndrew Geissler 1789aee5003SAndrew Geissler output["package"].append(data["package"][0]) 17978b72798SAndrew Geissler 18078b72798SAndrew Geisslerdef update_symlinks(target_path, link_path): 18178b72798SAndrew Geissler """ 18278b72798SAndrew Geissler Update a symbolic link link_path to point to target_path. 18378b72798SAndrew Geissler Remove the link and recreate it if exist and is different. 18478b72798SAndrew Geissler """ 18578b72798SAndrew Geissler if link_path != target_path and os.path.exists(target_path): 18678b72798SAndrew Geissler if os.path.exists(os.path.realpath(link_path)): 18778b72798SAndrew Geissler os.remove(link_path) 18878b72798SAndrew Geissler os.symlink(os.path.basename(target_path), link_path) 189fc113eadSAndrew Geissler 190fc113eadSAndrew Geissler 191fc113eadSAndrew Geisslerdef convert_cve_version(version): 192fc113eadSAndrew Geissler """ 193fc113eadSAndrew Geissler This function converts from CVE format to Yocto version format. 194fc113eadSAndrew Geissler eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1 195fc113eadSAndrew Geissler 196fc113eadSAndrew Geissler Unless it is redefined using CVE_VERSION in the recipe, 197fc113eadSAndrew Geissler cve_check uses the version in the name of the recipe (${PV}) 198fc113eadSAndrew Geissler to check vulnerabilities against a CVE in the database downloaded from NVD. 199fc113eadSAndrew Geissler 200fc113eadSAndrew Geissler When the version has an update, i.e. 201fc113eadSAndrew Geissler "p1" in OpenSSH 8.3p1, 202fc113eadSAndrew Geissler "-rc1" in linux kernel 6.2-rc1, 203fc113eadSAndrew Geissler the database stores the version as version_update (8.3_p1, 6.2_rc1). 204fc113eadSAndrew Geissler Therefore, we must transform this version before comparing to the 205fc113eadSAndrew Geissler recipe version. 206fc113eadSAndrew Geissler 207fc113eadSAndrew Geissler In this case, the parameter of the function is 8.3_p1. 208fc113eadSAndrew Geissler If the version uses the Release Candidate format, "rc", 209fc113eadSAndrew Geissler this function replaces the '_' by '-'. 210fc113eadSAndrew Geissler If the version uses the Update format, "p", 211fc113eadSAndrew Geissler this function removes the '_' completely. 212fc113eadSAndrew Geissler """ 213fc113eadSAndrew Geissler import re 214fc113eadSAndrew Geissler 215fc113eadSAndrew Geissler matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version) 216fc113eadSAndrew Geissler 217fc113eadSAndrew Geissler if not matches: 218fc113eadSAndrew Geissler return version 219fc113eadSAndrew Geissler 220fc113eadSAndrew Geissler version = matches.group(1) 221fc113eadSAndrew Geissler update = matches.group(2) 222fc113eadSAndrew Geissler 223fc113eadSAndrew Geissler if matches.group(3) == "rc": 224fc113eadSAndrew Geissler return version + '-' + update 225fc113eadSAndrew Geissler 226fc113eadSAndrew Geissler return version + update 227fc113eadSAndrew Geissler 2288f840685SAndrew Geisslerdef decode_cve_status(d, cve): 2298f840685SAndrew Geissler """ 2308f840685SAndrew Geissler Convert CVE_STATUS into status, detail and description. 2318f840685SAndrew Geissler """ 2328f840685SAndrew Geissler status = d.getVarFlag("CVE_STATUS", cve) 233*f52e3ddeSPatrick Williams if not status: 2348f840685SAndrew Geissler return ("", "", "") 2358f840685SAndrew Geissler 2368f840685SAndrew Geissler status_split = status.split(':', 1) 2378f840685SAndrew Geissler detail = status_split[0] 2388f840685SAndrew Geissler description = status_split[1].strip() if (len(status_split) > 1) else "" 2398f840685SAndrew Geissler 2408f840685SAndrew Geissler status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) 2418f840685SAndrew Geissler if status_mapping is None: 242*f52e3ddeSPatrick Williams bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) 2438f840685SAndrew Geissler status_mapping = "Unpatched" 2448f840685SAndrew Geissler 2458f840685SAndrew Geissler return (status_mapping, detail, description) 246