1import collections 2import re 3import itertools 4import functools 5 6_Version = collections.namedtuple( 7 "_Version", ["release", "patch_l", "pre_l", "pre_v"] 8) 9 10@functools.total_ordering 11class Version(): 12 13 def __init__(self, version, suffix=None): 14 15 suffixes = ["alphabetical", "patch"] 16 17 if str(suffix) == "alphabetical": 18 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 19 elif str(suffix) == "patch": 20 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 21 else: 22 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 23 regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) 24 25 match = regex.search(version) 26 if not match: 27 raise Exception("Invalid version: '{0}'".format(version)) 28 29 self._version = _Version( 30 release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), 31 patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", 32 pre_l=match.group("pre_l"), 33 pre_v=match.group("pre_v") 34 ) 35 36 self._key = _cmpkey( 37 self._version.release, 38 self._version.patch_l, 39 self._version.pre_l, 40 self._version.pre_v 41 ) 42 43 def __eq__(self, other): 44 if not isinstance(other, Version): 45 return NotImplemented 46 return self._key == other._key 47 48 def __gt__(self, other): 49 if not isinstance(other, Version): 50 return NotImplemented 51 return self._key > other._key 52 53def _cmpkey(release, patch_l, pre_l, pre_v): 54 # remove leading 0 55 _release = tuple( 56 reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release)))) 57 ) 58 59 _patch = patch_l.upper() 60 61 if pre_l is None and pre_v is None: 62 _pre = float('inf') 63 else: 64 _pre = float(pre_v) if pre_v else float('-inf') 65 return _release, _patch, _pre 66 67 68def get_patched_cves(d): 69 """ 70 Get patches that solve CVEs using the "CVE: " tag. 71 """ 72 73 import re 74 import oe.patch 75 76 pn = d.getVar("PN") 77 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") 78 79 # Matches the last "CVE-YYYY-ID" in the file name, also if written 80 # in lowercase. Possible to have multiple CVE IDs in a single 81 # file name, but only the last one will be detected from the file name. 82 # However, patch files contents addressing multiple CVE IDs are supported 83 # (cve_match regular expression) 84 85 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") 86 87 patched_cves = set() 88 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) 89 for url in oe.patch.src_patches(d): 90 patch_file = bb.fetch.decodeurl(url)[2] 91 92 if not os.path.isfile(patch_file): 93 bb.error("File Not found: %s" % patch_file) 94 raise FileNotFoundError 95 96 # Check patch file name for CVE ID 97 fname_match = cve_file_name_match.search(patch_file) 98 if fname_match: 99 cve = fname_match.group(1).upper() 100 patched_cves.add(cve) 101 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) 102 103 with open(patch_file, "r", encoding="utf-8") as f: 104 try: 105 patch_text = f.read() 106 except UnicodeDecodeError: 107 bb.debug(1, "Failed to read patch %s using UTF-8 encoding" 108 " trying with iso8859-1" % patch_file) 109 f.close() 110 with open(patch_file, "r", encoding="iso8859-1") as f: 111 patch_text = f.read() 112 113 # Search for one or more "CVE: " lines 114 text_match = False 115 for match in cve_match.finditer(patch_text): 116 # Get only the CVEs without the "CVE: " tag 117 cves = patch_text[match.start()+5:match.end()] 118 for cve in cves.split(): 119 bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) 120 patched_cves.add(cve) 121 text_match = True 122 123 if not fname_match and not text_match: 124 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) 125 126 return patched_cves 127 128 129def get_cpe_ids(cve_product, version): 130 """ 131 Get list of CPE identifiers for the given product and version 132 """ 133 134 version = version.split("+git")[0] 135 136 cpe_ids = [] 137 for product in cve_product.split(): 138 # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, 139 # use wildcard for vendor. 140 if ":" in product: 141 vendor, product = product.split(":", 1) 142 else: 143 vendor = "*" 144 145 cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' 146 cpe_ids.append(cpe_id) 147 148 return cpe_ids 149 150def cve_check_merge_jsons(output, data): 151 """ 152 Merge the data in the "package" property to the main data file 153 output 154 """ 155 if output["version"] != data["version"]: 156 bb.error("Version mismatch when merging JSON outputs") 157 return 158 159 for product in output["package"]: 160 if product["name"] == data["package"][0]["name"]: 161 bb.error("Error adding the same package twice") 162 return 163 164 output["package"].append(data["package"][0]) 165