1import collections 2import re 3import itertools 4import functools 5 6_Version = collections.namedtuple( 7 "_Version", ["release", "patch_l", "pre_l", "pre_v"] 8) 9 10@functools.total_ordering 11class Version(): 12 13 def __init__(self, version, suffix=None): 14 15 suffixes = ["alphabetical", "patch"] 16 17 if str(suffix) == "alphabetical": 18 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 19 elif str(suffix) == "patch": 20 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 21 else: 22 version_pattern = r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?""" 23 regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE) 24 25 match = regex.search(version) 26 if not match: 27 raise Exception("Invalid version: '{0}'".format(version)) 28 29 self._version = _Version( 30 release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")), 31 patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "", 32 pre_l=match.group("pre_l"), 33 pre_v=match.group("pre_v") 34 ) 35 36 self._key = _cmpkey( 37 self._version.release, 38 self._version.patch_l, 39 self._version.pre_l, 40 self._version.pre_v 41 ) 42 43 def __eq__(self, other): 44 if not isinstance(other, Version): 45 return NotImplemented 46 return self._key == other._key 47 48 def __gt__(self, other): 49 if not isinstance(other, Version): 50 return NotImplemented 51 return self._key > other._key 52 53def _cmpkey(release, patch_l, pre_l, pre_v): 54 # remove leading 0 55 _release = tuple( 56 reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release)))) 57 ) 58 59 _patch = patch_l.upper() 60 61 if pre_l is None and pre_v is None: 62 _pre = float('inf') 63 else: 64 _pre = float(pre_v) if pre_v else float('-inf') 65 return _release, _patch, _pre 66 67 68def get_patched_cves(d): 69 """ 70 Get patches that solve CVEs using the "CVE: " tag. 71 """ 72 73 import re 74 import oe.patch 75 76 pn = d.getVar("PN") 77 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") 78 79 # Matches the last "CVE-YYYY-ID" in the file name, also if written 80 # in lowercase. Possible to have multiple CVE IDs in a single 81 # file name, but only the last one will be detected from the file name. 82 # However, patch files contents addressing multiple CVE IDs are supported 83 # (cve_match regular expression) 84 85 cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") 86 87 patched_cves = set() 88 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) 89 for url in oe.patch.src_patches(d): 90 patch_file = bb.fetch.decodeurl(url)[2] 91 92 # Remote compressed patches may not be unpacked, so silently ignore them 93 if not os.path.isfile(patch_file): 94 bb.warn("%s does not exist, cannot extract CVE list" % patch_file) 95 continue 96 97 # Check patch file name for CVE ID 98 fname_match = cve_file_name_match.search(patch_file) 99 if fname_match: 100 cve = fname_match.group(1).upper() 101 patched_cves.add(cve) 102 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) 103 104 with open(patch_file, "r", encoding="utf-8") as f: 105 try: 106 patch_text = f.read() 107 except UnicodeDecodeError: 108 bb.debug(1, "Failed to read patch %s using UTF-8 encoding" 109 " trying with iso8859-1" % patch_file) 110 f.close() 111 with open(patch_file, "r", encoding="iso8859-1") as f: 112 patch_text = f.read() 113 114 # Search for one or more "CVE: " lines 115 text_match = False 116 for match in cve_match.finditer(patch_text): 117 # Get only the CVEs without the "CVE: " tag 118 cves = patch_text[match.start()+5:match.end()] 119 for cve in cves.split(): 120 bb.debug(2, "Patch %s solves %s" % (patch_file, cve)) 121 patched_cves.add(cve) 122 text_match = True 123 124 if not fname_match and not text_match: 125 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file) 126 127 return patched_cves 128 129 130def get_cpe_ids(cve_product, version): 131 """ 132 Get list of CPE identifiers for the given product and version 133 """ 134 135 version = version.split("+git")[0] 136 137 cpe_ids = [] 138 for product in cve_product.split(): 139 # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not, 140 # use wildcard for vendor. 141 if ":" in product: 142 vendor, product = product.split(":", 1) 143 else: 144 vendor = "*" 145 146 cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*' 147 cpe_ids.append(cpe_id) 148 149 return cpe_ids 150 151def cve_check_merge_jsons(output, data): 152 """ 153 Merge the data in the "package" property to the main data file 154 output 155 """ 156 if output["version"] != data["version"]: 157 bb.error("Version mismatch when merging JSON outputs") 158 return 159 160 for product in output["package"]: 161 if product["name"] == data["package"][0]["name"]: 162 bb.error("Error adding the same package twice") 163 return 164 165 output["package"].append(data["package"][0]) 166