xref: /openbmc/openbmc/poky/meta/lib/oe/cve_check.py (revision d583833a)
1import collections
2import re
3import itertools
4import functools
5
6_Version = collections.namedtuple(
7    "_Version", ["release", "patch_l", "pre_l", "pre_v"]
8)
9
10@functools.total_ordering
11class Version():
12
13    def __init__(self, version, suffix=None):
14
15        suffixes = ["alphabetical", "patch"]
16
17        if str(suffix) == "alphabetical":
18            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
19        elif str(suffix) == "patch":
20            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(p|patch)(?P<patch_l>[0-9]+))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
21        else:
22            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
23        regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
24
25        match = regex.search(version)
26        if not match:
27            raise Exception("Invalid version: '{0}'".format(version))
28
29        self._version = _Version(
30            release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
31            patch_l=match.group("patch_l") if str(suffix) in suffixes and match.group("patch_l") else "",
32            pre_l=match.group("pre_l"),
33            pre_v=match.group("pre_v")
34        )
35
36        self._key = _cmpkey(
37            self._version.release,
38            self._version.patch_l,
39            self._version.pre_l,
40            self._version.pre_v
41        )
42
43    def __eq__(self, other):
44        if not isinstance(other, Version):
45            return NotImplemented
46        return self._key == other._key
47
48    def __gt__(self, other):
49        if not isinstance(other, Version):
50            return NotImplemented
51        return self._key > other._key
52
53def _cmpkey(release, patch_l, pre_l, pre_v):
54    # remove leading 0
55    _release = tuple(
56        reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
57    )
58
59    _patch = patch_l.upper()
60
61    if pre_l is None and pre_v is None:
62        _pre = float('inf')
63    else:
64        _pre = float(pre_v) if pre_v else float('-inf')
65    return _release, _patch, _pre
66
67
68def get_patched_cves(d):
69    """
70    Get patches that solve CVEs using the "CVE: " tag.
71    """
72
73    import re
74    import oe.patch
75
76    pn = d.getVar("PN")
77    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
78
79    # Matches the last "CVE-YYYY-ID" in the file name, also if written
80    # in lowercase. Possible to have multiple CVE IDs in a single
81    # file name, but only the last one will be detected from the file name.
82    # However, patch files contents addressing multiple CVE IDs are supported
83    # (cve_match regular expression)
84
85    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
86
87    patched_cves = set()
88    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
89    for url in oe.patch.src_patches(d):
90        patch_file = bb.fetch.decodeurl(url)[2]
91
92        # Remote compressed patches may not be unpacked, so silently ignore them
93        if not os.path.isfile(patch_file):
94            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
95            continue
96
97        # Check patch file name for CVE ID
98        fname_match = cve_file_name_match.search(patch_file)
99        if fname_match:
100            cve = fname_match.group(1).upper()
101            patched_cves.add(cve)
102            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
103
104        with open(patch_file, "r", encoding="utf-8") as f:
105            try:
106                patch_text = f.read()
107            except UnicodeDecodeError:
108                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
109                        " trying with iso8859-1" %  patch_file)
110                f.close()
111                with open(patch_file, "r", encoding="iso8859-1") as f:
112                    patch_text = f.read()
113
114        # Search for one or more "CVE: " lines
115        text_match = False
116        for match in cve_match.finditer(patch_text):
117            # Get only the CVEs without the "CVE: " tag
118            cves = patch_text[match.start()+5:match.end()]
119            for cve in cves.split():
120                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
121                patched_cves.add(cve)
122                text_match = True
123
124        if not fname_match and not text_match:
125            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
126
127    return patched_cves
128
129
130def get_cpe_ids(cve_product, version):
131    """
132    Get list of CPE identifiers for the given product and version
133    """
134
135    version = version.split("+git")[0]
136
137    cpe_ids = []
138    for product in cve_product.split():
139        # CVE_PRODUCT in recipes may include vendor information for CPE identifiers. If not,
140        # use wildcard for vendor.
141        if ":" in product:
142            vendor, product = product.split(":", 1)
143        else:
144            vendor = "*"
145
146        cpe_id = f'cpe:2.3:a:{vendor}:{product}:{version}:*:*:*:*:*:*:*'
147        cpe_ids.append(cpe_id)
148
149    return cpe_ids
150
151def cve_check_merge_jsons(output, data):
152    """
153    Merge the data in the "package" property to the main data file
154    output
155    """
156    if output["version"] != data["version"]:
157        bb.error("Version mismatch when merging JSON outputs")
158        return
159
160    for product in output["package"]:
161        if product["name"] == data["package"][0]["name"]:
162            bb.error("Error adding the same package twice")
163            return
164
165    output["package"].append(data["package"][0])
166