
cve-check: add CVSS vector string to CVE database and reports

This allows building detailed vulnerability analysis tools without
relying on external resources.

(From OE-Core rev: 048ff0ad927f4d37cc5547ebeba9e0c221687ea6)

(From OE-Core rev: 3e47644d24d97c2541ccb70d91c144cf6530d5b0)

Signed-off-by: Antoine Lubineau <antoine.lubineau@easymile.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Antoine Lubineau
2024-10-25 22:21:00 +02:00
committed by Steve Sakoman
parent 6cac0cf4fe
commit 24effee3d5
2 changed files with 12 additions and 4 deletions
+4 -1
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}" CVE_VERSION ??= "${PV}"
CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db" CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db"
CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
CVE_CHECK_LOG ?= "${T}/cve.log" CVE_CHECK_LOG ?= "${T}/cve.log"
@@ -399,6 +399,7 @@ def get_cve_info(d, cves):
cve_data[row[0]]["scorev3"] = row[3] cve_data[row[0]]["scorev3"] = row[3]
cve_data[row[0]]["modified"] = row[4] cve_data[row[0]]["modified"] = row[4]
cve_data[row[0]]["vector"] = row[5] cve_data[row[0]]["vector"] = row[5]
cve_data[row[0]]["vectorString"] = row[6]
cursor.close() cursor.close()
conn.close() conn.close()
return cve_data return cve_data
@@ -455,6 +456,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1": if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
@@ -569,6 +571,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
"scorev2" : cve_data[cve]["scorev2"], "scorev2" : cve_data[cve]["scorev2"],
"scorev3" : cve_data[cve]["scorev3"], "scorev3" : cve_data[cve]["scorev3"],
"vector" : cve_data[cve]["vector"], "vector" : cve_data[cve]["vector"],
"vectorString" : cve_data[cve]["vectorString"],
"status" : status, "status" : status,
"link": issue_link "link": issue_link
} }
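Review bot: The new `vectorString` field is written to the text report (`VECTORSTRING: %s`) and the JSON report without saying which CVSS version the vector belongs to or that it can be the literal placeholder `"UNKNOWN"`, which the commit message says downstream analysis tools will parse. From the native recipe's hunk on this page, update_db stores the v2 vector string when NVD has one, otherwise the v3.0/v3.1 one, and falls back to `"UNKNOWN"` when no metrics exist, so a consumer cannot assume a single CVSS version or a parseable string; a v2 vector (`AV:N/...`) and a v3 vector (`CVSS:3.x/AV:N/...`) are distinguishable only by prefix. I would document this where the row is read in get_cve_info (the function starts outside the hunk), e.g. `# Full CVSS vector as stored by cve-update-nvd2-native: v2 if present, else v3.0/v3.1; "UNKNOWN" when NVD has no metrics` next to `cve_data[row[0]]["vectorString"] = row[6]`. The rename of CVE_CHECK_DB_FILE to `nvdcve_2-1.db` also deserves a comment stating why, so the next schema change follows the same rule: `# Bump the DB file name whenever the NVD table schema changes so a cached database is never read with the wrong column layout`.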
@@ -247,7 +247,7 @@ def initialize_db(conn):
c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -321,6 +321,7 @@ def update_db(conn, elt):
""" """
accessVector = None accessVector = None
vectorString = None
cveId = elt['cve']['id'] cveId = elt['cve']['id']
if elt['cve']['vulnStatus'] == "Rejected": if elt['cve']['vulnStatus'] == "Rejected":
c = conn.cursor() c = conn.cursor()
@@ -335,25 +336,29 @@ def update_db(conn, elt):
date = elt['cve']['lastModified'] date = elt['cve']['lastModified']
try: try:
accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector'] accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore'] cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
except KeyError: except KeyError:
cvssv2 = 0.0 cvssv2 = 0.0
cvssv3 = None cvssv3 = None
try: try:
accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector'] accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore'] cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
except KeyError: except KeyError:
pass pass
try: try:
accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector'] accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore'] cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
except KeyError: except KeyError:
pass pass
accessVector = accessVector or "UNKNOWN" accessVector = accessVector or "UNKNOWN"
vectorString = vectorString or "UNKNOWN"
cvssv3 = cvssv3 or 0.0 cvssv3 = cvssv3 or 0.0
conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)", conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?)",
[cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close() [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close()
try: try:
# Remove any pre-existing CVE configuration. Even for partial database # Remove any pre-existing CVE configuration. Even for partial database