Re: [OE-core] [PATCHv3 1/2] cve-check-tool: Add recipe

2016-07-18 Thread Mariano Lopez



On 07/12/2016 05:19 PM, akuster808 wrote:
> Mariano,
>
> On 07/11/2016 05:52 AM, mariano.lo...@linux.intel.com wrote:
>> From: Mariano Lopez 
>>
>> cve-check-tool is a program for public CVEs checking.
>> This tool also seeks to determine if a vulnerability has
>> been addressed by a patch.
>
> By tool do you mean the "cve-check-tool"? All the Nvd DB can tell you if
> a CVE has been assigned, anything more than that is not guaranteed.
>
> Look at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5320

Sorry for the confusion; here I was referring to patches in OE that 
address the CVE. The class will look for the CVE tag for this.





>> The recipe also includes the do_populate_cve_db task
>> that will populate the database used by the tool.
>
> This DB is big. May want to add a note to that effect. Maybe a note
> about how to share the DB across builds like with the AB.

You are right, the DB is big and it will take some time to download. By 
default the tool will download the DB to DL_DIR, so if you have this dir 
shared, it will be downloaded just once, with incremental updates later.




> time for me to play with this.
>
> Thanks for driving this.

Glad to be helping with this.

> regards,
> Armin

Mariano
--
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
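Mariano's remark above that the class looks for a CVE tag in OE patches, as an added example that is not the cve-check class's own code: a small Python module that collects the CVE identifiers a recipe's patches claim to address and splits a tool-reported list into addressed and still-open IDs. The `CVE:` header-line convention and the use of the patch file name are assumptions made for this example; the patch texts and the reported list are constructed sample data, and the CVE-2016-9999xxxx identifiers are deliberately non-existent placeholders (only CVE-2016-5320 is taken from this thread).

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Matches CVE identifiers such as CVE-2016-5320 (year, then 4 or more digits).
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")
# Assumed header convention: a "CVE:" line in the patch description
# listing one or more identifiers.
CVE_TAG_RE = re.compile(r"^\s*CVE:\s*(.+)$", re.MULTILINE | re.IGNORECASE)
# The description ends where the diffstat ("---") or the first diff starts.
HEADER_END_RE = re.compile(r"^(?:diff --git|---)\s", re.MULTILINE)


def cves_in_patch(name: str, text: str) -> Set[str]:
    """Return the CVE ids a single patch claims to address.

    Ids are taken from 'CVE:' tag lines in the description and from the
    patch file name; identifiers that merely appear in the diff body
    (e.g. in a code comment) are not counted as fixes.
    """
    header = HEADER_END_RE.split(text, maxsplit=1)[0]
    found = set(CVE_ID_RE.findall(name.upper()))
    for tag_line in CVE_TAG_RE.findall(header):
        found.update(CVE_ID_RE.findall(tag_line.upper()))
    return found


def triage(reported: Iterable[str], patches: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split tool-reported CVE ids into (addressed, still_open).

    'patches' maps patch file name -> patch text, i.e. what the recipe
    applies on top of the upstream release. Ids are normalised to upper
    case and de-duplicated so the tool's spelling does not matter.
    """
    addressed: Set[str] = set()
    for name, text in patches.items():
        addressed |= cves_in_patch(name, text)
    reported_ids = sorted({cid.upper() for cid in reported})
    fixed = [cid for cid in reported_ids if cid in addressed]
    still_open = [cid for cid in reported_ids if cid not in addressed]
    return fixed, still_open


# Constructed sample patches (not real OE patches).
SAMPLE_PATCHES = {
    "0001-parser-bound-record-length.patch": (
        "From: Example Author <dev@example.invalid>\n"
        "Subject: [PATCH] parser: bound the record length\n"
        "\n"
        "Reject records longer than the receive buffer.\n"
        "\n"
        "CVE: CVE-2016-99990001\n"
        "Upstream-Status: Backport\n"
        "---\n"
        " parser.c | 2 +-\n"
        "diff --git a/parser.c b/parser.c\n"
        "--- a/parser.c\n"
        "+++ b/parser.c\n"
        "@@ -1 +1 @@\n"
        "-/* see also CVE-2016-99990002 (mentioned in code only, not a tag) */\n"
        "+int record_len;\n"
    ),
    # No CVE: tag; the id is carried by the file name.
    "CVE-2016-5320.patch": (
        "Subject: [PATCH] avoid NULL dereference on empty input\n"
        "\n"
        "Upstream-Status: Backport\n"
        "---\n"
        "diff --git a/input.c b/input.c\n"
    ),
}

# Constructed list standing in for what cve-check-tool would report
# for this package version (lower case on purpose, to exercise normalisation).
SAMPLE_REPORTED = [
    "cve-2016-5320",
    "CVE-2016-99990001",
    "CVE-2016-99990002",
    "CVE-2016-99990003",
]


if __name__ == "__main__":
    fixed, still_open = triage(SAMPLE_REPORTED, SAMPLE_PATCHES)
    print("addressed by patches:", fixed)
    print("still open:", still_open)
```

The diff body is deliberately ignored: a CVE id quoted in changed source lines says nothing about whether the patch fixes it, so only the description tag and the file name count. Everything the tool reports that has no matching patch stays in the open list for a human to look at.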


Re: [OE-core] [PATCHv3 1/2] cve-check-tool: Add recipe

2016-07-12 Thread akuster808
Mariano,


On 07/11/2016 05:52 AM, mariano.lo...@linux.intel.com wrote:
> From: Mariano Lopez 
> 
> cve-check-tool is a program for public CVEs checking.
> This tool also seeks to determine if a vulnerability has
> been addressed by a patch.

By tool do you mean the "cve-check-tool"? All the Nvd DB can tell you if
a CVE has been assigned, anything more than that is not guaranteed.

Look at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5320

> 
> The recipe also includes the do_populate_cve_db task
> that will populate the database used by the tool.

This DB is big. May want to add a note to that effect. Maybe a note
about how to share the DB across builds like with the AB.

time for me to play with this.

Thanks for driving this.
regards,
Armin

> 
> [YOCTO #7515]
> 
> Signed-off-by: Mariano Lopez 
> ---
>  .../cve-check-tool/cve-check-tool_5.6.4.bb | 55 
> ++
>  1 file changed, 55 insertions(+)
>  create mode 100644 
> meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> 
> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb 
> b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> new file mode 100644
> index 000..0cf64e4
> --- /dev/null
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -0,0 +1,55 @@
> +SUMMARY = "cve-check-tool"
> +DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
> +The tool will identify potentially vunlnerable software packages within 
> Linux distributions through version matching."
> +HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool;
> +SECTION = "Development/Tools"
> +LICENSE = "GPL-2.0"
> +LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
> +
> +SRC_URI = 
> "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz;
> +
> +SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> +SRC_URI[sha256sum] = 
> "b8f283be718af8d31232ac1bfc10a0378fb95849af39168f8acf501e6a5b"
> +
> +DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl"
> +
> +inherit pkgconfig autotools
> +
> +EXTRA_OECONF = "--disable-static"
> +
> +python do_populate_cve_db () {
> +import subprocess
> +import time
> +
> +if d.getVar("BB_NO_NETWORK", True) == "1":
> +bb.error("BB_NO_NETWORK is set; Can't update cve-check-tool 
> database, "
> +  "CVEs won't be checked")
> +return
> +
> +bb.utils.export_proxies(d)
> +# In case we don't inherit cve-check class, use default values defined 
> in the class.
> +cve_dir = d.getVar("CVE_CHECK_DB_DIR", True) or 
> d.expand("${DL_DIR}/CVE_CHECK")
> +cve_file = d.getVar("CVE_CHECK_TMP_FILE", True) or 
> d.expand("${TMPDIR}/cve_check")
> +cve_cmd = "cve-check-update"
> +cmd = [cve_cmd, "-d", cve_dir]
> +bb.debug(1, "Updating cve-check-tool database located in %s" % cve_dir)
> +try:
> +output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
> +bb.debug(2, "Command '%s' returned:\n%s" % ("\n".join(cmd), output))
> +if bb.data.inherits_class('cve-check', d):
> +time_utc = time.gmtime(time.time())
> +time_format = "%Y-%m-%d %H:%M:%S"
> +with open(cve_file, "w") as f:
> +f.write("CVE database was updated on %s UTC\n\n"
> +% time.strftime(time_format, time_utc))
> +
> +except subprocess.CalledProcessError as e:
> +bb.warn("Error in executing cve-check-update: %s (output %s)" % (e, 
> e.output))
> +if bb.data.inherits_class('cve-check', d):
> +bb.warn("Failed to update cve-check-tool database, CVEs won't be 
> checked")
> +}
> +
> +addtask populate_cve_db after do_populate_sysroot
> +do_populate_cve_db[nostamp] = "1"
> +
> +BBCLASSEXTEND = "native"
> 
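Review bot: The two log calls in the try/except of do_populate_cve_db will render poorly as written: `"\n".join(cmd)` puts each argv element of the cve-check-update command on its own line in the bb.debug(2, ...) message, where `" ".join(cmd)` would show the command as typed, and with BitBake on Python 3 both `output` from subprocess.check_output() and `e.output` in the except branch are bytes, so `%s` logs them as one `b'...'` literal with escaped newlines instead of the tool's output; decode them (for example `output.decode("utf-8", "replace")`) before formatting the message.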


[OE-core] [PATCHv3 1/2] cve-check-tool: Add recipe

2016-07-11 Thread mariano . lopez
From: Mariano Lopez 

cve-check-tool is a program for public CVEs checking.
This tool also seeks to determine if a vulnerability has
been addressed by a patch.

The recipe also includes the do_populate_cve_db task
that will populate the database used by the tool.

[YOCTO #7515]

Signed-off-by: Mariano Lopez 
---
 .../cve-check-tool/cve-check-tool_5.6.4.bb | 55 ++
 1 file changed, 55 insertions(+)
 create mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb 
b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
new file mode 100644
index 000..0cf64e4
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -0,0 +1,55 @@
+SUMMARY = "cve-check-tool"
+DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
+The tool will identify potentially vunlnerable software packages within Linux 
distributions through version matching."
+HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool;
+SECTION = "Development/Tools"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
+
+SRC_URI = 
"https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz;
+
+SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
+SRC_URI[sha256sum] = 
"b8f283be718af8d31232ac1bfc10a0378fb95849af39168f8acf501e6a5b"
+
+DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl"
+
+inherit pkgconfig autotools
+
+EXTRA_OECONF = "--disable-static"
+
+python do_populate_cve_db () {
+import subprocess
+import time
+
+if d.getVar("BB_NO_NETWORK", True) == "1":
+bb.error("BB_NO_NETWORK is set; Can't update cve-check-tool database, "
+  "CVEs won't be checked")
+return
+
+bb.utils.export_proxies(d)
+# In case we don't inherit cve-check class, use default values defined in 
the class.
+cve_dir = d.getVar("CVE_CHECK_DB_DIR", True) or 
d.expand("${DL_DIR}/CVE_CHECK")
+cve_file = d.getVar("CVE_CHECK_TMP_FILE", True) or 
d.expand("${TMPDIR}/cve_check")
+cve_cmd = "cve-check-update"
+cmd = [cve_cmd, "-d", cve_dir]
+bb.debug(1, "Updating cve-check-tool database located in %s" % cve_dir)
+try:
+output = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
+bb.debug(2, "Command '%s' returned:\n%s" % ("\n".join(cmd), output))
+if bb.data.inherits_class('cve-check', d):
+time_utc = time.gmtime(time.time())
+time_format = "%Y-%m-%d %H:%M:%S"
+with open(cve_file, "w") as f:
+f.write("CVE database was updated on %s UTC\n\n"
+% time.strftime(time_format, time_utc))
+
+except subprocess.CalledProcessError as e:
+bb.warn("Error in executing cve-check-update: %s (output %s)" % (e, 
e.output))
+if bb.data.inherits_class('cve-check', d):
+bb.warn("Failed to update cve-check-tool database, CVEs won't be 
checked")
+}
+
+addtask populate_cve_db after do_populate_sysroot
+do_populate_cve_db[nostamp] = "1"
+
+BBCLASSEXTEND = "native"
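Review bot: In the BB_NO_NETWORK branch of do_populate_cve_db, bb.error() followed by return does not match either the message's own "CVEs won't be checked" wording or the except branch below, which reports the same outcome with bb.warn(); if the intent is to skip the update and let the build carry on without CVE data, use `bb.warn("BB_NO_NETWORK is set; Can't update cve-check-tool database, CVEs won't be checked")` and keep the return, and if the intent is to fail the task, drop the return and the "won't be checked" text. Two further points: the task runs `cve-check-update` through subprocess, but the only ordering given is `addtask populate_cve_db after do_populate_sysroot` of this same recipe, so nothing guarantees the native tool is in the sysroot when the target variant runs the task; `do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"` would make that dependency explicit. And the SRC_URI[sha256sum] value as it appears here has 60 hex digits where a SHA-256 digest has 64, so please confirm the value in the posted file was not truncated, otherwise the fetch will fail checksum verification.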
-- 
2.6.6
