On 10/27/2016 06:03 AM, Sona Sarmadi wrote:

-----Original Message-----
From: Sona Sarmadi
Sent: den 27 oktober 2016 10:57
To: Scott Rifenbark <srifenb...@gmail.com>; 'mariano.lo...@intel.com'
<mariano.lo...@intel.com>; yocto@yoctoproject.org
Subject: cve-checker tool

Hi guys,

I have some questions regarding the cve-check tool. I don't find anything
about this tool in the Yocto
2.2 release; does the documentation mention this tool and how to use it?

Currently we don't have documentation about it, I'll work on it along with Scott. Thanks for updating "How do I?" as Khem suggested.


Is this tool planned to be integrated with the daily build so the Yocto project
can detect not-addressed CVEs automatically?

Mariano:
Does this tool look at the CVE tag inside the recipe as well, or only check the
package version?

If there is a version affected by a CVE it will look for a patch that solves that particular CVE using the metadata in the patch format. For example, the current bind version is affected by CVE-2016-1285, but there is a patch for that, so the cve-check class will find this and will generate a log file saying the vulnerability has been addressed.

After the previous example I know you are familiar with the CVE tag, but if someone stumbles on the thread, here is more information on the CVE tag needed:
http://openembedded.org/wiki/Commit_Patch_Message_Guidelines#CVE_Patches


Can this tool be used together with "meta-security-isafw" and get a fancy
report?

When I was working on this it was during the transition to python3, so meta-security-isafw didn't behave as expected. To be honest I haven't checked again, but it will be a good test. I'll try to do this during the weekend.

There is some useful info in the cve-check.bbclass:

#In order to use this class just inherit the class in the
# local.conf file and it will add the cve_check task for
# every recipe. The task can be used per recipe, per image,
# or using the special cases "world" and "universe". The
# cve_check task will print a warning for every unpatched
# CVE found and generate a file in the recipe WORKDIR/cve
# directory. If an image is build it will generate a report
# in DEPLOY_DIR_IMAGE for all the packages used.

I see the following logs are generated:
./unzip/1_6.0-r5/cve/cve.log
./gnutls/3.5.3-r0/cve/cve.log
./glibc/2.24-r0/cve/cve.log
./glibc-initial/2.24-r0/cve/cve.log
./foomatic-filters/4.0.17-r1/cve/cve.log
./bzip2/1.0.6-r5/cve/cve.log
./libxml2/2.9.4-r0/cve/cve.log
./perl/5.22.1-r0/cve/cve.log
./expat/2.2.0-r0/cve/cve.log
./flex/2.6.0-r0/cve/cve.log

//Sona

Just remember that those logs are created for patched and unpatched CVEs.

--
Mariano Lopez
--
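As an added illustration of the patch-tag lookup described above (not code from the cve-check class itself, and not the format of its cve.log), the script below scans the headers of a few constructed patches for the `CVE:` tag that the OpenEmbedded patch guidelines require, and reports which of a constructed list of CVE ids affecting the recipe version are patched. The patch texts, file names, the affecting-CVE list, the package name and version, and the report layout are all assumptions made for this example; the real class takes the affected-version data from the CVE database it downloads and writes its own log format.

```python
"""Toy re-implementation of the "does a patch address this CVE?" lookup that the
cve-check class performs. Illustration only; not the class's own code."""
import re
from typing import Dict, List, Set

# Constructed sample patches for one hypothetical recipe. Only the headers
# matter: the OE guidelines ask for a "CVE: CVE-YYYY-NNNN" line in the header.
SAMPLE_PATCHES: Dict[str, str] = {
    # Properly tagged backport (header text is constructed; not the real bind patch).
    "CVE-2016-1285.patch": (
        "From: Example Author <author@example.invalid>\n"
        "Subject: [PATCH] Fix assertion failure in control channel handling\n"
        "\n"
        "Upstream-Status: Backport\n"
        "CVE: CVE-2016-1285\n"
        "Signed-off-by: Example Author <author@example.invalid>\n"
        "---\n"
        " lib/isc/sample.c | 2 +-\n"
    ),
    # Constructed placeholder id in the file name but NO tag in the header:
    # the tag is what the lookup keys on, so this one must not count as patched.
    "CVE-2016-0000.patch": (
        "Subject: [PATCH] Harden input parsing\n"
        "\n"
        "Upstream-Status: Pending\n"
        "---\n"
        " src/parse.c | 4 ++--\n"
    ),
    # Unrelated build fix that mentions a CVE id only inside the diff body,
    # where the lookup must not pick it up.
    "fix-build.patch": (
        "Subject: [PATCH] Fix build with newer toolchain\n"
        "\n"
        "Upstream-Status: Pending\n"
        "---\n"
        "+/* see CVE-2016-0000 changelog entry */\n"
    ),
}

# Constructed list of ids that, for this example, affect the recipe version.
# The real class gets this from the CVE data it downloads.
AFFECTING_CVES: List[str] = ["CVE-2016-1285", "CVE-2016-0000"]

CVE_TAG_RE = re.compile(r"^CVE:\s*(.+)$", re.MULTILINE)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def patch_header(patch_text: str) -> str:
    """Return only the commit-message part of a git-format patch (before '---')."""
    return patch_text.split("\n---\n", 1)[0]


def patched_cves(patches: Dict[str, str]) -> Set[str]:
    """Collect every CVE id named on a 'CVE:' header line of any patch.
    One tag line may list several ids, so each line is scanned for all ids."""
    found: Set[str] = set()
    for text in patches.values():
        for tag_line in CVE_TAG_RE.findall(patch_header(text)):
            found.update(CVE_ID_RE.findall(tag_line))
    return found


def classify(affecting: List[str], patches: Dict[str, str]) -> Dict[str, str]:
    """Map each affecting CVE id to 'Patched' or 'Unpatched'."""
    fixed = patched_cves(patches)
    return {cve: ("Patched" if cve in fixed else "Unpatched") for cve in affecting}


def render_report(pn: str, pv: str, status: Dict[str, str]) -> str:
    """Render a plain-text report (constructed layout, not the class's cve.log)."""
    lines = [f"{pn} {pv}"]
    for cve in sorted(status):
        lines.append(f"  {cve}: {status[cve]}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Package name and version are placeholders, not values from the thread.
    status = classify(AFFECTING_CVES, SAMPLE_PATCHES)
    print(render_report("bind", "PV-placeholder", status))
    for cve, st in status.items():
        if st == "Unpatched":
            print(f"WARNING: {cve} is unpatched")
```

Running it reports CVE-2016-1285 as patched and the constructed placeholder id as unpatched, even though a patch file named after that id exists: the file name alone carries no weight, the `CVE:` header line does, which is why the guidelines linked above matter. In the real build the class is enabled as the bbclass comment says, by inheriting it from local.conf (`INHERIT += "cve-check"`), and the per-recipe results land in the cve.log files listed in the thread.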
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto