From patchwork Thu Sep 21 08:23:52 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antoine Lubineau X-Patchwork-Id: 30877 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from aws-us-west-2-korg-lkml-1.web.codeaurora.org (localhost.localdomain [127.0.0.1]) by smtp.lore.kernel.org (Postfix) with ESMTP id 369DDE706ED for ; Thu, 21 Sep 2023 08:23:58 +0000 (UTC) Received: from mail-wr1-f41.google.com (mail-wr1-f41.google.com [209.85.221.41]) by mx.groups.io with SMTP id smtpd.web11.11252.1695284635576238981 for ; Thu, 21 Sep 2023 01:23:56 -0700 Authentication-Results: mx.groups.io; dkim=pass header.i=@easymile.com header.s=easymile header.b=HA0OGctK; spf=pass (domain: easymile.com, ip: 209.85.221.41, mailfrom: antoine.lubineau@easymile.com) Received: by mail-wr1-f41.google.com with SMTP id ffacd0b85a97d-31f737b8b69so560338f8f.3 for ; Thu, 21 Sep 2023 01:23:55 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=easymile.com; s=easymile; t=1695284633; x=1695889433; darn=lists.openembedded.org; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:from:to:cc:subject:date:message-id:reply-to; bh=1L1VTbXdyb7chtajJrf0nkzAEOXzYR6g2e4J+AGzeHA=; b=HA0OGctKmf7w8DM3TmHknjKst92FzWJ4AAZzYJjsinK6NJ8KP4AH1A7fYuwsI99q6B IZIT9MnAOYx++DB1JjehubwMFosA2vTBl+XAfLJU//ZKvcCZQfOlMN4X1+oaOLUL/7/l AlhQWy6Cj2RKpG+dcdgOFht82ulFrfYeWwwtY= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1695284633; x=1695889433; h=content-transfer-encoding:mime-version:message-id:date:subject:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=1L1VTbXdyb7chtajJrf0nkzAEOXzYR6g2e4J+AGzeHA=; b=JROwXPbbAsD7l2eGTjDVYzu5H7DWkVnfRfDxHLUHo79D5S8THQLCzMR3ShPaW4CpYh 5+Gv3RfHQZ31Wy0DlSy4DBvPGGjOXv2miIRZskFoqb189NGVzJDj9eEr6HwtD5IR/+XL 
FSoDynpkru5Ak7HcvqKm0ArdhXio/VYPMSkB7kuIC5kMiaPxlTr4SkKEfSJKkcwtZket JhhT9YKIgVwai3xk3kX7W5fvVtA8SI/M0HbkOPN1UDUXfIJ2GX2NI80dFSz2gcw/hxrQ SMaCtWTp3+ajokeZc67A3eaCxI0+TSyGQ/elTmDZkgpL3rCmltnetZxZPhyYpdysmqeE /A7g== X-Gm-Message-State: AOJu0Yy5pgexkZfbbhvoMjkCOqs9Rn8icpAh7/5bLbI5LvnXeoSrgTZb mvdBvWb4feyD5FobF2GG2R6VtoWDG9qlCPy5++CSFI/Vl6M0LQo+mtTZxqVFenuKj3UrszTQoQI oevXpTYP13fGOjKDHWhPBrSj1ADobneHuV/6wR88RVGkd8FUdc46dWyoRE64aKw5tI00bKmMTP4 QejcvZjWWtvoVw4nToB78oKqA8dprwa/3xEah6BL8= X-Google-Smtp-Source: AGHT+IGjBuM/Upd+6d/opVs9ZKQAGCPKQI0uN1GAy58IFHe9EwqGLJs4E5oRofsXvbPvfO3xGhqAOQ== X-Received: by 2002:adf:f08f:0:b0:320:6d6:3167 with SMTP id n15-20020adff08f000000b0032006d63167mr4311240wro.47.1695284633404; Thu, 21 Sep 2023 01:23:53 -0700 (PDT) Received: from fr001036.. ([185.116.129.142]) by smtp.gmail.com with ESMTPSA id m16-20020a056000009000b0031c71693449sm1076445wrx.1.2023.09.21.01.23.52 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 21 Sep 2023 01:23:53 -0700 (PDT) From: Antoine Lubineau To: openembedded-core@lists.openembedded.org Subject: [PATCH] cve-check: add CVSS vector string to CVE database and reports Date: Thu, 21 Sep 2023 10:23:52 +0200 Message-Id: <20230921082352.21065-1-antoine.lubineau@easymile.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 List-Id: X-Webhook-Received: from li982-79.members.linode.com [45.33.32.79] by aws-us-west-2-korg-lkml-1.web.codeaurora.org with HTTPS for ; Thu, 21 Sep 2023 08:23:58 -0000 X-Groupsio-URL: https://lists.openembedded.org/g/openembedded-core/message/187980 This allows building detailed vulnerability analysis tools without relying on external resources. Signed-off-by: Antoine Lubineau --- meta/classes/cve-check.bbclass | 5 ++++- meta/recipes-core/meta/cve-update-nvd2-native.bb | 11 ++++++++--- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 55ae298024..b55f4299da 100644 
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -32,7 +32,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
 CVE_CHECK_LOG ?= "${T}/cve.log"
@@ -442,6 +442,7 @@ def get_cve_info(d, cves):
 cve_data[row[0]]["scorev3"] = row[3]
 cve_data[row[0]]["modified"] = row[4]
 cve_data[row[0]]["vector"] = row[5]
+ cve_data[row[0]]["vectorString"] = row[6]
 cursor.close()
 conn.close()
 return cve_data
@@ -507,6 +508,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
 write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
 write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
+ write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"]
 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
 if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
@@ -623,6 +625,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status):
 "scorev2" : cve_data[cve]["scorev2"],
 "scorev3" : cve_data[cve]["scorev3"],
 "vector" : cve_data[cve]["vector"],
+ "vectorString" : cve_data[cve]["vectorString"],
 "status" : status,
 "link": issue_link
 }
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb
index 2f7dad7e82..d0321f1bb5 100644
--- a/meta/recipes-core/meta/cve-update-nvd2-native.bb
+++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb
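Review bot: The rename to `nvdcve_2-1.db` is what actually applies the schema change: `CREATE TABLE IF NOT EXISTS NVD (...)` in the initialize_db hunk of cve-update-nvd2-native.bb never alters a table that already exists, so without the new file name the seven-value `insert or replace` in update_db would fail against an old six-column database. That coupling is invisible from this line, and the previous `nvdcve_2.db` and its `.lock` are simply left behind under ${CVE_CHECK_DB_DIR}, so a short comment would help the next person who adds a column: `# Bump the suffix whenever the NVD table layout in cve-update-nvd2-native.bb changes; an existing database file is never migrated in place.` It would presumably also be worth stating in the commit message that the NVD data is fetched again from scratch after this change, since the incremental state lives in the old file.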
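Review bot: `row[6]` in the get_cve_info hunk extends a purely positional read of the NVD row, and the only definition of that order is the CREATE TABLE string in cve-update-nvd2-native.bb, so the two files now have to be kept in lockstep by hand with nothing here checking the row length. A comment on the first of these assignments would make the dependency visible: `# Column order follows the NVD table created in cve-update-nvd2-native.bb: ID, SUMMARY, SCOREV2, SCOREV3, MODIFIED, VECTOR, VECTORSTRING`. Selecting and reading the columns by name would remove the coupling, but the SELECT and the rest of get_cve_info are outside this hunk.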
@@ -225,7 +225,7 @@ def initialize_db(conn):
 c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)")
 c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \
- SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)")
+ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT, VECTORSTRING TEXT)")
 c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \
 VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \
@@ -299,6 +299,7 @@ def update_db(conn, elt):
 """
 accessVector = None
+ vectorString = None
 cveId = elt['cve']['id']
 if elt['cve']['vulnStatus'] == "Rejected":
 return
@@ -309,25 +310,29 @@ def update_db(conn, elt):
 date = elt['cve']['lastModified']
 try:
 accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
+ vectorString = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
 cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
 except KeyError:
 cvssv2 = 0.0
 cvssv3 = None
 try:
 accessVector = accessVector or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['attackVector']
+ vectorString = vectorString or elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['vectorString']
 cvssv3 = elt['cve']['metrics']['cvssMetricV30'][0]['cvssData']['baseScore']
 except KeyError:
 pass
 try:
 accessVector = accessVector or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['attackVector']
+ vectorString = vectorString or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['vectorString']
 cvssv3 = cvssv3 or elt['cve']['metrics']['cvssMetricV31'][0]['cvssData']['baseScore']
 except KeyError:
 pass
 accessVector = accessVector or "UNKNOWN"
+ vectorString = vectorString or "UNKNOWN"
 cvssv3 = cvssv3 or 0.0
- conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?)",
- [cveId, cveDesc, cvssv2, cvssv3, date, accessVector]).close()
+ conn.execute("insert or replace into NVD values (?, ?, ?, ?, ?, ?, ?)",
+ [cveId, cveDesc, cvssv2, cvssv3, date, accessVector, vectorString]).close()
 try:
 for config in elt['cve']['configurations']:
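Review bot: The new `vectorString` inherits the v2-first precedence used for accessVector, so for a CVE that carries both cvssMetricV2 and cvssMetricV30/V31 data the stored string is the CVSS v2 vector while the same row's scorev3 comes from the v3 metrics — exactly the pairing a downstream "detailed vulnerability analysis" consumer would get wrong. Since this commit introduces the field it can pick its own precedence: take the v3.1 or v3.0 string when present and fall back to v2 only otherwise, which also keeps the version prefix of the string (`CVSS:3.x/` versus the bare v2 form) meaningful to readers of the report. A smaller point: the v2 lookup sits between accessVector and baseScore inside one `try`, so an entry whose v2 cvssData lacks `vectorString` now also loses its v2 base score (cvssv2 falls to 0.0), and as before an empty metric list raises IndexError, which the KeyError handlers do not cover. update_db starts before this hunk and continues after it.
```python
    # v2 is only a fallback for the vector string: prefer the v3 form so the
    # stored string matches scorev3 when both metric versions are present.
    vectorStringV2 = None
    try:
        accessVector = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['accessVector']
        vectorStringV2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['vectorString']
        cvssv2 = elt['cve']['metrics']['cvssMetricV2'][0]['cvssData']['baseScore']
    except KeyError:
        cvssv2 = 0.0
    # … unchanged: cvssMetricV30 and cvssMetricV31 blocks, which set vectorString from the v3 data …
    accessVector = accessVector or "UNKNOWN"
    vectorString = vectorString or vectorStringV2 or "UNKNOWN"
```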