cve-check: add support for Ignored CVEs

Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>

cve-check: add support for Ignored CVEs
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
cb6db3c8 · Davide Gardenal · b3129cf2 · cb6db3c8
Verified Commit cb6db3c8 authored 2 years ago by Davide Gardenal
--- a/meta-oniro-staging/classes/cve-check.bbclass
+++ b/meta-oniro-staging/classes/cve-check.bbclass
@@ -129,7 +129,7 @@ python do_cve_check () {
            bb.warn("Found unpatched CVE (%s)" % (" ".join(unpatched)))

        if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
-            cve_data = get_cve_info(d, patched + unpatched)
+            cve_data = get_cve_info(d, patched + unpatched + ignored)
            cve_write_data(d, patched, unpatched, ignored, cve_data, status)
    else:
        bb.note("No CVE database found, skipping CVE check")
@@ -208,6 +208,7 @@ def check_cves(d, patched_cves):
    suffix = d.getVar("CVE_VERSION_SUFFIX")

    cves_unpatched = []
+    cves_ignored = []
    cves_status = []
    cves_in_recipe = False
    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -241,9 +242,8 @@ def check_cves(d, patched_cves):
            cve = cverow[0]

            if cve in cve_ignore:
-                bb.note("%s-%s has been ignored for %s" % (product, pv, cve))
-                # TODO: this should be in the report as 'ignored'
-                patched_cves.add(cve)
+                bb.note("%s-%s ignores %s" % (product, pv, cve))
+                cves_ignored.append(cve)
                continue
            elif cve in patched_cves:
                bb.note("%s has been patched" % (cve))
@@ -255,9 +255,13 @@ def check_cves(d, patched_cves):
                cves_in_recipe = True

            vulnerable = False
+            ignored = False
+
            for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
                (_, _, _, version_start, operator_start, version_end, operator_end) = row
                #bb.debug(2, "Evaluating row " + str(row))
+                if cve in cve_ignore:
+                    ignored = True

                if (operator_start == '=' and pv == version_start) or version_start == '-':
                    vulnerable = True
@@ -290,13 +294,16 @@ def check_cves(d, patched_cves):
                        vulnerable = vulnerable_start or vulnerable_end

                if vulnerable:
-                    bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
-                    cves_unpatched.append(cve)
+                    if ignored:
+                        bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
+                        cves_ignored.append(cve)
+                    else:
+                        bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
+                        cves_unpatched.append(cve)
                    break

            if not vulnerable:
                bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
-                # TODO: not patched but not vulnerable
                patched_cves.add(cve)

        if not cves_in_product:
@@ -308,7 +315,7 @@ def check_cves(d, patched_cves):
    if not cves_in_recipe:
        bb.note("No CVE records for products in recipe %s" % (pn))

-    return (list(cve_ignore), list(patched_cves), cves_unpatched, cves_status)
+    return (list(cves_ignored), list(patched_cves), cves_unpatched, cves_status)

 def get_cve_info(d, cves):
    """
@@ -443,16 +450,20 @@ def generate_txt_cve_recipe_report_content(d, patched, unpatched, ignored, cve_d
    nvd_link = "https://nvd.nist.gov/vuln/detail/"
    write_string = ""
    unpatched_cves = []
+    report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"

    for cve in sorted(cve_data):
        is_patched = cve in patched
-        if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
+        is_ignored = cve in ignored
+
+        if (is_patched or is_ignored) and not report_all:
            continue
+        
        write_string += "LAYER: %s\n" % layer
        write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
        write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
        write_string += "CVE: %s\n" % cve
-        if cve in ignored:
+        if is_ignored:
            write_string += "CVE STATUS: Ignored\n"
        elif is_patched:
            write_string += "CVE STATUS: Patched\n"
@@ -488,6 +499,7 @@ def generate_json_cve_recipe_report_content(d, patched, unpatched, ignored, cve_
    layer = get_current_recipe_layer(d)
    output = {"version":"1", "package": []}
    nvd_link = "https://nvd.nist.gov/vuln/detail/"
+    report_all = d.getVar("CVE_CHECK_REPORT_PATCHED") == "1"

    unpatched_cves = []

@@ -509,10 +521,11 @@ def generate_json_cve_recipe_report_content(d, patched, unpatched, ignored, cve_

    for cve in sorted(cve_data):
        is_patched = cve in patched
+        is_ignored = cve in ignored
        status = "Unpatched"
-        if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
+        if (is_patched or is_ignored) and not report_all:
            continue
-        if cve in ignored:
+        if is_ignored:
            status = "Ignored"
        elif is_patched:
            status = "Patched"