[yocto] cve-checker tool

Mariano Lopez mariano.lopez at linux.intel.com
Wed Dec 7 06:58:35 PST 2016



On 06/12/16 08:41, Sona Sarmadi wrote:
> Another question:
>
> We don't have recipes for libcurl, I guess both curl and libcurl CVEs are patched in the curl recipes, right?
> I think curl uses libcurl, and libcurl is built when building curl. 
>
> Those CVEs which are listed in the nvd.xml file under "cpe:/a:haxx:libcurl" are not detected and reported by cve-check tool.

In the case of libcurl, it is built using the curl recipe, and currently
the cve-check class will look for BPN, so it won't check against libcurl.
Can you open a bug for this?

> [snip]


> It seems that this tool does not detect all CVEs, e.g. bind has some CVE patches but it is not reported, I tried all options below nothing is reported (no cve.log file):
> bitbake -c cve_check bind
> bitbake -k -c cve_check universe
> bitbake -k -c cve_check world
>
> There are some CVEs in bind (reported in the nvd.xml file for our version, cpe:/a:isc:bind:9.10.3) but cve-check-tool does not report them, e.g. CVE-2016-2776. Do you know why?
>
>
> CVEs are reported for the following packages using e.g. "bitbake -k -c cve_check universe"
> or  "bitbake -c cve_check perl"
>  
> tmp/work/i586-poky-linux/perl/5.22.1-r0/cve/cve.log
> tmp/work/i586-poky-linux/foomatic-filters/4.0.17-r1/cve/cve.log
> tmp/work/i586-poky-linux/flex/2.6.0-r0/cve/cve.log
> tmp/work/i586-poky-linux/glibc/2.24-r0/cve/cve.log
> tmp/work/i586-poky-linux/unzip/1_6.0-r5/cve/cve.log
> tmp/work/i586-poky-linux/expat/2.2.0-r0/cve/cve.log
> tmp/work/i586-poky-linux/gnutls/3.5.3-r0/cve/cve.log
> tmp/work/i586-poky-linux/glibc-initial/2.24-r0/cve/cve.log
> tmp/work/i586-poky-linux/libxml2/2.9.4-r0/cve/cve.log
> tmp/work/i586-poky-linux/bzip2/1.0.6-r5/cve/cve.log
>
> We have more recipes which have CVE patches but they are not reported. 
> I have analyzed these; some of these CVEs are still marked as reserved on Mitre and are not present in the nvd.xml files (although they are public, e.g. Busybox:
> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).

cve-check-tool will only check against the database that it got from the
nvd.xml files, and these files won't have information for not yet fully
disclosed CVEs, so that is why you will find these cases frequently in
OE recipes (Armin does a great job with CVEs).

>
> I don't understand why, for instance, bind CVEs are not detected and reported by the cve-check tool.
> Is it because of cpe:/a:isc:bind? It looks for isc?

I need to check on this, unfortunately my proxies decided to not
download the database, I'll get back to you as soon as I can investigate
more.

>
> morty/poky/meta$ find . -name *CVE-201*.patch
> ./recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch
>
> ./recipes-connectivity/bind/bind/CVE-2016-2776.patch ?
> ./recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
> ./recipes-connectivity/bind/bind/CVE-2016-1285.patch
> ./recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
> ./recipes-connectivity/bind/bind/CVE-2016-2088.patch
> ./recipes-connectivity/bind/bind/CVE-2016-2775.patch
>
> ./recipes-extended/unzip/unzip/CVE-2015-7696.patch
> ./recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
> ./recipes-extended/unzip/unzip/CVE-2015-7697.patch
> ./recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
> ./recipes-extended/cpio/cpio-2.12/0001-Fix-CVE-2015-1197.patch
> ./recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
> ./recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch
> ./recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch
> ./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
> ./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3945.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3623.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-5323.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-5321.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3991.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3622.patch
> ./recipes-multimedia/libtiff/files/CVE-2015-8781.patch
> ./recipes-multimedia/libtiff/files/CVE-2015-8784.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3186.patch
> ./recipes-multimedia/libtiff/files/CVE-2016-3990.patch
> ./recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
> ./recipes-core/systemd/systemd/CVE-2016-7795.patch
> ./recipes-core/busybox/busybox/CVE-2016-2147_2.patch  <<< Reserved on Mitre: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147
> ./recipes-core/busybox/busybox/CVE-2016-2147.patch
> ./recipes-core/busybox/busybox/CVE-2016-2148.patch <<< https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2148
> ./recipes-devtools/elfutils/elfutils-0.148/elf_begin.c-CVE-2014-9447-fix.patch
> ./recipes-devtools/python/python3/CVE-2016-5636.patch
> ./recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
> ./recipes-devtools/python/python/CVE-2016-5636.patch
> ./recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
> ./recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
> ./recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
> ./recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
> ./recipes-devtools/gcc/gcc-6.2/CVE-2016-4490.patch
> ./recipes-devtools/flex/flex/CVE-2016-6354.patch
> ./recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
> ./recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch
> ./recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch
> ./recipes-support/gnutls/gnutls/CVE-2016-7444.patch
> ./recipes-support/boost/boost/boost-CVE-2012-2677.patch
> ./recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
> ./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
> ./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
> ./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch
>
> Thanks
> //Sona
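As an added example (not code from cve-check-tool, the cve-check class, or either poster), a small Python model of the two gaps discussed in this thread: the feed is keyed by CPE product and version and the recipe is looked up only by its BPN, so entries filed under cpe:/a:haxx:libcurl are never compared against the curl recipe, and CVE ids that appear only in patch file names but are absent from nvd.xml (still RESERVED at Mitre) surface as unknown to the feed. The FEED rows, the CVE-0000-* ids, the versions and the extra_products parameter are constructed assumptions.

```python
import re

# Constructed stand-in for the (CVE, CPE) rows cve-check-tool loads from nvd.xml.
# CVE-2016-2776 is the bind entry named in the thread; the CVE-0000-* ids are fake.
FEED = [
    ("CVE-0000-0001", "cpe:/a:haxx:curl:7.50.1"),     # product "curl"
    ("CVE-0000-0002", "cpe:/a:haxx:libcurl:7.50.1"),  # product "libcurl", same source recipe
    ("CVE-2016-2776", "cpe:/a:isc:bind:9.10.3"),
]

CPE_RE = re.compile(r"^cpe:/a:(?P<vendor>[^:]+):(?P<product>[^:]+)(?::(?P<version>[^:]+))?")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_cpe(cpe):
    """Split a CPE 2.2 URI such as cpe:/a:haxx:libcurl:7.50.1 into vendor, product, version."""
    m = CPE_RE.match(cpe)
    if not m:
        raise ValueError("not an application CPE: %r" % cpe)
    return m.group("vendor"), m.group("product"), m.group("version")

def build_index(feed):
    """Key the feed by (product, version), the way cve-check-tool queries it."""
    index = {}
    for cve, cpe in feed:
        _, product, version = parse_cpe(cpe)
        index.setdefault((product, version), set()).add(cve)
    return index

def patched_cves(patch_paths):
    """CVE ids taken from patch file names, the convention the cve-check class relies on.
    Only the first id in a name is picked up, so CVE-2015-8665_8683.patch yields one id."""
    return {m.group(0) for p in patch_paths for m in [CVE_RE.search(p)] if m}

def check_recipe(feed, bpn, version, patch_paths, extra_products=()):
    """Compare feed hits for the recipe's product names against the CVEs its patches name.
    Matching on BPN alone misses libcurl; extra_products is a hypothetical way to add it."""
    index = build_index(feed)
    reported = set()
    for product in {bpn, *extra_products}:
        reported |= index.get((product, version), set())
    patched = patched_cves(patch_paths)
    return {
        "unpatched": reported - patched,    # what cve.log would flag
        "patched": reported & patched,
        "not_in_feed": patched - reported,  # fixed locally but absent from nvd.xml (e.g. RESERVED)
    }

if __name__ == "__main__":
    print(check_recipe(FEED, "curl", "7.50.1", []))                               # libcurl CVE missed
    print(check_recipe(FEED, "curl", "7.50.1", [], extra_products=("libcurl",)))  # both found
```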