[yocto] cve-checker tool

Mariano Lopez mariano.lopez at linux.intel.com
Fri Oct 28 07:28:06 PDT 2016



On 10/27/2016 06:03 AM, Sona Sarmadi wrote:
>
>> -----Original Message-----
>> From: Sona Sarmadi
>> Sent: den 27 oktober 2016 10:57
>> To: Scott Rifenbark <srifenbark at gmail.com>; 'mariano.lopez at intel.com'
>> <mariano.lopez at intel.com>; yocto at yoctoproject.org
>> Subject: cve-checker tool
>>
>> Hi guys,
>>
>> I have some questions regarding cve-check tool. I don't find anything
>> about this tool in Yocto
>> 2.2 release, does the documentation mention this tool and how to use it?

Currently we don't have documentation about it, I'll work on it along 
with Scott. Thanks for updating "How do I?" as Khem suggested.

>>
>> Is this tool planned to be integrated with the daily build so the Yocto project
>> can detect not addressed CVEs automatically?
>>
>> Mariano:
>> Does this tool look at CVE tag inside the recipe as well or only checks the
>> package version?

If there is a version affected by a CVE it will look for a patch that 
solves that particular CVE using the metadata in the patch format. 
For example, the current bind version is affected by CVE-2016-1285, but 
there is a patch for that, so the cve-check class will find this and will 
generate a log file saying the vulnerability has been addressed.

After the previous example I know you are familiar with the CVE tag; if 
someone stumbles on this thread, here is more information on the CVE tag 
needed:
http://openembedded.org/wiki/Commit_Patch_Message_Guidelines#CVE_Patches

>>
>> Can this tool be used together with "meta-security-isafw" and get a fancy
>> report?

When I was working on this it was the transition to python3, so 
meta-security-isafw didn't behave as expected. To be honest I haven't 
checked again, but it will be a good test. I'll try to do this during the 
weekend.

> There are some useful info in the cve-check.bbclass:
>
> #In order to use this class just inherit the class in the
> # local.conf file and it will add the cve_check task for
> # every recipe. The task can be used per recipe, per image,
> # or using the special cases "world" and "universe". The
> # cve_check task will print a warning for every unpatched
> # CVE found and generate a file in the recipe WORKDIR/cve
> # directory. If an image is build it will generate a report
> # in DEPLOY_DIR_IMAGE for all the packages used.
>
> I see following logs are generated:
> ./unzip/1_6.0-r5/cve/cve.log
> ./gnutls/3.5.3-r0/cve/cve.log
> ./glibc/2.24-r0/cve/cve.log
> ./glibc-initial/2.24-r0/cve/cve.log
> ./foomatic-filters/4.0.17-r1/cve/cve.log
> ./bzip2/1.0.6-r5/cve/cve.log
> ./libxml2/2.9.4-r0/cve/cve.log
> ./perl/5.22.1-r0/cve/cve.log
> ./expat/2.2.0-r0/cve/cve.log
> ./flex/2.6.0-r0/cve/cve.log
>
> //Sona

Just remember that those logs are created for patched and unpatched CVEs.

-- 
Mariano Lopez
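The patch-metadata lookup described above, as an added illustration rather than the cve-check class's own code: it reads the "CVE:" tag from patch headers (the format from the linked OE guidelines), classifies a version's affected CVEs as patched or unpatched, and renders cve.log-style entries. The log field layout, the filename fallback and the sample patch are assumptions constructed for this example.

```python
import re

# Per the OE commit/patch message guidelines linked above, a backported fix
# carries a header line such as "CVE: CVE-2016-1285" (several IDs may follow
# one "CVE:" tag). The regexes and helpers below are this example's own.
CVE_TAG_RE = re.compile(r"^CVE:((?:[ \t]+CVE-\d{4}-\d+)+)", re.MULTILINE)
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d+")


def cves_from_patch(filename, patch_text):
    """CVE IDs a patch claims to fix: from its 'CVE:' tag lines, falling back
    to an ID embedded in the file name (an assumption made for this example)."""
    ids = set()
    for m in CVE_TAG_RE.finditer(patch_text):
        ids.update(CVE_ID_RE.findall(m.group(1)))
    if not ids:
        ids.update(CVE_ID_RE.findall(filename))
    return ids


def classify_cves(affected, patches):
    """Split the CVEs affecting a recipe version into (patched, unpatched).
    `patches` is an iterable of (filename, header text) pairs."""
    fixed = set()
    for name, text in patches:
        fixed |= cves_from_patch(name, text)
    patched = sorted(c for c in affected if c in fixed)
    unpatched = sorted(c for c in affected if c not in fixed)
    return patched, unpatched


def cve_log_text(recipe, version, affected, patches):
    """Render per-recipe cve.log entries; this field layout is an assumption
    for the example, not the real WORKDIR/cve/cve.log format."""
    patched, unpatched = classify_cves(affected, patches)
    out = []
    for status, ids in (("Patched", patched), ("Unpatched", unpatched)):
        for cve in ids:
            out.append(f"PACKAGE NAME: {recipe}\nPACKAGE VERSION: {version}\n"
                       f"CVE: {cve}\nCVE STATUS: {status}\n")
    return "\n".join(out)


# Constructed sample: one tagged backport, plus a placeholder CVE ID
# (CVE-2016-0000 is not a real identifier) that no patch addresses.
SAMPLE_PATCH = ("bind-fix-CVE-2016-1285.patch",
                "Upstream-Status: Backport\nCVE: CVE-2016-1285\n"
                "Signed-off-by: Example Dev <dev at example.invalid>\n")
SAMPLE_AFFECTED = ["CVE-2016-1285", "CVE-2016-0000"]
```

Running `cve_log_text("bind", "<version>", SAMPLE_AFFECTED, [SAMPLE_PATCH])` yields one Patched entry for CVE-2016-1285 and one Unpatched entry for the placeholder, mirroring the point that the log records both outcomes.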
