[1/3] cve-check: allow comparison of Vendor as well as Product

Message ID 20190717104538.20990-1-ross.burton@intel.com
State Accepted
Commit e6bf90009877d00243417898700d2320fd87b39c

Commit Message

Ross Burton July 17, 2019, 10:45 a.m.
Some product names are too vague to be searched without also matching the
vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or
Apache Flex, or IBM Flex.

If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search.

Also don't use .format() to construct SQL as that can lead to security
issues. Instead, use ? placeholders and let sqlite3 handle the escaping.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/classes/cve-check.bbclass | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

-- 
2.20.1


Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2a1381604ad..e8668b25663 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -190,12 +190,16 @@  def check_cves(d, patched_cves):
     import sqlite3
     db_file = d.getVar("CVE_CHECK_DB_FILE")
     conn = sqlite3.connect(db_file)
-    c = conn.cursor()
-
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
 
     for product in products:
-        for row in c.execute(query.format(product, pv)):
+        c = conn.cursor()
+        if ":" in product:
+            vendor, product = product.split(":", 1)
+            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
+        else:
+            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+
+        for row in c:
             cve = row[1]
             version_start = row[4]
             operator_start = row[5]
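
Review bot: in the `if ":" in product:` branch, `vendor, product = product.split(":", 1)` rebinds the loop variable, so any later use of `product` in this loop body sees only the product half rather than the CVE_PRODUCT entry as written; unpacking into separate names (for example `vendor, name = ...`) would keep the original entry available. An entry with an empty side, such as ":flex" or "flex:", also passes the colon test and binds an empty string to the placeholder, which will most likely match no rows and silently skip the check for that recipe, so a warning on an empty vendor or product would make a typo visible. The vendor:product form of CVE_PRODUCT is explained only in the commit message; a short comment at this branch, or a note where CVE_PRODUCT is documented, would help recipe authors find it.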