From patchwork Wed Nov 6 15:37:32 2019
X-Patchwork-Submitter: Mikko Rapeli
X-Patchwork-Id: 178727
From: Mikko Rapeli
To: openembedded-core@lists.openembedded.org
Date: Wed, 6 Nov 2019 17:37:32 +0200
Message-ID: f42f28b9d3f396b302c5612a031a1fb2311628f1.1573047194.git.mikko.rapeli@bmw.de
Subject: [OE-core] [PATCH RFC CFH][sumo 17/47] cve-check: allow comparison of Vendor as well as Product
List-Id: Patches and discussions about the oe-core layer
From: Ross Burton Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex. If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search. Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and lets sqlite3 handle the escaping. (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- meta/classes/cve-check.bbclass | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 2a13816..e8668b2 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -190,12 +190,16 @@ def check_cves(d, patched_cves): import sqlite3 db_file = d.getVar("CVE_CHECK_DB_FILE") conn = sqlite3.connect(db_file) - c = conn.cursor() - - query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';" for product in products: - for row in c.execute(query.format(product, pv)): + c = conn.cursor() + if ":" in product: + vendor, product = product.split(":", 1) + c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor)) + else: + c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,)) + + for row in c: cve = row[1] version_start = row[4] operator_start = row[5]
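Review bot: binding the values with `?` placeholders is the right replacement for the `.format()` query, but the hunk also moves `c = conn.cursor()` inside `for product in products:`, so a fresh cursor is created for every CVE_PRODUCT entry; the single cursor before the loop that the removed line had serves all of them, since each `execute()` resets it. Two behavioural points worth a line in the commit message or the CVE_PRODUCT documentation: an entry without a colon still matches that product name under every vendor, so the vague names the message cites are only narrowed once the recipe author writes `vendor:product`, and `product.split(":", 1)` means only the first colon separates vendor from product.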
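As an added example (not part of this patch or of cve-check.bbclass), the pre-patch `.format()` lookup beside the patched placeholder-and-vendor lookup, run against a constructed in-memory copy of the PRODUCTS table; the schema is an assumption except for the row positions the hunk reads (row[1] CVE, row[4] VERSION_START, row[5] OPERATOR_START).

```python
import sqlite3

# Constructed stand-in for the cve-check PRODUCTS table. Only the row
# positions the hunk reads (row[1] CVE, row[4] VERSION_START,
# row[5] OPERATOR_START) mirror the real one; the rest is assumed.
SAMPLE_PRODUCTS = [
    # (ID, CVE, VENDOR, PRODUCT, VERSION_START, OPERATOR_START)
    ("1", "CVE-EXAMPLE-0001", "gnu", "flex", "2.6.0", "<="),
    ("2", "CVE-EXAMPLE-0002", "adobe", "flex", "4.0", "<="),
    ("3", "CVE-EXAMPLE-0003", "apache", "flex", "4.6", "<="),
    ("4", "CVE-EXAMPLE-0004", "madler", "zlib", "1.2.8", "<="),
]

def build_db():
    """In-memory sqlite3 database holding the constructed PRODUCTS rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCTS (ID TEXT, CVE TEXT, VENDOR TEXT, "
                 "PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT)")
    conn.executemany("INSERT INTO PRODUCTS VALUES (?, ?, ?, ?, ?, ?)",
                     SAMPLE_PRODUCTS)
    return conn

def cves_unsafe(conn, products):
    """Pre-patch shape: the product name is pasted into the SQL text, so a
    quote in it rewrites the statement instead of being matched as data."""
    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
    return [row[1] for product in products
            for row in conn.execute(query.format(product))]

def cves_patched(conn, products):
    """Patched shape: optional vendor:product split, values bound with ?."""
    found = []
    for product in products:
        c = conn.cursor()
        if ":" in product:
            vendor, product = product.split(":", 1)
            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?",
                      (product, vendor))
        else:
            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
        found.extend(row[1] for row in c)  # row[1] is the CVE id, as in the hunk
    return found

def unsafe_query_breaks(conn, product):
    """True when the .format() statement is no longer valid SQL for this name."""
    try:
        cves_unsafe(conn, [product])
    except sqlite3.OperationalError:
        return True
    return False
```

With the patched form, `CVE_PRODUCT = "gnu:flex"` narrows the Flex lookup to one vendor, and a name containing a quote is matched literally rather than altering the statement.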