* [PATCH 1/2] cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning
@ 2021-01-27  9:03 Lee Chee Yang
  2021-01-27  9:03 ` [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX Lee Chee Yang
  2021-01-28 11:49 ` [OE-core] [PATCH 1/2] cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning Alexandre Belloni
  0 siblings, 2 replies; 7+ messages in thread
From: Lee Chee Yang @ 2021-01-27  9:03 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

Add CVE_VERSION_SUFFIX to indicate the version suffix type. Currently
it accepts two values: "alphabetical", if the version string uses a single
alphabetical character suffix as an incremental release, or blank, to
ignore unidentified suffixes. This can be extended when more suffix
patterns are identified.

Refactor the cve_check.Version class to use functools.total_ordering and
add a parameter to handle the suffix condition.

Also update testcases to cover new changes.

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
 meta/classes/cve-check.bbclass            | 12 ++++---
 meta/lib/oe/cve_check.py                  | 40 ++++++++++++-----------
 meta/lib/oeqa/selftest/cases/cve_check.py | 11 ++++++-
 3 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 646cc879dd..ed86403b6b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -53,6 +53,9 @@ CVE_CHECK_PN_WHITELIST ?= ""
 #
 CVE_CHECK_WHITELIST ?= ""
 
+# set to "alphabetical" for version using single alphabetical character as increament release
+CVE_VERSION_SUFFIX ??= ""
+
 python cve_save_summary_handler () {
     import shutil
     import datetime
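Review bot: The comment documenting the new `CVE_VERSION_SUFFIX` default misspells "increament" and does not say what the blank default means, what the letter denotes, or that the mode is applied to the NVD-supplied range strings as well as to PV, so a recipe author has to read cve_check.py to find out. Suggested replacement for the comment line: `# Set to "alphabetical" when the upstream version uses a single trailing letter as an incremental patch release (e.g. 1.1.1i, compared against NVD ranges with the same rule); leave empty to ignore unrecognised suffixes.` Stating the accepted values next to the default is the only place a user of the class will look.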
@@ -210,6 +213,7 @@ def check_cves(d, patched_cves):
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
+    suffix = d.getVar("CVE_VERSION_SUFFIX")
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -263,8 +267,8 @@ def check_cves(d, patched_cves):
                 else:
                     if operator_start:
                         try:
-                            vulnerable_start =  (operator_start == '>=' and Version(pv) >= Version(version_start))
-                            vulnerable_start |= (operator_start == '>' and Version(pv) > Version(version_start))
+                            vulnerable_start =  (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
+                            vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
                         except:
                             bb.warn("%s: Failed to compare %s %s %s for %s" %
                                     (product, pv, operator_start, version_start, cve))
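Review bot: `Version(pv, suffix)` is rebuilt for every comparison inside what appears to be the per-CVE loop, and with this series each construction also runs `re.compile()` in `Version.__init__`, so the cost grows with the number of CVE ranges recorded for the product. Build it once before the loop, `pv_version = Version(pv, suffix)`, and reuse it in the `>=`/`>` checks here and the `<=`/`<` checks in the next hunk; the loop head and the rest of `check_cves` lie outside this hunk. Note that the recipe's suffix mode is also applied to NVD's `version_start` string, which is presumably the intent for OpenSSL's `1.1.1x` numbering but means the first letter after the numeric part of any NVD range string for that product is read as a patch level too.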
@@ -274,8 +278,8 @@ def check_cves(d, patched_cves):
 
                     if operator_end:
                         try:
-                            vulnerable_end  = (operator_end == '<=' and Version(pv) <= Version(version_end) )
-                            vulnerable_end |= (operator_end == '<' and Version(pv) < Version(version_end) )
+                            vulnerable_end  = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
+                            vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
                         except:
                             bb.warn("%s: Failed to compare %s %s %s for %s" %
                                     (product, pv, operator_end, version_end, cve))
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index ec48a3f829..e40929fd2b 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -1,58 +1,60 @@
 import collections
 import re
 import itertools
+import functools
 
 _Version = collections.namedtuple(
-    "_Version", ["release", "pre_l", "pre_v"]
+    "_Version", ["release", "patch_l", "pre_l", "pre_v"]
 )
 
+@functools.total_ordering
 class Version():
-    _version_pattern =  r"""v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
-    _regex = re.compile(r"^\s*" + _version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
-    def __init__(self, version):
-        match = self._regex.search(version)
+
+    def __init__(self, version, suffix=None):
+        if suffix == "alphabetical":
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        else:
+            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
+        regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
+
+        match = regex.search(version)
         if not match:
             raise Exception("Invalid version: '{0}'".format(version))
 
         self._version = _Version(
             release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
+            patch_l=str(match.group("patch_l")) if suffix == "alphabetical" else "",
             pre_l=match.group("pre_l"),
             pre_v=match.group("pre_v")
         )
 
         self._key = _cmpkey(
             self._version.release,
+            self._version.patch_l,
             self._version.pre_l,
             self._version.pre_v
         )
 
-    def __le__(self, other):
-        if not isinstance(other, Version):
-            return NotImplemented
-        return self._key <= other._key
-
-    def __lt__(self, other):
+    def __eq__(self, other):
         if not isinstance(other, Version):
             return NotImplemented
-        return self._key < other._key
-
-    def __ge__(self, other):
-        if not isinstance(other, Version):
-            return NotImplemented
-        return self._key >= other._key
+        return self._key == other._key
 
     def __gt__(self, other):
         if not isinstance(other, Version):
             return NotImplemented
         return self._key > other._key
 
-def _cmpkey(release, pre_l, pre_v):
+def _cmpkey(release, patch_l, pre_l, pre_v):
     # remove leading 0
     _release = tuple(
         reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
     )
+
+    _patch = patch_l.upper()
+
     if pre_l is None and pre_v is None:
         _pre = float('inf')
     else:
         _pre = float(pre_v) if pre_v else float('-inf')
-    return _release, _pre
+    return _release, _patch, _pre
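Review bot: `patch_l=str(match.group("patch_l"))` turns a missing letter into the string `"None"`, which `_cmpkey` uppercases to `"NONE"`, so a bare `1.0` sorts above `1.0b` (`"B" < "NONE"`) — this matches the `'1.0b' > '1.0'` selftest failure reported from the autobuilder later in the thread. A second problem in the `alphabetical` pattern is that the patch group is tried before the pre-release group and the trailing `(.*)?` swallows whatever is left, so `1.0rc1` or `1.0-pre1` is parsed as patch letter `r`/`p` and compares newer than `1.0`; a `(?![a-z])` lookahead after the letter leaves multi-letter suffixes for the `pre` group. Finally, both regexes are rebuilt with `re.compile()` on every `Version()` call, which `check_cves` issues several times per CVE; they depend only on `suffix`, so they belong on the class. The sketch below applies all three; `_cmpkey` and the comparison methods are unchanged.
```python
@functools.total_ordering
class Version():
    _release_pattern = r"""r?v?(?P<release>[0-9]+(?:[-\.][0-9]+)*)"""
    # one letter only: the lookahead stops "rc1", "pre1", "beta2" from being read as a patch letter
    _patch_pattern = r"""(?P<patch>[-_\.]?(?P<patch_l>[a-z])(?![a-z]))?"""
    _pre_pattern = r"""(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?"""
    # compiled once per class, not once per Version() instance
    _regex_alpha = re.compile(r"^\s*" + _release_pattern + _patch_pattern + _pre_pattern + r"(.*)?\s*$", re.VERBOSE | re.IGNORECASE)
    _regex_plain = re.compile(r"^\s*" + _release_pattern + _pre_pattern + r"(.*)?\s*$", re.VERBOSE | re.IGNORECASE)

    def __init__(self, version, suffix=None):
        regex = self._regex_alpha if suffix == "alphabetical" else self._regex_plain
        match = regex.search(version)
        if not match:
            raise Exception("Invalid version: '{0}'".format(version))

        self._version = _Version(
            release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
            # the group is None when no letter follows the release; "" sorts below any letter
            patch_l=(match.group("patch_l") or "") if suffix == "alphabetical" else "",
            pre_l=match.group("pre_l"),
            pre_v=match.group("pre_v")
        )
        # ... unchanged: _cmpkey call ...
```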
diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
index 35e2b29a9a..3f343a2841 100644
--- a/meta/lib/oeqa/selftest/cases/cve_check.py
+++ b/meta/lib/oeqa/selftest/cases/cve_check.py
@@ -23,5 +23,14 @@ class CVECheck(OESelftestTestCase):
         self.assertTrue( result, msg="Failed to compare version '1.0_dev' <= '1.0'")
 
         # ignore "p1" and "p2", so these should be equal
-        result = Version("1.0p2") <= Version("1.0p1") and Version("1.0p2") >= Version("1.0p1")
+        result = Version("1.0p2") == Version("1.0p1")
         self.assertTrue( result ,msg="Failed to compare version '1.0p2' to '1.0p1'")
+        # ignore the "b" and "r"
+        result = Version("1.0b") == Version("1.0r")
+        self.assertTrue( result ,msg="Failed to compare version '1.0b' to '1.0r'")
+
+        # consider the trailing alphabet as patched level when comparing
+        result = Version("1.0b","alphabetical") < Version("1.0r","alphabetical")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
+        result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
+        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
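Review bot: The last assertion is the one the autobuilder reports failing, and it encodes the intended ordering, so the fix belongs in `Version`, not in this test. Under `alphabetical` the parser should also be pinned against mistaking a pre-release tag for a patch letter, which the regex earlier in this series appears to do for `1.0rc1`: add `result = Version("1.0rc1","alphabetical") < Version("1.0","alphabetical")` with a matching `assertTrue`. The motivating OpenSSL shape is also worth a case, `Version("1.1.1i","alphabetical") < Version("1.1.1j","alphabetical")`, so a later regex change cannot silently regress it.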
-- 
2.17.1



* [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX
  2021-01-27  9:03 [PATCH 1/2] cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning Lee Chee Yang
@ 2021-01-27  9:03 ` Lee Chee Yang
  2021-01-27  9:12   ` [OE-core] " Mikko Rapeli
  2021-01-28 11:49 ` [OE-core] [PATCH 1/2] cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning Alexandre Belloni
  1 sibling, 1 reply; 7+ messages in thread
From: Lee Chee Yang @ 2021-01-27  9:03 UTC (permalink / raw)
  To: openembedded-core

From: Lee Chee Yang <chee.yang.lee@intel.com>

Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
---
 meta/recipes-connectivity/openssl/openssl_1.1.1i.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
index 52e96b7831..9ff80b3d4f 100644
--- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
+++ b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
@@ -230,6 +230,8 @@ BBCLASSEXTEND = "native nativesdk"
 
 CVE_PRODUCT = "openssl:openssl"
 
+CVE_VERSION_SUFFIX = "alphabetical"
+
 # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
 # Apache in meta-webserver is already recent enough
 CVE_CHECK_WHITELIST += "CVE-2019-0190"
-- 
2.17.1



* Re: [OE-core] [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX
  2021-01-27  9:03 ` [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX Lee Chee Yang
@ 2021-01-27  9:12   ` Mikko Rapeli
  2021-01-27 17:01     ` Richard Purdie
  0 siblings, 1 reply; 7+ messages in thread
From: Mikko Rapeli @ 2021-01-27  9:12 UTC (permalink / raw)
  To: chee.yang.lee; +Cc: openembedded-core

On Wed, Jan 27, 2021 at 05:03:54PM +0800, Lee Chee Yang wrote:
> From: Lee Chee Yang <chee.yang.lee@intel.com>
> 
> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> ---
>  meta/recipes-connectivity/openssl/openssl_1.1.1i.bb | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> index 52e96b7831..9ff80b3d4f 100644
> --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> @@ -230,6 +230,8 @@ BBCLASSEXTEND = "native nativesdk"
>
>  CVE_PRODUCT = "openssl:openssl"
>
> +CVE_VERSION_SUFFIX = "alphabetical"
> +

I have to say that I don't like this. I'd prefer automation
which works like dpkg --compare-versions:

       --compare-versions ver1 op ver2
              Compare version numbers, where op is a binary operator. dpkg returns true (0) if the specified condition is satisfied,
              and  false  (1)  otherwise.  There  are two groups of operators, which differ in how they treat an empty ver1 or ver2.
              These treat an empty version as earlier than any version: lt le eq ne ge gt. These treat an  empty  version  as  later
              than any version: lt-nl le-nl ge-nl gt-nl. These are provided only for compatibility with control file syntax: < << <=
              = >= >> >. The < and > operators are obsolete and should not be used, due to confusing semantics. To illustrate: 0.1 <
              0.1 evaluates to true.

Cheers,

-Mikko

>  # Only affects OpenSSL >= 1.1.1 in combination with Apache < 2.4.37
>  # Apache in meta-webserver is already recent enough
>  CVE_CHECK_WHITELIST += "CVE-2019-0190"
> -- 
> 2.17.1
> 

> 
> 
> 


* Re: [OE-core] [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX
  2021-01-27  9:12   ` [OE-core] " Mikko Rapeli
@ 2021-01-27 17:01     ` Richard Purdie
  2021-01-27 17:11       ` Mikko Rapeli
  0 siblings, 1 reply; 7+ messages in thread
From: Richard Purdie @ 2021-01-27 17:01 UTC (permalink / raw)
  To: Mikko Rapeli, chee.yang.lee; +Cc: openembedded-core

On Wed, 2021-01-27 at 09:12 +0000, Mikko Rapeli wrote:
> On Wed, Jan 27, 2021 at 05:03:54PM +0800, Lee Chee Yang wrote:
> > From: Lee Chee Yang <chee.yang.lee@intel.com>
> > 
> > Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> > ---
> >  meta/recipes-connectivity/openssl/openssl_1.1.1i.bb | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > index 52e96b7831..9ff80b3d4f 100644
> > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > @@ -230,6 +230,8 @@ BBCLASSEXTEND = "native nativesdk"
> >  
> > 
> > 
> > 
> >  CVE_PRODUCT = "openssl:openssl"
> >  
> > 
> > 
> > 
> > +CVE_VERSION_SUFFIX = "alphabetical"
> > +
> 
> I have to say that I don't like this. I'd prefer automation
> which works like dpkg --compare-versions:
> 
>        --compare-versions ver1 op ver2
>               Compare version numbers, where op is a binary operator. dpkg returns true (0) if the specified condition is satisfied,
>               and  false  (1)  otherwise.  There  are two groups of operators, which differ in how they treat an empty ver1 or ver2.
>               These treat an empty version as earlier than any version: lt le eq ne ge gt. These treat an  empty  version  as  later
>               than any version: lt-nl le-nl ge-nl gt-nl. These are provided only for compatibility with control file syntax: < << <=
>               = >= >> >. The < and > operators are obsolete and should not be used, due to confusing semantics. To illustrate: 0.1 <
>               0.1 evaluates to true.

The trouble is we have no control over what versions end up in the CPEs
and I suspect that even dpkg's version comparison doesn't work for some
of our test cases?

If it does, it would be useful to understand how they're managing to do
that as I think some of the patterns conflict as I understand it.

Debian can make it work for their packages since they control what
version they ultimately assign to them.

Cheers,

Richard





* Re: [OE-core] [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX
  2021-01-27 17:01     ` Richard Purdie
@ 2021-01-27 17:11       ` Mikko Rapeli
  2021-01-27 17:40         ` Richard Purdie
  0 siblings, 1 reply; 7+ messages in thread
From: Mikko Rapeli @ 2021-01-27 17:11 UTC (permalink / raw)
  To: richard.purdie; +Cc: chee.yang.lee, openembedded-core

Hi,

On Wed, Jan 27, 2021 at 05:01:38PM +0000, Richard Purdie wrote:
> On Wed, 2021-01-27 at 09:12 +0000, Mikko Rapeli wrote:
> > On Wed, Jan 27, 2021 at 05:03:54PM +0800, Lee Chee Yang wrote:
> > > From: Lee Chee Yang <chee.yang.lee@intel.com>
> > > 
> > > Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> > > ---
> > >  meta/recipes-connectivity/openssl/openssl_1.1.1i.bb | 2 ++
> > >  1 file changed, 2 insertions(+)
> > > 
> > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > > index 52e96b7831..9ff80b3d4f 100644
> > > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > > @@ -230,6 +230,8 @@ BBCLASSEXTEND = "native nativesdk"
> > >  
> > > 
> > > 
> > > 
> > >  CVE_PRODUCT = "openssl:openssl"
> > >  
> > > 
> > > 
> > > 
> > > +CVE_VERSION_SUFFIX = "alphabetical"
> > > +
> > 
> > I have to say that I don't like this. I'd prefer automation
> > which works like dpkg --compare-versions:
> > 
> >        --compare-versions ver1 op ver2
> >               Compare version numbers, where op is a binary operator. dpkg returns true (0) if the specified condition is satisfied,
> >               and  false  (1)  otherwise.  There  are two groups of operators, which differ in how they treat an empty ver1 or ver2.
> >               These treat an empty version as earlier than any version: lt le eq ne ge gt. These treat an  empty  version  as  later
> >               than any version: lt-nl le-nl ge-nl gt-nl. These are provided only for compatibility with control file syntax: < << <=
> >               = >= >> >. The < and > operators are obsolete and should not be used, due to confusing semantics. To illustrate: 0.1 <
> >               0.1 evaluates to true.
> 
> The trouble is we have no control over what versions end up in the CPEs
> and I suspect that even dpkg's version comparison doesn't work for some
> of our test cases?

For example:

$ dpkg --compare-versions 1.1.1i lt 1.1.1j && echo true
true

dpkg can tell that 1.1.1i is an older version than 1.1.1j.

$ dpkg --compare-versions 1.1.1i lt 1.1.1e || echo not older
not older

and dpkg can tell that 1.1.1i is not older than 1.1.1e.

Hope this helps,

-Mikko

> If it does, it would be useful to understand how they're managing to do
> that as I think some of the patterns conflict as I understand it.
> 
> Debian can make it work for their packages since they control what
> version they ultimately assign to them.

Yes but the tool does seem to work for most SW version identifiers in Debian and
can deduce which one is newer. openssl version numbers work correctly out of the box.

Cheers,

-Mikko


* Re: [OE-core] [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX
  2021-01-27 17:11       ` Mikko Rapeli
@ 2021-01-27 17:40         ` Richard Purdie
  0 siblings, 0 replies; 7+ messages in thread
From: Richard Purdie @ 2021-01-27 17:40 UTC (permalink / raw)
  To: Mikko.Rapeli; +Cc: chee.yang.lee, openembedded-core

On Wed, 2021-01-27 at 17:11 +0000, Mikko.Rapeli@bmw.de wrote:
> Hi,
> 
> On Wed, Jan 27, 2021 at 05:01:38PM +0000, Richard Purdie wrote:
> > On Wed, 2021-01-27 at 09:12 +0000, Mikko Rapeli wrote:
> > > On Wed, Jan 27, 2021 at 05:03:54PM +0800, Lee Chee Yang wrote:
> > > > From: Lee Chee Yang <chee.yang.lee@intel.com>
> > > > 
> > > > Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> > > > ---
> > > >  meta/recipes-connectivity/openssl/openssl_1.1.1i.bb | 2 ++
> > > >  1 file changed, 2 insertions(+)
> > > > 
> > > > diff --git a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > > > index 52e96b7831..9ff80b3d4f 100644
> > > > --- a/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > > > +++ b/meta/recipes-connectivity/openssl/openssl_1.1.1i.bb
> > > > @@ -230,6 +230,8 @@ BBCLASSEXTEND = "native nativesdk"
> > > >  
> > > > 
> > > > 
> > > > 
> > > >  CVE_PRODUCT = "openssl:openssl"
> > > >  
> > > > 
> > > > 
> > > > 
> > > > +CVE_VERSION_SUFFIX = "alphabetical"
> > > > +
> > > 
> > > I have to say that I don't like this. I'd prefer automation
> > > which works like dpkg --compare-versions:
> > > 
> > >        --compare-versions ver1 op ver2
> > >               Compare version numbers, where op is a binary operator. dpkg returns true (0) if the specified condition is satisfied,
> > >               and  false  (1)  otherwise.  There  are two groups of operators, which differ in how they treat an empty ver1 or ver2.
> > >               These treat an empty version as earlier than any version: lt le eq ne ge gt. These treat an  empty  version  as  later
> > >               than any version: lt-nl le-nl ge-nl gt-nl. These are provided only for compatibility with control file syntax: < << <=
> > >               = >= >> >. The < and > operators are obsolete and should not be used, due to confusing semantics. To illustrate: 0.1 <
> > >               0.1 evaluates to true.
> > 
> > The trouble is we have no control over what versions end up in the CPEs
> > and I suspect that even dpkg's version comparison doesn't work for some
> > of our test cases?
> 
> For example:
> 
> $ dpkg --compare-versions 1.1.1i lt 1.1.1j && echo true
> true
> 
> dpkg can tell that 1.1.1i older version than 1.1.1j.
> 
> $ dpkg --compare-versions 1.1.1i lt 1.1.1e || echo not older
> not older
> 
> and dpkg can tell that 1.1.1i is not older than 1.1.1e.

I think the problem is things like:

$ dpkg --compare-versions 1.1.1 gt 1.1.1pre0; echo $?
1
$ dpkg --compare-versions 1.1.1 gt 1.1.0; echo $?
0

which we can disallow in OE's version fields but not in upstream CPE
entries :(

Cheers,

Richard





* Re: [OE-core] [PATCH 1/2] cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning
  2021-01-27  9:03 [PATCH 1/2] cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning Lee Chee Yang
  2021-01-27  9:03 ` [PATCH 2/2] openssl: set CVE_VERSION_SUFFIX Lee Chee Yang
@ 2021-01-28 11:49 ` Alexandre Belloni
  1 sibling, 0 replies; 7+ messages in thread
From: Alexandre Belloni @ 2021-01-28 11:49 UTC (permalink / raw)
  To: Lee Chee Yang; +Cc: openembedded-core

Hello,

On 27/01/2021 17:03:53+0800, Lee Chee Yang wrote:
> From: Lee Chee Yang <chee.yang.lee@intel.com>
> 
> add CVE_VERSION_SUFFIX to indicate the version suffix type, currently
> works in two value, "alphabetical" if the version string uses single
> alphabetical character suffix as incremental release, blank to not
> consider the unidentified suffixes. This can be expand when more suffix
> pattern identified.
> 
> refactor cve_check.Version class to use functools add parameter to handle
> suffix condition.
> 
> Also update testcases to cover new changes.
> 
> Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
> ---
>  meta/classes/cve-check.bbclass            | 12 ++++---
>  meta/lib/oe/cve_check.py                  | 40 ++++++++++++-----------
>  meta/lib/oeqa/selftest/cases/cve_check.py | 11 ++++++-
>  3 files changed, 39 insertions(+), 24 deletions(-)
> 

I believe this patch resulted in the following autobuilder errors:

https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/1768/steps/14/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/80/builds/1752/steps/15/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/86/builds/1757/steps/14/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/1784/steps/14/logs/stdio

2021-01-28 00:16:31,719 - oe-selftest - INFO - cve_check.CVECheck.test_version_compare (subunit.RemotedTestCase)
2021-01-28 00:16:31,720 - oe-selftest - INFO -  ... FAIL
2021-01-28 00:16:31,720 - oe-selftest - INFO - 11: 1/17 2/424 (0.14s) (cve_check.CVECheck.test_version_compare)
2021-01-28 00:16:31,720 - oe-selftest - INFO - testtools.testresult.real._StringException: Traceback (most recent call last):
  File "/home/pokybuild/yocto-worker/oe-selftest-centos/build/meta/lib/oeqa/selftest/cases/cve_check.py", line 36, in test_version_compare
    self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
  File "/usr/lib64/python3.6/unittest/case.py", line 699, in assertTrue
    raise self.failureException(msg)
AssertionError: False is not true : Failed to compare version with suffix '1.0b' > '1.0'



> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 646cc879dd..ed86403b6b 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -53,6 +53,9 @@ CVE_CHECK_PN_WHITELIST ?= ""
>  #
>  CVE_CHECK_WHITELIST ?= ""
>  
> +# set to "alphabetical" for version using single alphabetical character as increament release
> +CVE_VERSION_SUFFIX ??= ""
> +
>  python cve_save_summary_handler () {
>      import shutil
>      import datetime
> @@ -210,6 +213,7 @@ def check_cves(d, patched_cves):
>  
>      pn = d.getVar("PN")
>      real_pv = d.getVar("PV")
> +    suffix = d.getVar("CVE_VERSION_SUFFIX")
>  
>      cves_unpatched = []
>      # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
> @@ -263,8 +267,8 @@ def check_cves(d, patched_cves):
>                  else:
>                      if operator_start:
>                          try:
> -                            vulnerable_start =  (operator_start == '>=' and Version(pv) >= Version(version_start))
> -                            vulnerable_start |= (operator_start == '>' and Version(pv) > Version(version_start))
> +                            vulnerable_start =  (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
> +                            vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
>                          except:
>                              bb.warn("%s: Failed to compare %s %s %s for %s" %
>                                      (product, pv, operator_start, version_start, cve))
> @@ -274,8 +278,8 @@ def check_cves(d, patched_cves):
>  
>                      if operator_end:
>                          try:
> -                            vulnerable_end  = (operator_end == '<=' and Version(pv) <= Version(version_end) )
> -                            vulnerable_end |= (operator_end == '<' and Version(pv) < Version(version_end) )
> +                            vulnerable_end  = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
> +                            vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
>                          except:
>                              bb.warn("%s: Failed to compare %s %s %s for %s" %
>                                      (product, pv, operator_end, version_end, cve))
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index ec48a3f829..e40929fd2b 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -1,58 +1,60 @@
>  import collections
>  import re
>  import itertools
> +import functools
>  
>  _Version = collections.namedtuple(
> -    "_Version", ["release", "pre_l", "pre_v"]
> +    "_Version", ["release", "patch_l", "pre_l", "pre_v"]
>  )
>  
> +@functools.total_ordering
>  class Version():
> -    _version_pattern =  r"""v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
> -    _regex = re.compile(r"^\s*" + _version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
> -    def __init__(self, version):
> -        match = self._regex.search(version)
> +
> +    def __init__(self, version, suffix=None):
> +        if suffix == "alphabetical":
> +            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<patch>[-_\.]?(?P<patch_l>[a-z]))?(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
> +        else:
> +            version_pattern =  r"""r?v?(?:(?P<release>[0-9]+(?:[-\.][0-9]+)*)(?P<pre>[-_\.]?(?P<pre_l>(rc|alpha|beta|pre|preview|dev))[-_\.]?(?P<pre_v>[0-9]+)?)?)(.*)?"""
> +        regex = re.compile(r"^\s*" + version_pattern + r"\s*$", re.VERBOSE | re.IGNORECASE)
> +
> +        match = regex.search(version)
>          if not match:
>              raise Exception("Invalid version: '{0}'".format(version))
>  
>          self._version = _Version(
>              release=tuple(int(i) for i in match.group("release").replace("-",".").split(".")),
> +            patch_l=str(match.group("patch_l")) if suffix == "alphabetical" else "",
>              pre_l=match.group("pre_l"),
>              pre_v=match.group("pre_v")
>          )
>  
>          self._key = _cmpkey(
>              self._version.release,
> +            self._version.patch_l,
>              self._version.pre_l,
>              self._version.pre_v
>          )
>  
> -    def __le__(self, other):
> -        if not isinstance(other, Version):
> -            return NotImplemented
> -        return self._key <= other._key
> -
> -    def __lt__(self, other):
> +    def __eq__(self, other):
>          if not isinstance(other, Version):
>              return NotImplemented
> -        return self._key < other._key
> -
> -    def __ge__(self, other):
> -        if not isinstance(other, Version):
> -            return NotImplemented
> -        return self._key >= other._key
> +        return self._key == other._key
>  
>      def __gt__(self, other):
>          if not isinstance(other, Version):
>              return NotImplemented
>          return self._key > other._key
>  
> -def _cmpkey(release, pre_l, pre_v):
> +def _cmpkey(release, patch_l, pre_l, pre_v):
>      # remove leading 0
>      _release = tuple(
>          reversed(list(itertools.dropwhile(lambda x: x == 0, reversed(release))))
>      )
> +
> +    _patch = patch_l.upper()
> +
>      if pre_l is None and pre_v is None:
>          _pre = float('inf')
>      else:
>          _pre = float(pre_v) if pre_v else float('-inf')
> -    return _release, _pre
> +    return _release, _patch, _pre
> diff --git a/meta/lib/oeqa/selftest/cases/cve_check.py b/meta/lib/oeqa/selftest/cases/cve_check.py
> index 35e2b29a9a..3f343a2841 100644
> --- a/meta/lib/oeqa/selftest/cases/cve_check.py
> +++ b/meta/lib/oeqa/selftest/cases/cve_check.py
> @@ -23,5 +23,14 @@ class CVECheck(OESelftestTestCase):
>          self.assertTrue( result, msg="Failed to compare version '1.0_dev' <= '1.0'")
>  
>          # ignore "p1" and "p2", so these should be equal
> -        result = Version("1.0p2") <= Version("1.0p1") and Version("1.0p2") >= Version("1.0p1")
> +        result = Version("1.0p2") == Version("1.0p1")
>          self.assertTrue( result ,msg="Failed to compare version '1.0p2' to '1.0p1'")
> +        # ignore the "b" and "r"
> +        result = Version("1.0b") == Version("1.0r")
> +        self.assertTrue( result ,msg="Failed to compare version '1.0b' to '1.0r'")
> +
> +        # consider the trailing alphabet as patched level when comparing
> +        result = Version("1.0b","alphabetical") < Version("1.0r","alphabetical")
> +        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' < '1.0r'")
> +        result = Version("1.0b","alphabetical") > Version("1.0","alphabetical")
> +        self.assertTrue( result ,msg="Failed to compare version with suffix '1.0b' > '1.0'")
> -- 
> 2.17.1
> 

> 
> 
> 


-- 
Alexandre Belloni, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

