* Re: cve-checker tool
@ 2016-10-27 11:03 Sona Sarmadi
  2016-10-28  2:34 ` Khem Raj
  2016-10-28 14:28 ` Mariano Lopez
  0 siblings, 2 replies; 11+ messages in thread
From: Sona Sarmadi @ 2016-10-27 11:03 UTC (permalink / raw)
  To: Scott Rifenbark, mariano.lopez, yocto



> -----Original Message-----
> From: Sona Sarmadi
> Sent: den 27 oktober 2016 10:57
> To: Scott Rifenbark <srifenbark@gmail.com>; 'mariano.lopez@intel.com'
> <mariano.lopez@intel.com>; yocto@yoctoproject.org
> Subject: cve-checker tool
> 
> Hi guys,
> 
> I have some questions regarding the cve-check tool. I don't find anything
> about this tool in the Yocto
> 2.2 release; does the documentation mention this tool and how to use it?
> 
> Is this tool planned to be integrated with the daily build so the Yocto project
> can detect not addressed CVEs automatically?
> 
> Mariano:
> Does this tool look at CVE tag inside the recipe as well or only checks the
> package version?
> 
> Can this tool be used together with "meta-security-isafw" and get a fancy
> report?

There is some useful info in the cve-check.bbclass:

# In order to use this class just inherit the class in the
# local.conf file and it will add the cve_check task for
# every recipe. The task can be used per recipe, per image,
# or using the special cases "world" and "universe". The
# cve_check task will print a warning for every unpatched
# CVE found and generate a file in the recipe WORKDIR/cve
# directory. If an image is built it will generate a report
# in DEPLOY_DIR_IMAGE for all the packages used.

I see the following logs are generated:
./unzip/1_6.0-r5/cve/cve.log
./gnutls/3.5.3-r0/cve/cve.log
./glibc/2.24-r0/cve/cve.log
./glibc-initial/2.24-r0/cve/cve.log
./foomatic-filters/4.0.17-r1/cve/cve.log
./bzip2/1.0.6-r5/cve/cve.log
./libxml2/2.9.4-r0/cve/cve.log
./perl/5.22.1-r0/cve/cve.log
./expat/2.2.0-r0/cve/cve.log
./flex/2.6.0-r0/cve/cve.log

//Sona



* Re: cve-checker tool
  2016-10-27 11:03 cve-checker tool Sona Sarmadi
@ 2016-10-28  2:34 ` Khem Raj
  2016-10-28  9:03   ` Sona Sarmadi
  2016-10-28 14:28 ` Mariano Lopez
  1 sibling, 1 reply; 11+ messages in thread
From: Khem Raj @ 2016-10-28  2:34 UTC (permalink / raw)
  To: Sona Sarmadi; +Cc: yocto, Scott Rifenbark, mariano.lopez



> On Oct 27, 2016, at 4:03 AM, Sona Sarmadi <sona.sarmadi@enea.com> wrote:
> 
> 
> 
>> -----Original Message-----
>> From: Sona Sarmadi
>> Sent: den 27 oktober 2016 10:57
>> To: Scott Rifenbark <srifenbark@gmail.com>; 'mariano.lopez@intel.com'
>> <mariano.lopez@intel.com>; yocto@yoctoproject.org
>> Subject: cve-checker tool
>> 
>> Hi guys,
>> 
>> I have some questions regarding the cve-check tool. I don't find anything
>> about this tool in the Yocto
>> 2.2 release; does the documentation mention this tool and how to use it?
>> 
>> Is this tool planned to be integrated with the daily build so the Yocto project
>> can detect not addressed CVEs automatically?
>> 
>> Mariano:
>> Does this tool look at CVE tag inside the recipe as well or only checks the
>> package version?
>> 
>> Can this tool be used together with "meta-security-isafw" and get a fancy
>> report?
> 
> There is some useful info in the cve-check.bbclass:
> 
> # In order to use this class just inherit the class in the
> # local.conf file and it will add the cve_check task for
> # every recipe. The task can be used per recipe, per image,
> # or using the special cases "world" and "universe". The
> # cve_check task will print a warning for every unpatched
> # CVE found and generate a file in the recipe WORKDIR/cve
> # directory. If an image is built it will generate a report
> # in DEPLOY_DIR_IMAGE for all the packages used.
> 
> I see the following logs are generated:
> ./unzip/1_6.0-r5/cve/cve.log
> ./gnutls/3.5.3-r0/cve/cve.log
> ./glibc/2.24-r0/cve/cve.log
> ./glibc-initial/2.24-r0/cve/cve.log
> ./foomatic-filters/4.0.17-r1/cve/cve.log
> ./bzip2/1.0.6-r5/cve/cve.log
> ./libxml2/2.9.4-r0/cve/cve.log
> ./perl/5.22.1-r0/cve/cve.log
> ./expat/2.2.0-r0/cve/cve.log
> ./flex/2.6.0-r0/cve/cve.log

Perhaps you can add this info to the "How Do I" section
in the wiki here: https://wiki.yoctoproject.org/wiki/How_do_I

> 
> //Sona
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto



* Re: cve-checker tool
  2016-10-28  2:34 ` Khem Raj
@ 2016-10-28  9:03   ` Sona Sarmadi
  0 siblings, 0 replies; 11+ messages in thread
From: Sona Sarmadi @ 2016-10-28  9:03 UTC (permalink / raw)
  To: Khem Raj; +Cc: yocto, Scott Rifenbark, mariano.lopez

> > ./bzip2/1.0.6-r5/cve/cve.log
> > ./libxml2/2.9.4-r0/cve/cve.log
> > ./perl/5.22.1-r0/cve/cve.log
> > ./expat/2.2.0-r0/cve/cve.log
> > ./flex/2.6.0-r0/cve/cve.log
> 
> Perhaps you can add this info to the "How Do I" section
> in the wiki here: https://wiki.yoctoproject.org/wiki/How_do_I

Good idea, thanks for the hint. I did it, please feel free to improve it :)



* Re: cve-checker tool
  2016-10-27 11:03 cve-checker tool Sona Sarmadi
  2016-10-28  2:34 ` Khem Raj
@ 2016-10-28 14:28 ` Mariano Lopez
  2016-10-28 17:08   ` Patrick Ohly
  2016-12-06 14:28   ` Sona Sarmadi
  1 sibling, 2 replies; 11+ messages in thread
From: Mariano Lopez @ 2016-10-28 14:28 UTC (permalink / raw)
  To: Sona Sarmadi, Scott Rifenbark, mariano.lopez, yocto



On 10/27/2016 06:03 AM, Sona Sarmadi wrote:
>
>> -----Original Message-----
>> From: Sona Sarmadi
>> Sent: den 27 oktober 2016 10:57
>> To: Scott Rifenbark <srifenbark@gmail.com>; 'mariano.lopez@intel.com'
>> <mariano.lopez@intel.com>; yocto@yoctoproject.org
>> Subject: cve-checker tool
>>
>> Hi guys,
>>
>> I have some questions regarding the cve-check tool. I don't find anything
>> about this tool in the Yocto
>> 2.2 release; does the documentation mention this tool and how to use it?

Currently we don't have documentation about it; I'll work on it along
with Scott. Thanks for updating "How do I?" as Khem suggested.

>>
>> Is this tool planned to be integrated with the daily build so the Yocto project
>> can detect not addressed CVEs automatically?
>>
>> Mariano:
>> Does this tool look at CVE tag inside the recipe as well or only checks the
>> package version?

If there is a version affected by a CVE it will look for a patch that 
solves that particular CVE using the metadata in the patch format. 
For example, the current bind version is affected by CVE-2016-1285, but 
there is a patch for that, so the cve-check class will find this and will 
generate a log file saying the vulnerability has been addressed.

After the previous example I know you are familiar with the CVE tag; if 
someone stumbles on the thread, here is more information on the CVE tag 
needed:
http://openembedded.org/wiki/Commit_Patch_Message_Guidelines#CVE_Patches

>>
>> Can this tool be used together with "meta-security-isafw" and get a fancy
>> report?

When I was working on this it was the transition to python3, so 
meta-security-isafw didn't behave as expected. To be honest I haven't 
checked again, but it will be a good test. I'll try to do this during the 
weekend.

> There is some useful info in the cve-check.bbclass:
>
> # In order to use this class just inherit the class in the
> # local.conf file and it will add the cve_check task for
> # every recipe. The task can be used per recipe, per image,
> # or using the special cases "world" and "universe". The
> # cve_check task will print a warning for every unpatched
> # CVE found and generate a file in the recipe WORKDIR/cve
> # directory. If an image is built it will generate a report
> # in DEPLOY_DIR_IMAGE for all the packages used.
>
> I see the following logs are generated:
> ./unzip/1_6.0-r5/cve/cve.log
> ./gnutls/3.5.3-r0/cve/cve.log
> ./glibc/2.24-r0/cve/cve.log
> ./glibc-initial/2.24-r0/cve/cve.log
> ./foomatic-filters/4.0.17-r1/cve/cve.log
> ./bzip2/1.0.6-r5/cve/cve.log
> ./libxml2/2.9.4-r0/cve/cve.log
> ./perl/5.22.1-r0/cve/cve.log
> ./expat/2.2.0-r0/cve/cve.log
> ./flex/2.6.0-r0/cve/cve.log
>
> //Sona

Just remember that those logs are created for patched and unpatched CVEs.

-- 
Mariano Lopez



* Re: cve-checker tool
  2016-10-28 14:28 ` Mariano Lopez
@ 2016-10-28 17:08   ` Patrick Ohly
  2016-12-06 14:28   ` Sona Sarmadi
  1 sibling, 0 replies; 11+ messages in thread
From: Patrick Ohly @ 2016-10-28 17:08 UTC (permalink / raw)
  To: Mariano Lopez; +Cc: Scott Rifenbark, yocto, mariano.lopez

On Fri, 2016-10-28 at 09:28 -0500, Mariano Lopez wrote:
> 
> On 10/27/2016 06:03 AM, Sona Sarmadi wrote:
> >> Can this tool be used together with "meta-security-isafw" and get a fancy
> >> report?
> 
> When I was working on this it was the transition to python3, so 
> meta-security-isafw didn't behave as expected.

It does now.

>  To be honest I haven't 
> checked again but it will be a good test. I'll try to do this during the 
> weekend.

meta-security-isafw has its own support for generating CVE reports, for
example in the XMLunit format. Here's an example of how Jenkins displays
that:
https://ostroproject.org/jenkins/view/Code-Analysis/job/code_isafw_reports/checker=cve,label=coordinator,machine=beaglebone/lastCompletedBuild/testReport/

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.


* Re: cve-checker tool
  2016-10-28 14:28 ` Mariano Lopez
  2016-10-28 17:08   ` Patrick Ohly
@ 2016-12-06 14:28   ` Sona Sarmadi
  2016-12-06 14:41     ` Sona Sarmadi
  1 sibling, 1 reply; 11+ messages in thread
From: Sona Sarmadi @ 2016-12-06 14:28 UTC (permalink / raw)
  To: Mariano Lopez, mariano.lopez, yocto

Hi Mariano, all,

> If there is a version affected by a CVE it will look for a patch that solves
> that particular CVE using the metadata in the patch format.
> For example, the current bind version is affected by CVE-2016-1285, but
> there is a patch for that, so the cve-check class will find this and will
> generate a log file saying the vulnerability has been addressed.

It seems that this tool does not detect all CVEs, e.g. bind has some CVE patches
but it is not reported; I tried all the options below and nothing is reported (no cve.log file):
bitbake -c cve_check bind 
bitbake -k -c cve_check universe
bitbake -k -c cve_check world

There are some CVEs in bind (reported in the nvd.xml file for our version cpe:/a:isc:bind:9.10.3"/> )
but cve-check-tool does not report them, e.g. CVE-2016-2776. Do you know why?


CVEs are reported for the following packages using e.g. "bitbake -k -c cve_check universe"
or  "bitbake -c cve_check perl"
 
tmp/work/i586-poky-linux/perl/5.22.1-r0/cve/cve.log
tmp/work/i586-poky-linux/foomatic-filters/4.0.17-r1/cve/cve.log
tmp/work/i586-poky-linux/flex/2.6.0-r0/cve/cve.log
tmp/work/i586-poky-linux/glibc/2.24-r0/cve/cve.log
tmp/work/i586-poky-linux/unzip/1_6.0-r5/cve/cve.log
tmp/work/i586-poky-linux/expat/2.2.0-r0/cve/cve.log
tmp/work/i586-poky-linux/gnutls/3.5.3-r0/cve/cve.log
tmp/work/i586-poky-linux/glibc-initial/2.24-r0/cve/cve.log
tmp/work/i586-poky-linux/libxml2/2.9.4-r0/cve/cve.log
tmp/work/i586-poky-linux/bzip2/1.0.6-r5/cve/cve.log

We have more recipes which have CVE patches but they are not reported. 
I have analyzed these; some of these CVEs are still marked as reserved on Mitre
and are not present in the nvd.xml files, although they are public (e.g. Busybox:
https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).

I don't understand why, for instance, bind CVEs are not detected and reported by the cve-check tool.
Is it because of cpe:/a:isc:bind? Does it look for isc?

morty/poky/meta$ find . -name *CVE-201*.patch
./recipes-connectivity/ppp/ppp/fix-CVE-2015-3310.patch

./recipes-connectivity/bind/bind/CVE-2016-2776.patch ?
./recipes-connectivity/bind/bind/CVE-2016-1286_2.patch
./recipes-connectivity/bind/bind/CVE-2016-1285.patch
./recipes-connectivity/bind/bind/CVE-2016-1286_1.patch
./recipes-connectivity/bind/bind/CVE-2016-2088.patch
./recipes-connectivity/bind/bind/CVE-2016-2775.patch

./recipes-extended/unzip/unzip/CVE-2015-7696.patch
./recipes-extended/unzip/unzip/06-unzip60-alt-iconv-utf8_CVE-2015-1315.patch
./recipes-extended/unzip/unzip/CVE-2015-7697.patch
./recipes-extended/xinetd/xinetd/xinetd-CVE-2013-4342.patch
./recipes-extended/cpio/cpio-2.12/0001-Fix-CVE-2015-1197.patch
./recipes-extended/cracklib/cracklib/0001-Apply-patch-to-fix-CVE-2016-6318.patch
./recipes-extended/bzip2/bzip2-1.0.6/CVE-2016-3189.patch
./recipes-extended/grep/grep-2.5.1a/grep-CVE-2012-5667.patch
./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8327.patch
./recipes-extended/foomatic/foomatic-filters-4.0.17/CVE-2015-8560.patch
./recipes-multimedia/libtiff/files/CVE-2016-3945.patch
./recipes-multimedia/libtiff/files/CVE-2016-3623.patch
./recipes-multimedia/libtiff/files/CVE-2016-5323.patch
./recipes-multimedia/libtiff/files/CVE-2016-5321.patch
./recipes-multimedia/libtiff/files/CVE-2016-3991.patch
./recipes-multimedia/libtiff/files/CVE-2016-3622.patch
./recipes-multimedia/libtiff/files/CVE-2015-8781.patch
./recipes-multimedia/libtiff/files/CVE-2015-8784.patch
./recipes-multimedia/libtiff/files/CVE-2016-3186.patch
./recipes-multimedia/libtiff/files/CVE-2016-3990.patch
./recipes-multimedia/libtiff/files/CVE-2015-8665_8683.patch
./recipes-core/systemd/systemd/CVE-2016-7795.patch
./recipes-core/busybox/busybox/CVE-2016-2147_2.patch  <<< Reserved on Mitre: https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147
./recipes-core/busybox/busybox/CVE-2016-2147.patch
./recipes-core/busybox/busybox/CVE-2016-2148.patch <<< https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2148
./recipes-devtools/elfutils/elfutils-0.148/elf_begin.c-CVE-2014-9447-fix.patch
./recipes-devtools/python/python3/CVE-2016-5636.patch
./recipes-devtools/python/python3/python3-fix-CVE-2016-1000110.patch
./recipes-devtools/python/python/CVE-2016-5636.patch
./recipes-devtools/python/python/python-fix-CVE-2016-1000110.patch
./recipes-devtools/qemu/qemu/0002-fix-CVE-2016-7423.patch
./recipes-devtools/qemu/qemu/0003-fix-CVE-2016-7908.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2015-8607.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2016-2381.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2016-1238.patch
./recipes-devtools/perl/perl/perl-fix-CVE-2016-6185.patch
./recipes-devtools/gcc/gcc-6.2/CVE-2016-4490.patch
./recipes-devtools/flex/flex/CVE-2016-6354.patch
./recipes-bsp/grub/files/0001-Fix-CVE-2015-8370-Grub2-user-pass-vulnerability.patch
./recipes-support/nettle/nettle-2.7.1/CVE-2015-8804.patch
./recipes-support/nettle/nettle-2.7.1/CVE-2015-8803_8805.patch
./recipes-support/gnutls/gnutls/CVE-2016-7444.patch
./recipes-support/boost/boost/boost-CVE-2012-2677.patch
./recipes-support/gnupg/gnupg-1.4.7/GnuPG1-CVE-2012-6085.patch
./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4576.patch
./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4351.patch
./recipes-support/gnupg/gnupg-1.4.7/CVE-2013-4242.patch

Thanks
//Sona

* Re: cve-checker tool
  2016-12-06 14:28   ` Sona Sarmadi
@ 2016-12-06 14:41     ` Sona Sarmadi
  2016-12-07 14:58       ` Mariano Lopez
  0 siblings, 1 reply; 11+ messages in thread
From: Sona Sarmadi @ 2016-12-06 14:41 UTC (permalink / raw)
  To: 'Mariano Lopez', 'mariano.lopez@intel.com',
	'yocto@yoctoproject.org'

Another question:

We don't have recipes for libcurl, I guess both curl and libcurl CVEs are patched in the curl recipes, right?
I think curl uses libcurl, and libcurl is built when building curl. 

Those CVEs which are listed in the nvd.xml file under "cpe:/a:haxx:libcurl" are not detected and reported by the cve-check tool.

//Sona 


* Re: cve-checker tool
  2016-12-06 14:41     ` Sona Sarmadi
@ 2016-12-07 14:58       ` Mariano Lopez
  2016-12-07 16:12         ` Burton, Ross
  2016-12-07 16:14         ` Burton, Ross
  0 siblings, 2 replies; 11+ messages in thread
From: Mariano Lopez @ 2016-12-07 14:58 UTC (permalink / raw)
  To: Sona Sarmadi, 'mariano.lopez@intel.com',
	'yocto@yoctoproject.org'



On 06/12/16 08:41, Sona Sarmadi wrote:
> Another question:
>
> We don't have recipes for libcurl, I guess both curl and libcurl CVEs are patched in the curl recipes, right?
> I think curl uses libcurl, and libcurl is built when building curl. 
>
> Those CVEs which are listed in the nvd.xml file under "cpe:/a:haxx:libcurl" are not detected and reported by the cve-check tool.

In the case of libcurl, it is built using the curl recipe, and currently
the cve-check class will look for BPN, so it won't check against libcurl.
Can you open a bug for this?

> [snip]


> It seems that this tool does not detect all CVEs, e.g. bind has some CVE patches but it is not reported; I tried all the options below and nothing is reported (no cve.log file):
> bitbake -c cve_check bind
> bitbake -k -c cve_check universe
> bitbake -k -c cve_check world
>
> There are some CVEs in bind (reported in the nvd.xml file for our version cpe:/a:isc:bind:9.10.3"/> ) but cve-check-tool does not report them, e.g. CVE-2016-2776. Do you know why?
>
>
> CVEs are reported for the following packages using e.g. "bitbake -k -c cve_check universe"
> or  "bitbake -c cve_check perl"
>  
> tmp/work/i586-poky-linux/perl/5.22.1-r0/cve/cve.log
> tmp/work/i586-poky-linux/foomatic-filters/4.0.17-r1/cve/cve.log
> tmp/work/i586-poky-linux/flex/2.6.0-r0/cve/cve.log
> tmp/work/i586-poky-linux/glibc/2.24-r0/cve/cve.log
> tmp/work/i586-poky-linux/unzip/1_6.0-r5/cve/cve.log
> tmp/work/i586-poky-linux/expat/2.2.0-r0/cve/cve.log
> tmp/work/i586-poky-linux/gnutls/3.5.3-r0/cve/cve.log
> tmp/work/i586-poky-linux/glibc-initial/2.24-r0/cve/cve.log
> tmp/work/i586-poky-linux/libxml2/2.9.4-r0/cve/cve.log
> tmp/work/i586-poky-linux/bzip2/1.0.6-r5/cve/cve.log
>
> We have more recipes which have CVE patches but they are not reported. 
> I have analyzed these; some of these CVEs are still marked as reserved on Mitre and are not present in the nvd.xml files, although they are public (e.g. Busybox: 
> https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).

cve-check-tool will only check against the database it got from the
nvd.xml files, and these files won't have information for not yet fully
disclosed CVEs, so that is why you will find these cases frequently in
OE recipes (Armin does a great job with CVEs).

>
> I don't understand why, for instance, bind CVEs are not detected and reported by the cve-check tool.
> Is it because of cpe:/a:isc:bind? Does it look for isc?

I need to check on this; unfortunately my proxies decided to not
download the database. I'll get back to you as soon as I can investigate
more.


* Re: cve-checker tool
  2016-12-07 14:58       ` Mariano Lopez
@ 2016-12-07 16:12         ` Burton, Ross
  2016-12-07 16:14         ` Burton, Ross
  1 sibling, 0 replies; 11+ messages in thread
From: Burton, Ross @ 2016-12-07 16:12 UTC (permalink / raw)
  To: Mariano Lopez; +Cc: yocto, mariano.lopez


On 7 December 2016 at 14:58, Mariano Lopez <mariano.lopez@linux.intel.com>
wrote:

> > We have more recipes which have CVE patches but they are not reported.
> > I have analyzed these; some of these CVEs are still marked as reserved
> on Mitre and are not present in the nvd.xml files, although they are
> public (e.g. Busybox:
> > https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2147).
>
> cve-check-tool will only check against the database that got from the
> nvd.xml files, and these files won't have information for not yet fully
> disclosed CVEs, so that is why you will find these cases frequently in
> OE recipes (Armin does a great job with CVEs).
>

A lot of CVEs get reserved but never actually updated in MITRE.  This is
why the planned successor to cve-check-tool plans to download the Debian /
RHEL / etc security databases to fill in the gaps (I'm not sure what the
state of this rewrite is as we didn't write this tool).

Ross


* Re: cve-checker tool
  2016-12-07 14:58       ` Mariano Lopez
  2016-12-07 16:12         ` Burton, Ross
@ 2016-12-07 16:14         ` Burton, Ross
  1 sibling, 0 replies; 11+ messages in thread
From: Burton, Ross @ 2016-12-07 16:14 UTC (permalink / raw)
  To: Mariano Lopez; +Cc: yocto, mariano.lopez

[-- Attachment #1: Type: text/plain, Size: 527 bytes --]

On 7 December 2016 at 14:58, Mariano Lopez <mariano.lopez@linux.intel.com>
wrote:

> > Those CVEs which are listed in the nvd.xml file under
> "cpe:/a:haxx:libcurl" are not detected and reported by the cve-check tool.
>
> In the case of libcurl, it is build using the curl recipe, and currently
> cve-check class will look for BPN, so it won't check against libcurl.
> Can you open a bug for this?
>

A fix for this is trivial but we need a variable name.  Any objections or
better suggestions to CVE_PRODUCT?

Ross
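The two mechanisms discussed in this thread, Mariano's description of the check (is the recipe's version affected according to the NVD-derived database, and if so does a patch in the recipe carry a CVE tag for it) and the BPN-versus-libcurl mismatch Ross proposes to address with a CVE_PRODUCT list, as an added Python example that is not the cve-check class's or cve-check-tool's own code. The database shape, the versions, the patch headers and the CVE-0000-* ids are constructed placeholders; only the bind 9.10.3 / CVE-2016-1285 / CVE-2016-2776 / CVE-2016-2147 cases come from the thread.

```python
import re
from dataclasses import dataclass

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class NvdEntry:
    """One record of the NVD-derived database (constructed shape, not the
    real nvd.xml schema): a CVE, the CPE vendor/product it is filed under,
    and the exact affected version strings."""
    cve: str
    vendor: str
    product: str
    versions: frozenset


def cves_from_patch(filename, header):
    """CVE ids a patch claims to fix. The OE patch guideline puts a
    'CVE: CVE-YYYY-NNNN' line in the patch header; when that tag is missing,
    fall back to ids embedded in the file name (e.g. CVE-2016-2776.patch)."""
    tagged = set()
    for line in header.splitlines():
        if line.startswith("CVE:"):
            tagged.update(CVE_RE.findall(line))
    return tagged or set(CVE_RE.findall(filename))


def check_recipe(products, version, patches, db):
    """Report CVEs for one recipe.

    products: product names matched against the database, i.e. the BPN
              (what the class does today) or the list a CVE_PRODUCT-style
              variable would carry.
    version:  the recipe's PV.
    patches:  (filename, header_text) pairs from SRC_URI.
    Returns (patched, unpatched) as sorted CVE ids. A CVE that is patched
    but absent from the database (reserved on MITRE, not yet in nvd.xml)
    appears in neither list, which is why such patches produce no report.
    """
    fixed = set()
    for filename, header in patches:
        fixed |= cves_from_patch(filename, header)
    affected = {e.cve for e in db
                if e.product in products and version in e.versions}
    return sorted(affected & fixed), sorted(affected - fixed)


# Constructed database. CVE-2016-1285/-2776 against bind 9.10.3 are the
# cases named in the thread; CVE-0000-0000 and CVE-0000-0001 are placeholder
# ids standing in for an unpatched bind issue and a libcurl issue.
DB = [
    NvdEntry("CVE-2016-1285", "isc", "bind", frozenset({"9.10.3"})),
    NvdEntry("CVE-2016-2776", "isc", "bind", frozenset({"9.10.3"})),
    NvdEntry("CVE-0000-0000", "isc", "bind", frozenset({"9.10.3"})),
    NvdEntry("CVE-0000-0001", "haxx", "libcurl", frozenset({"7.0"})),
    # CVE-2016-2147 (busybox) deliberately absent: reserved, not in nvd.xml.
]

# Constructed patch headers in the OE format.
BIND_PATCHES = [
    ("CVE-2016-1285.patch", "Upstream-Status: Backport\nCVE: CVE-2016-1285\n"),
    ("CVE-2016-2776.patch", "Upstream-Status: Backport\n"),  # untagged: file name
]
BUSYBOX_PATCHES = [
    ("CVE-2016-2147.patch", "Upstream-Status: Backport\nCVE: CVE-2016-2147\n"),
]


def bind_report():
    return check_recipe(["bind"], "9.10.3", BIND_PATCHES, DB)


def curl_report_by_bpn():
    # Today's behaviour: only BPN "curl" is looked up, libcurl records are missed.
    return check_recipe(["curl"], "7.0", [], DB)


def curl_report_with_cve_product():
    # With a CVE_PRODUCT-style list the libcurl records are found.
    return check_recipe(["curl", "libcurl"], "7.0", [], DB)


def busybox_report():
    # Constructed version "1.0"; the patched CVE is not in DB, so nothing is reported.
    return check_recipe(["busybox"], "1.0", BUSYBOX_PATCHES, DB)


if __name__ == "__main__":
    for name, (patched, unpatched) in [
        ("bind", bind_report()),
        ("curl via BPN", curl_report_by_bpn()),
        ("curl via CVE_PRODUCT", curl_report_with_cve_product()),
        ("busybox", busybox_report()),
    ]:
        print(f"{name}: patched={patched} unpatched={unpatched}")
```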


* cve-checker tool
@ 2016-10-27  8:56 Sona Sarmadi
  0 siblings, 0 replies; 11+ messages in thread
From: Sona Sarmadi @ 2016-10-27  8:56 UTC (permalink / raw)
  To: Scott Rifenbark, mariano.lopez, yocto

Hi guys,

I have some questions regarding the cve-check tool. I don't find anything about this tool in the Yocto 
2.2 release; does the documentation mention this tool and how to use it?

Is this tool planned to be integrated with the daily build so the Yocto project can detect 
not addressed CVEs automatically?

Mariano:
Does this tool look at CVE tag inside the recipe as well or only checks the package version?

Can this tool be used together with "meta-security-isafw" and get a fancy report?


Thanks
//Sona


