
Commit d4551f9

Implement plugin architecture for CVE check
This change adds a plugin feature to cve check. The plugin feature helps adding new CVE data sources easier than the current implementation.

* Basic Specification

** Plugin directory and naming rule

Plugins are stored in scripts/lib/python/cve/plugin/ in a layer. And, plugin names should use the following name format.

```
eml_cve_<your plugin name>_plugin.py
```

e.g. scripts/lib/python/cve/plugin/eml_cve_myplugin_plugin.py

** Import path

Plugin's base class and libraries are in meta-emlinux/scripts/lib/python so plugins need to import libraries from this directory. For example, implementing your plugin must have the following line.

```
from lib.python.cve.plugin.eml_cve_plugin_base import EmlCvePlugin
```

** Plugin priority

Plugin has its own priority number. For priority number, 1 is lowest. This number is used to decide CVE is patched or unpatched if plugins have different CVE check results. For example, if PLUGIN-A (priority 1) said CVE-1111-1111 is patched but PLUGIN-B (priority 10) said it is unpatched, we adopt PLUGIN-B's analysis result because PLUGIN-B has higher priority than PLUGIN-A.

** Base class

The EmlCvePlugin class is the base class for plugins. This class contains 2 methods that plugins should implement.

- update_database
- run_check

The update_database function updates the CVE database. The run_check function executes the CVE check. The run_check function should return an instance of the CveCheckResultList class which stores the CVE analysis result.

** CVE check result

CVE check result is stored in the CveCheckResult class. This class stores the following data

- CVE ID
- source package name
- Patched/Unpatched status

The CveCheckResultList class stores CveCheckResult instances. So, when you create an instance of CveCheckResult, you should add it to the CveCheckResultList class.

** CVE vendor and product

CVE vendor and product information is stored in the CveProductList class. To get this information, use the _get_cve_products_from_source_package_name function in the EmlCvePlugin class.
You can use these data like this.

```
cve_products = self._get_cve_products_from_source_package_name(src_pkg_name)
for cve_product in cve_products:
    vendor = cve_product.vendor
    product = cve_product.product
```

** Installed package information

Installed package information is stored in the PackageInfoList class. This class is iterable and returns source package names.

```
for src_pkg_name in self.installed_packages:
    data = self.installed_packages[src_pkg_name]
```

** Common library

Common functions are implemented in lib.py. One of the useful functions is the check_affected function that checks if a given version is affected or not. This function uses the LooseVersion class to compare versions.

** Logging

Add the following lines in your code to use the logger class.

```
import logging
logger = logging.getLogger("emlinux-cve-check")
```

* Improved from current CVE check

** Support multiple types in product list yaml file

The current CVE check feature supports the following format.

```
package:
  - vendor
  - product
```

The new cve check feature supports dictionary style and a list which contains dictionaries.

```
packageA:
  - vendor
  - product
packageB:
  - vendor: vendor name
    product: product name
  - vendor: another vendor name
    product: another product name
```

In the yaml file, the product attribute should exist but the vendor attribute is optional. This specification is based on poky's cve-check.bbclass.

** Add some options for debugging

Checking CVE by cve_check_ng.py takes command line options which are the same as cve_check.py. However some options are added for debugging.

- skip-update option
  This option skips the database update process.
- target-source-package option
  It checks the given source package only.
- dpkg-status-file option
  Use the given .dpkg_status file instead of the .dpkg_status file in the ${DEPLOY_DIR_IMAGE} directory.

Signed-off-by: Masami Ichikawa <masami.ichikawa@miraclelinux.com>
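The plugin contract and the priority rule from the commit message, as an added example that is not code from the meta-emlinux commit: `EmlCvePlugin`, `CveCheckResult` and `CveCheckResultList` are minimal stand-ins for the real classes in `lib.python.cve.plugin`, the two plugins and their findings are constructed, and `merge_results` is a hypothetical resolver that lets the higher priority number win when plugins disagree.

```python
from dataclasses import dataclass

# Stand-ins for the meta-emlinux classes (constructed here so the example runs offline).
@dataclass(frozen=True)
class CveCheckResult:
    cve_id: str
    src_pkg: str      # source package name
    patched: bool     # Patched (True) / Unpatched (False)

class CveCheckResultList(list):
    """Collects the CveCheckResult instances one plugin produces."""

class EmlCvePlugin:
    priority = 1  # 1 is the lowest priority; a higher number wins on conflict
    def update_database(self):
        raise NotImplementedError
    def run_check(self) -> CveCheckResultList:
        raise NotImplementedError

# Two constructed plugins that disagree about CVE-1111-1111, as in the message.
class PluginA(EmlCvePlugin):
    priority = 1
    def update_database(self): pass
    def run_check(self):
        results = CveCheckResultList()
        results.append(CveCheckResult("CVE-1111-1111", "openssl", patched=True))
        results.append(CveCheckResult("CVE-2222-2222", "zlib", patched=False))
        return results

class PluginB(EmlCvePlugin):
    priority = 10
    def update_database(self): pass
    def run_check(self):
        results = CveCheckResultList()
        results.append(CveCheckResult("CVE-1111-1111", "openssl", patched=False))
        return results

def merge_results(plugins):
    """Hypothetical resolver: one verdict per (CVE ID, source package).
    Plugins are visited in ascending priority so a higher-priority plugin
    overwrites a lower one; findings reported by a single plugin are kept."""
    merged = {}
    for plugin in sorted(plugins, key=lambda p: p.priority):
        for result in plugin.run_check():
            merged[(result.cve_id, result.src_pkg)] = result
    return merged

if __name__ == "__main__":
    for key, r in sorted(merge_results([PluginA(), PluginB()]).items()):
        print(key, "patched" if r.patched else "unpatched")
```

Plugins with equal priority are not ordered by the rule in the commit message, so the resolver above simply keeps whichever it visited last; a real deployment should make that tie-break explicit.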
1 parent b3e92d4 commit d4551f9


14 files changed: +1881 -0 lines changed


docker/Dockerfile

Lines changed: 1 addition & 0 deletions
@@ -76,6 +76,7 @@ RUN bash -c 'if test -n "$no_proxy"; then git config --global core.noproxy "$no_
7676
RUN pip install --user 'cyclonedx-python-lib>=7.3.2,<=7.5.1' --break-system-packages --no-warn-script-location
7777
RUN pip install --user jsonschema==4.21.1 --break-system-packages --no-warn-script-location
7878
RUN pip install --user spdx-tools==0.8.2 --break-system-packages --no-warn-script-location
79+
RUN pip install --user looseversion==1.3.0 --break-system-packages --no-warn-script-location
7980

8081
RUN mkdir work
8182
WORKDIR /home/build/work
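Review bot: the new `RUN pip install --user looseversion==1.3.0 ...` line carries no comment explaining why the package is needed, while the Dockerfile otherwise gives no hint that the CVE check depends on it; the commit message says `check_affected` compares versions with `LooseVersion`, so a one-line comment above the install stating that would save the next reader a search. The exact pin is consistent with the neighbouring `jsonschema==4.21.1` and `spdx-tools==0.8.2` lines and keeps the image reproducible, but like them it trusts the index by version alone; if these pins are ever moved into a hash-checked requirements file, this one should go with them.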
