Age | Commit message (Collapse) | Author |
|
Implements "report_cve" and "report_patched" tasks.
"report_patched" prepares image manifest with patched CVE info.
"report_cve" runs cvert-* scripts to generate kernel and package CVE reports.
You can configure it to set report filenames, reuse NVD feeds,
stop after manifest generation and ignore specific classes,
like native, nativesdk, etc.
Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
NVD entries for the Linux kernel are almost always outdated.
For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065
is shown as matched for "versions up to (including) 4.15.7",
however the patch 57ebd808a97d has been back ported for 4.14.
By default, it checks NVD Resource entries for the patch
URLs and looks for the commits in the local GIT tree.
Additionaly ("--resource") it checks other resources, that
may have up-to-date CVE data. You can combine resources and
decide which one you want to be based on.
Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
cvert-foss - generate CVE report for the list of packages.
Analyze the whole image manifest to align with the complex
CPE configurations.
cvert-update - update NVD feeds and store CVE structues dump.
CVE dump is a pickled representation of the cve_struct dictionary.
cvert.py - python library used by cvert-* scripts.
NVD JSON Vulnerability Feeds https://nvd.nist.gov/vuln/data-feeds#JSON_FEED
Usage examples:
o Download CVE feeds to "nvdfeed" directory
% cvert-update nvdfeed
o Update CVE feeds and store a dump in a file
% cvert-update --store cvedump nvdfeed
o Generate a CVE report
% cvert-foss --feed-dir nvdfeed --output report-foss.txt cve-manifest
o (faster) Use dump file to generate a CVE report
% cvert-foss --restore cvedump --output report-foss.txt cve-manifest
o Generate a full report
% cvert-foss --restore cvedump --show-description --show-reference \
--output report-foss-full.txt cve-manifest
Manifest example:
bash,4.2,CVE-2014-7187
python,2.7.35,
python,3.5.5,CVE-2017-17522 CVE-2018-1061
Report example:
patched | 7.5 | CVE-2018-1061 | python | 3.5.5
patched | 10.0 | CVE-2014-7187 | bash | 4.2
patched | 8.8 | CVE-2017-17522 | python | 3.5.5
unpatched | 10.0 | CVE-2014-6271 | bash | 4.2
unpatched | 10.0 | CVE-2014-6277 | bash | 4.2
unpatched | 10.0 | CVE-2014-6278 | bash | 4.2
unpatched | 10.0 | CVE-2014-7169 | bash | 4.2
unpatched | 10.0 | CVE-2014-7186 | bash | 4.2
unpatched | 4.6 | CVE-2012-3410 | bash | 4.2
unpatched | 8.4 | CVE-2016-7543 | bash | 4.2
unpatched | 5.0 | CVE-2010-3492 | python | 2.7.35
unpatched | 5.3 | CVE-2016-1494 | python | 2.7.35
unpatched | 6.5 | CVE-2017-18207 | python | 3.5.5
unpatched | 6.5 | CVE-2017-18207 | python | 2.7.35
unpatched | 7.1 | CVE-2013-7338 | python | 2.7.35
unpatched | 7.5 | CVE-2018-1060 | python | 3.5.5
unpatched | 8.8 | CVE-2017-17522 | python | 2.7.35
Signed-off-by: grygorii tertychnyi <gtertych@cisco.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
remove untested code
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
update to tip
backported patches to fix build issues.
fix native support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
NameError: name 'xrange' is not defined
Signed-off-by: Lei Maohui <leimaohui@cn.fujitsu.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
[v2]
fix multilib support
Als add native support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
* checksec.sh: Updated to 1.11.1
* checksec.sh: resolved issues with readelf
* checksec.sh: Added docker images for testing
* checksec.sh: Added armhf and aarch64 libc locations
* checksec.sh: Replace FS_COUNT with fgrep
* checksec.sh: Fixed symbols count in csv
* checksec.sh: Fixed RW-RPATH and RW-RUNPATH
* checksec.sh: Added stack canaries generated by intel compiler
* checksec.sh: Mute stat errors for non-existent directories
* checksec.sh: Removed invalid json structures and duplicate kernel checks
* checksec.sh: fixed spaces in -d option
* checksec.sh: Added stack-protector-string check
* checksec.sh: Add arm64 specific kernel checks
* checksec.sh: Add REFCOUNT_FULL to kernel tests
* checksec.sh: Remove OSX support
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Tarballs from archive.ubuntu.com can and do disappear (similar to archive.debian.org).
Signed-off-by: Alexander Kanavin <alex.kanavin@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
bug fix release.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This version does not have a dependacy on samba
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
ported over smack tests
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add more description
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add openembedded-layer to layer dependencies.
Fix the following build errors:
ERROR: Required build target 'tpm2-pkcs11' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-pkcs11', 'dstat']
ERROR: Required build target 'cryptsetup-tpm-incubator' has no buildable providers.
Missing or unbuildable dependency chain was: ['cryptsetup-tpm-incubator', 'libdevmapper']
ERROR: Required build target 'tpm2-totp' has no buildable providers.
Missing or unbuildable dependency chain was: ['tpm2-totp', 'qrencode']
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
re-arch the reciped to build properly.
Fixed /var/lib/clamav dir issue
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Add native package to support creating a mirror
of the clamav cvd and supply it in a new package.
Provide a INSTALL_CLAMAV_CVD flag to bypass this creation
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
This addes the localhost to resolve.conf to fix:
ERROR: Can't get information about database.clamav.net: Temporary failure in name resolution
ERROR: Can't download main.cvd from database.clamav.net
Giving up on database.clamav.net...
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
llvm8.0 does not exist. dropped the version part.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
and ping test too
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
For details see: https://github.com/kyz/libmspack/blob/master/libmspack/ChangeLog
change compression to match that now being used from source
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
update apparmor configs
[v2]
Just update configs.
leave versions intact.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Drop patch included in update:
tool-paths.patch
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|
|
There is only one llvm and its in core so
drop allowing it to be overwritten.
We can hardcode it now.
Signed-off-by: Armin Kuster <akuster808@gmail.com>
|