Add support for Yocto scanner #1085
Conversation
panicking
force-pushed
the
feature/add-yocto-cve-parser
branch
2 times, most recently
from
04c2d27 to
464e127
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #1085 +/- ##
============================================
- Coverage 90.74% 90.63% -0.12%
- Complexity 2322 2340 +18
============================================
Files 355 357 +2
Lines 6551 6617 +66
Branches 675 686 +11
============================================
+ Hits 5945 5997 +52
- Misses 410 417 +7
- Partials 196 203 +7 ☔ View full report in Codecov by Sentry. |
panicking
force-pushed
the
feature/add-yocto-cve-parser
branch
from
464e127 to
d1751b8
Compare
|
@uhafner Trying to figure out how to test everything to the warning plugin, there are 3 components that are involved 1) the model, 2) model-api plugin 3) warning-ng plugin. Can I have a local setup where all of those components are testable together? The reason I'm asking is because I'm integrate another vulnerabiliy tools and testing of them look really importat to me to fine tuning the information needs to be shown |
panicking
force-pushed
the
feature/add-yocto-cve-parser
branch
from
d1751b8 to
c16b789
Compare
I prepared a development environment that should help. |
|
@uhafner Ok, I need to push a new version. I will include some screenshot. I would like to ask you if I can use html href in description for the vulnerabilities hyperlink and when I don't have filename what is the best approach, because make it empy is not a real nice result |
Yes, that is ok. See
Isn't the package in your case the the actual affected file name? |
Ok
This is how is shown |
panicking
force-pushed
the
feature/add-yocto-cve-parser
branch
from
c16b789 to
560ae43
Compare
|
Thanks for the PR, the screenshots look good! From my understanding (and to be more compatible with other vulnerability scanners like Here the test from softly.assertThat(report.get(0))
.hasFileName("commons-beanutils-1.8.3.jar")
.hasSeverity(Severity.WARNING_HIGH)
.hasCategory("NETWORK")
.hasType("CVE-2014-0114")
.hasMessage("Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.")
.hasDescription("<a href=\"https://nvd.nist.gov/vuln/detail/CVE-2014-0114\">https://nvd.nist.gov/vuln/detail/CVE-2014-0114</a>");Then your test would look like: softly.assertThat(report.get(0))
.hasSeverity(Severity.WARNING_LOW)
.hasFileName("acl")
.hasType("CVE-2009-4411")
.hasDescription("<div><b>Package: </b>acl</div> <div><b>Version: </b>2.3.2</div>"
+ " <div><b>Link: </b><a href=\"https://nvd.nist.gov/vuln/detail/CVE-2009-4411\""
+ ">https://nvd.nist.gov/vuln/detail/CVE-2009-4411</a></div>"
+ " <div><b>Yocto Layer: </b>meta</div> <div><b>Vector: </b>LOCAL</div> <p>"
+ "The (1) setfacl and (2) getfacl commands in XFS acl 2.2.47, when running"
+ " in recursive (-R) mode, follow symbolic links even when the --physical"
+ " (aka -P) or -L option is specified, which might allow local users to modify"
+ " the ACL for arbitrary files or directories via a symlink attack.</p>");Would that work? I think I can remove the |
In the new screenshot I have put as filename the vulnerability (make sense?) I will change it as you ask if I can not use as filename the CVE |
Ok done and change as you suggest. I'm testing it and push a new version |
Yocto project support CVE security vulnerabilities using cve-check in the specific image or target you are building, add the following setting to your configuration: INHERIT += "cve-check" status of each CVE: Patched, Unpatched or Ignored The scanner look only for Unpatched package and calculate the severity using the score_v2 or score_v3. The generated from Yocto can be collected in build/tmp/log/cve/cve-summury.json Signed-off-by: Michael Trimarchi <[email protected]>
panicking
force-pushed
the
feature/add-yocto-cve-parser
branch
from
560ae43 to
ea514ba
Compare
|
Thanks! |
|
|
||
| @Override | ||
| public String getIconUrl() { | ||
| return "https://www.yoctoproject.org/wp-content/uploads/sites/32/2023/09/YoctoProject_Logo_RGB_White_small.svg"; |
There was a problem hiding this comment.
I changed that to https://upload.wikimedia.org/wikipedia/commons/0/00/Yocto_Project_logo.svg, otherwise the text is white on white background. It seems that the project needs to define a SVG logo that correctly assigns the colors.
There was a problem hiding this comment.
@uhafner very good, and sorry, you have done a fantastic job here in this plugin
Yocto project support CVE security vulnerabilities using cve-check in the specific image or target you are building, add the following setting to your configuration:
INHERIT += "cve-check"
status of each CVE: Patched, Unpatched or Ignored
The scanner look only for Unpatched package and calculate the severity using the score_v2 or score_v3
Testing done
Deployed in internal company jenkins infrastructure and verify on real yocto product
