bd-kernel-vulns 1.0__tar.gz

bd_kernel_vulns-1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Matthew Brady
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

bd_kernel_vulns-1.0/PKG-INFO

@@ -0,0 +1,18 @@
+Metadata-Version: 2.4
+Name: bd_kernel_vulns
+Version: 1.0
+Summary: bd_kernel_vulns - Script to process the Linux Kernel in a BD project to assess vulns applicability based on supplied list of kernel source files (or folders)
+Author-email: Matthew Brady <mbrad@blackduck.com>
+Project-URL: Homepage, https://github.com/matthewb66/bd_kernel_vulns
+Project-URL: Issues, https://github.com/matthewb66/bd_kernel_vulns/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: blackduck>=1.1.3
+Requires-Dist: requests
+Requires-Dist: aiohttp
+Requires-Dist: asyncio
+Dynamic: license-file

bd_kernel_vulns-1.0/bd_kernel_vulns/BOMClass.py

@@ -0,0 +1,141 @@
+# import config
+from .ComponentListClass import ComponentList
+# from ComponentClass import Component
+from .VulnListClass import VulnList
+# from . import global_values
+# import logging
+from blackduck import Client
+import sys
+# from tabulate import tabulate
+# import aiohttp
+import asyncio
+import platform
+# import re
+
+
+class BOM:
+    def __init__(self, conf):
+        try:
+            self.complist = ComponentList()
+            self.vulnlist = VulnList()
+            self.bd = Client(
+                token=conf.bd_api,
+                base_url=conf.bd_url,
+                verify=(not conf.bd_trustcert),  # TLS certificate verification
+                timeout=60
+            )
+
+            conf.logger.info(f"Working on project '{conf.bd_project}' version '{conf.bd_version}'")
+
+            self.bdver_dict = self.get_project(conf)
+            if not self.bd:
+                raise ValueError("Unable to create BOM object")
+
+            res = self.bd.list_resources(self.bdver_dict)
+            self.projver = res['href']
+            # thishref = f"{self.projver}/components"
+            #
+            # bom_arr = self.get_paginated_data(thishref, "application/vnd.blackducksoftware.bill-of-materials-6+json")
+            #
+            # for comp in bom_arr:
+            #     if 'componentVersion' not in comp:
+            #         continue
+            #     # compver = comp['componentVersion']
+            #
+            #     compclass = Component(comp['componentName'], comp['componentVersionName'], comp)
+            #     self.complist.add(compclass)
+            #
+        except ValueError as v:
+            conf.logger.error(v)
+            sys.exit(-1)
+        return
+
+    def get_paginated_data(self, url, accept_hdr):
+        headers = {
+            'accept': accept_hdr,
+        }
+        url = url + "?limit=1000"
+        res = self.bd.get_json(url, headers=headers)
+        if 'totalCount' in res and 'items' in res:
+            total_comps = res['totalCount']
+        else:
+            return []
+
+        ret_arr = []
+        downloaded_comps = 0
+        while downloaded_comps < total_comps:
+            downloaded_comps += len(res['items'])
+
+            ret_arr += res['items']
+
+            newurl = f"{url}&offset={downloaded_comps}"
+            res = self.bd.get_json(newurl, headers=headers)
+            if 'totalCount' not in res or 'items' not in res:
+                break
+
+        return ret_arr
+
+    def get_project(self, conf):
+        params = {
+            'q': "name:" + conf.bd_project,
+            'sort': 'name',
+        }
+
+        ver_dict = None
+        projects = self.bd.get_resource('projects', params=params)
+        for p in projects:
+            if p['name'] == conf.bd_project:
+                versions = self.bd.get_resource('versions', parent=p, params=params)
+                for v in versions:
+                    if v['versionName'] == conf.bd_version:
+                        ver_dict = v
+                        break
+                break
+        else:
+            conf.logger.error(f"Version '{conf.bd_version}' does not exist in project '{conf.bd_project}'")
+            sys.exit(2)
+
+        if ver_dict is None:
+            conf.logger.warning(f"Project '{conf.bd_project}' does not exist")
+            sys.exit(2)
+
+        return ver_dict
+
+    def get_vulns(self, conf):
+        vuln_url = f"{self.projver}/vulnerable-bom-components"
+        vuln_arr = self.get_paginated_data(vuln_url, "application/vnd.blackducksoftware.bill-of-materials-8+json")
+        self.vulnlist.add_comp_data(vuln_arr, conf)
+
+    def process_data_async(self, conf):
+        if platform.system() == "Windows":
+            asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
+
+        self.vulnlist.add_vuln_data(asyncio.run(self.vulnlist.async_get_vuln_data(self.bd, conf)), conf)
+
+    def ignore_vulns_async(self):
+        if platform.system() == "Windows":
+            asyncio.set_event_loop_policy(asyncio.WindowsSelectorEventLoopPolicy())
+
+        data = asyncio.run(self.vulnlist.async_ignore_vulns(self.bd))
+        return len(data)
+
+    def ignore_vulns(self, conf):  # DEBUG
+        self.vulnlist.ignore_vulns(self.bd, conf)
+
+    def process_kernel_vulns(self, conf, kfiles):
+        self.vulnlist.process_kernel_vulns(conf, kfiles)
+
+    # def count_comps(self):
+    #     return len(self.complist)
+
+    def count_vulns(self):
+        return self.vulnlist.count()
+
+    def count_in_kernel_vulns(self):
+        return self.vulnlist.count_in_kernel()
+
+    def count_not_in_kernel_vulns(self):
+        return self.vulnlist.count() - self.vulnlist.count_in_kernel()
+
+    def check_kernel_comp(self):
+        return self.complist.check_kernel()

bd_kernel_vulns-1.0/bd_kernel_vulns/ComponentClass.py

@@ -0,0 +1,199 @@
+# import global_values
+import re
+# import global_values
+# import logging
+# from thefuzz import fuzz
+from .VulnListClass import VulnList
+
+
+class Component:
+    def __init__(self, name, version):
+        self.name = name
+        self.version = version
+        self.vulnlist = VulnList()
+        self.data = None
+
+    # def get_matchtypes(self):
+    #     try:
+    #         return self.data['matchTypes']
+    #     except KeyError:
+    #         return []
+    #
+    # def is_dependency(self):
+    #     dep_types = ['FILE_DEPENDENCY_DIRECT', 'FILE_DEPENDENCY_TRANSITIVE']
+    #     match_types = self.get_matchtypes()
+    #     for m in dep_types:
+    #         if m in match_types:
+    #             return True
+    #     return False
+    #
+    # def is_signature(self):
+    #     sig_types = ['FILE_EXACT', 'FILE_SOME_FILES_MODIFIED', 'FILE_FILES_ADDED_DELETED_AND_MODIFIED',
+    #                  'FILE_EXACT_FILE_MATCH']
+    #     match_types = self.get_matchtypes()
+    #     for m in sig_types:
+    #         if m in match_types:
+    #             return True
+    #     return False
+
+    def is_ignored(self):
+        try:
+            return self.data['ignored']
+        except KeyError:
+            return False
+
+    # def process_signatures(self):
+    #     all_paths_ignoreable = True
+    #     unmatched = False
+    #     reason = ''
+    #     for sigentry in self.sigentry_arr:
+    #         ignore, reason = sigentry.filter_folders()
+    #         if not ignore:
+    #             all_paths_ignoreable = False
+    #         else:
+    #             self.sigentry_arr.remove(sigentry)
+    #
+    #     if all_paths_ignoreable:
+    #         # Ignore
+    #         reason = f"Mark IGNORED - {reason}"
+    #         self.reason = reason
+    #         logging.debug(f"- Component {self.filter_name}/{self.version}: {reason}")
+    #         self.set_ignore()
+    #     else:
+    #     #     print(f"NOT Ignoring {self.name}/{self.version}")
+    #         self.sig_match_result = 0
+    #         set_reviewed = False
+    #         ignore = True
+    #         unmatched = True
+    #         reason = f"No Action - component name '{self.oriname_arr}' not found in signature paths"
+    #         for sigentry in self.sigentry_arr:
+    #             # compname_found, compver_found,\
+    #             #     new_match_result = sigentry.search_component(self.filter_name, self.filter_version)
+    #             compname_found, compver_found,\
+    #                 new_match_result = sigentry.search_component(self.oriname_arr, self.filter_version)
+    #             logging.debug(f"Compname in path {compname_found}, Version in path {compver_found}, "
+    #                           f"Match result {new_match_result}, Path '{sigentry.path}'")
+    #
+    #             if compver_found:
+    #                 self.compver_found = True
+    #                 ignore = False
+    #                 unmatched = False
+    #             if compname_found:
+    #                 self.compname_found = True
+    #             if global_values.version_match_reqd:
+    #                 if compver_found:
+    #                     set_reviewed = True
+    #                     ignore = False
+    #                     unmatched = False
+    #                 else:
+    #                     reason = f"No Action - component version {self.filter_version} not found
+    #                     (and required because --version_match_reqd set)"
+    #             elif compname_found:
+    #                 set_reviewed = True
+    #                 ignore = False
+    #                 unmatched = False
+    #             if new_match_result > self.sig_match_result:
+    #                 self.sig_match_result = new_match_result
+    #                 self.best_sigpath = sigentry.path
+    #             # print(self.name, self.version, src['commentPath'])
+    #         if set_reviewed:
+    #             if self.compver_found:
+    #                 reason = f"Mark REVIEWED - Compname & version in path '{self.best_sigpath}'
+    #                 (Match result {self.sig_match_result})"
+    #             elif self.compname_found:
+    #                 reason = f"Mark REVIEWED - Compname {self.oriname_arr} in path '{self.best_sigpath}'
+    #                 (Match result {self.sig_match_result})"
+    #
+    #             logging.debug(f"- Component {self.name}/{self.version}: {reason}")
+    #             self.set_reviewed()
+    #             unmatched = False
+    #     if ignore and global_values.ignore_no_path_matches:
+    #         self.set_ignore()
+    #         reason = f"Mark IGNORED - compname or version not found in paths & --ignore_no_path_matches set"
+    #
+    #     self.reason = reason
+    #     self.unmatched = unmatched
+
+    # @staticmethod
+    # def filter_name_string(name, logger):
+    #     # Remove common words
+    #     # - for, with, in, on,
+    #     # Remove strings in brackets
+    #     # Replace / with space
+    #     ret_name = re.sub(r"\(.*\)", r"", name)
+    #     for rep in [r" for ", r" with ", r" in ", r" on ", r" a ", r" the ", r" by ",
+    #                 r" and ", r"^apache | apache | apache$", r" bundle ", r" only | only$", r" from ",
+    #                 r" to ", r" - "]:
+    #         ret_name = re.sub(rep, " ", ret_name, flags=re.IGNORECASE)
+    #     ret_name = re.sub(r"[/@#:]", " ", ret_name)
+    #     ret_name = re.sub(r" \w$| \w |^\w ", r" ", ret_name)
+    #     ret_name = ret_name.replace("::", " ")
+    #     ret_name = re.sub(r" +", r" ", ret_name)
+    #     ret_name = re.sub(r"^ ", r"", ret_name)
+    #     ret_name = re.sub(r" $", r"", ret_name)
+    #
+    #     debug(f"filter_name_string(): Compname '{name}' replaced with '{ret_name}'")
+    #     return ret_name.lower()
+
+    @staticmethod
+    def filter_version_string(version):
+        # Remove +git*
+        # Remove -snapshot*
+        # Replace / with space
+        ret_version = re.sub(r"\+git.*", r"", version, flags=re.IGNORECASE)
+        ret_version = re.sub(r"-snapshot.*", r"", ret_version, flags=re.IGNORECASE)
+        ret_version = re.sub(r"/", r" ", ret_version)
+        ret_version = re.sub(r"^v", r"", ret_version, flags=re.IGNORECASE)
+        ret_version = re.sub(r"\+*", r"", ret_version, flags=re.IGNORECASE)
+
+        return ret_version.lower()
+
+    def get_compid(self):
+        try:
+            compurl = self.data['component']
+            return compurl.split('/')[-1]
+        except KeyError:
+            return ''
+
+    # def print_origins(self):
+    #     try:
+    #         for ori in self.data['origins']:
+    #             print(f"Comp '{self.name}/{self.version}' Origin '{ori['externalId']}' Name '{ori['name']}'")
+    #     except KeyError:
+    #         print(f"Comp '{self.name}/{self.version}' No Origin")
+    #
+    # def get_origin_compnames(self):
+    #     compnames_arr = []
+    #     try:
+    #         for ori_entry in self.data['origins']:
+    #             ori = ori_entry['externalId']
+    #             ori_ver = ori_entry['name']
+    #             ori_string = ori.replace(f"{ori_ver}", '')
+    #             arr = re.split(r"[:/#]", ori_string)
+    #             new_name = arr[-2].lower()
+    #             if new_name not in compnames_arr:
+    #                 logging.debug(
+    #                     f"Comp '{self.name}/{self.version}' Compname calculate from origin '{new_name}' -
+    #                     origin='{ori}'")
+    #                 compnames_arr.append(new_name)
+    #         if self.filter_name.find(' ') == -1:
+    #             # Single word component name
+    #             if self.filter_name not in compnames_arr:
+    #                 compnames_arr.append(self.filter_name.lower())
+    #     except (KeyError, IndexError):
+    #         logging.debug(f"Comp '{self.name}/{self.version}' Compname calculate from compname only '{self.name}'")
+    #         compnames_arr.append(self.filter_name.lower())
+    #     return compnames_arr
+    #
+    # def get_sigpaths(self):
+    #     data = ''
+    #     count = 0
+    #     for sigentry in self.sigentry_arr:
+    #         data += f"{sigentry.get_sigpath()}\n"
+    #         count += 1
+    #     return data
+
+    def check_kernel(self):
+        if self.name == 'Linux Kernel':
+            return True
+        return False

bd_kernel_vulns-1.0/bd_kernel_vulns/ComponentListClass.py

@@ -0,0 +1,32 @@
+# from Component import Component
+# import global_values
+# import logging
+# import requests
+
+class ComponentList:
+    def __init__(self):
+        self.components = []
+
+    def add(self, comp):
+        self.components.append(comp)
+
+    def count(self):
+        return len(self.components)
+
+    def count_ignored(self):
+        count = 0
+        for comp in self.components:
+            if comp.is_ignored():
+                count += 1
+        return count
+
+    def get_vulns(self):
+        for comp in self.components:
+            comp.get_vulns()
+
+    def check_kernel(self):
+        for comp in self.components:
+            if comp.is_kernel():
+                return True
+
+        return False

bd_kernel_vulns-1.0/bd_kernel_vulns/ConfigClass.py

@@ -0,0 +1,117 @@
+import argparse
+import logging
+import os
+
+
+class Config:
+    def __init__(self):
+        self.bd_api = ''
+        self.bd_url = ''
+        self.bd_trustcert = False
+
+        self.bd_project = ''
+        self.bd_version = ''
+        self.logger = None
+        self.logfile = ''
+        self.kernel_source_file = ''
+        self.folders = False
+        self.debug = False
+
+    def get_cli_args(self):
+        parser = argparse.ArgumentParser(description='Black Duck vulns', prog='bd_vulns')
+
+        # parser.add_argument("projfolder", nargs="?", help="Yocto project folder to analyse", default=".")
+
+        parser.add_argument("--blackduck_url", type=str, help="Black Duck server URL (REQUIRED)", default="")
+        parser.add_argument("--blackduck_api_token", type=str, help="Black Duck API token (REQUIRED)", default="")
+        parser.add_argument("--blackduck_trust_cert", help="Black Duck trust server cert", action='store_true')
+        parser.add_argument("-p", "--project", help="Black Duck project to process (REQUIRED)", default="")
+        parser.add_argument("-v", "--version", help="Black Duck project version to process (REQUIRED)", default="")
+        parser.add_argument("--debug", help="Debug logging mode", action='store_true')
+        parser.add_argument("--logfile", help="Logging output file", default="")
+        parser.add_argument("-k", "--kernel_source_file", help="Kernel source files list (REQUIRED)", default="")
+        parser.add_argument("--folders", help="Kernel Source file only contains folders to be used to map vulns",
+                            action='store_true')
+        
+        args = parser.parse_args()
+
+        terminate = False
+        if args.debug:
+            loglevel = logging.DEBUG
+        else:
+            loglevel = logging.INFO
+        # global_values.logging_level = loglevel
+        self.logfile = args.logfile
+    
+        self.logger = self.setup_logger('kernel-vulns', loglevel)
+    
+        self.logger.debug("ARGUMENTS:")
+        for arg in vars(args):
+            self.logger.debug(f"--{arg}={getattr(args, arg)}")
+        self.logger.debug('')
+    
+        url = os.environ.get('BLACKDUCK_URL')
+        if args.blackduck_url != '':
+            self.bd_url = args.blackduck_url
+        elif url is not None:
+            self.bd_url = url
+        else:
+            self.logger.error("Black Duck URL not specified")
+            terminate = True
+    
+        if args.project != "" and args.version != "":
+            self.bd_project = args.project
+            self.bd_version = args.version
+        else:
+            self.logger.error("Black Duck project/version not specified")
+            terminate = True
+    
+        api = os.environ.get('BLACKDUCK_API_TOKEN')
+        if args.blackduck_api_token != '':
+            self.bd_api = args.blackduck_api_token
+        elif api is not None:
+            self.bd_api = api
+        else:
+            self.logger.error("Black Duck API Token not specified")
+            terminate = True
+    
+        trustcert = os.environ.get('BLACKDUCK_TRUST_CERT')
+        if trustcert == 'true' or args.blackduck_trust_cert:
+            self.bd_trustcert = True
+    
+        if args.kernel_source_file != '':
+            if not os.path.exists(args.kernel_source_file):
+                self.logger.error(f"Supplied kernel source list file '{args.kernel_source_file}' does not exist")
+                terminate = True
+            else:
+                self.kernel_source_file = args.kernel_source_file
+        else:
+            self.logger.error(f"Kernel source list file required (--kernel_source_list)")
+            terminate = True
+    
+        if args.folders == 'true':
+            self.folders = True
+    
+        if terminate:
+            return False
+        return True
+
+    def setup_logger(self, name: str, level) -> logging.Logger:
+        logger = logging.getLogger(name)
+        logger.setLevel(level)
+
+        if not logger.hasHandlers():  # Avoid duplicate handlers
+            formatter = logging.Formatter(
+                '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+            )
+
+            console_handler = logging.StreamHandler()
+            console_handler.setFormatter(formatter)
+            logger.addHandler(console_handler)
+
+            if self.logfile != '':
+                file_handler = logging.FileHandler(self.logfile)
+                file_handler.setFormatter(formatter)
+                logger.addHandler(file_handler)
+
+        return logger

bd_kernel_vulns-1.0/bd_kernel_vulns/KernelSourceClass.py

@@ -0,0 +1,35 @@
+# import global_values
+
+
+class KernelSource:
+    def __init__(self, conf):
+        self.file_arr = []
+        self.folders = conf.folders
+        try:
+            with open(conf.kernel_source_file) as klfile:
+                lines = klfile.readlines()
+        except FileExistsError:
+            return
+
+        for line in lines:
+            line = line.strip()
+            if not self.folders:
+                if line.endswith('.c') or line.endswith('.h'):
+                    self.file_arr.append(line)
+            else:
+                self.file_arr.append(line)
+
+    def check_files(self, f_arr):
+        for f in f_arr:
+            for kf in self.file_arr:
+                if not self.folders:
+                    if kf.endswith(f):
+                        return True
+                else:
+                    folder = f + '/'
+                    if kf.find(folder) != -1:
+                        return True
+        return False
+
+    def count(self):
+        return len(self.file_arr)

bd_kernel_vulns-1.0/bd_kernel_vulns/VulnClass.py

@@ -0,0 +1,261 @@
+# from . import global_values
+# import config
+import re
+import datetime
+# import json
+
+
+class Vuln:
+    def __init__(self, data, conf, id='', cve_data=None):
+        self.comp_vuln_data = data
+        self.bdsa_data = None
+        self.cve_data = cve_data
+        self.linked_cve_data = None
+        self.id = id
+        self.in_kernel = True
+        if self.id == '':
+            # self.id = self.get_id()
+            if 'vulnerability' in self.comp_vuln_data:
+                self.id = self.comp_vuln_data['vulnerability']['vulnerabilityId']
+            else:
+                conf.logger.error('Unable to determine vuln id')
+
+    def get_id(self):
+        return self.id
+
+    def status(self):
+        try:
+            return self.comp_vuln_data['vulnerability']['remediationStatus']
+        except KeyError:
+            return ''
+
+    def severity(self):
+        try:
+            return self.comp_vuln_data['vulnerability']['severity']
+        except KeyError:
+            return ''
+
+    def related_vuln(self):
+        try:
+            return self.comp_vuln_data['vulnerability']['relatedVulnerability'].split('/')[-1]
+        except KeyError:
+            return ''
+
+    def component(self):
+        try:
+            return f"{self.comp_vuln_data['componentName']}/{self.comp_vuln_data['componentVersionName']}"
+        except KeyError:
+            return ''
+
+    def get_linked_vuln(self):
+        # vuln_url = f"{bd.base_url}/api/vulnerabilities/{self.id()}"
+        # vuln_data = self.get_data(bd, vuln_url, "application/vnd.blackducksoftware.vulnerability-4+json")
+
+        try:
+            if self.get_vuln_source() == 'BDSA':
+                if self.comp_vuln_data['vulnerability']['relatedVulnerability'] != '':
+                    cve = self.comp_vuln_data['vulnerability']['relatedVulnerability'].split("/")[-1]
+                    return cve
+
+                # for x in self.comp_vuln_data['_meta']['links']:
+                #     if x['rel'] == 'related-vulnerability':
+                #         if x['label'] == 'NVD':
+                #             cve = x['href'].split("/")[-1]
+                #             return cve
+                #         break
+            else:
+                return ''
+        except KeyError:
+            return ''
+
+    @staticmethod
+    def get_data(bd, url, accept_hdr):
+        headers = {
+            'accept': accept_hdr,
+        }
+        res = bd.get_json(url, headers=headers)
+        return res
+
+    def get_component(self):
+        try:
+            return self.comp_vuln_data['componentName']
+        except KeyError:
+            return ''
+
+    def vuln_url(self, bd):
+        return f"{bd.base_url}/api/vulnerabilities/{self.get_id()}"
+
+    def url(self):
+        try:
+            return self.comp_vuln_data['_meta']['href']
+        except KeyError:
+            return ''
+
+    def get_associated_vuln_url(self, bd):
+        return f"{bd.base_url}/api/vulnerabilities/{self.get_linked_vuln()}"
+
+    def is_ignored(self):
+        if self.comp_vuln_data['ignored']:
+            return True
+        if 'vulnerability' in self.comp_vuln_data:
+            if self.comp_vuln_data['vulnerability']['remediationStatus'] == 'IGNORED':
+                return True
+            else:
+                return False
+        else:
+            return False
+
+    def add_data(self, data):
+        try:
+            if data['source'] == 'BDSA':
+                self.bdsa_data = data
+            elif data['source'] == 'NVD':
+                self.cve_data = data
+        except KeyError:
+            return
+
+    def add_linked_cve_data(self, data):
+        self.linked_cve_data = data
+
+    @staticmethod
+    def find_sourcefile(sline):
+        pattern = r'[\w/\.-]+\.[ch]\b'
+        res = re.findall(pattern, sline)
+        arr = []
+        for str in res:
+            if str not in arr:
+                arr.append(str)
+        return arr
+
+    def get_vuln_source(self):
+        try:
+            if 'source' in self.comp_vuln_data and self.comp_vuln_data['source'] != '':
+                return self.comp_vuln_data['source']
+            elif self.get_id().startswith('BDSA-'):
+                return 'BDSA'
+            elif self.get_id().startswith('CVE-'):
+                return 'NVD'
+            else:
+                return ''
+
+        except KeyError:
+            return ''
+
+    def process_kernel_vuln(self, conf):
+        try:
+            sourcefiles = []
+            if self.get_vuln_source() == 'NVD':
+                sourcefiles = self.find_sourcefile(self.cve_data['description'])
+                if len(sourcefiles) == 0:
+                    desc = self.cve_data['description'].replace('\n', ' ')
+                    conf.logger.debug(f"CVE {self.get_id()} - Description: {desc}")
+            elif self.get_vuln_source() == 'BDSA':
+                sourcefiles = self.find_sourcefile(self.bdsa_data['description'])
+                if len(sourcefiles) == 0:
+                    sourcefiles = self.find_sourcefile(self.bdsa_data['technicalDescription'])
+                    if len(sourcefiles) == 0:
+                        bdsa = self.bdsa_data['description'].replace('\n', ' ')
+                        conf.logger.debug(f"BDSA {self.get_id()} - Description: {bdsa}")
+                        tech = self.bdsa_data['technicalDescription'].replace('\n', ' ')
+                        conf.logger.debug(f"BDSA {self.get_id()} - Technical Description: {tech}")
+                        if self.linked_cve_data:
+                            # No source file found - need to check for linked CVE
+                            sourcefiles = self.find_sourcefile(self.linked_cve_data['description'])
+                            cve = self.linked_cve_data['description'].replace('\n', ' ')
+                            conf.logger.debug(f"Linked CVE Description: {cve}")
+
+            return sourcefiles
+            # print(f"{self.get_id()}: {sourcefile}")
+        except KeyError:
+            return []
+
+    def is_kernel_vuln(self):
+        if self.comp_vuln_data['componentName'] == 'Linux Kernel':
+            return True
+        return False
+
+    def set_not_in_kernel(self):
+        self.in_kernel = False
+
+    def ignore_vuln(self, bd, logger):
+        try:
+            # vuln_name = comp['vulnerabilityWithRemediation']['vulnerabilityName']
+            x = datetime.datetime.now()
+            mydate = x.strftime("%x %X")
+
+            payload = self.comp_vuln_data
+            # payload['remediationJustification'] = "NO_CODE"
+            payload[
+                'comment'] = (f"Remediated by bd-vulns utility {mydate} - "
+                              f"vuln refers to source file not compiled in kernel")
+            payload['remediationStatus'] = "IGNORED"
+
+            # result = hub.execute_put(comp['_meta']['href'], data=comp)
+            href = self.comp_vuln_data['_meta']['href']
+            # href = '/'.join(href.split('/')[3:])
+            r = bd.session.put(href, json=self.comp_vuln_data)
+            r.raise_for_status()
+            if r.status_code != 202:
+                raise Exception(f"PUT returned {r.status_code}")
+            return True
+
+        except Exception as e:
+            logger.error("Unable to update vulnerabilities via API\n" + str(e))
+            return False
+
+    async def async_get_vuln_data(self, bd, conf, session, token):
+        if conf.bd_trustcert:
+            ssl = False
+        else:
+            ssl = None
+
+        headers = {
+            # 'accept': "application/vnd.blackducksoftware.bill-of-materials-6+json",
+            'Authorization': f'Bearer {token}',
+        }
+        # resp = globals.bd.get_json(thishref, headers=headers)
+        async with session.get(self.vuln_url(bd), headers=headers, ssl=ssl) as resp:
+            result_data = await resp.json()
+        return self.get_id(), result_data
+
+    async def async_get_associated_vuln_data(self, bd, conf, session, token):
+        if conf.bd_trustcert:
+            ssl = False
+        else:
+            ssl = None
+
+        headers = {
+            # 'accept': "application/vnd.blackducksoftware.bill-of-materials-6+json",
+            'Authorization': f'Bearer {token}',
+        }
+        # resp = globals.bd.get_json(thishref, headers=headers)
+        async with session.get(self.get_associated_vuln_url(bd), headers=headers, ssl=ssl) as resp:
+            result_data = await resp.json()
+        return self.get_id(), result_data
+
+    async def async_ignore_vuln(self, conf, session, token):
+        if conf.bd_trustcert:
+            ssl = False
+        else:
+            ssl = None
+
+        headers = {
+            # 'accept': "application/vnd.blackducksoftware.bill-of-materials-6+json",
+            'Authorization': f'Bearer {token}',
+        }
+        # resp = globals.bd.get_json(thishref, headers=headers)
+        x = datetime.datetime.now()
+        mydate = x.strftime("%x %X")
+
+        payload = self.comp_vuln_data
+        # payload['remediationJustification'] = "NO_CODE"
+        payload['comment'] = (f"Remediated by bd-vulns utility {mydate} - "
+                              f"vuln refers to source file not compiled in kernel")
+        payload['remediationStatus'] = "IGNORED"
+
+        conf.logger.debug(f"{self.id} - {self.url()}")
+        async with session.put(self.url(), headers=headers, json=payload, ssl=ssl) as response:
+            res = response.status
+
+        # print(res)
+        return self.get_id(), res

bd_kernel_vulns-1.0/bd_kernel_vulns/VulnListClass.py

@@ -0,0 +1,140 @@
+import aiohttp
+import asyncio
+from .VulnClass import Vuln
+# import config
+from .KernelSourceClass import KernelSource
+# from . import global_values
+
+# logger = config.setup_logger('kernel-vulns')
+
+
+class VulnList:
+    def __init__(self):
+        self.vulns = []
+        self.associated_vulns = []
+
+    def add_comp_data(self, data, conf):
+        conf.logger.debug(f"Vulnlist: processing {len(data)} vulns from compdata")
+        ignored = 0
+        for vulndata in data:
+            # if vulndata['ignored']:
+            #     ignored += 1
+            #     continue
+            vuln = Vuln(vulndata, conf.logger)
+            if not vuln:
+                conf.logger.error(f"Unable to process vuln entry {vulndata}")
+                continue
+            if vuln.is_ignored():
+                ignored += 1
+                continue
+            if vuln.is_kernel_vuln():
+                self.vulns.append(vuln)
+        conf.logger.debug(f"Skipped {ignored} ignored vulns")
+
+    def get_vuln(self, id):
+        for vuln in self.vulns:
+            if id == vuln.get_id():
+                return vuln
+        # global_values.logger.error(f"Unable to find vuln {id} in vuln list")
+        return None
+
+    def is_associated_vuln(self, id):
+        for vuln in self.associated_vulns:
+            if vuln == id:
+                return True
+        return False
+
+    def add_vuln_data(self, data, conf):
+        try:
+            conf.logger.debug(f"Vulnlist: adding {len(data)} vulns from asyncdata")
+            for id, entry in data.items():
+                # if id.startswith('CVE-'):   # DEBUG
+                #     global_values.logger.info(f"add_vuln_data(): Working on {id}")
+                if not self.is_associated_vuln(id):
+                    vuln = self.get_vuln(id)
+                    if vuln:
+                        # vuln is in standard list (not a linked vuln)
+                        if vuln.is_ignored():
+                            continue
+                        vuln.add_data(entry)
+                        if vuln.get_vuln_source() == 'BDSA':
+                            linked_vuln = vuln.get_linked_vuln()
+                            if linked_vuln:
+                                if linked_vuln in data.keys():
+                                    vuln.add_linked_cve_data(data[linked_vuln])
+                                    self.associated_vulns.append(id)
+        except KeyError as e:
+            conf.logger.error(f"add_vuln_data(): Key Error {e}")
+
+        return
+
+    def process_kernel_vulns(self, conf, kfiles: KernelSource):
+        for vuln in self.vulns:
+            if vuln.is_ignored() or vuln.get_id() in self.associated_vulns:
+                continue
+            files = vuln.process_kernel_vuln(conf)
+            if len(files) == 0 or kfiles.check_files(files):
+                conf.logger.debug(f"VULN IN KERNEL: {vuln.get_id()} - {files}")
+            else:
+                conf.logger.debug(f"VULN NOT IN KERNEL: {vuln.get_id()} - {files}")
+                vuln.set_not_in_kernel()
+
+    def count(self):
+        return len(self.vulns)
+
+    def count_in_kernel(self):
+        count = 0
+        for vuln in self.vulns:
+            if vuln.in_kernel:
+                count += 1
+
+        return count
+
+    # def remediate_vulns(self):
+    #     for vuln in self.vulns:
+
+    def ignore_vulns(self, bd, conf):  # DEBUG
+        for vuln in self.vulns:
+            vuln.ignore_vuln(bd, conf)
+
+    async def async_get_vuln_data(self, bd, conf):
+        token = bd.session.auth.bearer_token
+
+        async with aiohttp.ClientSession(trust_env=True) as session:
+            vuln_tasks = []
+            for vuln in self.vulns:
+                if vuln.is_ignored():
+                    continue
+
+                vuln_task = asyncio.ensure_future(vuln.async_get_vuln_data(bd, conf, session, token))
+                vuln_tasks.append(vuln_task)
+
+                if vuln.get_vuln_source() == 'BDSA':
+                    linked_vuln = vuln.get_linked_vuln()
+                    if linked_vuln != '':
+                        lvuln = Vuln({}, conf, linked_vuln)
+                        self.associated_vulns.append(lvuln)
+                        vuln_task = asyncio.ensure_future(lvuln.async_get_vuln_data(bd, conf, session, token))
+                        vuln_tasks.append(vuln_task)
+
+            vuln_data = dict(await asyncio.gather(*vuln_tasks))
+            await asyncio.sleep(0.250)
+
+        return vuln_data
+
+    async def async_ignore_vulns(self, bd):
+        token = bd.session.auth.bearer_token
+
+        async with aiohttp.ClientSession(trust_env=True) as session:
+            vuln_tasks = []
+            for vuln in self.vulns:
+                if vuln.is_ignored() or vuln.in_kernel:
+                    continue
+
+                vuln_task = asyncio.ensure_future(vuln.async_ignore_vuln(bd, session, token))
+                vuln_tasks.append(vuln_task)
+
+            vuln_data = dict(await asyncio.gather(*vuln_tasks))
+            await asyncio.sleep(0.250)
+
+        return vuln_data

bd_kernel_vulns-1.0/bd_kernel_vulns/config.py

@@ -0,0 +1,104 @@
+import os
+import argparse
+import sys
+import logging
+
+# from . import global_values
+
+parser = argparse.ArgumentParser(description='Black Duck vulns', prog='bd_vulns')
+
+# parser.add_argument("projfolder", nargs="?", help="Yocto project folder to analyse", default=".")
+
+parser.add_argument("--blackduck_url", type=str, help="Black Duck server URL (REQUIRED)", default="")
+parser.add_argument("--blackduck_api_token", type=str, help="Black Duck API token (REQUIRED)", default="")
+parser.add_argument("--blackduck_trust_cert", help="Black Duck trust server cert", action='store_true')
+parser.add_argument("-p", "--project", help="Black Duck project to process (REQUIRED)", default="")
+parser.add_argument("-v", "--version", help="Black Duck project version to process (REQUIRED)", default="")
+parser.add_argument("--debug", help="Debug logging mode", action='store_true')
+parser.add_argument("--logfile", help="Logging output file", default="")
+parser.add_argument("-k", "--kernel_source_file", help="Kernel source files list (REQUIRED)", default="")
+parser.add_argument("--folders", help="Kernel Source file only contains folders to be used to map vulns",
+                    action='store_true')
+
+def check_args(args):
+    terminate = False
+    if args.debug:
+        loglevel = logging.DEBUG
+    else:
+        loglevel = logging.INFO
+    # global_values.logging_level = loglevel
+    global_values.logfile = args.logfile
+
+    global_values.logger = setup_logger('kernel-vulns', loglevel)
+
+    global_values.logger.debug("ARGUMENTS:")
+    for arg in vars(args):
+        global_values.logger.debug(f"--{arg}={getattr(args, arg)}")
+    global_values.logger.debug('')
+
+    url = os.environ.get('BLACKDUCK_URL')
+    if args.blackduck_url != '':
+        global_values.bd_url = args.blackduck_url
+    elif url is not None:
+        global_values.bd_url = url
+    else:
+        global_values.logger.error("Black Duck URL not specified")
+        terminate = True
+
+    if args.project != "" and args.version != "":
+        global_values.bd_project = args.project
+        global_values.bd_version = args.version
+    else:
+        global_values.logger.error("Black Duck project/version not specified")
+        terminate = True
+
+    api = os.environ.get('BLACKDUCK_API_TOKEN')
+    if args.blackduck_api_token != '':
+        global_values.bd_api = args.blackduck_api_token
+    elif api is not None:
+        global_values.bd_api = api
+    else:
+        global_values.logger.error("Black Duck API Token not specified")
+        terminate = True
+
+    trustcert = os.environ.get('BLACKDUCK_TRUST_CERT')
+    if trustcert == 'true' or args.blackduck_trust_cert:
+        global_values.bd_trustcert = True
+
+    if args.kernel_source_file != '':
+        if not os.path.exists(args.kernel_source_file):
+            global_values.logger.error(f"Supplied kernel source list file '{args.kernel_source_file}' does not exist")
+            terminate = True
+        else:
+            global_values.kernel_source_file = args.kernel_source_file
+    else:
+        global_values.logger.error(f"Kernel source list file required (--kernel_source_list)")
+        terminate = True
+
+    if args.folders == 'true':
+        global_values.folders = True
+
+    if terminate:
+        sys.exit(2)
+    return
+
+
+def setup_logger(name: str, level) -> logging.Logger:
+    logger = logging.getLogger(name)
+    logger.setLevel(level)
+
+    if not logger.hasHandlers():  # Avoid duplicate handlers
+        formatter = logging.Formatter(
+            '%(asctime)s - %(name)s - %(levelname)s - %(message)s'
+        )
+
+        console_handler = logging.StreamHandler()
+        console_handler.setFormatter(formatter)
+        logger.addHandler(console_handler)
+
+        if global_values.logfile != '':
+            file_handler = logging.FileHandler(global_values.logfile)
+            file_handler.setFormatter(formatter)
+            logger.addHandler(file_handler)
+
+    return logger

bd_kernel_vulns-1.0/bd_kernel_vulns/global_values.py

@@ -0,0 +1,11 @@
+bd_api = ''
+bd_url = ''
+bd_trustcert = False
+
+bd_project = ''
+bd_version = ''
+logger = None
+logfile = ''
+kernel_source_file = ''
+folders = False
+debug = False

bd_kernel_vulns-1.0/bd_kernel_vulns/main.py

@@ -0,0 +1,67 @@
+# from . import global_values
+from .BOMClass import BOM
+# from . import config
+from .KernelSourceClass import KernelSource
+from .ConfigClass import Config
+import sys
+
+# logger = config.setup_logger('kernel-vulns')
+
+
+def main():
+    conf = Config()
+    conf.get_cli_args()
+
+    process(conf)
+    # config.check_args(args)
+    
+    sys.exit(0)
+
+
+def process_kernel_vulns(blackduck_url, blackduck_api_token, kernel_source_file,
+                         project, version, logger, blackduck_trust_cert=False, folders=''):
+    conf = Config()
+    conf.bd_url = blackduck_url
+    conf.bd_api = blackduck_api_token
+    conf.bd_project = project
+    conf.bd_version = version
+    conf.logger = logger
+    conf.bd_trustcert = blackduck_trust_cert
+    conf.folders = folders
+    conf.kernel_source_file = kernel_source_file
+
+    process(conf)
+
+    return
+
+
+def process(conf):
+    kfiles = KernelSource(conf)
+    conf.logger.debug(f"Read {kfiles.count()} source entries from kernel source file "
+                      f"'{conf.kernel_source_file}'")
+
+    bom = BOM(conf)
+    if bom.check_kernel_comp():
+        conf.logger.warn("Linux Kernel not found in project - terminating")
+        sys.exit(-1)
+
+    bom.get_vulns(conf)
+    conf.logger.info(f"Found {bom.count_vulns()} kernel vulnerabilities from project")
+
+    # bom.print_vulns()
+    conf.logger.info("Get detailed data for vulnerabilities")
+    bom.process_data_async(conf)
+
+    conf.logger.info("Checking for kernel source file references in vulnerabilities")
+    bom.process_kernel_vulns(conf, kfiles)
+
+    conf.logger.info(f"Identified {bom.count_in_kernel_vulns()} in-scope kernel vulns "
+                     f"({bom.count_not_in_kernel_vulns()} not in-scope)")
+
+    conf.logger.info(f"Ignored {bom.ignore_vulns_async()} vulns")
+    # bom.ignore_vulns()
+    conf.logger.info("Done")
+
+
+if __name__ == '__main__':
+    main()

bd_kernel_vulns-1.0/bd_kernel_vulns.egg-info/PKG-INFO

@@ -0,0 +1,18 @@
+Metadata-Version: 2.4
+Name: bd_kernel_vulns
+Version: 1.0
+Summary: bd_kernel_vulns - Script to process the Linux Kernel in a BD project to assess vulns applicability based on supplied list of kernel source files (or folders)
+Author-email: Matthew Brady <mbrad@blackduck.com>
+Project-URL: Homepage, https://github.com/matthewb66/bd_kernel_vulns
+Project-URL: Issues, https://github.com/matthewb66/bd_kernel_vulns/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: blackduck>=1.1.3
+Requires-Dist: requests
+Requires-Dist: aiohttp
+Requires-Dist: asyncio
+Dynamic: license-file

bd_kernel_vulns-1.0/bd_kernel_vulns.egg-info/SOURCES.txt

@@ -0,0 +1,19 @@
+LICENSE
+pyproject.toml
+bd_kernel_vulns/BOMClass.py
+bd_kernel_vulns/ComponentClass.py
+bd_kernel_vulns/ComponentListClass.py
+bd_kernel_vulns/ConfigClass.py
+bd_kernel_vulns/KernelSourceClass.py
+bd_kernel_vulns/VulnClass.py
+bd_kernel_vulns/VulnListClass.py
+bd_kernel_vulns/__init__.py
+bd_kernel_vulns/config.py
+bd_kernel_vulns/global_values.py
+bd_kernel_vulns/main.py
+bd_kernel_vulns.egg-info/PKG-INFO
+bd_kernel_vulns.egg-info/SOURCES.txt
+bd_kernel_vulns.egg-info/dependency_links.txt
+bd_kernel_vulns.egg-info/entry_points.txt
+bd_kernel_vulns.egg-info/requires.txt
+bd_kernel_vulns.egg-info/top_level.txt

bd_kernel_vulns-1.0/bd_kernel_vulns.egg-info/dependency_links.txt

@@ -0,0 +1 @@
+

bd_kernel_vulns-1.0/bd_kernel_vulns.egg-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+bd-scan-yocto-via-sbom = bd_kernel_vulns:main.main

bd_kernel_vulns-1.0/bd_kernel_vulns.egg-info/requires.txt

@@ -0,0 +1,4 @@
+blackduck>=1.1.3
+requests
+aiohttp
+asyncio

bd_kernel_vulns-1.0/bd_kernel_vulns.egg-info/top_level.txt

@@ -0,0 +1 @@
+bd_kernel_vulns

bd_kernel_vulns-1.0/pyproject.toml

@@ -0,0 +1,31 @@
+[build-system]
+requires = ["setuptools>=67.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "bd_kernel_vulns"
+version = "1.0"
+authors = [
+  { name="Matthew Brady", email="mbrad@blackduck.com" },
+]
+description = "bd_kernel_vulns - Script to process the Linux Kernel in a BD project to assess vulns applicability based on supplied list of kernel source files (or folders)"
+readme = "README.md"
+requires-python = ">=3.8"
+classifiers = [
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Operating System :: OS Independent",
+]
+dependencies = [
+    "blackduck>=1.1.3",
+    "requests",
+    "aiohttp",
+    "asyncio"
+]
+
+[project.urls]
+Homepage = "https://github.com/matthewb66/bd_kernel_vulns"
+Issues = "https://github.com/matthewb66/bd_kernel_vulns/issues"
+
+[project.scripts]
+bd-scan-yocto-via-sbom = "bd_kernel_vulns:main.main"

bd_kernel_vulns-1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+