
Commit cbd23a1

committed
fix: improve systemd checker
- Drop "LIBSYSTEMD_([0-4]+[0-9]+[0-9]+)(?!.*LIBSYSTEMD_([0-4]+[0-9]+[0-9]+))" pattern as it raises false positives with dbus-daemon, libvirt, openvpn, etc., which contain LIBSYSTEMD_209 - While at it, replace MULTILINE by \r?\n for consistency with other checkers - freedesktop:systemd CPE ID has been deprecated in favor of systemd_project:systemd by NVD NIST in January 2022 Signed-off-by: Fabrice Fontaine <[email protected]>
1 parent caa5612 commit cbd23a1

20 files changed

+60
-83
lines changed

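--- a/cve_bin_tool/checkers/systemd.py
+++ b/cve_bin_tool/checkers/systemd.py
@@ -4,11 +4,8 @@
 """
 CVE checker for systemd
 
-https://www.cvedetails.com/product/38088/Freedesktop-Systemd.html?vendor_id=7971
+https://www.cvedetails.com/product/34874/Systemd-Project-Systemd.html?vendor_id=15978
 """
-
-from re import DOTALL, MULTILINE, compile
-
 from cve_bin_tool.checkers import Checker
 
 
@@ -20,37 +17,17 @@ class SystemdChecker(Checker):
     ]
     FILENAME_PATTERNS = [r"libsystemd.so."]
     VERSION_PATTERNS = [
-        compile(
-            r"LIBSYSTEMD_([0-4]+[0-9]+[0-9]+)(?!.*LIBSYSTEMD_([0-4]+[0-9]+[0-9]+))",
-            DOTALL,
-        ),
-        compile(r"^systemd (\d{2,4})", MULTILINE),
+        r"\r?\nsystemd (\d{2,4})",
         r"libsystemd-shared-([0-9]+)\.so", # patterns like this aren't ideal
         r"systemd-[a-z]+-([0-9]+)\.so", # patterns like this aren't ideal
         r"udev-([0-9]+)\.so", # patterns like this aren't ideal
         r"systemd v([0-9]+).* running in ",
         r"pam_systemd.so-([0-9]+)\.",
     ]
-    VENDOR_PRODUCT = [("freedesktop", "systemd")]
+    VENDOR_PRODUCT = [("systemd_project", "systemd")]
 
     """
     Using filenames (containing patterns like '.so' etc.) in the binaries as VERSION_PATTERNS aren't ideal.
     The reason behind this is that these might depend on who packages the file (like it
     might work on fedora but not on ubuntu)
     """
-
-    """
-    In some packages of systemd the version strings are present in
-
-    ```
-    LIBSYSTEMD_209
-    LIBSYSTEMD_211
-    ...
-    LIBSYSTEMD_245
-    LIBSYSTEMD_246
-    ```
-
-    this way. So we need to make sure the first regex pattern detects the last and latest version string.
-    Which is dealt by the regex r"LIBSYSTEMD_([0-4]+[0-9]+[0-9]+)(?!.*LIBSYSTEMD_([0-4]+[0-9]+[0-9]+))".
-    The regex uses negative lookahead and DOTALL to detect the last occurring match and returns it.
-    """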
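Review bot: Replacing `("freedesktop", "systemd")` outright in VENDOR_PRODUCT (new line 27) trades the false positives for possible false negatives: NVD deprecating a CPE name does not rewrite the configurations of CVEs already published against it, so any advisory still recorded as freedesktop:systemd would stop matching unless the project's CVE database maps deprecated CPEs itself. Keeping both pairs, `VENDOR_PRODUCT = [("freedesktop", "systemd"), ("systemd_project", "systemd")]`, preserves coverage of the older entries at no cost to the fix. Separately, `r"\r?\nsystemd (\d{2,4})"` (new line 20) only matches after a line break, whereas the dropped `^...MULTILINE` pattern also matched at the very start of the scanned text; whether that case can occur depends on how the extracted strings are joined before matching, which is outside this hunk. The `class SystemdChecker` header and the start of its first list lie before the hunk.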

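--- a/test/test_data/apache_http_server.py
+++ b/test/test_data/apache_http_server.py
@@ -15,6 +15,6 @@
         "package_name": "httpd-2.4.51-2.fc35.x86_64.rpm",
         "product": "http_server",
         "version": "2.4.51",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]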

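--- a/test/test_data/asterisk.py
+++ b/test/test_data/asterisk.py
@@ -19,27 +19,27 @@
         "package_name": "asterisk-18.12.1-1.fc37.1.aarch64.rpm",
         "product": "asterisk",
         "version": "18.12.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://rpmfind.net/linux/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/a/",
         "package_name": "asterisk-18.12.1-1.fc37.1.i686.rpm",
         "product": "asterisk",
         "version": "18.12.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.de.debian.org/debian/pool/main/a/asterisk/",
         "package_name": "asterisk_16.16.1~dfsg-1+deb11u1_arm64.deb",
         "product": "asterisk",
         "version": "16.16.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "https://downloads.openwrt.org/releases/22.03.0/packages/aarch64_generic/telephony/",
         "package_name": "asterisk_18.11.2-4_aarch64_generic.ipk",
         "product": "asterisk",
         "version": "18.11.2",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]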

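--- a/test/test_data/dbus.py
+++ b/test/test_data/dbus.py
@@ -20,27 +20,27 @@
         "package_name": "dbus-1.10.24-15.el7.x86_64.rpm",
         "product": "dbus",
         "version": "1.10.24",
-        "other_products": ["libdbus", "systemd"],
+        "other_products": ["libdbus"],
     },
     {
         "url": "http://ftp.altlinux.org/pub/distributions/ALTLinux/Sisyphus/x86_64/RPMS.classic/",
         "package_name": "libdbus-1.12.18-alt1.x86_64.rpm",
         "product": "libdbus",
         "version": "1.12.18",
-        "other_products": ["dbus", "systemd"],
+        "other_products": ["dbus"],
     },
     {
         "url": "http://archive.ubuntu.com/ubuntu/pool/main/d/dbus/",
         "package_name": "dbus_1.12.20-1ubuntu3_amd64.deb",
         "product": "dbus",
         "version": "1.12.20",
-        "other_products": ["libdbus", "systemd"],
+        "other_products": ["libdbus"],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/d/dbus/",
         "package_name": "dbus_1.8.22-0+deb8u1_amd64.deb",
         "product": "dbus",
         "version": "1.8.22",
-        "other_products": ["libdbus", "systemd"],
+        "other_products": ["libdbus"],
     },
 ]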

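--- a/test/test_data/gnomeshell.py
+++ b/test/test_data/gnomeshell.py
@@ -25,13 +25,13 @@
         "package_name": "gnome-shell_3.38.4-1ubuntu2_amd64.deb",
         "product": "gnome-shell",
         "version": "3.38.4",
-        "other_products": ["glibc", "systemd"],
+        "other_products": ["glibc"],
     },
     {
         "url": "https://download-ib01.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/Packages/g/",
         "package_name": "gnome-shell-40.2-1.fc35.x86_64.rpm",
         "product": "gnome-shell",
         "version": "40.2",
-        "other_products": ["glibc", "systemd"],
+        "other_products": ["glibc"],
     },
 ]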

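--- a/test/test_data/haproxy.py
+++ b/test/test_data/haproxy.py
@@ -19,27 +19,27 @@
         "package_name": "haproxy-1.8.4-2.fc28.x86_64.rpm",
         "product": "haproxy",
         "version": "1.8.4",
-        "other_products": ["gcc", "lua", "systemd"],
+        "other_products": ["gcc", "lua"],
     },
     {
         "url": "https://mirrors.edge.kernel.org/centos/7/os/x86_64/Packages/",
         "package_name": "haproxy-1.5.18-9.el7.x86_64.rpm",
         "product": "haproxy",
         "version": "1.5.18",
-        "other_products": ["gcc", "lua", "systemd"],
+        "other_products": ["gcc", "lua"],
     },
     {
         "url": "http://ftp.br.debian.org/debian/pool/main/h/haproxy/",
         "package_name": "haproxy_2.6.6-1_arm64.deb",
         "product": "haproxy",
         "version": "2.6.6",
-        "other_products": ["gcc", "lua", "systemd"],
+        "other_products": ["gcc", "lua"],
     },
     {
         "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/",
         "package_name": "haproxy_2.0.25-1_x86_64.ipk",
         "product": "haproxy",
         "version": "2.0.25",
-        "other_products": ["gcc", "lua", "systemd"],
+        "other_products": ["gcc", "lua"],
     },
 ]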

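--- a/test/test_data/jack2.py
+++ b/test/test_data/jack2.py
@@ -10,20 +10,20 @@
         "package_name": "jack-1.9.21-1.4.aarch64.rpm",
         "product": "jack2",
         "version": "1.9.21",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://rpmfind.net/linux/opensuse/ports/armv6hl/tumbleweed/repo/oss/armv6hl/",
         "package_name": "jack-1.9.21-1.4.armv6hl.rpm",
         "product": "jack2",
         "version": "1.9.21",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/j/jackd2/",
         "package_name": "jackd2_1.9.12~dfsg-2_amd64.deb",
         "product": "jack2",
         "version": "1.9.12",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]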

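--- a/test/test_data/janus.py
+++ b/test/test_data/janus.py
@@ -11,20 +11,20 @@
         "package_name": "janus-gateway-1.1.0-1.1.aarch64.rpm",
         "product": "janus",
         "version": "1.1.0",
-        "other_products": ["openssl", "systemd"],
+        "other_products": ["openssl"],
     },
     {
         "url": "http://rpmfind.net/linux/opensuse/ports/armv6hl/tumbleweed/repo/oss/armv6hl/",
         "package_name": "janus-gateway-1.1.0-1.1.armv6hl.rpm",
         "product": "janus",
         "version": "1.1.0",
-        "other_products": ["openssl", "systemd"],
+        "other_products": ["openssl"],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/j/janus/",
         "package_name": "janus_0.9.2-1~bpo10+1_amd64.deb",
         "product": "janus",
         "version": "0.9.2",
-        "other_products": ["openssl", "systemd"],
+        "other_products": ["openssl"],
     },
 ]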

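--- a/test/test_data/keepalived.py
+++ b/test/test_data/keepalived.py
@@ -14,34 +14,34 @@
         "package_name": "keepalived-2.2.7-3.fc37.aarch64.rpm",
         "product": "keepalived",
         "version": "2.2.7",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://rpmfind.net/linux/fedora-secondary/development/rawhide/Everything/ppc64le/os/Packages/k/",
         "package_name": "keepalived-2.2.7-3.fc37.ppc64le.rpm",
         "product": "keepalived",
         "version": "2.2.7",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/k/keepalived/",
         "package_name": "keepalived_1.2.13-1_amd64.deb",
         "product": "keepalived",
         "version": "1.2.13",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/k/keepalived/",
         "package_name": "keepalived_1.2.13-1_armel.deb",
         "product": "keepalived",
         "version": "1.2.13",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/packages/",
         "package_name": "keepalived_2.0.18-5_x86_64.ipk",
         "product": "keepalived",
         "version": "2.0.18",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]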

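--- a/test/test_data/libvirt.py
+++ b/test/test_data/libvirt.py
@@ -14,6 +14,6 @@
         "package_name": "libvirt-client-1.2.2-1.fc21.x86_64.rpm",
         "product": "libvirt",
         "version": "1.2.2",
-        "other_products": ["systemd"],
+        "other_products": [],
     }
 ]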

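--- a/test/test_data/nghttp2.py
+++ b/test/test_data/nghttp2.py
@@ -11,34 +11,34 @@
         "package_name": "nghttp2-1.50.0-7.1.riscv64.rpm",
         "product": "nghttp2",
         "version": "1.50.0",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://rpmfind.net/linux/opensuse/ports/aarch64/tumbleweed/repo/oss/aarch64/",
         "package_name": "nghttp2-1.50.0-1.1.aarch64.rpm",
         "product": "nghttp2",
         "version": "1.50.0",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/n/nghttp2/",
         "package_name": "libnghttp2-14_1.18.1-1+deb9u1_amd64.deb",
         "product": "nghttp2",
         "version": "1.18.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/n/nghttp2/",
         "package_name": "libnghttp2-14_1.18.1-1+deb9u1_arm64.deb",
         "product": "nghttp2",
         "version": "1.18.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "https://downloads.openwrt.org/releases/packages-19.07/x86_64/base/",
         "package_name": "libnghttp2-14_1.41.0-1_x86_64.ipk",
         "product": "nghttp2",
         "version": "1.41.0",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]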

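--- a/test/test_data/openvpn.py
+++ b/test/test_data/openvpn.py
@@ -10,13 +10,13 @@
         "package_name": "openvpn-2.4.1-1.fc25.x86_64.rpm",
         "product": "openvpn",
         "version": "2.4.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://rpmfind.net/linux/mageia/distrib/5/x86_64/media/core/updates/",
         "package_name": "openvpn-2.3.12-1.mga5.x86_64.rpm",
         "product": "openvpn",
         "version": "2.3.12",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]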

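--- a/test/test_data/pcsc_lite.py
+++ b/test/test_data/pcsc_lite.py
@@ -23,13 +23,13 @@
         "package_name": "pcsc-lite-1.9.1-1.fc33.x86_64.rpm",
         "product": "pcsc-lite",
         "version": "1.9.1",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://dl-cdn.alpinelinux.org/alpine/v3.11/main/x86_64/",
         "package_name": "pcsc-lite-1.8.25-r2.apk",
         "product": "pcsc-lite",
         "version": "1.8.25",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]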

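--- a/test/test_data/rsyslog.py
+++ b/test/test_data/rsyslog.py
@@ -10,20 +10,20 @@
         "package_name": "rsyslog-5.5.7-1.fc15.x86_64.rpm",
         "product": "rsyslog",
         "version": "5.5.7",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://archive.ubuntu.com/ubuntu/pool/main/r/rsyslog/",
         "package_name": "rsyslog_8.2112.0-2ubuntu2_amd64.deb",
         "product": "rsyslog",
         "version": "8.2112.0",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
     {
         "url": "http://dl-cdn.alpinelinux.org/alpine/v3.13/main/aarch64/",
         "package_name": "rsyslog-8.2012.0-r3.apk",
         "product": "rsyslog",
         "version": "8.2012.0",
-        "other_products": ["systemd"],
+        "other_products": [],
     },
 ]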

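--- a/test/test_data/squid.py
+++ b/test/test_data/squid.py
@@ -24,20 +24,20 @@
         "package_name": "squid_4.11-2~bpo10+1_amd64.deb",
         "product": "squid",
         "version": "4.11",
-        "other_products": ["kerberos", "systemd"],
+        "other_products": ["kerberos"],
     },
     {
         "url": "http://ftp.fr.debian.org/debian/pool/main/s/squid/",
         "package_name": "squid_4.11-2~bpo10+1_arm64.deb",
         "product": "squid",
         "version": "4.11",
-        "other_products": ["kerberos", "systemd"],
+        "other_products": ["kerberos"],
     },
     {
         "url": "https://downloads.openwrt.org/releases/packages-21.02/x86_64/packages/",
         "package_name": "squid_4.17-1_x86_64.ipk",
         "product": "squid",
         "version": "4.17",
-        "other_products": ["kerberos", "systemd"],
+        "other_products": ["kerberos"],
     },
 ]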
