78 lines
2.8 KiB
CMake
78 lines
2.8 KiB
CMake
# SPDX-FileCopyrightText: 2022 Blender Authors
|
|
#
|
|
# SPDX-License-Identifier: GPL-2.0-or-later
|
|
|
|
# CVE Check requirements
|
|
#
|
|
# - A working installation of intels cve-bin-tool [1] has to be available in
|
|
# your path
|
|
#
|
|
# - Not strictly required, but highly recommended is obtaining a NVD key from
|
|
# nist since it significantly speeds up downloading/updating the required
|
|
# databases one can request a key on the following website:
|
|
# https://nvd.nist.gov/developers/request-an-api-key
|
|
|
|
# Bill of Materials construction
|
|
#
|
|
# This constructs a CSV cve-bin-tool [1] can read and process. Sadly
|
|
# cve-bin-tool at this point does not take a list of CPE's and output a check
|
|
# based on that list. so we need to pick apart the CPE retrieve the vendor,
|
|
# product and version tokens and generate a CSV.
|
|
#
|
|
# [1] https://github.com/intel/cve-bin-tool
|
|
|
|
# Because not all deps are downloaded (ie python packages) but can still have a
|
|
# xxx_CPE declared loop over all variables and look for variables ending in CPE.
|
|
|
|
set(SBOMCONTENTS)
|
|
get_cmake_property(_variableNames VARIABLES)
|
|
foreach(_variableName ${_variableNames})
|
|
if(_variableName MATCHES "CPE$")
|
|
string(REPLACE ":" ";" CPE_LIST ${${_variableName}})
|
|
string(REPLACE "_CPE" "_ID" CPE_DEPNAME ${_variableName})
|
|
list(GET CPE_LIST 3 CPE_VENDOR)
|
|
list(GET CPE_LIST 4 CPE_NAME)
|
|
list(GET CPE_LIST 5 CPE_VERSION)
|
|
set(${CPE_DEPNAME} "${CPE_VENDOR},${CPE_NAME},${CPE_VERSION}")
|
|
set(SBOMCONTENTS "${SBOMCONTENTS}${CPE_VENDOR},${CPE_NAME},${CPE_VERSION},,,\n")
|
|
endif()
|
|
endforeach()
|
|
configure_file(${CMAKE_SOURCE_DIR}/cmake/cve_check.csv.in ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv @ONLY)
|
|
|
|
# Custom Targets
|
|
#
|
|
# This defines two new custom targets one could run in the build folder
|
|
# `cve_check` which will output the report to the console, and `cve_check_html`
|
|
# which will write out blender_dependencies.html in the build folder that one
|
|
# could share with other people or be used to get more information on the
|
|
# reported CVE's.
|
|
#
|
|
# cve-bin-tool takes data from the nist nvd database which rate limits
|
|
# unauthenticated requests to 1 requests per 6 seconds making the database
|
|
# download take "quite a bit" of time.
|
|
#
|
|
# When adding -DCVE_CHECK_NVD_KEY=your_api_key_here to your cmake invocation
|
|
# this key will be passed on to cve-bin-tool speeding up the process.
|
|
#
|
|
if(DEFINED CVE_CHECK_NVD_KEY)
|
|
set(NVD_ARGS --nvd-api-key ${CVE_CHECK_NVD_KEY})
|
|
endif()
|
|
|
|
# This will just report to the console
|
|
add_custom_target(cve_check
|
|
COMMAND cve-bin-tool
|
|
${NVD_ARGS}
|
|
-i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
|
|
--affected-versions
|
|
SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
|
|
)
|
|
|
|
# This will write out blender_dependencies.html
|
|
add_custom_target(cve_check_html
|
|
COMMAND cve-bin-tool
|
|
${NVD_ARGS}
|
|
-i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
|
|
-f html
|
|
SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
|
|
)
|