[Bf-blender-cvs] [2db9bfb6d88] blender-v3.3-release: deps_builder: Add support for cve-bin-tool

Thu Nov 3 15:04:27 CET 2022

Commit: 2db9bfb6d8844aea27b07c963673c3ce3393079d
Author: Ray Molenkamp
Date:   Mon Oct 10 11:48:05 2022 -0600
Branches: blender-v3.3-release
https://developer.blender.org/rB2db9bfb6d8844aea27b07c963673c3ce3393079d

deps_builder: Add support for cve-bin-tool

This change adds support for intels cve-bin-tool [1]
in the deps builder. This adds 2 new targets to the
builder that do not build automatically but can be
build on demand when required.

`make cve_check` will output to the console.
`make cve_check_html` will output a html file that
can be shared with other people.

Requirements:

- A working installation of cve-bin-tool on the system

Not required but higly recommended:

- Obtaining a key from the nvd [2] to speed up the
  database download. you can pass the key to cmake
  using `-DCVE_CHECK_NVD_KEY=your_api_key`

[1] https://github.com/intel/cve-bin-tool
[2] https://nvd.nist.gov/developers/request-an-api-key

Reviewed By: brecht

Differential Revision: https://developer.blender.org/D16160

===================================================================

M	build_files/build_environment/CMakeLists.txt
A	build_files/build_environment/cmake/cve_check.cmake
A	build_files/build_environment/cmake/cve_check.csv.in
M	build_files/build_environment/cmake/versions.cmake

===================================================================

diff --git a/build_files/build_environment/CMakeLists.txt b/build_files/build_environment/CMakeLists.txt
index 856fe7b32ff..2cd225ebc85 100644
--- a/build_files/build_environment/CMakeLists.txt
+++ b/build_files/build_environment/CMakeLists.txt
@@ -172,3 +172,4 @@ if(UNIX AND NOT APPLE)
 endif()
 
 include(cmake/harvest.cmake)
+include(cmake/cve_check.cmake)
diff --git a/build_files/build_environment/cmake/cve_check.cmake b/build_files/build_environment/cmake/cve_check.cmake
new file mode 100644
index 00000000000..dfb190bcffa
--- /dev/null
+++ b/build_files/build_environment/cmake/cve_check.cmake
@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# CVE Check requirements
+#
+# - A working installation of intels cve-bin-tool [1] has to be available in
+#   your path
+#
+# - Not strictly required, but highly recommended is obtaining a NVD key from
+#   nist since it significantly speeds up downloading/updating the required
+#   databases one can request a key on the following website:
+#   https://nvd.nist.gov/developers/request-an-api-key
+
+# Bill of Materials construction
+#
+# This constructs a CSV cve-bin-tool [1] can read and process. Sadly
+# cve-bin-tool at this point does not take a list of CPE's and output a check
+# based on that list. so we need to pick apart the CPE retrieve the vendor,
+# product and version tokens and generate a CSV.
+#
+# [1] https://github.com/intel/cve-bin-tool
+
+# Because not all deps are downloaded (ie python packages) but can still have a
+# xxx_CPE declared loop over all variables and look for variables ending in CPE.
+
+set(SBOMCONTENTS)
+get_cmake_property(_variableNames VARIABLES)
+foreach (_variableName ${_variableNames})
+  if(_variableName MATCHES "CPE$")
+      string(REPLACE ":" ";" CPE_LIST ${${_variableName}})
+      list(GET CPE_LIST 3 CPE_VENDOR)
+      list(GET CPE_LIST 4 CPE_NAME)
+      list(GET CPE_LIST 5 CPE_VERSION)
+      set(SBOMCONTENTS "${SBOMCONTENTS}${CPE_VENDOR},${CPE_NAME},${CPE_VERSION}\n")
+  endif()
+endforeach()
+configure_file(${CMAKE_SOURCE_DIR}/cmake/cve_check.csv.in ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv @ONLY)
+
+# Custom Targets
+#
+# This defines two new custom targets one could run in the build folder
+# `cve_check` which will output the report to the console, and `cve_check_html`
+# which will write out blender_dependencies.html in the build folder that one
+# could share with other people or be used to get more information on the
+# reported CVE's.
+#
+# cve-bin-tool takes data from the nist nvd database which rate limits
+# unauthenticated requests to 1 requests per 6 seconds making the database
+# download take "quite a bit" of time.
+#
+# When adding -DCVE_CHECK_NVD_KEY=your_api_key_here to your cmake invocation
+# this key will be passed on to cve-bin-tool speeding up the process.
+#
+if(DEFINED CVE_CHECK_NVD_KEY)
+  set(NVD_ARGS --nvd-api-key ${CVE_CHECK_NVD_KEY})
+endif()
+
+# This will just report to the console
+add_custom_target(cve_check
+  COMMAND cve-bin-tool
+    ${NVD_ARGS}
+    -i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+    --affected-versions
+  SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+)
+
+# This will write out blender_dependencies.html
+add_custom_target(cve_check_html
+  COMMAND cve-bin-tool
+    ${NVD_ARGS}
+    -i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+    -f html
+  SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+)
diff --git a/build_files/build_environment/cmake/cve_check.csv.in b/build_files/build_environment/cmake/cve_check.csv.in
new file mode 100644
index 00000000000..6e7e8db5609
--- /dev/null
+++ b/build_files/build_environment/cmake/cve_check.csv.in
@@ -0,0 +1,2 @@
+vendor,product,version
+ at SBOMCONTENTS@
diff --git a/build_files/build_environment/cmake/versions.cmake b/build_files/build_environment/cmake/versions.cmake
index 9dd6d3273cf..b4ed50c2679 100644
--- a/build_files/build_environment/cmake/versions.cmake
+++ b/build_files/build_environment/cmake/versions.cmake
@@ -1,10 +1,19 @@
 # SPDX-License-Identifier: GPL-2.0-or-later
 
+# CPE's are used to identify dependencies, for more information on what they
+# are please see https://nvd.nist.gov/products/cpe
+#
+# We use them in combination with cve-bin-tool to scan for known security issues.
+#
+# Not all of our dependencies are currently in the nvd database so not all
+# dependencies have one assigned.
+
 set(ZLIB_VERSION 1.2.12)
 set(ZLIB_URI https://zlib.net/zlib-${ZLIB_VERSION}.tar.gz)
 set(ZLIB_HASH 5fc414a9726be31427b440b434d05f78)
 set(ZLIB_HASH_TYPE MD5)
 set(ZLIB_FILE zlib-${ZLIB_VERSION}.tar.gz)
+set(ZLIB_CPE "cpe:2.3:a:zlib:zlib:${ZLIB_VERSION}:*:*:*:*:*:*:*")
 
 set(OPENAL_VERSION 1.21.1)
 set(OPENAL_URI http://openal-soft.org/openal-releases/openal-soft-${OPENAL_VERSION}.tar.bz2)
@@ -17,12 +26,14 @@ set(PNG_URI http://prdownloads.sourceforge.net/libpng/libpng-${PNG_VERSION}.tar.
 set(PNG_HASH 505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca)
 set(PNG_HASH_TYPE SHA256)
 set(PNG_FILE libpng-${PNG_VERSION}.tar.xz)
+set(PNG_CPE "cpe:2.3:a:libpng:libpng:${PNG_VERSION}:*:*:*:*:*:*:*")
 
 set(JPEG_VERSION 2.1.3)
 set(JPEG_URI https://github.com/libjpeg-turbo/libjpeg-turbo/archive/${JPEG_VERSION}.tar.gz)
 set(JPEG_HASH 627b980fad0573e08e4c3b80b290fc91)
 set(JPEG_HASH_TYPE MD5)
 set(JPEG_FILE libjpeg-turbo-${JPEG_VERSION}.tar.gz)
+set(JPEG_CPE "cpe:2.3:a:d.r.commander:libjpeg-turbo:${JPEG_VERSION}:*:*:*:*:*:*:*")
 
 set(BOOST_VERSION 1.78.0)
 set(BOOST_VERSION_SHORT 1.78)
@@ -32,12 +43,14 @@ set(BOOST_URI https://boostorg.jfrog.io/artifactory/main/release/${BOOST_VERSION
 set(BOOST_HASH c2f6428ac52b0e5a3c9b2e1d8cc832b5)
 set(BOOST_HASH_TYPE MD5)
 set(BOOST_FILE boost_${BOOST_VERSION_NODOTS}.tar.gz)
+set(BOOST_CPE "cpe:2.3:a:boost:boost:${BOOST_VERSION}:*:*:*:*:*:*:*")
 
 set(BLOSC_VERSION 1.21.1)
 set(BLOSC_URI https://github.com/Blosc/c-blosc/archive/v${BLOSC_VERSION}.tar.gz)
 set(BLOSC_HASH 134b55813b1dca57019d2a2dc1f7a923)
 set(BLOSC_HASH_TYPE MD5)
 set(BLOSC_FILE blosc-${BLOSC_VERSION}.tar.gz)
+set(BLOSC_CPE "cpe:2.3:a:c-blosc2_project:c-blosc2:${BLOSC_VERSION}:*:*:*:*:*:*:*")
 
 set(PTHREADS_VERSION 3.0.0)
 set(PTHREADS_URI http://prdownloads.sourceforge.net/pthreads4w/pthreads4w-code-v${PTHREADS_VERSION}.zip)
@@ -50,6 +63,7 @@ set(OPENEXR_URI https://github.com/AcademySoftwareFoundation/openexr/archive/v${
 set(OPENEXR_HASH a92f38eedd43e56c0af56d4852506886)
 set(OPENEXR_HASH_TYPE MD5)
 set(OPENEXR_FILE openexr-${OPENEXR_VERSION}.tar.gz)
+set(OPENEXR_CPE "cpe:2.3:a:openexr:openexr:${OPENEXR_VERSION}:*:*:*:*:*:*:*")
 
 set(IMATH_VERSION 3.1.5)
 set(IMATH_URI https://github.com/AcademySoftwareFoundation/Imath/archive/v${OPENEXR_VERSION}.tar.gz)
@@ -79,6 +93,7 @@ set(FREETYPE_URI http://prdownloads.sourceforge.net/freetype/freetype-${FREETYPE
 set(FREETYPE_HASH bd4e3b007474319909a6b79d50908e85)
 set(FREETYPE_HASH_TYPE MD5)
 set(FREETYPE_FILE freetype-${FREETYPE_VERSION}.tar.gz)
+SET(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")
 
 set(GLEW_VERSION 1.13.0)
 set(GLEW_URI http://prdownloads.sourceforge.net/glew/glew/${GLEW_VERSION}/glew-${GLEW_VERSION}.tgz)
@@ -97,6 +112,7 @@ set(ALEMBIC_URI https://github.com/alembic/alembic/archive/${ALEMBIC_VERSION}.ta
 set(ALEMBIC_HASH 2cd8d6e5a3ac4a014e24a4b04f4fadf9)
 set(ALEMBIC_HASH_TYPE MD5)
 set(ALEMBIC_FILE alembic-${ALEMBIC_VERSION}.tar.gz)
+SET(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")
 
 set(OPENSUBDIV_VERSION v3_4_4)
 set(OPENSUBDIV_URI https://github.com/PixarAnimationStudios/OpenSubdiv/archive/${OPENSUBDIV_VERSION}.tar.gz)
@@ -109,6 +125,7 @@ set(SDL_URI https://www.libsdl.org/release/SDL2-${SDL_VERSION}.tar.gz)
 set(SDL_HASH a53acc02e1cca98c4123229069b67c9e)
 set(SDL_HASH_TYPE MD5)
 set(SDL_FILE SDL2-${SDL_VERSION}.tar.gz)
+set(SDL_CPE "cpe:2.3:a:libsdl:sdl:${SDL_VERSION}:*:*:*:*:*:*:*")
 
 set(OPENCOLLADA_VERSION v1.6.68)
 set(OPENCOLLADA_URI https://github.com/KhronosGroup/OpenCOLLADA/archive/${OPENCOLLADA_VERSION}.tar.gz)
@@ -127,6 +144,7 @@ set(LLVM_URI https://github.com/llvm/llvm-project/releases/download/llvmorg-${LL
 set(LLVM_HASH 5a4fab4d7fc84aefffb118ac2c8a4fc0)
 set(LLVM_HASH_TYPE MD5)
 set(LLVM_FILE llvm-project-${LLVM_VERSION}.src.tar.xz)
+set(LLVM_CPE "cpe:2.3:a:llvm:compiler:${LLVM_VERSION}:*:*:*:*:*:*:*")
 
 if(APPLE)
   # Cloth physics test is crashing due to this bug:
@@ -154,6 +172,7 @@ set(FMT_URI https://github.com/fmtlib/fmt/archive/refs/tags/${FMT_VERSION}.tar.g
 set(FMT_HASH 7bce0e9e022e586b178b150002e7c2339994e3c2bbe44027e9abb0d60f9cce83)
 set(FMT_HASH_TYPE SHA256)
 set(FMT_FILE fmt-${FMT_VERSION}.tar.gz)
+set(FMT_CPE "cpe:2.3:a:fmt:fmt:${FMT_VERSION}:*:*:*:*:*:*:*")
 
 # 0.6.2 is currently oiio's preferred version although never versions may be available.
 # the preferred version can be found in oiio's externalpackages.cmake
@@ -168,6 +187,7 @@ set(TIFF_URI http://download.osgeo.org/libtiff/tiff-${TIFF_VERSION}.tar.gz)
 set(TIFF_HASH 376f17f189e9d02280dfe709b2b2bbea)
 set(TIFF_HASH_TYPE MD5)
 set(TIFF_FILE tiff-${TIFF_VERSION}.tar.gz)
+set(TIFF_CPE "cpe:2.3:a:libtiff:libtiff:${TIFF_VERSION}:*:*:*:*:*:*:*")
 
 set(OSL_VERSION 1.11.17.0)
 set(OSL_URI https://github.com/imageworks/OpenShadingLanguage/archive/Release-${OSL_VERSION}.tar.gz)
@@ -182,12 +202,15 @@ set(PYTHON_URI https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTH
 set(PYTHON_HASH 14e8c22458ed7779a1957b26cde01db9)
 set(PYTHON_HASH_TYPE MD5)
 set(PYTHON_FILE Python-${PYTHON_VERSION}.tar.xz)
+set(PYTHON_CPE "cpe:2.3:a:python:python:${PYTHON_VERSION}:-:*:*:*:*:*:*")
 
-set(TBB_VERSION 2020_U3)
+set(TBB_YEAR 2020)
+set(TBB_VERSION ${TBB_YEAR}_U3)
 set(TBB_URI https://github.com/oneapi-src/oneTBB/archive/${TBB_VERSION}.tar.gz)
 set(TBB_HASH 55ec8df6eae5ed6364a47f0e671e460c)
 set(TBB_HASH_TYPE MD5)
 set(TBB_FILE oneTBB-${TBB_VERSION}.tar.gz)
+set(TBB_CPE "cpe:2.3:a:intel:threading_building_blocks:${TBB_YEAR}:*:*:*:*:*:*:*")
 
 set(OPENVDB_VERSION 9.0.0)
 set(OPENVDB_URI https://github.com/AcademySoftwareFoundation/openvdb/archive/v${OPENVDB_VERSION}.tar.gz)
@@ -198,6 +221,7 @@ set(OPENVDB_FILE openvdb-${OPENVDB_VERSION}.tar.gz)
 set(IDNA_VERSION 3.3)
 set(CHARSET_NORMALIZER_VERSION 2.0.10)
 set(URLLIB3_VERSION 1.26.8)
+set

@@ Diff output truncated at 10240 characters. @@

