[Bf-blender-cvs] [7bc5193f5e8] tmp-libs-2.93-lts: deps_builder: Add support for cve-bin-tool

Ray Molenkamp noreply at git.blender.org
Thu Nov 24 17:29:51 CET 2022


Commit: 7bc5193f5e8a35e3e2d75ddb97ca38c4d05c8600
Author: Ray Molenkamp
Date:   Mon Oct 10 11:48:05 2022 -0600
Branches: tmp-libs-2.93-lts
https://developer.blender.org/rB7bc5193f5e8a35e3e2d75ddb97ca38c4d05c8600

deps_builder: Add support for cve-bin-tool

This change adds support for intels cve-bin-tool [1]
in the deps builder. This adds 2 new targets to the
builder that do not build automatically but can be
build on demand when required.

`make cve_check` will output to the console.
`make cve_check_html` will output a html file that
can be shared with other people.

Requirements:

- A working installation of cve-bin-tool on the system

Not required but highly recommended:

- Obtaining a key from the nvd [2] to speed up the
  database download. you can pass the key to cmake
  using `-DCVE_CHECK_NVD_KEY=your_api_key`

[1] https://github.com/intel/cve-bin-tool
[2] https://nvd.nist.gov/developers/request-an-api-key

Reviewed By: brecht

Differential Revision: https://developer.blender.org/D16160

===================================================================

M	build_files/build_environment/CMakeLists.txt
A	build_files/build_environment/cmake/cve_check.cmake
A	build_files/build_environment/cmake/cve_check.csv.in
M	build_files/build_environment/cmake/versions.cmake

===================================================================

diff --git a/build_files/build_environment/CMakeLists.txt b/build_files/build_environment/CMakeLists.txt
index a3d694b4bc3..a679eeddc2f 100644
--- a/build_files/build_environment/CMakeLists.txt
+++ b/build_files/build_environment/CMakeLists.txt
@@ -167,3 +167,4 @@ if(UNIX AND NOT APPLE)
 endif()
 
 include(cmake/harvest.cmake)
+include(cmake/cve_check.cmake)
diff --git a/build_files/build_environment/cmake/cve_check.cmake b/build_files/build_environment/cmake/cve_check.cmake
new file mode 100644
index 00000000000..dfb190bcffa
--- /dev/null
+++ b/build_files/build_environment/cmake/cve_check.cmake
@@ -0,0 +1,73 @@
+# SPDX-License-Identifier: GPL-2.0-or-later
+
+# CVE Check requirements
+#
+# - A working installation of intels cve-bin-tool [1] has to be available in
+#   your path
+#
+# - Not strictly required, but highly recommended is obtaining a NVD key from
+#   nist since it significantly speeds up downloading/updating the required
+#   databases one can request a key on the following website:
+#   https://nvd.nist.gov/developers/request-an-api-key
+
+# Bill of Materials construction
+#
+# This constructs a CSV cve-bin-tool [1] can read and process. Sadly
+# cve-bin-tool at this point does not take a list of CPE's and output a check
+# based on that list. so we need to pick apart the CPE retrieve the vendor,
+# product and version tokens and generate a CSV.
+#
+# [1] https://github.com/intel/cve-bin-tool
+
+# Because not all deps are downloaded (ie python packages) but can still have a
+# xxx_CPE declared loop over all variables and look for variables ending in CPE.
+
+set(SBOMCONTENTS)
+get_cmake_property(_variableNames VARIABLES)
+foreach (_variableName ${_variableNames})
+  if(_variableName MATCHES "CPE$")
+      string(REPLACE ":" ";" CPE_LIST ${${_variableName}})
+      list(GET CPE_LIST 3 CPE_VENDOR)
+      list(GET CPE_LIST 4 CPE_NAME)
+      list(GET CPE_LIST 5 CPE_VERSION)
+      set(SBOMCONTENTS "${SBOMCONTENTS}${CPE_VENDOR},${CPE_NAME},${CPE_VERSION}\n")
+  endif()
+endforeach()
+configure_file(${CMAKE_SOURCE_DIR}/cmake/cve_check.csv.in ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv @ONLY)
+
+# Custom Targets
+#
+# This defines two new custom targets one could run in the build folder
+# `cve_check` which will output the report to the console, and `cve_check_html`
+# which will write out blender_dependencies.html in the build folder that one
+# could share with other people or be used to get more information on the
+# reported CVE's.
+#
+# cve-bin-tool takes data from the nist nvd database which rate limits
+# unauthenticated requests to 1 requests per 6 seconds making the database
+# download take "quite a bit" of time.
+#
+# When adding -DCVE_CHECK_NVD_KEY=your_api_key_here to your cmake invocation
+# this key will be passed on to cve-bin-tool speeding up the process.
+#
+if(DEFINED CVE_CHECK_NVD_KEY)
+  set(NVD_ARGS --nvd-api-key ${CVE_CHECK_NVD_KEY})
+endif()
+
+# This will just report to the console
+add_custom_target(cve_check
+  COMMAND cve-bin-tool
+    ${NVD_ARGS}
+    -i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+    --affected-versions
+  SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+)
+
+# This will write out blender_dependencies.html
+add_custom_target(cve_check_html
+  COMMAND cve-bin-tool
+    ${NVD_ARGS}
+    -i ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+    -f html
+  SOURCES ${CMAKE_CURRENT_BINARY_DIR}/cve_check.csv
+)
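Review bot: The NVD API key handed over with `-DCVE_CHECK_NVD_KEY=...` is persisted in plaintext: as a cache entry in CMakeCache.txt and, through `${NVD_ARGS}` on the `cve-bin-tool` command lines of both targets, in the generated Makefile/build.ninja and in the process listing while the scan runs. The comment block above `if(DEFINED CVE_CHECK_NVD_KEY)` should say so, e.g. `# NOTE: the key is stored unencrypted in CMakeCache.txt and the generated build files; do not share the build folder as a whole.`, and if cve-bin-tool honours an environment-provided key (its documentation describes `NVD_API_KEY`), documenting that as the preferred route lets the key never touch the build tree. Both `add_custom_target` calls also lack `VERBATIM`, which matters here because the key value is interpolated unquoted into the command; add `VERBATIM` after each `SOURCES` line. Separately, `configure_file(${CMAKE_SOURCE_DIR}/cmake/cve_check.csv.in ...)` should use `${CMAKE_CURRENT_SOURCE_DIR}` so the include keeps working when the deps builder is not the top-level project, and `string(REPLACE ":" ";" CPE_LIST ${${_variableName}})` should quote the expansion (`"${${_variableName}}"`) so an empty `*_CPE` fails with a readable error rather than an argument-count one.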
diff --git a/build_files/build_environment/cmake/cve_check.csv.in b/build_files/build_environment/cmake/cve_check.csv.in
new file mode 100644
index 00000000000..6e7e8db5609
--- /dev/null
+++ b/build_files/build_environment/cmake/cve_check.csv.in
@@ -0,0 +1,2 @@
+vendor,product,version
+ at SBOMCONTENTS@
diff --git a/build_files/build_environment/cmake/versions.cmake b/build_files/build_environment/cmake/versions.cmake
index 97da5d54d48..91ef1e5614c 100644
--- a/build_files/build_environment/cmake/versions.cmake
+++ b/build_files/build_environment/cmake/versions.cmake
@@ -16,11 +16,20 @@
 #
 # ***** END GPL LICENSE BLOCK *****
 
+# CPE's are used to identify dependencies, for more information on what they
+# are please see https://nvd.nist.gov/products/cpe
+#
+# We use them in combination with cve-bin-tool to scan for known security issues.
+#
+# Not all of our dependencies are currently in the nvd database so not all
+# dependencies have one assigned.
+
 set(ZLIB_VERSION 1.2.11)
 set(ZLIB_URI https://zlib.net/zlib-${ZLIB_VERSION}.tar.gz)
 set(ZLIB_HASH 1c9f62f0778697a09d36121ead88e08e)
 set(ZLIB_HASH_TYPE MD5)
 set(ZLIB_FILE zlib-${ZLIB_VERSION}.tar.gz)
+set(ZLIB_CPE "cpe:2.3:a:zlib:zlib:${ZLIB_VERSION}:*:*:*:*:*:*:*")
 
 set(OPENAL_VERSION 1.20.1)
 set(OPENAL_URI http://openal-soft.org/openal-releases/openal-soft-${OPENAL_VERSION}.tar.bz2)
@@ -33,12 +42,14 @@ set(PNG_URI http://prdownloads.sourceforge.net/libpng/libpng-${PNG_VERSION}.tar.
 set(PNG_HASH 505e70834d35383537b6491e7ae8641f1a4bed1876dbfe361201fc80868d88ca)
 set(PNG_HASH_TYPE SHA256)
 set(PNG_FILE libpng-${PNG_VERSION}.tar.xz)
+set(PNG_CPE "cpe:2.3:a:libpng:libpng:${PNG_VERSION}:*:*:*:*:*:*:*")
 
 set(JPEG_VERSION 2.0.4)
 set(JPEG_URI https://github.com/libjpeg-turbo/libjpeg-turbo/archive/${JPEG_VERSION}.tar.gz)
 set(JPEG_HASH 44c43e4a9fb352f47090804529317c88)
 set(JPEG_HASH_TYPE MD5)
 set(JPEG_FILE libjpeg-turbo-${JPEG_VERSION}.tar.gz)
+set(JPEG_CPE "cpe:2.3:a:d.r.commander:libjpeg-turbo:${JPEG_VERSION}:*:*:*:*:*:*:*")
 
 set(BOOST_VERSION 1.73.0)
 set(BOOST_VERSION_NODOTS 1_73_0)
@@ -47,6 +58,7 @@ set(BOOST_URI https://dl.bintray.com/boostorg/release/${BOOST_VERSION}/source/bo
 set(BOOST_HASH 4036cd27ef7548b8d29c30ea10956196)
 set(BOOST_HASH_TYPE MD5)
 set(BOOST_FILE boost_${BOOST_VERSION_NODOTS}.tar.gz)
+set(BOOST_CPE "cpe:2.3:a:boost:boost:${BOOST_VERSION}:*:*:*:*:*:*:*")
 
 # Using old version as recommended by OpenVDB build documentation.
 set(BLOSC_VERSION 1.5.0)
@@ -54,6 +66,7 @@ set(BLOSC_URI https://github.com/Blosc/c-blosc/archive/v${BLOSC_VERSION}.tar.gz)
 set(BLOSC_HASH 6e4a49c8c06f05aa543f3312cfce3d55)
 set(BLOSC_HASH_TYPE MD5)
 set(BLOSC_FILE blosc-${BLOSC_VERSION}.tar.gz)
+set(BLOSC_CPE "cpe:2.3:a:c-blosc2_project:c-blosc2:${BLOSC_VERSION}:*:*:*:*:*:*:*")
 
 set(PTHREADS_VERSION 3.0.0)
 set(PTHREADS_URI http://prdownloads.sourceforge.net/pthreads4w/pthreads4w-code-v${PTHREADS_VERSION}.zip)
@@ -66,6 +79,7 @@ set(OPENEXR_URI https://github.com/AcademySoftwareFoundation/openexr/archive/v${
 set(OPENEXR_HASH 85e8a979092c9055d10ed103062d31a0)
 set(OPENEXR_HASH_TYPE MD5)
 set(OPENEXR_FILE openexr-${OPENEXR_VERSION}.tar.gz)
+set(OPENEXR_CPE "cpe:2.3:a:openexr:openexr:${OPENEXR_VERSION}:*:*:*:*:*:*:*")
 
 if(WIN32)
   # Openexr started appending _d on its own so now
@@ -88,6 +102,7 @@ set(FREETYPE_URI http://prdownloads.sourceforge.net/freetype/freetype-${FREETYPE
 set(FREETYPE_HASH b1cb620e4c875cd4d1bfa04945400945)
 set(FREETYPE_HASH_TYPE MD5)
 set(FREETYPE_FILE freetype-${FREETYPE_VERSION}.tar.gz)
+SET(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")
 
 set(GLEW_VERSION 1.13.0)
 set(GLEW_URI http://prdownloads.sourceforge.net/glew/glew/${GLEW_VERSION}/glew-${GLEW_VERSION}.tgz)
@@ -106,6 +121,7 @@ set(ALEMBIC_URI https://github.com/alembic/alembic/archive/${ALEMBIC_VERSION}.ta
 set(ALEMBIC_HASH effcc86e42fe6605588e3de57bde6677)
 set(ALEMBIC_HASH_TYPE MD5)
 set(ALEMBIC_FILE alembic-${ALEMBIC_VERSION}.tar.gz)
+SET(FREETYPE_CPE "cpe:2.3:a:freetype:freetype:${FREETYPE_VERSION}:*:*:*:*:*:*:*")
 
 # hash is for 3.1.2
 set(GLFW_GIT_UID 30306e54705c3adae9fe082c816a3be71963485c)
@@ -139,6 +155,7 @@ set(SDL_URI https://www.libsdl.org/release/SDL2-${SDL_VERSION}.tar.gz)
 set(SDL_HASH 783b6f2df8ff02b19bb5ce492b99c8ff)
 set(SDL_HASH_TYPE MD5)
 set(SDL_FILE SDL2-${SDL_VERSION}.tar.gz)
+set(SDL_CPE "cpe:2.3:a:libsdl:sdl:${SDL_VERSION}:*:*:*:*:*:*:*")
 
 set(OPENCOLLADA_VERSION v1.6.68)
 set(OPENCOLLADA_URI https://github.com/KhronosGroup/OpenCOLLADA/archive/${OPENCOLLADA_VERSION}.tar.gz)
@@ -177,6 +194,7 @@ else()
   set(OPENMP_HASH_TYPE MD5)
   set(OPENMP_FILE openmp-${LLVM_VERSION}.src.tar.xz)
 endif()
+set(LLVM_CPE "cpe:2.3:a:llvm:compiler:${LLVM_VERSION}:*:*:*:*:*:*:*")
 
 set(OPENIMAGEIO_VERSION 2.1.15.0)
 set(OPENIMAGEIO_URI https://github.com/OpenImageIO/oiio/archive/Release-${OPENIMAGEIO_VERSION}.tar.gz)
@@ -189,6 +207,7 @@ set(TIFF_URI http://download.osgeo.org/libtiff/tiff-${TIFF_VERSION}.tar.gz)
 set(TIFF_HASH 2165e7aba557463acc0664e71a3ed424)
 set(TIFF_HASH_TYPE MD5)
 set(TIFF_FILE tiff-${TIFF_VERSION}.tar.gz)
+set(TIFF_CPE "cpe:2.3:a:libtiff:libtiff:${TIFF_VERSION}:*:*:*:*:*:*:*")
 
 set(OSL_VERSION 1.11.10.0)
 set(OSL_URI https://github.com/imageworks/OpenShadingLanguage/archive/Release-${OSL_VERSION}.tar.gz)
@@ -203,12 +222,15 @@ set(PYTHON_URI https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTH
 set(PYTHON_HASH f0dc9000312abeb16de4eccce9a870ab)
 set(PYTHON_HASH_TYPE MD5)
 set(PYTHON_FILE Python-${PYTHON_VERSION}.tar.xz)
+set(PYTHON_CPE "cpe:2.3:a:python:python:${PYTHON_VERSION}:-:*:*:*:*:*:*")
 
-set(TBB_VERSION 2020_U2)
+set(TBB_YEAR 2020)
+set(TBB_VERSION ${TBB_YEAR}_U2)
 set(TBB_URI https://github.com/oneapi-src/oneTBB/archive/${TBB_VERSION}.tar.gz)
 set(TBB_HASH 1b711ae956524855088df3bbf5ec65dc)
 set(TBB_HASH_TYPE MD5)
 set(TBB_FILE oneTBB-${TBB_VERSION}.tar.gz)
+set(TBB_CPE "cpe:2.3:a:intel:threading_building_blocks:${TBB_YEAR}:*:*:*:*:*:*:*")
 
 set(OPENVDB_VERSION 8.0.1)
 set(OPENVDB_URI https://github.com/AcademySoftwareFoundation/openvdb/archive/v${OPENVDB_VERSION}.tar.gz)
@@ -225,6 +247,7 @@ set(NANOVDB_FILE nano-vdb-${NANOVDB_GIT_UID}.tar.gz)
 set(IDNA_VERSION 2.10)
 set(CHARDET_VERSION 4.0.0)
 set(URLLIB3_VERSION 1.26.3)
+set(URLLIB3_CPE "cpe:2.3:a:urllib3:urllib3:${URLLIB3_VERSION}:*:*:*:*:*:*:*")
 set(CERTIFI_VERSION 2020.12.5)
 set(REQUESTS_VERSION 2.25.1)
 set(CYTHON_VERSION 0.29.21)
@@ -235,12 +258,14 @@ set(NUMPY_URI https://github.com/numpy/numpy/releases/download/v${NUMPY_VERSION}
 set(NUMPY_HASH f6a1b48717c552bbc18f1adc3cc1fe0e)
 set(NUMPY_HASH_TYPE MD5)
 set(NUMPY_FILE numpy-${NUMPY_VERSION}.zip)
+set(NUMPY_CPE "cpe:2.3:a:numpy:numpy:${NUMPY_VERSION}:*:*:*:*:*:*:*")
 
 set(LAME_VERSION 3.100)
 set(LAME_URI http://downloads.sourceforge.net/project/lame/lame/3.100/lame-

@@ Diff output truncated at 10240 characters. @@


