Merge pull request #1029 from m-1-k-3/workflow_generate_version

Improved EMBA update checks

emba

@@ -453,6 +453,7 @@ main() {
 
     # create log directory, if not exists and needed subdirectories
     # do not create a log dir for dep check
+    export MAIN_LOG="${LOG_DIR}""/""${MAIN_LOG_FILE}"
     [[ "${ONLY_DEP}" -eq 0 ]] && create_log_dir
 
     # kernel downloader runs on the host and waits for an identified kernel version. Afterwards
@@ -500,7 +501,6 @@ main() {
 
     # Now we have the firmware and log path, lets set some additional paths
     FIRMWARE_PATH="$(abs_path "${FIRMWARE_PATH}")"
-    export MAIN_LOG="${LOG_DIR}""/""${MAIN_LOG_FILE}"
 
     # Check firmware type (file/directory)
     # copy the firmware outside of the docker and not a second time within the docker
@@ -787,9 +787,6 @@ main() {
 
   if [[ -v CONTAINER_NUMBER ]] && [[ "${DIFF_MODE}" -ne 1 ]]; then
     if [[ "${CONTAINER_NUMBER}" -eq 2 ]] ;  then
-      while ! [[ -f "${LOG_DIR}"/"${MAIN_LOG_FILE}" ]]; do
-        sleep 1
-      done
       while ! grep -q "Pre-checking phase started" "${LOG_DIR}"/"${MAIN_LOG_FILE}"; do
         sleep 1
       done

helpers/helpers_emba_dependency_check.sh

@@ -114,11 +114,25 @@ check_emba_version(){
   fi
 }
 
+check_nvd_db(){
+  local REMOTE_HASH="${1:-}"
+  local LOCAL_HASH=""
+  if [[ -d "${EXT_DIR}"/nvd-json-data-feeds ]] ; then
+    LOCAL_HASH="$(head -c 8 "${EXT_DIR}"/nvd-json-data-feeds/.git/refs/heads/main)"
+
+    if [[ "${REMOTE_HASH}" == "${LOCAL_HASH}" ]]; then
+      echo -e "    CVE database version - ${GREEN}ok${NC}"
+    else
+      echo -e "    CVE database version - ${ORANGE}Updates available${NC}"
+    fi
+  fi
+}
+
+
 check_git_hash(){
-  local REMOTE_HASH=""
+  local REMOTE_HASH="${1:-}"
   local LOCAL_HASH=""
   if git rev-parse --is-inside-work-tree >/dev/null 2>&1 ; then
-    REMOTE_HASH="$(curl --connect-timeout 5 -s -o - https://github.com/e-m-b-a/emba | grep "spoofed_commit_check" | sed -E 's/.*commit_check\/([a-zA-Z0-9]{8}).*/\1/' || true)"
     LOCAL_HASH="$(git describe --always)"
 
     if [[ "${REMOTE_HASH}" == "${LOCAL_HASH}" ]]; then
@@ -130,10 +144,9 @@ check_git_hash(){
 }
 
 check_docker_image(){
+  local REMOTE_DOCKER_HASH="${1:-}"
   local LOCAL_DOCKER_HASH=""
-  local REMOTE_DOCKER_HASH=""
   LOCAL_DOCKER_HASH="$(docker image inspect embeddedanalyzer/emba:latest --format '{{json .RepoDigests}}' | jq . | grep "sha" | sed -E 's/.*sha256:([0-9|[a-z]+)"/\1/' || true)"
-  REMOTE_DOCKER_HASH="$(docker manifest inspect embeddedanalyzer/emba:latest -v | jq . | grep "digest" | head -n1 | awk '{print $2}' | sed -E 's/"sha256:(.+)",/\1/' || true)"
 
   if [[ "${LOCAL_DOCKER_HASH}" == "${REMOTE_DOCKER_HASH}" ]]; then
     echo -e "    Docker image version - ${GREEN}ok${NC}"
@@ -178,18 +191,32 @@ dependency_check()
   if [[ "${CONTAINER_NUMBER}" -ne 1 ]]; then
     print_output "    Internet connection - \\c" "no_log"
 
-    LATEST_EMBA_VERSION="$(curl --connect-timeout 5 -s -o - https://github.com/e-m-b-a/emba/blob/master/config/VERSION.txt | grep -w "rawLines" | sed -E 's/.*"rawLines":\["([0-9]\.[0-9]\.[0-9]).*/\1/' || true)"
-    if [[ -z "${LATEST_EMBA_VERSION}" ]] ; then
-      echo -e "${RED}""not ok""${NC}"
-      print_output "[-] Warning: Quest container has no internet connection!" "no_log"
-    else
+    # LATEST_EMBA_VERSION="$(curl --connect-timeout 5 -s -o - https://github.com/e-m-b-a/emba/blob/master/config/VERSION.txt | grep -w "rawLines" | sed -E 's/.*"rawLines":\["([0-9]\.[0-9]\.[0-9]).*/\1/' || true)"
+    if [[ -d "${EXT_DIR}"/onlinechecker ]]; then
+      rm -rf "${EXT_DIR}"/onlinechecker
+    fi
+    if [[ "${NO_UPDATE_CHECK}" -ne 1 ]]; then
+      GIT_TERMINAL_PROMPT=0 git clone https://github.com/EMBA-support-repos/onlinecheck "${EXT_DIR}"/onlinechecker -q
+    fi
+    if [[ -f "${EXT_DIR}"/onlinechecker/EMBA_VERSION.txt ]]; then
       echo -e "${GREEN}""ok""${NC}"
       # ensure this only runs on the host and not in any container
       if [[ "${IN_DOCKER}" -eq 0 ]]; then
+        EMBA_VERSION="$(cat "${EXT_DIR}"/onlinechecker/EMBA_VERSION.txt)"
+        DOCKER_HASH="$(cat "${EXT_DIR}"/onlinechecker/EMBA_CONTAINER_HASH.txt)"
+        NVD_GITHUB_HASH="$(cat "${EXT_DIR}"/onlinechecker/NVD_HASH.txt)"
+        GITHUB_HASH="${EMBA_VERSION/*-}"
+        LATEST_EMBA_VERSION="${EMBA_VERSION/-*}"
         check_emba_version "${LATEST_EMBA_VERSION}"
-        check_docker_image
-        check_git_hash
+        check_docker_image "${DOCKER_HASH}"
+        check_git_hash "${GITHUB_HASH}"
+        check_nvd_db "${NVD_GITHUB_HASH}"
       fi
+    else
+      echo -e "${RED}""not ok""${NC}"
+      print_output "[-] Warning: EMBA has no internet connection!" "no_log"
+      print_output "[-] Warning: Update checks are not possible!" "no_log"
+      print_output "[-] Warning: GPT and other online modules are disabled!" "no_log"
     fi
 
     if [[ -n "${PROXY_SETTINGS}" ]]; then

helpers/helpers_emba_path.sh

@@ -198,6 +198,10 @@ create_log_dir() {
     mkdir "${CSV_DIR}" || (print_output "[!] WARNING: Cannot create log directory" "no_log" && exit 1)
   fi
 
+  if ! [[ -f "${MAIN_LOG}" ]]; then
+    touch "${MAIN_LOG}" || true
+  fi
+
   export HTML_PATH="${LOG_DIR}""/html-report"
   if ! [[ -d "${HTML_PATH}" ]] && [[ "${HTML}" -eq 1 ]]; then
     mkdir "${HTML_PATH}" 2> /dev/null || true

modules/F50_base_aggregator.sh

@@ -413,7 +413,6 @@ output_config_issues() {
       write_link "s17"
       write_csv_log "apk_issues" "${APK_ISSUES}" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
     fi
-
   fi
   if [[ ${DATA} -eq 1 ]]; then
     print_bar
@@ -501,7 +500,6 @@ output_binaries() {
     fi
     if [[ "${BINS_CHECKED:-0}" -gt 0 ]]; then
       write_csv_log "bins_checked" "${BINS_CHECKED}" "NA" "NA" "NA" "NA" "NA" "NA" "NA"
-      DATA=1
     fi
   fi
   if [[ ${DATA} -eq 1 ]]; then
@@ -561,7 +559,7 @@ output_binaries() {
         write_link "s14#strcpysummary"
       fi
       DATA=1
-      printf "${GREEN_}\t%-5.5s| %-15.15s | common linux file: y/n | %-8.8s / %-8.8s| %-8.8s | %-9.9s | %-11.11s | %-10.10s | %-13.13s |${NC}\n" "COUNT" "BINARY NAME" "CWE CNT" "SEMGREP" "RELRO" "CANARY" "NX state" "SYMBOLS" "NETWORKING" | tee -a "${LOG_FILE}"
+      printf "${GREEN_}\t%-5.5s| %-15.15s | common linux file: y/n | %-8.8s / %-8.8s| %-9.9s | %-9.9s | %-11.11s | %-10.10s | %-13.13s |${NC}\n" "COUNT" "BINARY NAME" "CWE CNT" "SEMGREP" "RELRO" "CANARY" "NX state" "SYMBOLS" "NETWORKING" | tee -a "${LOG_FILE}"
       for DETAIL_STRCPY in "${RESULTS_STRCPY[@]}" ; do
         binary_fct_output "${DETAIL_STRCPY}"
         write_csv_log "strcpy_bin" "${BINARY}" "${F_COUNTER}" "NA" "NA" "NA" "NA" "NA" "NA"
@@ -579,7 +577,7 @@ output_binaries() {
         write_link "s14#systemsummary"
       fi
       DATA=1
-      printf "${GREEN_}\t%-5.5s| %-15.15s | common linux file: y/n | %-8.8s / %-8.8s| %-8.8s | %-9.9s | %-11.11s | %-10.10s | %-13.13s |${NC}\n" "COUNT" "BINARY NAME" "CWE CNT" "SEMGREP" "RELRO" "CANARY" "NX state" "SYMBOLS" "NETWORKING" | tee -a "${LOG_FILE}"
+      printf "${GREEN_}\t%-5.5s| %-15.15s | common linux file: y/n | %-8.8s / %-8.8s| %-9.9s | %-9.9s | %-11.11s | %-10.10s | %-13.13s |${NC}\n" "COUNT" "BINARY NAME" "CWE CNT" "SEMGREP" "RELRO" "CANARY" "NX state" "SYMBOLS" "NETWORKING" | tee -a "${LOG_FILE}"
       for DETAIL_SYSTEM in "${RESULTS_SYSTEM[@]}" ; do
         binary_fct_output "${DETAIL_SYSTEM}"
         write_csv_log "system_bin" "${BINARY}" "${F_COUNTER}" "NA" "NA" "NA" "NA" "NA" "NA"