summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2017-05-09 17:31:36 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-05-18 14:01:46 +0100
commit86795b756a503825539e8677d20e719a8e8eb9d1 (patch)
tree3cc1a17d247a637fe2e9c0328afeb48b544df24b
parent4ef31feab1fc15e6d1100348845820e4bc429a16 (diff)
downloadpoky-86795b756a503825539e8677d20e719a8e8eb9d1.tar.gz
cve-check.bbclass: make warning contain CVE IDs
When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. (From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat
-rw-r--r--meta/classes/cve-check.bbclass9
1 files changed, 5 insertions, 4 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0e4294fdc4..3a9e227288 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -234,7 +234,7 @@ def cve_write_data(d, patched, unpatched, cve_data):
234 cve_file = d.getVar("CVE_CHECK_LOCAL_FILE") 234 cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
235 nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" 235 nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
236 write_string = "" 236 write_string = ""
237 first_alert = True 237 unpatched_cves = []
238 bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR")) 238 bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
239 239
240 for cve in sorted(cve_data): 240 for cve in sorted(cve_data):
@@ -244,15 +244,16 @@ def cve_write_data(d, patched, unpatched, cve_data):
244 if cve in patched: 244 if cve in patched:
245 write_string += "CVE STATUS: Patched\n" 245 write_string += "CVE STATUS: Patched\n"
246 else: 246 else:
247 unpatched_cves.append(cve)
247 write_string += "CVE STATUS: Unpatched\n" 248 write_string += "CVE STATUS: Unpatched\n"
248 if first_alert:
249 bb.warn("Found unpatched CVE, for more information check %s" % cve_file)
250 first_alert = False
251 write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] 249 write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
252 write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"] 250 write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
253 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] 251 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
254 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) 252 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
255 253
254 if unpatched_cves:
255 bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
256
256 with open(cve_file, "w") as f: 257 with open(cve_file, "w") as f:
257 bb.note("Writing file %s with CVE information" % cve_file) 258 bb.note("Writing file %s with CVE information" % cve_file)
258 f.write(write_string) 259 f.write(write_string)
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-16 10:17:03 +0000