cve-update-db-native: fix https proxy issues

When https_proxy is set, use proxy opener to open CVE metadata and database URLs, otherwise fallback to the urllib.request.urlopen. Also fix a minor issue where the json database which has been gzip decompressed as byte object should be decoded as utf-8 string as expected by update_db. (From OE-Core rev: 95438d52b732bec217301fbfc2fb019bbc3707c8) Signed-off-by: Chin Huat Ang <chin.huat.ang@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Chin Huat Ang <chin.huat.ang@intel.com> 2019-07-25 10:01:20 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-07-26 08:41:39 +0100
commit: fa1a3f5328d2ee6d96e01f55e7c194a0e09c95da (patch)
tree: 0e16712883832cc5e9d30fe0fcf326e2c043b6c6
parent: b8cbefb3fdb4b62a8a536c717359fd6314335cb7 (diff)
download: poky-fa1a3f5328d2ee6d96e01f55e7c194a0e09c95da.tar.gz
1 files changed, 30 insertions, 11 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 9c083bdc99..2c427a5884 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -22,7 +22,7 @@ python do_populate_cve_db() {
    Update NVD database with json data feed
    """
-    import sqlite3, urllib, shutil, gzip
+    import sqlite3, urllib, urllib.parse, shutil, gzip
    from datetime import date
    BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
@@ -32,6 +32,16 @@ python do_populate_cve_db() {
    db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
    json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
    proxy = d.getVar("https_proxy")
+    if proxy:
+        # instantiate an opener but do not install it as the global
+        # opener unless if we're really sure it's applicable for all
+        # urllib requests
+        proxy_handler = urllib.request.ProxyHandler({'https': proxy})
+        proxy_opener = urllib.request.build_opener(proxy_handler)
+    else:
+        proxy_opener = None
    cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
    if not os.path.isdir(db_dir):
@@ -49,11 +59,17 @@ python do_populate_cve_db() {
        json_url = year_url + ".json.gz"
        # Retrieve meta last modified date
-        req = urllib.request.Request(meta_url)
-        if proxy:
+        response = None
-            req.set_proxy(proxy, 'https')
-        with urllib.request.urlopen(req) as r:
+        if proxy_opener:
-            for l in r.read().decode("utf-8").splitlines():
+            response = proxy_opener.open(meta_url)
+        else:
+            req = urllib.request.Request(meta_url)
+            response = urllib.request.urlopen(req)
+        if response:
+            for l in response.read().decode("utf-8").splitlines():
                key, value = l.split(":", 1)
                if key == "lastModifiedDate":
                    last_modified = value
@@ -71,11 +87,14 @@ python do_populate_cve_db() {
            # Update db with current year json file
            try:
-                req = urllib.request.Request(json_url)
+                if proxy_opener:
-                if proxy:
+                    response = proxy_opener.open(json_url)
-                    req.set_proxy(proxy, 'https')
+                else:
-                with urllib.request.urlopen(req) as r:
+                    req = urllib.request.Request(json_url)
-                    update_db(c, gzip.decompress(r.read()))
+                    response = urllib.request.urlopen(req)
+                if response:
+                    update_db(c, gzip.decompress(response.read()).decode('utf-8'))
                c.execute("insert or replace into META values (?, ?)", [year, last_modified])
            except urllib.error.URLError as e:
                cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
author	Chin Huat Ang <chin.huat.ang@intel.com>	2019-07-25 10:01:20 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-07-26 08:41:39 +0100
commit	fa1a3f5328d2ee6d96e01f55e7c194a0e09c95da (patch)
tree	0e16712883832cc5e9d30fe0fcf326e2c043b6c6
parent	b8cbefb3fdb4b62a8a536c717359fd6314335cb7 (diff)
download	poky-fa1a3f5328d2ee6d96e01f55e7c194a0e09c95da.tar.gz

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 9c083bdc99..2c427a5884 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -22,7 +22,7 @@ python do_populate_cve_db() {
22	Update NVD database with json data feed	22	Update NVD database with json data feed
23	"""	23	"""
24		24
25	import sqlite3, urllib, shutil, gzip	25	import sqlite3, urllib, urllib.parse, shutil, gzip
26	from datetime import date	26	from datetime import date
27		27
28	BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"	28	BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
@@ -32,6 +32,16 @@ python do_populate_cve_db() {
32	db_file = os.path.join(db_dir, 'nvdcve_1.0.db')	32	db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
33	json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')	33	json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
34	proxy = d.getVar("https_proxy")	34	proxy = d.getVar("https_proxy")
		35
		36	if proxy:
		37	# instantiate an opener but do not install it as the global
		38	# opener unless if we're really sure it's applicable for all
		39	# urllib requests
		40	proxy_handler = urllib.request.ProxyHandler({'https': proxy})
		41	proxy_opener = urllib.request.build_opener(proxy_handler)
		42	else:
		43	proxy_opener = None
		44
35	cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')	45	cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
36		46
37	if not os.path.isdir(db_dir):	47	if not os.path.isdir(db_dir):
@@ -49,11 +59,17 @@ python do_populate_cve_db() {
49	json_url = year_url + ".json.gz"	59	json_url = year_url + ".json.gz"
50		60
51	# Retrieve meta last modified date	61	# Retrieve meta last modified date
52	req = urllib.request.Request(meta_url)	62
53	if proxy:	63	response = None
54	req.set_proxy(proxy, 'https')	64
55	with urllib.request.urlopen(req) as r:	65	if proxy_opener:
56	for l in r.read().decode("utf-8").splitlines():	66	response = proxy_opener.open(meta_url)
		67	else:
		68	req = urllib.request.Request(meta_url)
		69	response = urllib.request.urlopen(req)
		70
		71	if response:
		72	for l in response.read().decode("utf-8").splitlines():
57	key, value = l.split(":", 1)	73	key, value = l.split(":", 1)
58	if key == "lastModifiedDate":	74	if key == "lastModifiedDate":
59	last_modified = value	75	last_modified = value
@@ -71,11 +87,14 @@ python do_populate_cve_db() {
71		87
72	# Update db with current year json file	88	# Update db with current year json file
73	try:	89	try:
74	req = urllib.request.Request(json_url)	90	if proxy_opener:
75	if proxy:	91	response = proxy_opener.open(json_url)
76	req.set_proxy(proxy, 'https')	92	else:
77	with urllib.request.urlopen(req) as r:	93	req = urllib.request.Request(json_url)
78	update_db(c, gzip.decompress(r.read()))	94	response = urllib.request.urlopen(req)
		95
		96	if response:
		97	update_db(c, gzip.decompress(response.read()).decode('utf-8'))
79	c.execute("insert or replace into META values (?, ?)", [year, last_modified])	98	c.execute("insert or replace into META values (?, ?)", [year, last_modified])
80	except urllib.error.URLError as e:	99	except urllib.error.URLError as e:
81	cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')	100	cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')