authorChen Qi <Qi.Chen@windriver.com>2017-05-09 09:31:36 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-06-05 22:30:21 (GMT)
commitd2586b6fde626faeb65667a64b4d993a017a1d25 (patch)
treeae5d6745ce681e1ef722b4d8184821794ccaf745
parentbc45d3a86b85c30ee7ec8dac83d487d6b031820e (diff)
cve-check.bbclass: make warning contain CVE IDs
When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. (From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6) (From OE-Core rev: e0e1414a4574d4165a8dc5d0d9d0d5b5a660355f) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass9
1 files changed, 5 insertions, 4 deletions
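--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -234,7 +234,7 @@ def cve_write_data(d, patched, unpatched, cve_data):
 cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
 nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
 write_string = ""
-first_alert = True
+unpatched_cves = []
 bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
 
 for cve in sorted(cve_data):
@@ -244,15 +244,16 @@ def cve_write_data(d, patched, unpatched, cve_data):
 if cve in patched:
 write_string += "CVE STATUS: Patched\n"
 else:
+unpatched_cves.append(cve)
 write_string += "CVE STATUS: Unpatched\n"
-if first_alert:
-bb.warn("Found unpatched CVE, for more information check %s" % cve_file)
-first_alert = False
 write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
 write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
 
+if unpatched_cves:
+bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
+
 with open(cve_file, "w") as f:
 bb.note("Writing file %s with CVE information" % cve_file)
 f.write(write_string)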
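Review bot: The new `bb.warn` (new lines 254-255) fires before the `with open(cve_file, "w")` block, so the message sends the user to a report that has not been written yet for this run; if the write fails, that path may be missing or stale. Moving the `if unpatched_cves:` block below `f.write(write_string)` would keep the warning and the report consistent. Because the warning now names the CVEs, a one-line comment above `unpatched_cves.append(cve)` such as `# every CVE not in patched is reported as unpatched` would record how the list is derived: the append sits in the `else:` branch and the `unpatched` argument is not consulted in the visible lines. cve_write_data begins above the hunk, so lines 241-243 were not checked.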