cve-check: Manage CVE_PRODUCT with more than one name

In some rare cases (eg. curl recipe) the CVE_PRODUCT contains more than one name. (From OE-Core rev: 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05) (From OE-Core rev: 4f96e9ba1f4f14f312b6024711fe8da0c3041e4c) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> 2019-11-06 17:37:18 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-11-07 19:47:26 +0000
commit: b409daad1d6c853690ae9ea75447cfac89033712 (patch)
tree: 89cfbaf61a7bfabce7e6bc35bdcfcb1cbeafde1b
parent: 60091cba9b9591294cb947dd1bcac90d579927ee (diff)
download: poky-b409daad1d6c853690ae9ea75447cfac89033712.tar.gz
1 files changed, 14 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 28619c7bd4..e7540b8c1f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -168,9 +168,10 @@ def check_cves(d, patched_cves):
    import ast, csv, tempfile, subprocess, io
    cves_unpatched = []
-    bpn = d.getVar("CVE_PRODUCT")
+    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+    bpn = d.getVar("CVE_PRODUCT").split()
    # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
-    if not bpn:
+    if len(bpn) == 0:
        return ([], [])
    pv = d.getVar("CVE_VERSION").split("+git")[0]
    cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
@@ -184,16 +185,18 @@ def check_cves(d, patched_cves):
    db_file = d.getVar("CVE_CHECK_DB_FILE")
    conn = sqlite3.connect(db_file)
    c = conn.cursor()
    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
-    for row in c.execute(query % (bpn,pv)):
+    for idx in range(len(bpn)):
-        cve = row[1]
+        for row in c.execute(query % (bpn[idx],pv)):
-        if pv in cve_whitelist.get(cve,[]):
+            cve = row[1]
-            bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
+            if pv in cve_whitelist.get(cve,[]):
-        elif cve in patched_cves:
+                bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
-            bb.note("%s has been patched" % (cve))
+            elif cve in patched_cves:
-        else:
+                bb.note("%s has been patched" % (cve))
-            cves_unpatched.append(cve)
+            else:
-            bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
+                cves_unpatched.append(cve)
+                bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
    conn.close()
    return (list(patched_cves), cves_unpatched)
author	Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>	2019-11-06 17:37:18 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-11-07 19:47:26 +0000
commit	b409daad1d6c853690ae9ea75447cfac89033712 (patch)
tree	89cfbaf61a7bfabce7e6bc35bdcfcb1cbeafde1b
parent	60091cba9b9591294cb947dd1bcac90d579927ee (diff)
download	poky-b409daad1d6c853690ae9ea75447cfac89033712.tar.gz

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 28619c7bd4..e7540b8c1f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -168,9 +168,10 @@ def check_cves(d, patched_cves):
168	import ast, csv, tempfile, subprocess, io	168	import ast, csv, tempfile, subprocess, io
169		169
170	cves_unpatched = []	170	cves_unpatched = []
171	bpn = d.getVar("CVE_PRODUCT")	171	# CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
		172	bpn = d.getVar("CVE_PRODUCT").split()
172	# If this has been unset then we're not scanning for CVEs here (for example, image recipes)	173	# If this has been unset then we're not scanning for CVEs here (for example, image recipes)
173	if not bpn:	174	if len(bpn) == 0:
174	return ([], [])	175	return ([], [])
175	pv = d.getVar("CVE_VERSION").split("+git")[0]	176	pv = d.getVar("CVE_VERSION").split("+git")[0]
176	cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))	177	cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
@@ -184,16 +185,18 @@ def check_cves(d, patched_cves):
184	db_file = d.getVar("CVE_CHECK_DB_FILE")	185	db_file = d.getVar("CVE_CHECK_DB_FILE")
185	conn = sqlite3.connect(db_file)	186	conn = sqlite3.connect(db_file)
186	c = conn.cursor()	187	c = conn.cursor()
		188
187	query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"	189	query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
188	for row in c.execute(query % (bpn,pv)):	190	for idx in range(len(bpn)):
189	cve = row[1]	191	for row in c.execute(query % (bpn[idx],pv)):
190	if pv in cve_whitelist.get(cve,[]):	192	cve = row[1]
191	bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))	193	if pv in cve_whitelist.get(cve,[]):
192	elif cve in patched_cves:	194	bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
193	bb.note("%s has been patched" % (cve))	195	elif cve in patched_cves:
194	else:	196	bb.note("%s has been patched" % (cve))
195	cves_unpatched.append(cve)	197	else:
196	bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))	198	cves_unpatched.append(cve)
		199	bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
197	conn.close()	200	conn.close()
198		201
199	return (list(patched_cves), cves_unpatched)	202	return (list(patched_cves), cves_unpatched)