diff options
| author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-11-06 17:37:33 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-07 19:47:26 +0000 |
| commit | be0549c677e3be922476b1b43e54765957efff43 (patch) | |
| tree | c282cd9141f046701cfb195cfadc62736b4ae143 | |
| parent | 67a89b3a42c2e0c2bbb8c443bef45de03411a44b (diff) | |
| download | poky-be0549c677e3be922476b1b43e54765957efff43.tar.gz | |
cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
CVE_CHECK_WHITELIST does not contain version anymore, as it was not
used. This variable should be set per recipe.
(From OE-Core rev: 7069302a4ccbb5b72e1902f284cf078516fd7294)
(From OE-Core rev: 8dd899679fc881d02e081d1e0814252d604dd479)
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index e8668b2566..512d4c7302 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -39,15 +39,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1" | |||
| 39 | # Whitelist for packages (PN) | 39 | # Whitelist for packages (PN) |
| 40 | CVE_CHECK_PN_WHITELIST ?= "" | 40 | CVE_CHECK_PN_WHITELIST ?= "" |
| 41 | 41 | ||
| 42 | # Whitelist for CVE and version of package. If a CVE is found then the PV is | 42 | # Whitelist for CVE. If a CVE is found, then it is considered patched. |
| 43 | # compared with the version list, and if found the CVE is considered | 43 | # The value is a string containing space separated CVE values: |
| 44 | # patched. | 44 | # |
| 45 | # | 45 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' |
| 46 | # The value should be valid Python in this format: | 46 | # |
| 47 | # { | 47 | CVE_CHECK_WHITELIST ?= "" |
| 48 | # 'CVE-2014-2524': ('6.3','5.2') | ||
| 49 | # } | ||
| 50 | CVE_CHECK_CVE_WHITELIST ?= "{}" | ||
| 51 | 48 | ||
| 52 | python do_cve_check () { | 49 | python do_cve_check () { |
| 53 | """ | 50 | """ |
| @@ -185,7 +182,10 @@ def check_cves(d, patched_cves): | |||
| 185 | bb.note("Recipe has been whitelisted, skipping check") | 182 | bb.note("Recipe has been whitelisted, skipping check") |
| 186 | return ([], []) | 183 | return ([], []) |
| 187 | 184 | ||
| 188 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | 185 | old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST") |
| 186 | if old_cve_whitelist: | ||
| 187 | bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.") | ||
| 188 | cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() | ||
| 189 | 189 | ||
| 190 | import sqlite3 | 190 | import sqlite3 |
| 191 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 191 | db_file = d.getVar("CVE_CHECK_DB_FILE") |
| @@ -206,7 +206,7 @@ def check_cves(d, patched_cves): | |||
| 206 | version_end = row[6] | 206 | version_end = row[6] |
| 207 | operator_end = row[7] | 207 | operator_end = row[7] |
| 208 | 208 | ||
| 209 | if pv in cve_whitelist.get(cve, []): | 209 | if cve in cve_whitelist: |
| 210 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) | 210 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) |
| 211 | elif cve in patched_cves: | 211 | elif cve in patched_cves: |
| 212 | bb.note("%s has been patched" % (cve)) | 212 | bb.note("%s has been patched" % (cve)) |