summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-12-08 18:35:48 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-12-16 23:11:10 (GMT)
commit1675f9638ab6387f492cefa9eac106f627722e12 (patch)
tree14e1fbda5c33f38bfdef53cc6831d98892b0185e
parent593fe7e35267f665dbb37cc0abcc82be55ac67f8 (diff)
downloadpoky-1675f9638ab6387f492cefa9eac106f627722e12.tar.gz
cve-check: ensure all known CVEs are in the report
CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 9d01a64844998d98fcfcebbe8580422094cd2dde) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass9
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c00d291..f87bcc9 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves):
208 208
209 if cve in cve_whitelist: 209 if cve in cve_whitelist:
210 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) 210 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
211 # TODO: this should be in the report as 'whitelisted'
212 patched_cves.add(cve)
211 elif cve in patched_cves: 213 elif cve in patched_cves:
212 bb.note("%s has been patched" % (cve)) 214 bb.note("%s has been patched" % (cve))
213 else: 215 else:
214 to_append = False 216 to_append = False
215 if (operator_start == '=' and pv == version_start): 217 if (operator_start == '=' and pv == version_start):
216 cves_unpatched.append(cve) 218 to_append = True
217 else: 219 else:
218 if operator_start: 220 if operator_start:
219 try: 221 try:
@@ -243,8 +245,11 @@ def check_cves(d, patched_cves):
243 to_append = to_append_start or to_append_end 245 to_append = to_append_start or to_append_end
244 246
245 if to_append: 247 if to_append:
248 bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
246 cves_unpatched.append(cve) 249 cves_unpatched.append(cve)
247 bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) 250 else:
251 bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
252 patched_cves.add(cve)
248 conn.close() 253 conn.close()
249 254
250 return (list(patched_cves), cves_unpatched) 255 return (list(patched_cves), cves_unpatched)