diff options
| author | Ross Burton <ross.burton@intel.com> | 2019-12-08 20:35:48 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-12-16 23:11:10 +0000 |
| commit | 1675f9638ab6387f492cefa9eac106f627722e12 (patch) | |
| tree | 14e1fbda5c33f38bfdef53cc6831d98892b0185e | |
| parent | 593fe7e35267f665dbb37cc0abcc82be55ac67f8 (diff) | |
| download | poky-1675f9638ab6387f492cefa9eac106f627722e12.tar.gz | |
cve-check: ensure all known CVEs are in the report
CVEs that are whitelisted or were not vulnerable when there are version
comparisons were not included in the report, so alter the logic to ensure that
all relevant CVEs are in the report for completeness.
(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)
(From OE-Core rev: 9d01a64844998d98fcfcebbe8580422094cd2dde)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c00d2910be..f87bcc9dc6 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -208,12 +208,14 @@ def check_cves(d, patched_cves): | |||
| 208 | 208 | ||
| 209 | if cve in cve_whitelist: | 209 | if cve in cve_whitelist: |
| 210 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) | 210 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) |
| 211 | # TODO: this should be in the report as 'whitelisted' | ||
| 212 | patched_cves.add(cve) | ||
| 211 | elif cve in patched_cves: | 213 | elif cve in patched_cves: |
| 212 | bb.note("%s has been patched" % (cve)) | 214 | bb.note("%s has been patched" % (cve)) |
| 213 | else: | 215 | else: |
| 214 | to_append = False | 216 | to_append = False |
| 215 | if (operator_start == '=' and pv == version_start): | 217 | if (operator_start == '=' and pv == version_start): |
| 216 | cves_unpatched.append(cve) | 218 | to_append = True |
| 217 | else: | 219 | else: |
| 218 | if operator_start: | 220 | if operator_start: |
| 219 | try: | 221 | try: |
| @@ -243,8 +245,11 @@ def check_cves(d, patched_cves): | |||
| 243 | to_append = to_append_start or to_append_end | 245 | to_append = to_append_start or to_append_end |
| 244 | 246 | ||
| 245 | if to_append: | 247 | if to_append: |
| 248 | bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) | ||
| 246 | cves_unpatched.append(cve) | 249 | cves_unpatched.append(cve) |
| 247 | bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) | 250 | else: |
| 251 | bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) | ||
| 252 | patched_cves.add(cve) | ||
| 248 | conn.close() | 253 | conn.close() |
| 249 | 254 | ||
| 250 | return (list(patched_cves), cves_unpatched) | 255 | return (list(patched_cves), cves_unpatched) |