diff options
| author | Joshua Watt <JPEWhacker@gmail.com> | 2022-08-30 10:59:39 -0500 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-09-12 08:41:52 +0100 |
| commit | 7ba4ed6f5fcbc0878723e41281e927c1caa46a0b (patch) | |
| tree | 626f3eea19bc4f67e9f1a48ec29ac31a3a922c92 | |
| parent | 85637f30f37bf0f6773e3d29cb2437c0060c0d7f (diff) | |
| download | poky-7ba4ed6f5fcbc0878723e41281e927c1caa46a0b.tar.gz | |
classes: cve-check: Get shared database lock
The CVE check database needs to have a shared lock acquired on it before
it is accessed. This to prevent cve-update-db-native from deleting the
database file out from underneath it.
[YOCTO #14899]
(From OE-Core rev: 374dd13db2c4fa92793f12c93d68d09304f77c17)
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 20a9911b73df62a0d0d1884e57085f13ac5016dd)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 23 |
1 files changed, 12 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 9eb9a95574..c0d4e2a972 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -138,17 +138,18 @@ python do_cve_check () { | |||
| 138 | """ | 138 | """ |
| 139 | from oe.cve_check import get_patched_cves | 139 | from oe.cve_check import get_patched_cves |
| 140 | 140 | ||
| 141 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): | 141 | with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True): |
| 142 | try: | 142 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): |
| 143 | patched_cves = get_patched_cves(d) | 143 | try: |
| 144 | except FileNotFoundError: | 144 | patched_cves = get_patched_cves(d) |
| 145 | bb.fatal("Failure in searching patches") | 145 | except FileNotFoundError: |
| 146 | whitelisted, patched, unpatched, status = check_cves(d, patched_cves) | 146 | bb.fatal("Failure in searching patches") |
| 147 | if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): | 147 | ignored, patched, unpatched, status = check_cves(d, patched_cves) |
| 148 | cve_data = get_cve_info(d, patched + unpatched + whitelisted) | 148 | if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status): |
| 149 | cve_write_data(d, patched, unpatched, whitelisted, cve_data, status) | 149 | cve_data = get_cve_info(d, patched + unpatched + ignored) |
| 150 | else: | 150 | cve_write_data(d, patched, unpatched, ignored, cve_data, status) |
| 151 | bb.note("No CVE database found, skipping CVE check") | 151 | else: |
| 152 | bb.note("No CVE database found, skipping CVE check") | ||
| 152 | 153 | ||
| 153 | } | 154 | } |
| 154 | 155 | ||