authorRoss Burton <ross.burton@intel.com>2019-10-18 01:31:19 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-10-31 16:09:35 +0000
commit3e36ab8dadab36bb286dc6d750ac6c4934f50d04 (patch)
treec363e0c71ed5495cd457348ede0e5b14ea24e58f
parenta5de8b48ab00ed8375d00e589f5613bab66b9333 (diff)
downloadpoky-3e36ab8dadab36bb286dc6d750ac6c4934f50d04.tar.gz
cve-check: ensure all known CVEs are in the report
CVEs that were whitelisted, or that version comparisons showed to be not vulnerable, were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass9
1 files changed, 7 insertions, 2 deletions
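--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves):
 
             if cve in cve_whitelist:
                 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+                # TODO: this should be in the report as 'whitelisted'
+                patched_cves.add(cve)
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
             else:
                 to_append = False
                 if (operator_start == '=' and pv == version_start):
-                    cves_unpatched.append(cve)
+                    to_append = True
                 else:
                     if operator_start:
                         try:
@@ -243,8 +245,11 @@ def check_cves(d, patched_cves):
                     to_append = to_append_start or to_append_end
 
                 if to_append:
+                    bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
                     cves_unpatched.append(cve)
-                    bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+                else:
+                    bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+                    patched_cves.add(cve)
         conn.close()
 
     return (list(patched_cves), cves_unpatched)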
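Review bot: Adding a CVE to `patched_cves` on the new "not vulnerable" branch (new line 252) makes it indistinguishable in the report from a CVE that is genuinely fixed, and because `elif cve in patched_cves:` is tested before the version comparison, any later row for the same CVE in this run — for instance a second affected version range that does match `pv` — would be reported as patched without being checked; whether the query yields several rows per CVE is decided in the loop header outside the hunk, so that part is inferred from the visible branch order. The whitelist branch (new line 212) has the same effect, which the added TODO already acknowledges. A safer shape is to collect not-vulnerable and whitelisted CVEs in their own sets, or to add to `patched_cves` only after every row for that CVE has been examined, so the report can state why each CVE was excluded rather than labelling it patched. check_cves starts outside both hunks; the second hunk ends at its return.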