cve-update-db-native: add timeout to urlopen() calls

The urlopen() call can block indefinitely under some circumstances. This can result in the bitbake process to run endlessly because of the 'do_fetch' task of cve-update-bb-native to remain active. This adds a default timeout of 60 seconds to avoid this hang, while being large enough to minimize the risk of unwanted timeouts. (From OE-Core rev: f51a6742bcae3a151a326d17cd44935815eb78c7) Signed-off-by: Frank de Brabander <debrabander@gmail.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit e5f6652854f544106b40d860de2946954de642f3) Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Frank de Brabander <debrabander@gmail.com> 2022-10-18 18:37:51 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-11-09 17:42:03 +0000
commit: 600261eafa3866761dd38fdf8987fddcc10fde6a (patch)
tree: 2a6246975f820031fc31980333b693a89cc89c0d
parent: 5502d7326cc5e8da56227457a2f874d22cd49389 (diff)
download: poky-600261eafa3866761dd38fdf8987fddcc10fde6a.tar.gz
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 85874ead01..59e7d7dc2c 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -17,6 +17,9 @@ deltask do_populate_sysroot
 # Use a negative value to skip the update
 CVE_DB_UPDATE_INTERVAL ?= "86400"
+# Timeout for blocking socket operations, such as the connection attempt.
+CVE_SOCKET_TIMEOUT ?= "60"
 python () {
    if not bb.data.inherits_class("cve-check", d):
        raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -39,6 +42,8 @@ python do_fetch() {
    db_file = d.getVar("CVE_CHECK_DB_FILE")
    db_dir = os.path.dirname(db_file)
+    cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
    if os.path.exists("{0}-journal".format(db_file)):
        # If a journal is present the last update might have been interrupted. In that case,
        # just wipe any leftovers and force the DB to be recreated.
@@ -77,7 +82,7 @@ python do_fetch() {
            # Retrieve meta last modified date
            try:
-                response = urllib.request.urlopen(meta_url)
+                response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
            except urllib.error.URLError as e:
                cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
                bb.warn("Failed to fetch CVE data (%s)" % e.reason)
@@ -104,7 +109,7 @@ python do_fetch() {
                # Update db with current year json file
                try:
-                    response = urllib.request.urlopen(json_url)
+                    response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
                    if response:
                        update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
                    conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()
author	Frank de Brabander <debrabander@gmail.com>	2022-10-18 18:37:51 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-11-09 17:42:03 +0000
commit	600261eafa3866761dd38fdf8987fddcc10fde6a (patch)
tree	2a6246975f820031fc31980333b693a89cc89c0d
parent	5502d7326cc5e8da56227457a2f874d22cd49389 (diff)
download	poky-600261eafa3866761dd38fdf8987fddcc10fde6a.tar.gz