author | Chris Laplante <chris.laplante@agilent.com> | 2020-09-29 11:57:46 -0400 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-03-04 17:39:08 +0000 |
commit | 95886950fb29fc68d9b71d6ebc2532ee96418a7e (patch) | |
tree | 6ea25c95a9b500c4610c7d0d2d0cc15e08a9a3b2 | |
parent | 51400abb8a2caa310f8516a7038ed765a465806c (diff) | |
download | poky-95886950fb29fc68d9b71d6ebc2532ee96418a7e.tar.gz |
cve-check: add CVE_CHECK_REPORT_PATCHED variable to suppress reporting of patched CVEs
Default behavior is not changed. To suppress patched CVEs, set:
CVE_CHECK_REPORT_PATCHED = ""
(From OE-Core rev: cdbed91b1e23d6373a759e87fcadb85a37fead8d)
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 05bd9f1f006cf94cf5324f96df29cd5862abaf45)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/classes/cve-check.bbclass | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 259852876c..edb704b187 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -41,14 +41,16 @@ CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve | |||
41 | CVE_CHECK_COPY_FILES ??= "1" | 41 | CVE_CHECK_COPY_FILES ??= "1" |
42 | CVE_CHECK_CREATE_MANIFEST ??= "1" | 42 | CVE_CHECK_CREATE_MANIFEST ??= "1" |
43 | 43 | ||
44 | CVE_CHECK_REPORT_PATCHED ??= "1" | ||
45 | |||
44 | # Whitelist for packages (PN) | 46 | # Whitelist for packages (PN) |
45 | CVE_CHECK_PN_WHITELIST ?= "" | 47 | CVE_CHECK_PN_WHITELIST ?= "" |
46 | 48 | ||
47 | # Whitelist for CVE. If a CVE is found, then it is considered patched. | 49 | # Whitelist for CVE. If a CVE is found, then it is considered patched. |
48 | # The value is a string containing space separated CVE values: | 50 | # The value is a string containing space separated CVE values: |
49 | # | 51 | # |
50 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' | 52 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' |
51 | # | 53 | # |
52 | CVE_CHECK_WHITELIST ?= "" | 54 | CVE_CHECK_WHITELIST ?= "" |
53 | 55 | ||
54 | # set to "alphabetical" for version using single alphabetical character as increament release | 56 | # set to "alphabetical" for version using single alphabetical character as increament release |
@@ -339,12 +341,15 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
339 | bb.utils.mkdirhier(os.path.dirname(cve_file)) | 341 | bb.utils.mkdirhier(os.path.dirname(cve_file)) |
340 | 342 | ||
341 | for cve in sorted(cve_data): | 343 | for cve in sorted(cve_data): |
344 | is_patched = cve in patched | ||
345 | if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): | ||
346 | continue | ||
342 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") | 347 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") |
343 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) | 348 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) |
344 | write_string += "CVE: %s\n" % cve | 349 | write_string += "CVE: %s\n" % cve |
345 | if cve in whitelisted: | 350 | if cve in whitelisted: |
346 | write_string += "CVE STATUS: Whitelisted\n" | 351 | write_string += "CVE STATUS: Whitelisted\n" |
347 | elif cve in patched: | 352 | elif is_patched: |
348 | write_string += "CVE STATUS: Patched\n" | 353 | write_string += "CVE STATUS: Patched\n" |
349 | else: | 354 | else: |
350 | unpatched_cves.append(cve) | 355 | unpatched_cves.append(cve) |
@@ -358,19 +363,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
358 | if unpatched_cves: | 363 | if unpatched_cves: |
359 | bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) | 364 | bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) |
360 | 365 | ||
361 | with open(cve_file, "w") as f: | 366 | if write_string: |
362 | bb.note("Writing file %s with CVE information" % cve_file) | 367 | with open(cve_file, "w") as f: |
363 | f.write(write_string) | 368 | bb.note("Writing file %s with CVE information" % cve_file) |
364 | |||
365 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": | ||
366 | deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") | ||
367 | bb.utils.mkdirhier(os.path.dirname(deploy_file)) | ||
368 | with open(deploy_file, "w") as f: | ||
369 | f.write(write_string) | 369 | f.write(write_string) |
370 | 370 | ||
371 | if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": | 371 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": |
372 | cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") | 372 | deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") |
373 | bb.utils.mkdirhier(cvelogpath) | 373 | bb.utils.mkdirhier(os.path.dirname(deploy_file)) |
374 | with open(deploy_file, "w") as f: | ||
375 | f.write(write_string) | ||
376 | |||
377 | if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": | ||
378 | cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") | ||
379 | bb.utils.mkdirhier(cvelogpath) | ||
374 | 380 | ||
375 | with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: | 381 | with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: |
376 | f.write("%s" % write_string) | 382 | f.write("%s" % write_string) |
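Review bot: The new `continue` at new lines 344–346 runs before the `if cve in whitelisted:` branch at line 350, so when CVE_CHECK_REPORT_PATCHED is unset a CVE that is both whitelisted and present in `patched` is dropped from the report instead of being listed as "Whitelisted"; whether that combination occurs depends on how the callers fill `patched`, which is outside this hunk. Whitelisting is a manual risk acceptance that auditors expect to see, so the skip should come after the whitelist test, e.g. `if is_patched and cve not in whitelisted and d.getVar("CVE_CHECK_REPORT_PATCHED") != "1": continue`. Separately, the `if write_string:` guard at new line 366 appears to wrap the recipe log, the deploy copy and the manifest append, so a recipe whose CVEs are all suppressed writes nothing at all: an older report left at cve_file or CVE_CHECK_RECIPE_FILE from a previous run is not overwritten, and a manifest consumer cannot tell "checked, everything patched" from "not checked". Writing the (possibly empty) recipe file unconditionally, or at least stating this behaviour in a comment beside `CVE_CHECK_REPORT_PATCHED ??= "1"` at line 44, would avoid that ambiguity. cve_write_data begins before the second hunk and its loop body continues past the shown lines.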