summaryrefslogtreecommitdiffstats
path: root/meta/classes/cve-check.bbclass
diff options
context:
space:
mode:
authorPierre Le Magourou <pierre.lemagourou@softbankrobotics.com>2019-06-19 15:59:39 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-06-20 13:14:21 +0100
commit95f0d11e21ad476efb4b46c87a8c94730d7c355f (patch)
tree810751df79f3cb178889a8ddd7134feb3818f323 /meta/classes/cve-check.bbclass
parent05fb9db63372d32e6ab3cb56186d7bcb09e26b43 (diff)
downloadpoky-95f0d11e21ad476efb4b46c87a8c94730d7c355f.tar.gz
cve-check: Manage CVE_PRODUCT with more than one name
In some rare cases (eg. curl recipe) the CVE_PRODUCT contains more than one name. (From OE-Core rev: 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r--meta/classes/cve-check.bbclass25
1 files changed, 14 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 28619c7bd4..e7540b8c1f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -168,9 +168,10 @@ def check_cves(d, patched_cves):
168 import ast, csv, tempfile, subprocess, io 168 import ast, csv, tempfile, subprocess, io
169 169
170 cves_unpatched = [] 170 cves_unpatched = []
171 bpn = d.getVar("CVE_PRODUCT") 171 # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
172 bpn = d.getVar("CVE_PRODUCT").split()
172 # If this has been unset then we're not scanning for CVEs here (for example, image recipes) 173 # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
173 if not bpn: 174 if len(bpn) == 0:
174 return ([], []) 175 return ([], [])
175 pv = d.getVar("CVE_VERSION").split("+git")[0] 176 pv = d.getVar("CVE_VERSION").split("+git")[0]
176 cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) 177 cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
@@ -184,16 +185,18 @@ def check_cves(d, patched_cves):
184 db_file = d.getVar("CVE_CHECK_DB_FILE") 185 db_file = d.getVar("CVE_CHECK_DB_FILE")
185 conn = sqlite3.connect(db_file) 186 conn = sqlite3.connect(db_file)
186 c = conn.cursor() 187 c = conn.cursor()
188
187 query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';" 189 query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
188 for row in c.execute(query % (bpn,pv)): 190 for idx in range(len(bpn)):
189 cve = row[1] 191 for row in c.execute(query % (bpn[idx],pv)):
190 if pv in cve_whitelist.get(cve,[]): 192 cve = row[1]
191 bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) 193 if pv in cve_whitelist.get(cve,[]):
192 elif cve in patched_cves: 194 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
193 bb.note("%s has been patched" % (cve)) 195 elif cve in patched_cves:
194 else: 196 bb.note("%s has been patched" % (cve))
195 cves_unpatched.append(cve) 197 else:
196 bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) 198 cves_unpatched.append(cve)
199 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
197 conn.close() 200 conn.close()
198 201
199 return (list(patched_cves), cves_unpatched) 202 return (list(patched_cves), cves_unpatched)