diff options
author | Mikko Rapeli <mikko.rapeli@bmw.de> | 2017-07-20 16:23:11 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2017-07-24 09:13:32 +0100 |
commit | 87af2104afc3c6119ac150873aca0aeded3d3c42 (patch) | |
tree | 9dd8aac58e1859176a663fc6d5ad059c4d03ca5b /meta/classes/cve-check.bbclass | |
parent | a2cf84affff8a78fdaa8fabcfa9b40be1936678e (diff) | |
download | poky-87af2104afc3c6119ac150873aca0aeded3d3c42.tar.gz |
cve-check.bbclass: use "+git" as separator in PV instead of "git+"
PV is the recipe major version number. cve-check tries to map that to
NVD database release versions of the component. If the recipe sources
are taken from git, the PV can be automatically modified to include
git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9.
In CVE checks we want to remove the git details and just use the major
version information, in this example 233.
Thus use "+git" as the separator and use the first part before the separator
as SW product version number in CVE check.
Fixes version number for e.g. systemd recipe. If systemd PV is
233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where
latest release mentioned is plain 233. If the filter is set to +git, then
CVE PV is 233 and issues like this are detected by do_cve_check:
https://nvd.nist.gov/vuln/detail/CVE-2017-1000082
(From OE-Core rev: db8815abe3db60b0510fb378bf6d82172c2f2768)
Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- | meta/classes/cve-check.bbclass | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 8dde4a2cf1..f44bbed6ac 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -155,7 +155,7 @@ def check_cves(d, patched_cves): | |||
155 | cves_patched = [] | 155 | cves_patched = [] |
156 | cves_unpatched = [] | 156 | cves_unpatched = [] |
157 | bpn = d.getVar("CVE_PRODUCT") | 157 | bpn = d.getVar("CVE_PRODUCT") |
158 | pv = d.getVar("PV").split("git+")[0] | 158 | pv = d.getVar("PV").split("+git")[0] |
159 | cves = " ".join(patched_cves) | 159 | cves = " ".join(patched_cves) |
160 | cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") | 160 | cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") |
161 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | 161 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) |