classes: cve-check: Get shared database lock

The CVE check database needs to have a shared lock acquired on it before it is accessed. This to prevent cve-update-db-native from deleting the database file out from underneath it. [YOCTO #14899] (From OE-Core rev: 20a9911b73df62a0d0d1884e57085f13ac5016dd) Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Joshua Watt <JPEWhacker@gmail.com> 2022-08-30 10:59:39 -0500
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2022-08-31 10:40:07 +0100
commit: a19e278f2ec5fed8b4647c7541254bcb96bcdabc (patch)
tree: 003fa8c2ef6834d986059994b849f495af837181 /meta/classes/cve-check.bbclass
parent: 4d756897a47f3f93393fccf3d937e499d1a0333d (diff)
download: poky-a19e278f2ec5fed8b4647c7541254bcb96bcdabc.tar.gz
1 files changed, 12 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index d95465775d..5c8b512c11 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -145,17 +145,18 @@ python do_cve_check () {
    """
    from oe.cve_check import get_patched_cves
-    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+    with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
-        try:
+        if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
-            patched_cves = get_patched_cves(d)
+            try:
-        except FileNotFoundError:
+                patched_cves = get_patched_cves(d)
-            bb.fatal("Failure in searching patches")
+            except FileNotFoundError:
-        ignored, patched, unpatched, status = check_cves(d, patched_cves)
+                bb.fatal("Failure in searching patches")
-        if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+            ignored, patched, unpatched, status = check_cves(d, patched_cves)
-            cve_data = get_cve_info(d, patched + unpatched + ignored)
+            if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
-            cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+                cve_data = get_cve_info(d, patched + unpatched + ignored)
-    else:
+                cve_write_data(d, patched, unpatched, ignored, cve_data, status)
-        bb.note("No CVE database found, skipping CVE check")
+        else:
+            bb.note("No CVE database found, skipping CVE check")
 }
author	Joshua Watt <JPEWhacker@gmail.com>	2022-08-30 10:59:39 -0500
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2022-08-31 10:40:07 +0100
commit	a19e278f2ec5fed8b4647c7541254bcb96bcdabc (patch)
tree	003fa8c2ef6834d986059994b849f495af837181 /meta/classes/cve-check.bbclass
parent	4d756897a47f3f93393fccf3d937e499d1a0333d (diff)
download	poky-a19e278f2ec5fed8b4647c7541254bcb96bcdabc.tar.gz

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index d95465775d..5c8b512c11 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -145,17 +145,18 @@ python do_cve_check () {
145	"""	145	"""
146	from oe.cve_check import get_patched_cves	146	from oe.cve_check import get_patched_cves
147		147
148	if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):	148	with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
149	try:	149	if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
150	patched_cves = get_patched_cves(d)	150	try:
151	except FileNotFoundError:	151	patched_cves = get_patched_cves(d)
152	bb.fatal("Failure in searching patches")	152	except FileNotFoundError:
153	ignored, patched, unpatched, status = check_cves(d, patched_cves)	153	bb.fatal("Failure in searching patches")
154	if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):	154	ignored, patched, unpatched, status = check_cves(d, patched_cves)
155	cve_data = get_cve_info(d, patched + unpatched + ignored)	155	if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
156	cve_write_data(d, patched, unpatched, ignored, cve_data, status)	156	cve_data = get_cve_info(d, patched + unpatched + ignored)
157	else:	157	cve_write_data(d, patched, unpatched, ignored, cve_data, status)
158	bb.note("No CVE database found, skipping CVE check")	158	else:
		159	bb.note("No CVE database found, skipping CVE check")
159		160
160	}	161	}
161		162