| author | Saul Wold <Saul.Wold@windriver.com> | 2022-03-09 09:40:52 -0800 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-10 08:00:28 +0000 |
| commit | d9e500f83d0223925ca2595c77c8fb45eab10f7c (patch) | |
| tree | 5b8fc1787ced86daebd7a7e26dd3bd69f9d5551b /meta/classes/cve-check.bbclass | |
| parent | 8827a3ed80ec8f0adcf4b778f88cb8f9f051262b (diff) | |
| download | poky-d9e500f83d0223925ca2595c77c8fb45eab10f7c.tar.gz | |
meta/scripts: Improve internal variable naming
Update internal variable names to improve the terms used.
(From OE-Core rev: f408068e5d7998ae165f3002e51bc54b380b8099)
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 31 |
1 files changed, 16 insertions, 15 deletions
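diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 079d09a76f..dfad10c22b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -43,11 +43,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1"
 
 CVE_CHECK_REPORT_PATCHED ??= "1"
 
-# Whitelist for packages (PN)
+# Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
 
-# Whitelist for CVE. If a CVE is found, then it is considered patched.
-# The value is a string containing space separated CVE values:
+# Ingore the check for a given list of CVEs. If a CVE is found,
+# then it is considered patched. The value is a string containing
+# space separated CVE values:
 #
 # CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
 #
@@ -101,10 +102,10 @@ python do_cve_check () {
             patched_cves = get_patched_cves(d)
         except FileNotFoundError:
             bb.fatal("Failure in searching patches")
-        whitelisted, patched, unpatched = check_cves(d, patched_cves)
+        ignored, patched, unpatched = check_cves(d, patched_cves)
         if patched or unpatched:
             cve_data = get_cve_info(d, patched + unpatched)
-            cve_write_data(d, patched, unpatched, whitelisted, cve_data)
+            cve_write_data(d, patched, unpatched, ignored, cve_data)
     else:
         bb.note("No CVE database found, skipping CVE check")
 
@@ -176,12 +177,12 @@ def check_cves(d, patched_cves):
         return ([], [], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
-    # If the recipe has been whitelisted we return empty lists
+    # If the recipe has been skipped/ignored we return empty lists
     if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
-        bb.note("Recipe has been whitelisted, skipping check")
+        bb.note("Recipe has been skipped by cve-check")
         return ([], [], [])
 
-    cve_whitelist = d.getVar("CVE_CHECK_IGNORE").split()
+    cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
 
     import sqlite3
     db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
@@ -198,9 +199,9 @@ def check_cves(d, patched_cves):
         for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
             cve = cverow[0]
 
-            if cve in cve_whitelist:
-                bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
-                # TODO: this should be in the report as 'whitelisted'
+            if cve in cve_ignore:
+                bb.note("%s-%s has been ignored for %s" % (product, pv, cve))
+                # TODO: this should be in the report as 'ignored'
                 patched_cves.add(cve)
                 continue
             elif cve in patched_cves:
@@ -254,7 +255,7 @@ def check_cves(d, patched_cves):
 
     conn.close()
 
-    return (list(cve_whitelist), list(patched_cves), cves_unpatched)
+    return (list(cve_ignore), list(patched_cves), cves_unpatched)
 
 def get_cve_info(d, cves):
     """
@@ -279,7 +280,7 @@ def get_cve_info(d, cves):
     conn.close()
     return cve_data
 
-def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
+def cve_write_data(d, patched, unpatched, ignored, cve_data):
     """
     Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
     CVE manifest if enabled.
@@ -312,8 +313,8 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if cve in whitelisted:
-            write_string += "CVE STATUS: Whitelisted\n"
+        if cve in ignored:
+            write_string += "CVE STATUS: Ignored\n"
         elif is_patched:
             write_string += "CVE STATUS: Patched\n"
         else: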
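Review bot: `CVE STATUS: Ignored` in the last hunk changes the text written to the cve-check report, which is an output format consumed by other tooling rather than an internal name, so anything that parses the report for `Whitelisted` will silently stop matching these entries; the commit message should call this out, or both spellings could be documented for one release. The new comment in the first hunk also carries a typo: `# Ingore the check for a given list of CVEs. If a CVE is found,` should read `# Ignore the check for a given list of CVEs. If a CVE is found,`. Less certain, but in view: the `# TODO: this should be in the report as 'ignored'` line is kept, yet `cve_write_data` now tests `if cve in ignored:` before `is_patched` and writes `CVE STATUS: Ignored`, so the TODO looks stale and could be dropped in the same rename. The bodies of `check_cves` and `cve_write_data` continue outside these hunks.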
