author: Mikko Rapeli <mikko.rapeli@bmw.de> 2017-07-20 16:23:11 +0300
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-07-24 09:13:32 +0100
commit: 87af2104afc3c6119ac150873aca0aeded3d3c42 (patch)
tree: 9dd8aac58e1859176a663fc6d5ad059c4d03ca5b /meta/classes/cve-check.bbclass
parent: a2cf84affff8a78fdaa8fabcfa9b40be1936678e (diff)
download: poky-87af2104afc3c6119ac150873aca0aeded3d3c42.tar.gz
cve-check.bbclass: use "+git" as separator in PV instead of "git+"
PV is the recipe major version number. cve-check tries to map that to NVD database release versions of the component. If the recipe sources are taken from git, the PV can be automatically modified to include git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9. In CVE checks we want to remove the git details and just use the major version information, in this example 233. Thus use "+git" as the separator and use the first part before the separator as SW product version number in CVE check.

Fixes version number for e.g. systemd recipe. If systemd PV is 233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where latest release mentioned is plain 233. If the filter is set to +git, then CVE PV is 233 and issues like this are detected by do_cve_check:

https://nvd.nist.gov/vuln/detail/CVE-2017-1000082

(From OE-Core rev: db8815abe3db60b0510fb378bf6d82172c2f2768)

Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- meta/classes/cve-check.bbclass 2
1 files changed, 1 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8dde4a2cf1..f44bbed6ac 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -155,7 +155,7 @@ def check_cves(d, patched_cves):
155 cves_patched = [] 155 cves_patched = []
156 cves_unpatched = [] 156 cves_unpatched = []
157 bpn = d.getVar("CVE_PRODUCT") 157 bpn = d.getVar("CVE_PRODUCT")
158 pv = d.getVar("PV").split("git+")[0] 158 pv = d.getVar("PV").split("+git")[0]
159 cves = " ".join(patched_cves) 159 cves = " ".join(patched_cves)
160 cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") 160 cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
161 cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) 161 cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
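Review bot: the new `pv = d.getVar("PV").split("+git")[0]` on line 158 carries no comment, so a later reader has to dig up this commit to learn why "+git" rather than "git+" is the separator and which PV form (233+gitAUTOINC+a1e2ef7ec9, per the commit message) it is meant to strip; a one-line comment above the assignment such as `# strip the "+gitAUTOINC+<rev>" suffix so PV matches the NVD release version` would save that trip. Worth stating in the change description as well: because "git+" never occurs in that autogenerated suffix, the old split was effectively a no-op and the full PV went into the lookup, so git-sourced recipes may have been silently reporting no CVE matches; users should expect do_cve_check results for those recipes to change after this lands.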