authorRoss Burton <ross.burton@arm.com>2022-08-26 18:35:47 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-09-02 15:58:25 +0100
commit3cca59a9bcba1cad84f788e0f6ae09bc00c00ed7 (patch)
tree51d705eb2ebc4d7a77e2c15b1a1bfe2d024c9cf1 /meta/classes/cve-check.bbclass
parentc9342278d7571750b7c0b5b0aced6a117d43c749 (diff)
downloadpoky-3cca59a9bcba1cad84f788e0f6ae09bc00c00ed7.tar.gz
cve-check: close cursors as soon as possible
We can have multiple processes reading the database at the same time, and cursors only release their locks when they're garbage collected. This might be the cause of random sqlite errors on the autobuilder, so explicitly close the cursors when we're done with them. (From OE-Core rev: 5d2e90e4a58217a943ec21140bc2ecdd4357a98a) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r--meta/classes/cve-check.bbclass13
1 files changed, 9 insertions, 4 deletions
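diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 5c8b512c11..4b4ea7893e 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -297,7 +297,8 @@ def check_cves(d, patched_cves):
             vendor = "%"
 
         # Find all relevant CVE IDs.
-        for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
+        cve_cursor = conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))
+        for cverow in cve_cursor:
             cve = cverow[0]
 
             if cve in cve_ignore:
@@ -316,7 +317,8 @@ def check_cves(d, patched_cves):
             vulnerable = False
             ignored = False
 
-            for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)):
+            product_cursor = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor))
+            for row in product_cursor:
                 (_, _, _, version_start, operator_start, version_end, operator_end) = row
                 #bb.debug(2, "Evaluating row " + str(row))
                 if cve in cve_ignore:
@@ -360,10 +362,12 @@ def check_cves(d, patched_cves):
                         bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
                         cves_unpatched.append(cve)
                     break
+            product_cursor.close()
 
             if not vulnerable:
                 bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
                 patched_cves.add(cve)
+        cve_cursor.close()
 
         if not cves_in_product:
             bb.note("No CVE records found for product %s, pn %s" % (product, pn))
@@ -388,14 +392,15 @@ def get_cve_info(d, cves):
     conn = sqlite3.connect(db_file, uri=True)
 
     for cve in cves:
-        for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
+        cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
+        for row in cursor:
             cve_data[row[0]] = {}
             cve_data[row[0]]["summary"] = row[1]
             cve_data[row[0]]["scorev2"] = row[2]
             cve_data[row[0]]["scorev3"] = row[3]
             cve_data[row[0]]["modified"] = row[4]
             cve_data[row[0]]["vector"] = row[5]
-
+        cursor.close()
     conn.close()
     return cve_data
 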
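Review bot: The new `product_cursor.close()` and `cve_cursor.close()` in hunk 3 and `cursor.close()` in hunk 4 run only on the normal path; an exception raised anywhere in the loop bodies (most of which lie outside these hunks) skips them and leaves the cursor, and its read lock, open until garbage collection, which is exactly the condition the commit description sets out to avoid. Wrapping each cursor in `contextlib.closing` makes the close unconditional: in hunk 1, after an `import contextlib` in the function, `with contextlib.closing(conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor))) as cve_cursor:` followed by `for cverow in cve_cursor:` with the loop body indented one level and the trailing `cve_cursor.close()` dropped; the same shape applies to `product_cursor` in hunks 2–3 and to `cursor` in get_cve_info. A cursor whose loop runs to completion is presumably reset by sqlite3 itself, so the `break` at old line 362, which leaves `product_cursor` partly consumed, is likely the case where the explicit close matters most and deserves a one-line comment saying so. Both check_cves and get_cve_info start outside the hunks, and check_cves also ends outside them.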