cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning

add CVE_VERSION_SUFFIX to indicate the version suffix type, currently works in two value, "alphabetical" if the version string uses single alphabetical character suffix as incremental release, blank to not consider the unidentified suffixes. This can be expand when more suffix pattern identified. refactor cve_check.Version class to use functools and add parameter to handle suffix condition. Also update testcases to cover new changes. (From OE-Core rev: 5dfd5ad5144708b474ef31eaa89a846c57be8ac0) Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Lee Chee Yang <chee.yang.lee@intel.com> 2021-01-29 11:51:15 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-01-30 10:41:04 +0000
commit: 86b42289bda5bc2a4eff221ab476f170dd3d3794 (patch)
tree: e936bb438cb97ea1a07db5517bc29524e2af501f /meta/classes
parent: ef208aaf0f05c478a3dbade3d2bfd3744f91d87e (diff)
download: poky-86b42289bda5bc2a4eff221ab476f170dd3d3794.tar.gz
1 files changed, 8 insertions, 4 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 646cc879dd..ed86403b6b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -53,6 +53,9 @@ CVE_CHECK_PN_WHITELIST ?= ""
 #
 CVE_CHECK_WHITELIST ?= ""
+# set to "alphabetical" for version using single alphabetical character as increament release
+CVE_VERSION_SUFFIX ??= ""
 python cve_save_summary_handler () {
    import shutil
    import datetime
@@ -210,6 +213,7 @@ def check_cves(d, patched_cves):
    pn = d.getVar("PN")
    real_pv = d.getVar("PV")
+    suffix = d.getVar("CVE_VERSION_SUFFIX")
    cves_unpatched = []
    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -263,8 +267,8 @@ def check_cves(d, patched_cves):
                else:
                    if operator_start:
                        try:
-                            vulnerable_start =  (operator_start == '>=' and Version(pv) >= Version(version_start))
+                            vulnerable_start =  (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
-                            vulnerable_start |= (operator_start == '>' and Version(pv) > Version(version_start))
+                            vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
                        except:
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_start, version_start, cve))
@@ -274,8 +278,8 @@ def check_cves(d, patched_cves):
                    if operator_end:
                        try:
-                            vulnerable_end  = (operator_end == '<=' and Version(pv) <= Version(version_end) )
+                            vulnerable_end  = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
-                            vulnerable_end |= (operator_end == '<' and Version(pv) < Version(version_end) )
+                            vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
                        except:
                            bb.warn("%s: Failed to compare %s %s %s for %s" %
                                    (product, pv, operator_end, version_end, cve))
author	Lee Chee Yang <chee.yang.lee@intel.com>	2021-01-29 11:51:15 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-01-30 10:41:04 +0000
commit	86b42289bda5bc2a4eff221ab476f170dd3d3794 (patch)
tree	e936bb438cb97ea1a07db5517bc29524e2af501f /meta/classes
parent	ef208aaf0f05c478a3dbade3d2bfd3744f91d87e (diff)
download	poky-86b42289bda5bc2a4eff221ab476f170dd3d3794.tar.gz