author | Ross Burton <ross.burton@intel.com> | 2019-06-24 11:42:55 +0100 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-06-27 12:20:35 +0100 |
commit | db98b1ef483c6e0f4a31c752aed1a2c5b2780ced (patch) | |
tree | 7bae2af50382781d2d7a8977886e8d8b6f98fecd /meta/classes | |
parent | 3baf4d7fd0887519d5d38ac0afd7d1963261a95f (diff) | |
cve-check: be idiomatic
Instead of generating a series of indexes via range(len(list)), just iterate the
list.
(From OE-Core rev: 27eb839ee651c2d584db42d23bcf5dd764eb33f1)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/cve-check.bbclass | 17 |
1 files changed, 9 insertions, 8 deletions
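--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -170,18 +170,19 @@ def check_cves(d, patched_cves):
 
 cves_unpatched = []
 # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
-bpn = d.getVar("CVE_PRODUCT").split()
+products = d.getVar("CVE_PRODUCT").split()
 # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
-if len(bpn) == 0:
+if not products:
 return ([], [])
 pv = d.getVar("CVE_VERSION").split("+git")[0]
-cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
 
 # If the recipe has been whitlisted we return empty lists
 if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
 bb.note("Recipe has been whitelisted, skipping check")
 return ([], [])
 
+cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
+
 import sqlite3
 db_file = d.getVar("CVE_CHECK_DB_FILE")
 conn = sqlite3.connect(db_file)
@@ -190,8 +191,8 @@ def check_cves(d, patched_cves):
 query = """SELECT * FROM PRODUCTS WHERE
 (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
 (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
-for idx in range(len(bpn)):
-for row in c.execute(query.format(bpn[idx],pv)):
+for product in products:
+for row in c.execute(query.format(product, pv)):
 cve = row[1]
 version = row[4]
 
@@ -200,15 +201,15 @@ def check_cves(d, patched_cves):
 except:
 discardVersion = True
 
-if pv in cve_whitelist.get(cve,[]):
-bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
+if pv in cve_whitelist.get(cve, []):
+bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
 elif cve in patched_cves:
 bb.note("%s has been patched" % (cve))
 elif discardVersion:
 bb.debug(2, "Do not consider version %s " % (version))
 else:
 cves_unpatched.append(cve)
-bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
 conn.close()
 
 return (list(patched_cves), cves_unpatched)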
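Review bot: The rewritten loop in the second hunk still builds the SQL text with `query.format(product, pv)`, so the CVE_PRODUCT and CVE_VERSION values are pasted between single quotes instead of being bound as parameters. A product or version string containing a quote would break the statement or change what it selects, which for a CVE scanner can mean a recipe is silently reported as clean. I would replace `'{0}'` and `'{1}'` in the query with the named placeholders `:product` and `:pv` and call `c.execute(query, {"product": product, "pv": pv})`. These values come from recipe metadata, so whether they are ever attacker-influenced depends on which layers are trusted; binding them removes the question. check_cves begins above the first hunk, so anything earlier in the function is not covered here.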