diff options
| author | Chris Laplante <chris.laplante@agilent.com> | 2020-09-29 11:57:46 -0400 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-09-30 15:01:51 +0100 |
| commit | 3d24ecf5406ae75a3acfca2e028581b675d04a8d (patch) | |
| tree | 7f01851145127f52238c0f83b2b7a32855cc5800 /meta/classes | |
| parent | 47a35a3843258e8c590d62603d5062d0b096a22d (diff) | |
| download | poky-3d24ecf5406ae75a3acfca2e028581b675d04a8d.tar.gz | |
cve-check: add CVE_CHECK_REPORT_PATCHED variable to suppress reporting of patched CVEs
Default behavior is not changed. To suppress patched CVEs, set:
CVE_CHECK_REPORT_PATCHED = ""
(From OE-Core rev: 05bd9f1f006cf94cf5324f96df29cd5862abaf45)
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index df28a93687..25cefda92e 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -41,14 +41,16 @@ CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve | |||
| 41 | CVE_CHECK_COPY_FILES ??= "1" | 41 | CVE_CHECK_COPY_FILES ??= "1" |
| 42 | CVE_CHECK_CREATE_MANIFEST ??= "1" | 42 | CVE_CHECK_CREATE_MANIFEST ??= "1" |
| 43 | 43 | ||
| 44 | CVE_CHECK_REPORT_PATCHED ??= "1" | ||
| 45 | |||
| 44 | # Whitelist for packages (PN) | 46 | # Whitelist for packages (PN) |
| 45 | CVE_CHECK_PN_WHITELIST ?= "" | 47 | CVE_CHECK_PN_WHITELIST ?= "" |
| 46 | 48 | ||
| 47 | # Whitelist for CVE. If a CVE is found, then it is considered patched. | 49 | # Whitelist for CVE. If a CVE is found, then it is considered patched. |
| 48 | # The value is a string containing space separated CVE values: | 50 | # The value is a string containing space separated CVE values: |
| 49 | # | 51 | # |
| 50 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' | 52 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' |
| 51 | # | 53 | # |
| 52 | CVE_CHECK_WHITELIST ?= "" | 54 | CVE_CHECK_WHITELIST ?= "" |
| 53 | 55 | ||
| 54 | python cve_save_summary_handler () { | 56 | python cve_save_summary_handler () { |
| @@ -332,12 +334,15 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
| 332 | bb.utils.mkdirhier(os.path.dirname(cve_file)) | 334 | bb.utils.mkdirhier(os.path.dirname(cve_file)) |
| 333 | 335 | ||
| 334 | for cve in sorted(cve_data): | 336 | for cve in sorted(cve_data): |
| 337 | is_patched = cve in patched | ||
| 338 | if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): | ||
| 339 | continue | ||
| 335 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") | 340 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") |
| 336 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) | 341 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) |
| 337 | write_string += "CVE: %s\n" % cve | 342 | write_string += "CVE: %s\n" % cve |
| 338 | if cve in whitelisted: | 343 | if cve in whitelisted: |
| 339 | write_string += "CVE STATUS: Whitelisted\n" | 344 | write_string += "CVE STATUS: Whitelisted\n" |
| 340 | elif cve in patched: | 345 | elif is_patched: |
| 341 | write_string += "CVE STATUS: Patched\n" | 346 | write_string += "CVE STATUS: Patched\n" |
| 342 | else: | 347 | else: |
| 343 | unpatched_cves.append(cve) | 348 | unpatched_cves.append(cve) |
| @@ -351,19 +356,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
| 351 | if unpatched_cves: | 356 | if unpatched_cves: |
| 352 | bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) | 357 | bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) |
| 353 | 358 | ||
| 354 | with open(cve_file, "w") as f: | 359 | if write_string: |
| 355 | bb.note("Writing file %s with CVE information" % cve_file) | 360 | with open(cve_file, "w") as f: |
| 356 | f.write(write_string) | 361 | bb.note("Writing file %s with CVE information" % cve_file) |
| 357 | |||
| 358 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": | ||
| 359 | deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") | ||
| 360 | bb.utils.mkdirhier(os.path.dirname(deploy_file)) | ||
| 361 | with open(deploy_file, "w") as f: | ||
| 362 | f.write(write_string) | 362 | f.write(write_string) |
| 363 | 363 | ||
| 364 | if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": | 364 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": |
| 365 | cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") | 365 | deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") |
| 366 | bb.utils.mkdirhier(cvelogpath) | 366 | bb.utils.mkdirhier(os.path.dirname(deploy_file)) |
| 367 | with open(deploy_file, "w") as f: | ||
| 368 | f.write(write_string) | ||
| 369 | |||
| 370 | if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": | ||
| 371 | cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") | ||
| 372 | bb.utils.mkdirhier(cvelogpath) | ||
| 367 | 373 | ||
| 368 | with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: | 374 | with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: |
| 369 | f.write("%s" % write_string) | 375 | f.write("%s" % write_string) |