summaryrefslogtreecommitdiffstats
path: root/meta/classes
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-07-17 11:45:36 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-18 12:16:19 +0100
commita78725c81f78559a4223fd6822c5b886772cca4c (patch)
tree748c603e9d491c7f410eb9a12e500be2400aa1f1 /meta/classes
parentda620cc68b4d99c8be3f539ded71fedd9ada01ed (diff)
downloadpoky-a78725c81f78559a4223fd6822c5b886772cca4c.tar.gz
cve-check: allow comparison of Vendor as well as Product
Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex. If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search. Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and lets sqlite3 handle the escaping. (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r--meta/classes/cve-check.bbclass12
1 files changed, 8 insertions, 4 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2a1381604a..e8668b2566 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -190,12 +190,16 @@ def check_cves(d, patched_cves):
190 import sqlite3 190 import sqlite3
191 db_file = d.getVar("CVE_CHECK_DB_FILE") 191 db_file = d.getVar("CVE_CHECK_DB_FILE")
192 conn = sqlite3.connect(db_file) 192 conn = sqlite3.connect(db_file)
193 c = conn.cursor()
194
195 query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
196 193
197 for product in products: 194 for product in products:
198 for row in c.execute(query.format(product, pv)): 195 c = conn.cursor()
196 if ":" in product:
197 vendor, product = product.split(":", 1)
198 c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
199 else:
200 c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
201
202 for row in c:
199 cve = row[1] 203 cve = row[1]
200 version_start = row[4] 204 version_start = row[4]
201 operator_start = row[5] 205 operator_start = row[5]