diff options
| author | Ross Burton <ross.burton@arm.com> | 2024-01-22 14:04:03 +0000 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-01-23 11:53:41 +0000 |
| commit | bfaea5f7ecbfae5f962a910c6fda7ee1399b3b09 (patch) | |
| tree | 7d3317fd47e2c8829bea88247607cd9bc00bd44d /meta/lib/oe | |
| parent | ab375ea3fe58ec4655302b25b7bd6013b2a791de (diff) | |
| download | poky-bfaea5f7ecbfae5f962a910c6fda7ee1399b3b09.tar.gz | |
cve_check: cleanup logging
Primarily list the number of patches found, useful when debugging.
Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insenstive rang matches.
(From OE-Core rev: 10acc75b7f3387b968bacd51aade6a8dc11a463f)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/lib/oe')
| -rw-r--r-- | meta/lib/oe/cve_check.py | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index b5fc5364dc..ed5c714cb8 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
| @@ -79,20 +79,19 @@ def get_patched_cves(d): | |||
| 79 | import re | 79 | import re |
| 80 | import oe.patch | 80 | import oe.patch |
| 81 | 81 | ||
| 82 | pn = d.getVar("PN") | 82 | cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") |
| 83 | cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") | ||
| 84 | 83 | ||
| 85 | # Matches the last "CVE-YYYY-ID" in the file name, also if written | 84 | # Matches the last "CVE-YYYY-ID" in the file name, also if written |
| 86 | # in lowercase. Possible to have multiple CVE IDs in a single | 85 | # in lowercase. Possible to have multiple CVE IDs in a single |
| 87 | # file name, but only the last one will be detected from the file name. | 86 | # file name, but only the last one will be detected from the file name. |
| 88 | # However, patch files contents addressing multiple CVE IDs are supported | 87 | # However, patch files contents addressing multiple CVE IDs are supported |
| 89 | # (cve_match regular expression) | 88 | # (cve_match regular expression) |
| 90 | 89 | cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) | |
| 91 | cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") | ||
| 92 | 90 | ||
| 93 | patched_cves = set() | 91 | patched_cves = set() |
| 94 | bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) | 92 | patches = oe.patch.src_patches(d) |
| 95 | for url in oe.patch.src_patches(d): | 93 | bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) |
| 94 | for url in patches: | ||
| 96 | patch_file = bb.fetch.decodeurl(url)[2] | 95 | patch_file = bb.fetch.decodeurl(url)[2] |
| 97 | 96 | ||
| 98 | # Check patch file name for CVE ID | 97 | # Check patch file name for CVE ID |
| @@ -100,7 +99,7 @@ def get_patched_cves(d): | |||
| 100 | if fname_match: | 99 | if fname_match: |
| 101 | cve = fname_match.group(1).upper() | 100 | cve = fname_match.group(1).upper() |
| 102 | patched_cves.add(cve) | 101 | patched_cves.add(cve) |
| 103 | bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) | 102 | bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) |
| 104 | 103 | ||
| 105 | # Remote patches won't be present and compressed patches won't be | 104 | # Remote patches won't be present and compressed patches won't be |
| 106 | # unpacked, so say we're not scanning them | 105 | # unpacked, so say we're not scanning them |