summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-07-19 21:33:18 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-22 17:31:03 +0100
commit297605eec0077c82ee7405c0172643e3cec85c3a (patch)
tree7cbc2e83c10777e86118d5299d896b97c2a498e9 /meta/recipes-core
parent8ec4cd3e2addcfa29cfe8b5a2777d9b7e305e43e (diff)
downloadpoky-297605eec0077c82ee7405c0172643e3cec85c3a.tar.gz
cve-update-db-native: improve metadata parsing
The metadata parser is fragile: first it coerces a bytes() to a str() (so the string is b'LastModifiedDate:2019...'), assumes the first line is the date, and then uses a regex to parse (which then includes the trailing quote as part of the date). Clean this up by parsing the bytes as UTF-8 (ASCII is probably fine, but this is safer), iterate through the lines and split on colons to find the right key/value pair. (From OE-Core rev: bb4e53af33d6ca1e9346464adbdc1b39c47530f3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb18
1 files changed, 10 insertions, 8 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 09e19c0aae..41a2aa8f20 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -22,7 +22,7 @@ python do_populate_cve_db() {
22 Update NVD database with json data feed 22 Update NVD database with json data feed
23 """ 23 """
24 24
25 import sqlite3, urllib, shutil, gzip, re 25 import sqlite3, urllib, shutil, gzip
26 from datetime import date 26 from datetime import date
27 27
28 BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" 28 BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
@@ -52,13 +52,15 @@ python do_populate_cve_db() {
52 req = urllib.request.Request(meta_url) 52 req = urllib.request.Request(meta_url)
53 if proxy: 53 if proxy:
54 req.set_proxy(proxy, 'https') 54 req.set_proxy(proxy, 'https')
55 try: 55 with urllib.request.urlopen(req) as r:
56 with urllib.request.urlopen(req, timeout=1) as r: 56 for l in r.read().decode("utf-8").splitlines():
57 date_line = str(r.read().splitlines()[0]) 57 key, value = l.split(":", 1)
58 last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1) 58 if key == "lastModifiedDate":
59 except: 59 last_modified = value
60 cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') 60 break
61 break 61 else:
62 bb.warn("Cannot parse CVE metadata, update failed")
63 return
62 64
63 # Compare with current db last modified date 65 # Compare with current db last modified date
64 c.execute("select DATE from META where YEAR = ?", (year,)) 66 c.execute("select DATE from META where YEAR = ?", (year,))