summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorFrank de Brabander <debrabander@gmail.com>2022-10-18 18:37:51 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-10-25 13:42:03 +0100
commit180de83da8ac66c2a66465d739896617056b9d0a (patch)
tree900a8dd19e88ecdfe848bba3760ae32467e46d7b /meta/recipes-core
parentee9db0d1fdb13c333cabe36b94c97bbc19319e1f (diff)
downloadpoky-180de83da8ac66c2a66465d739896617056b9d0a.tar.gz
cve-update-db-native: add timeout to urlopen() calls
The urlopen() call can block indefinitely under some circumstances. This can result in the bitbake process to run endlessly because of the 'do_fetch' task of cve-update-bb-native to remain active. This adds a default timeout of 60 seconds to avoid this hang, while being large enough to minimize the risk of unwanted timeouts. (From OE-Core rev: e5f6652854f544106b40d860de2946954de642f3) Signed-off-by: Frank de Brabander <debrabander@gmail.com> Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/meta/cve-update-db-native.bb9
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index 944243fce9..9b9dbbd75f 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -18,6 +18,9 @@ NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-"
18# Use a negative value to skip the update 18# Use a negative value to skip the update
19CVE_DB_UPDATE_INTERVAL ?= "86400" 19CVE_DB_UPDATE_INTERVAL ?= "86400"
20 20
21# Timeout for blocking socket operations, such as the connection attempt.
22CVE_SOCKET_TIMEOUT ?= "60"
23
21python () { 24python () {
22 if not bb.data.inherits_class("cve-check", d): 25 if not bb.data.inherits_class("cve-check", d):
23 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.") 26 raise bb.parse.SkipRecipe("Skip recipe when cve-check class is not loaded.")
@@ -39,6 +42,8 @@ python do_fetch() {
39 db_file = d.getVar("CVE_CHECK_DB_FILE") 42 db_file = d.getVar("CVE_CHECK_DB_FILE")
40 db_dir = os.path.dirname(db_file) 43 db_dir = os.path.dirname(db_file)
41 44
45 cve_socket_timeout = int(d.getVar("CVE_SOCKET_TIMEOUT"))
46
42 if os.path.exists("{0}-journal".format(db_file)): 47 if os.path.exists("{0}-journal".format(db_file)):
43 # If a journal is present the last update might have been interrupted. In that case, 48 # If a journal is present the last update might have been interrupted. In that case,
44 # just wipe any leftovers and force the DB to be recreated. 49 # just wipe any leftovers and force the DB to be recreated.
@@ -79,7 +84,7 @@ python do_fetch() {
79 84
80 # Retrieve meta last modified date 85 # Retrieve meta last modified date
81 try: 86 try:
82 response = urllib.request.urlopen(meta_url) 87 response = urllib.request.urlopen(meta_url, timeout=cve_socket_timeout)
83 except urllib.error.URLError as e: 88 except urllib.error.URLError as e:
84 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n') 89 cve_f.write('Warning: CVE db update error, Unable to fetch CVE data.\n\n')
85 bb.warn("Failed to fetch CVE data (%s)" % e.reason) 90 bb.warn("Failed to fetch CVE data (%s)" % e.reason)
@@ -107,7 +112,7 @@ python do_fetch() {
107 112
108 # Update db with current year json file 113 # Update db with current year json file
109 try: 114 try:
110 response = urllib.request.urlopen(json_url) 115 response = urllib.request.urlopen(json_url, timeout=cve_socket_timeout)
111 if response: 116 if response:
112 update_db(conn, gzip.decompress(response.read()).decode('utf-8')) 117 update_db(conn, gzip.decompress(response.read()).decode('utf-8'))
113 conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close() 118 conn.execute("insert or replace into META values (?, ?)", [year, last_modified]).close()