cve-check: backport rewrite from master

As detailed at [1] the XML feeds provided by NIST are being discontinued on October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be inoperable after this date. To ensure that cve-check continues working, backport the following commits from master to move away from the unmaintained cve-check-tool to our own Python code that fetches the JSON: 546d14135c5 cve-update-db: New recipe to update CVE database bc144b028f6 cve-check: Remove dependency to cve-check-tool-native 7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name 3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator c0eabd30d7b cve-update-db: Use std library instead of urllib3 27eb839ee65 cve-check: be idiomatic 09be21f4d17 cve-update-db: Manage proxy if needed. 975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch 0325dd72714 cve-update-db: Catch request.urlopen errors. 4078da92b49 cve-check: Depends on cve-update-db-native f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table bc0195be1b1 cve-check: Update unpatched CVE matching c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded. 07bb8b25e17 cve-check: remove redundant readline CVE whitelisting 5388ed6d137 cve-check-tool: remove 270ac00cb43 cve-check.bbclass: initialize to_append e6bf9000987 cve-check: allow comparison of Vendor as well as Product 91770338f76 cve-update-db-native: use SQL placeholders instead of format strings 7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST 78de2cb39d7 cve-update-db-native: Remove hash column from database. 4b301030cf9 cve-update-db-native: use os.path.join instead of + f0d822fad2a cve-update-db: actually inherit native b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion bb4e53af33d cve-update-db-native: improve metadata parsing 94227459792 cve-update-db-native: clean up JSON fetching 95438d52b73 cve-update-db-native: fix https proxy issues 1f9a963b9ff glibc: exclude child recipes from CVE scanning [1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement (From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb) (From OE-Core rev: beeed02f9831e75c3f773e44d7efc726f1ff859c) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Ross Burton <ross.burton@intel.com> 2019-12-08 20:35:47 +0200
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2019-12-16 23:11:10 +0000
commit: 593fe7e35267f665dbb37cc0abcc82be55ac67f8 (patch)
tree: 91bf149b019845a339354d9be48d4aed1b8b6c93 /meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
parent: 53acd121ab1097435812e3922bad7f8ff75f7107 (diff)
download: poky-593fe7e35267f665dbb37cc0abcc82be55ac67f8.tar.gz
1 files changed, 0 insertions, 62 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
deleted file mode 100644
index 1c84fb1cf2..0000000000
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ /dev/null
@@ -1,62 +0,0 @@
-SUMMARY = "cve-check-tool"
-DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
-The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
-HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
-SECTION = "Development/Tools"
-LICENSE = "GPL-2.0+"
-LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
-SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
-           file://check-for-malloc_trim-before-using-it.patch \
-           file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
-           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
-           file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
-           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
-          "
-SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
-SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
-UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
-DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
-RDEPENDS_${PN} = "ca-certificates"
-inherit pkgconfig autotools
-EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
-CFLAGS_append = " -Wno-error=pedantic"
-do_populate_cve_db() {
-    if [ "${BB_NO_NETWORK}" = "1" ] ; then
-        bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
-        return
-    fi
-    # In case we don't inherit cve-check class, use default values defined in the class.
-    cve_dir="${CVE_CHECK_DB_DIR}"
-    cve_file="${CVE_CHECK_TMP_FILE}"
-    [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
-    [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
-    unused="${@bb.utils.export_proxies(d)}"
-    bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
-    # --cacert works around curl-native not finding the CA bundle
-    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
-        printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
-    else
-        bbwarn "Error in executing cve-check-update"
-        if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
-            bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
-        fi
-    fi
-}
-addtask populate_cve_db after do_populate_sysroot
-do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
-do_populate_cve_db[nostamp] = "1"
-do_populate_cve_db[progress] = "percent"
-BBCLASSEXTEND = "native nativesdk"
author	Ross Burton <ross.burton@intel.com>	2019-12-08 20:35:47 +0200
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2019-12-16 23:11:10 +0000
commit	593fe7e35267f665dbb37cc0abcc82be55ac67f8 (patch)
tree	91bf149b019845a339354d9be48d4aed1b8b6c93 /meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
parent	53acd121ab1097435812e3922bad7f8ff75f7107 (diff)
download	poky-593fe7e35267f665dbb37cc0abcc82be55ac67f8.tar.gz

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb deleted file mode 100644 index 1c84fb1cf2..0000000000 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ /dev/null
@@ -1,62 +0,0 @@
1	SUMMARY = "cve-check-tool"
2	DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
3	The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."
4	HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool"
5	SECTION = "Development/Tools"
6	LICENSE = "GPL-2.0+"
7	LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
8
9	SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
10	file://check-for-malloc_trim-before-using-it.patch \
11	file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
12	file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
13	file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
14	file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
15	"
16
17	SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
18	SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"
19
20	UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases"
21
22	DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"
23
24	RDEPENDS_${PN} = "ca-certificates"
25
26	inherit pkgconfig autotools
27
28	EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
29	CFLAGS_append = " -Wno-error=pedantic"
30
31	do_populate_cve_db() {
32	if [ "${BB_NO_NETWORK}" = "1" ] ; then
33	bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"
34	return
35	fi
36
37	# In case we don't inherit cve-check class, use default values defined in the class.
38	cve_dir="${CVE_CHECK_DB_DIR}"
39	cve_file="${CVE_CHECK_TMP_FILE}"
40
41	[ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"
42	[ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
43
44	unused="${@bb.utils.export_proxies(d)}"
45	bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
46	# --cacert works around curl-native not finding the CA bundle
47	if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
48	printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
49	else
50	bbwarn "Error in executing cve-check-update"
51	if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then
52	bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"
53	fi
54	fi
55	}
56
57	addtask populate_cve_db after do_populate_sysroot
58	do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
59	do_populate_cve_db[nostamp] = "1"
60	do_populate_cve_db[progress] = "percent"
61
62	BBCLASSEXTEND = "native nativesdk"