diff options
| author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-07-03 11:35:06 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-07-05 12:00:20 +0100 |
| commit | 4a68a44f56c725914cfa721993a2ea8a3dc6ebd5 (patch) | |
| tree | 3cf1d843f0466b395ff94bb67a9499e59f641cbb /meta | |
| parent | a61354e965561b5d108d89864b5f9c8d15fbee39 (diff) | |
| download | poky-4a68a44f56c725914cfa721993a2ea8a3dc6ebd5.tar.gz | |
cve-update-db: Catch request.urlopen errors.
If the NVD url is not accessible, print a warning on top of the CVE
report, and continue. The database will not be fully updated, but
cve_check can still run on the previous database.
(From OE-Core rev: 0325dd72714f0b447558084f481b77f0ec850eed)
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 5 | ||||
| -rw-r--r-- | meta/recipes-core/meta/cve-update-db.bb | 30 |
2 files changed, 24 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1e7e8dd441..81071e3f19 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -51,14 +51,15 @@ python do_cve_check () { | |||
| 51 | Check recipe for patched and unpatched CVEs | 51 | Check recipe for patched and unpatched CVEs |
| 52 | """ | 52 | """ |
| 53 | 53 | ||
| 54 | if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): | 54 | if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): |
| 55 | patched_cves = get_patches_cves(d) | 55 | patched_cves = get_patches_cves(d) |
| 56 | patched, unpatched = check_cves(d, patched_cves) | 56 | patched, unpatched = check_cves(d, patched_cves) |
| 57 | if patched or unpatched: | 57 | if patched or unpatched: |
| 58 | cve_data = get_cve_info(d, patched + unpatched) | 58 | cve_data = get_cve_info(d, patched + unpatched) |
| 59 | cve_write_data(d, patched, unpatched, cve_data) | 59 | cve_write_data(d, patched, unpatched, cve_data) |
| 60 | else: | 60 | else: |
| 61 | bb.note("Failed to update CVE database, skipping CVE check") | 61 | bb.note("No CVE database found, skipping CVE check") |
| 62 | |||
| 62 | } | 63 | } |
| 63 | 64 | ||
| 64 | addtask cve_check after do_unpack before do_build | 65 | addtask cve_check after do_unpack before do_build |
diff --git a/meta/recipes-core/meta/cve-update-db.bb b/meta/recipes-core/meta/cve-update-db.bb index 3e5bae8b1d..ae8f1a958b 100644 --- a/meta/recipes-core/meta/cve-update-db.bb +++ b/meta/recipes-core/meta/cve-update-db.bb | |||
| @@ -28,6 +28,7 @@ python do_populate_cve_db() { | |||
| 28 | db_file = db_dir + '/nvd-json.db' | 28 | db_file = db_dir + '/nvd-json.db' |
| 29 | json_tmpfile = db_dir + '/nvd.json.gz' | 29 | json_tmpfile = db_dir + '/nvd.json.gz' |
| 30 | proxy = d.getVar("https_proxy") | 30 | proxy = d.getVar("https_proxy") |
| 31 | cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a') | ||
| 31 | 32 | ||
| 32 | if not os.path.isdir(db_dir): | 33 | if not os.path.isdir(db_dir): |
| 33 | os.mkdir(db_dir) | 34 | os.mkdir(db_dir) |
| @@ -47,9 +48,13 @@ python do_populate_cve_db() { | |||
| 47 | req = urllib.request.Request(meta_url) | 48 | req = urllib.request.Request(meta_url) |
| 48 | if proxy: | 49 | if proxy: |
| 49 | req.set_proxy(proxy, 'https') | 50 | req.set_proxy(proxy, 'https') |
| 50 | with urllib.request.urlopen(req) as r: | 51 | try: |
| 51 | date_line = str(r.read().splitlines()[0]) | 52 | with urllib.request.urlopen(req, timeout=1) as r: |
| 52 | last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1) | 53 | date_line = str(r.read().splitlines()[0]) |
| 54 | last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1) | ||
| 55 | except: | ||
| 56 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') | ||
| 57 | break | ||
| 53 | 58 | ||
| 54 | # Compare with current db last modified date | 59 | # Compare with current db last modified date |
| 55 | c.execute("select DATE from META where YEAR = '%d'" % year) | 60 | c.execute("select DATE from META where YEAR = '%d'" % year) |
| @@ -59,19 +64,26 @@ python do_populate_cve_db() { | |||
| 59 | req = urllib.request.Request(json_url) | 64 | req = urllib.request.Request(json_url) |
| 60 | if proxy: | 65 | if proxy: |
| 61 | req.set_proxy(proxy, 'https') | 66 | req.set_proxy(proxy, 'https') |
| 62 | with urllib.request.urlopen(req) as r, open(json_tmpfile, 'wb') as tmpfile: | 67 | try: |
| 63 | shutil.copyfileobj(r, tmpfile) | 68 | with urllib.request.urlopen(req, timeout=1) as r, \ |
| 69 | open(json_tmpfile, 'wb') as tmpfile: | ||
| 70 | shutil.copyfileobj(r, tmpfile) | ||
| 71 | except: | ||
| 72 | cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n') | ||
| 73 | break | ||
| 74 | |||
| 64 | with gzip.open(json_tmpfile, 'rt') as jsonfile: | 75 | with gzip.open(json_tmpfile, 'rt') as jsonfile: |
| 65 | update_db(c, jsonfile) | 76 | update_db(c, jsonfile) |
| 66 | c.execute("insert or replace into META values (?, ?)", | 77 | c.execute("insert or replace into META values (?, ?)", |
| 67 | [year, last_modified]) | 78 | [year, last_modified]) |
| 68 | 79 | ||
| 80 | # Update success, set the date to cve_check file. | ||
| 81 | if year == date.today().year: | ||
| 82 | cve_f.write('CVE database update : %s\n\n' % date.today()) | ||
| 83 | |||
| 84 | cve_f.close() | ||
| 69 | conn.commit() | 85 | conn.commit() |
| 70 | conn.close() | 86 | conn.close() |
| 71 | |||
| 72 | cve_check_tmp_file = d.getVar("TMPDIR") + '/cve_check' | ||
| 73 | with open(cve_check_tmp_file, 'a'): | ||
| 74 | os.utime(cve_check_tmp_file, None) | ||
| 75 | } | 87 | } |
| 76 | 88 | ||
| 77 | # DJB2 hash algorithm | 89 | # DJB2 hash algorithm |