authorMikko Rapeli <mikko.rapeli@bmw.de>2017-09-04 09:22:14 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-09-05 15:01:02 +0100
commitbeb089b23627f084695f17802ffc5af192bbdbee (patch)
tree32f3df3f1932d68b019ee89b30d60d171ac7cec5 /meta
parentf30adee451c28ffd19f30adb9bc88c76281a7ad5 (diff)
cve-check.bbclass: detect patched CVE's also from patch file names
While the poky master branch has been fixed so that all CVE patch files have the CVE: CVE-2017-1234556 strings in the patch comments, many older versions of poky and other meta layers have not, but the CVE patches quite often have the CVE id in the patch file name. If the CVE: string is also found, there are no duplicates in the report. (From OE-Core rev: 5ee5b0c66627c9e974c838b86e2e659c2f601f2a) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/cve-check.bbclass16
1 files changed, 15 insertions, 1 deletions
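--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -118,10 +118,24 @@ def get_patches_cves(d):
 
 pn = d.getVar("PN")
 cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+# Matches last CVE-1234-211432 in the file name, also if written
+# with small letters. Not supporting multiple CVE id's in a single
+# file name.
+cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
 patched_cves = set()
 bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
 for url in src_patches(d):
 patch_file = bb.fetch.decodeurl(url)[2]
+
+# Check patch file name for CVE ID
+fname_match = cve_file_name_match.search(patch_file)
+if fname_match:
+cve = fname_match.group(1).upper()
+patched_cves.add(cve)
+bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
 with open(patch_file, "r", encoding="utf-8") as f:
 try:
 patch_text = f.read()
@@ -140,7 +154,7 @@ def get_patches_cves(d):
 for cve in cves.split():
 bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
 patched_cves.add(cve)
-else:
+elif not fname_match:
 bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
 
 return patched_cves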
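Review bot: A CVE id recovered from the patch path at new lines 132–137 goes into `patched_cves` with the same weight as an explicit `CVE:` tag in the patch body, so the report silently drops any CVE whose id merely appears in a file name — for example a patch that only partially backports the upstream fix, or one named after the CVE whose regression it corrects. The comment block at new lines 122–124 should state that consequence, e.g. `# A CVE id in the file name is accepted as evidence of a fix even when the patch body carries no CVE: tag, so a misnamed patch hides an unfixed CVE from the report.` On new line 125 the pattern is a non-raw string whose `\-` and `\d` escapes newer Pythons warn about, and the hand-written case classes can become a flag with identical last-occurrence behaviour: `cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)`. Note also that `patch_file` appears to be the full decoded path rather than the base name, so a directory component carrying a CVE id can match when the file name itself does not. get_patches_cves begins at the hunk header and its body continues between and beyond the two hunks.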