diff options
| author | Chris Laplante <chris.laplante@agilent.com> | 2020-09-29 11:57:46 -0400 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-03-04 17:39:08 +0000 |
| commit | 95886950fb29fc68d9b71d6ebc2532ee96418a7e (patch) | |
| tree | 6ea25c95a9b500c4610c7d0d2d0cc15e08a9a3b2 /meta | |
| parent | 51400abb8a2caa310f8516a7038ed765a465806c (diff) | |
| download | poky-95886950fb29fc68d9b71d6ebc2532ee96418a7e.tar.gz | |
cve-check: add CVE_CHECK_REPORT_PATCHED variable to suppress reporting of patched CVEs
Default behavior is not changed. To suppress patched CVEs, set:
CVE_CHECK_REPORT_PATCHED = ""
(From OE-Core rev: cdbed91b1e23d6373a759e87fcadb85a37fead8d)
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 05bd9f1f006cf94cf5324f96df29cd5862abaf45)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 259852876c..edb704b187 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -41,14 +41,16 @@ CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve | |||
| 41 | CVE_CHECK_COPY_FILES ??= "1" | 41 | CVE_CHECK_COPY_FILES ??= "1" |
| 42 | CVE_CHECK_CREATE_MANIFEST ??= "1" | 42 | CVE_CHECK_CREATE_MANIFEST ??= "1" |
| 43 | 43 | ||
| 44 | CVE_CHECK_REPORT_PATCHED ??= "1" | ||
| 45 | |||
| 44 | # Whitelist for packages (PN) | 46 | # Whitelist for packages (PN) |
| 45 | CVE_CHECK_PN_WHITELIST ?= "" | 47 | CVE_CHECK_PN_WHITELIST ?= "" |
| 46 | 48 | ||
| 47 | # Whitelist for CVE. If a CVE is found, then it is considered patched. | 49 | # Whitelist for CVE. If a CVE is found, then it is considered patched. |
| 48 | # The value is a string containing space separated CVE values: | 50 | # The value is a string containing space separated CVE values: |
| 49 | # | 51 | # |
| 50 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' | 52 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' |
| 51 | # | 53 | # |
| 52 | CVE_CHECK_WHITELIST ?= "" | 54 | CVE_CHECK_WHITELIST ?= "" |
| 53 | 55 | ||
| 54 | # set to "alphabetical" for version using single alphabetical character as increament release | 56 | # set to "alphabetical" for version using single alphabetical character as increament release |
| @@ -339,12 +341,15 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
| 339 | bb.utils.mkdirhier(os.path.dirname(cve_file)) | 341 | bb.utils.mkdirhier(os.path.dirname(cve_file)) |
| 340 | 342 | ||
| 341 | for cve in sorted(cve_data): | 343 | for cve in sorted(cve_data): |
| 344 | is_patched = cve in patched | ||
| 345 | if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): | ||
| 346 | continue | ||
| 342 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") | 347 | write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") |
| 343 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) | 348 | write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) |
| 344 | write_string += "CVE: %s\n" % cve | 349 | write_string += "CVE: %s\n" % cve |
| 345 | if cve in whitelisted: | 350 | if cve in whitelisted: |
| 346 | write_string += "CVE STATUS: Whitelisted\n" | 351 | write_string += "CVE STATUS: Whitelisted\n" |
| 347 | elif cve in patched: | 352 | elif is_patched: |
| 348 | write_string += "CVE STATUS: Patched\n" | 353 | write_string += "CVE STATUS: Patched\n" |
| 349 | else: | 354 | else: |
| 350 | unpatched_cves.append(cve) | 355 | unpatched_cves.append(cve) |
| @@ -358,19 +363,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): | |||
| 358 | if unpatched_cves: | 363 | if unpatched_cves: |
| 359 | bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) | 364 | bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) |
| 360 | 365 | ||
| 361 | with open(cve_file, "w") as f: | 366 | if write_string: |
| 362 | bb.note("Writing file %s with CVE information" % cve_file) | 367 | with open(cve_file, "w") as f: |
| 363 | f.write(write_string) | 368 | bb.note("Writing file %s with CVE information" % cve_file) |
| 364 | |||
| 365 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": | ||
| 366 | deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") | ||
| 367 | bb.utils.mkdirhier(os.path.dirname(deploy_file)) | ||
| 368 | with open(deploy_file, "w") as f: | ||
| 369 | f.write(write_string) | 369 | f.write(write_string) |
| 370 | 370 | ||
| 371 | if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": | 371 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": |
| 372 | cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") | 372 | deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") |
| 373 | bb.utils.mkdirhier(cvelogpath) | 373 | bb.utils.mkdirhier(os.path.dirname(deploy_file)) |
| 374 | with open(deploy_file, "w") as f: | ||
| 375 | f.write(write_string) | ||
| 376 | |||
| 377 | if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": | ||
| 378 | cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") | ||
| 379 | bb.utils.mkdirhier(cvelogpath) | ||
| 374 | 380 | ||
| 375 | with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: | 381 | with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: |
| 376 | f.write("%s" % write_string) | 382 | f.write("%s" % write_string) |