diff options
author | Konstantin Shemyak <konstantin.shemyak@ge.com> | 2018-08-13 10:23:28 +0300 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-08-15 21:45:58 +0100 |
commit | f7e24cc377b00f2341cd3168bbd0201828547255 (patch) | |
tree | 367504ed001da10615b937150df5f19c546f6482 /meta | |
parent | 7f93c8bc4a6e441f1b91824878ffec46ccd21a30 (diff) | |
download | poky-f7e24cc377b00f2341cd3168bbd0201828547255.tar.gz |
cve-check.bbclass: do not download the CVE DB in package-specific tasks
Disable downloading of the vulnerability DB in do_check_cves() task.
When invoked in this task, cve-check-tool attempts re-download of the CVE DB
if the latter is older than certain threshold. While reasonable for a
stand-alone CVE checker, this behavior can cause errors in parallel builds
if the build time is longer than this threshold:
* Other tasks might be using the DB.
* Several packages can start the download of the same file at the same time.
This check is not really needed, as the DB has been downloaded by
cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
The DB will be at most (threshold + build_time) old.
(From OE-Core rev: 125789b6ee6d47ab84192230f63971c4e22418ba)
Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/cve-check.bbclass | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 4d998388b4..12ad3e5c5c 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -179,7 +179,7 @@ def check_cves(d, patched_cves): | |||
179 | cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") | 179 | cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") |
180 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | 180 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) |
181 | cve_cmd = "cve-check-tool" | 181 | cve_cmd = "cve-check-tool" |
182 | cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] | 182 | cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] |
183 | 183 | ||
184 | # If the recipe has been whitlisted we return empty lists | 184 | # If the recipe has been whitlisted we return empty lists |
185 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): | 185 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): |