summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-11-24 15:50:15 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-11-25 21:37:40 +0000
commitc1cbb6fd15b28adda0f743d390930bf5221842d7 (patch)
tree523d6eafc568bd23f350f03271258d8dcd4bb0d7 /meta
parent1f4750c47fe2f2612f835b4808df72d8df3cd000 (diff)
downloadpoky-c1cbb6fd15b28adda0f743d390930bf5221842d7.tar.gz
cve-check: fetch CVE data once at a time instead of in a single call
This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 3ded9a64c95ae02df7562fc69e2af08c150d2452) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/cve-check.bbclass20
1 files changed, 10 insertions, 10 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e95716d9de..19ed5548b3 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@ def get_cve_info(d, cves):
267 267
268 cve_data = {} 268 cve_data = {}
269 conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) 269 conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE"))
270 placeholders = ",".join("?" * len(cves))
271 query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders
272 for row in conn.execute(query, tuple(cves)):
273 cve_data[row[0]] = {}
274 cve_data[row[0]]["summary"] = row[1]
275 cve_data[row[0]]["scorev2"] = row[2]
276 cve_data[row[0]]["scorev3"] = row[3]
277 cve_data[row[0]]["modified"] = row[4]
278 cve_data[row[0]]["vector"] = row[5]
279 conn.close()
280 270
271 for cve in cves:
272 for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)):
273 cve_data[row[0]] = {}
274 cve_data[row[0]]["summary"] = row[1]
275 cve_data[row[0]]["scorev2"] = row[2]
276 cve_data[row[0]]["scorev3"] = row[3]
277 cve_data[row[0]]["modified"] = row[4]
278 cve_data[row[0]]["vector"] = row[5]
279
280 conn.close()
281 return cve_data 281 return cve_data
282 282
283def cve_write_data(d, patched, unpatched, cve_data): 283def cve_write_data(d, patched, unpatched, cve_data):