summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
authorPierre Le Magourou <pierre.lemagourou@softbankrobotics.com>2019-07-03 11:35:06 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-05 12:00:20 +0100
commit4a68a44f56c725914cfa721993a2ea8a3dc6ebd5 (patch)
tree3cf1d843f0466b395ff94bb67a9499e59f641cbb /meta
parenta61354e965561b5d108d89864b5f9c8d15fbee39 (diff)
downloadpoky-4a68a44f56c725914cfa721993a2ea8a3dc6ebd5.tar.gz
cve-update-db: Catch request.urlopen errors.
If the NVD url is not accessible, print a warning on top of the CVE report, and continue. The database will not be fully updated, but cve_check can still run on the previous database. (From OE-Core rev: 0325dd72714f0b447558084f481b77f0ec850eed) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
-rw-r--r--meta/classes/cve-check.bbclass5
-rw-r--r--meta/recipes-core/meta/cve-update-db.bb30
2 files changed, 24 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1e7e8dd441..81071e3f19 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -51,14 +51,15 @@ python do_cve_check () {
51 Check recipe for patched and unpatched CVEs 51 Check recipe for patched and unpatched CVEs
52 """ 52 """
53 53
54 if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): 54 if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
55 patched_cves = get_patches_cves(d) 55 patched_cves = get_patches_cves(d)
56 patched, unpatched = check_cves(d, patched_cves) 56 patched, unpatched = check_cves(d, patched_cves)
57 if patched or unpatched: 57 if patched or unpatched:
58 cve_data = get_cve_info(d, patched + unpatched) 58 cve_data = get_cve_info(d, patched + unpatched)
59 cve_write_data(d, patched, unpatched, cve_data) 59 cve_write_data(d, patched, unpatched, cve_data)
60 else: 60 else:
61 bb.note("Failed to update CVE database, skipping CVE check") 61 bb.note("No CVE database found, skipping CVE check")
62
62} 63}
63 64
64addtask cve_check after do_unpack before do_build 65addtask cve_check after do_unpack before do_build
diff --git a/meta/recipes-core/meta/cve-update-db.bb b/meta/recipes-core/meta/cve-update-db.bb
index 3e5bae8b1d..ae8f1a958b 100644
--- a/meta/recipes-core/meta/cve-update-db.bb
+++ b/meta/recipes-core/meta/cve-update-db.bb
@@ -28,6 +28,7 @@ python do_populate_cve_db() {
28 db_file = db_dir + '/nvd-json.db' 28 db_file = db_dir + '/nvd-json.db'
29 json_tmpfile = db_dir + '/nvd.json.gz' 29 json_tmpfile = db_dir + '/nvd.json.gz'
30 proxy = d.getVar("https_proxy") 30 proxy = d.getVar("https_proxy")
31 cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a')
31 32
32 if not os.path.isdir(db_dir): 33 if not os.path.isdir(db_dir):
33 os.mkdir(db_dir) 34 os.mkdir(db_dir)
@@ -47,9 +48,13 @@ python do_populate_cve_db() {
47 req = urllib.request.Request(meta_url) 48 req = urllib.request.Request(meta_url)
48 if proxy: 49 if proxy:
49 req.set_proxy(proxy, 'https') 50 req.set_proxy(proxy, 'https')
50 with urllib.request.urlopen(req) as r: 51 try:
51 date_line = str(r.read().splitlines()[0]) 52 with urllib.request.urlopen(req, timeout=1) as r:
52 last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1) 53 date_line = str(r.read().splitlines()[0])
54 last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
55 except:
56 cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
57 break
53 58
54 # Compare with current db last modified date 59 # Compare with current db last modified date
55 c.execute("select DATE from META where YEAR = '%d'" % year) 60 c.execute("select DATE from META where YEAR = '%d'" % year)
@@ -59,19 +64,26 @@ python do_populate_cve_db() {
59 req = urllib.request.Request(json_url) 64 req = urllib.request.Request(json_url)
60 if proxy: 65 if proxy:
61 req.set_proxy(proxy, 'https') 66 req.set_proxy(proxy, 'https')
62 with urllib.request.urlopen(req) as r, open(json_tmpfile, 'wb') as tmpfile: 67 try:
63 shutil.copyfileobj(r, tmpfile) 68 with urllib.request.urlopen(req, timeout=1) as r, \
69 open(json_tmpfile, 'wb') as tmpfile:
70 shutil.copyfileobj(r, tmpfile)
71 except:
72 cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
73 break
74
64 with gzip.open(json_tmpfile, 'rt') as jsonfile: 75 with gzip.open(json_tmpfile, 'rt') as jsonfile:
65 update_db(c, jsonfile) 76 update_db(c, jsonfile)
66 c.execute("insert or replace into META values (?, ?)", 77 c.execute("insert or replace into META values (?, ?)",
67 [year, last_modified]) 78 [year, last_modified])
68 79
80 # Update success, set the date to cve_check file.
81 if year == date.today().year:
82 cve_f.write('CVE database update : %s\n\n' % date.today())
83
84 cve_f.close()
69 conn.commit() 85 conn.commit()
70 conn.close() 86 conn.close()
71
72 cve_check_tmp_file = d.getVar("TMPDIR") + '/cve_check'
73 with open(cve_check_tmp_file, 'a'):
74 os.utime(cve_check_tmp_file, None)
75} 87}
76 88
77# DJB2 hash algorithm 89# DJB2 hash algorithm