diff options
| author | Marta Rybczynska <rybczynska@gmail.com> | 2025-02-13 06:57:53 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-02-18 11:56:04 +0000 |
| commit | 52dc3286dfc15b3fba18a66325a9e50bebaaa0d2 (patch) | |
| tree | 441b062694369844be7b306e7a39453aa90353ba /meta | |
| parent | 0486af6e3cefeeb705ec7c7a0938623fc25d9fee (diff) | |
| download | poky-52dc3286dfc15b3fba18a66325a9e50bebaaa0d2.tar.gz | |
cve-check: allow feed choice
Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.
Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction
In case of malformed database feed name, we default to NVD2 and show
an error.
(From OE-Core rev: f265812bfb6797aee10e7be42865736c9ff3478f)
Signed-off-by: Marta Rybczynska <marta.rybczynska@ygreky.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 14 |
1 files changed, 12 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 6e10dd915a..90097cfde8 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -31,7 +31,12 @@ | |||
| 31 | CVE_PRODUCT ??= "${BPN}" | 31 | CVE_PRODUCT ??= "${BPN}" |
| 32 | CVE_VERSION ??= "${PV}" | 32 | CVE_VERSION ??= "${PV}" |
| 33 | 33 | ||
| 34 | CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" | 34 | # Possible database sources: NVD1, NVD2, FKIE |
| 35 | NVD_DB_VERSION ?= "NVD2" | ||
| 36 | |||
| 37 | # Use different file names for each database source, as they synchronize at different moments, so may be slightly different | ||
| 38 | CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 'nvdfkie_1-1.db'}" | ||
| 39 | CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}" | ||
| 35 | CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" | 40 | CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" |
| 36 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" | 41 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" |
| 37 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" | 42 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" |
| @@ -114,6 +119,11 @@ python () { | |||
| 114 | d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) | 119 | d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status")) |
| 115 | else: | 120 | else: |
| 116 | bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) | 121 | bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group) |
| 122 | |||
| 123 | nvd_database_type = d.getVar("NVD_DB_VERSION") | ||
| 124 | if nvd_database_type not in ("NVD1", "NVD2", "FKIE"): | ||
| 125 | bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, FKIE. Defaulting to NVD2") | ||
| 126 | d.setVar("NVD_DB_VERSION", "NVD2") | ||
| 117 | } | 127 | } |
| 118 | 128 | ||
| 119 | def generate_json_report(d, out_path, link_path): | 129 | def generate_json_report(d, out_path, link_path): |
| @@ -182,7 +192,7 @@ python do_cve_check () { | |||
| 182 | } | 192 | } |
| 183 | 193 | ||
| 184 | addtask cve_check before do_build | 194 | addtask cve_check before do_build |
| 185 | do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" | 195 | do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack" |
| 186 | do_cve_check[nostamp] = "1" | 196 | do_cve_check[nostamp] = "1" |
| 187 | 197 | ||
| 188 | python cve_check_cleanup () { | 198 | python cve_check_cleanup () { |