-rw-r--r--meta/classes/cve-check.bbclass16
1 files changed, 14 insertions, 2 deletions
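diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e7540b8c1f..379f7121cc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
     Connect to the NVD database and find unpatched cves.
     """
     import ast, csv, tempfile, subprocess, io
+    from distutils.version import LooseVersion
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+    query = """SELECT * FROM PRODUCTS WHERE
+               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
     for idx in range(len(bpn)):
-        for row in c.execute(query % (bpn[idx],pv)):
+        for row in c.execute(query.format(bpn[idx],pv)):
             cve = row[1]
+            version = row[4]
+
+            try:
+                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            except:
+                discardVersion = True
+
             if pv in cve_whitelist.get(cve,[]):
                 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
+            elif discardVersion:
+                bb.debug(2, "Do not consider version %s " % (version))
             else:
                 cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))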
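Review bot: The bare `except:` around the LooseVersion comparison (new lines 198-201) turns any comparison failure into `discardVersion = True`, so a CVE whose NVD version string cannot be compared against PV (LooseVersion can raise TypeError when the two strings mix numeric and alphabetic components) silently drops out of `cves_unpatched` — a fail-open default for a security check, and the bare clause also swallows KeyboardInterrupt/SystemExit. Narrow it and keep the CVE in the report instead: `except (TypeError, ValueError):` / `bb.warn("%s: cannot compare version %s with %s, keeping %s" % (bpn[idx], version, pv, cve))` / `discardVersion = False`. Separately, the query at new line 190 is still assembled by string substitution (`.format` replaced `%`); sqlite3 accepts `?` placeholders, e.g. `c.execute(query_with_placeholders, (bpn[idx], pv, bpn[idx]))`, which also keeps a product name or PV containing a quote from breaking the statement. If a newer Python is targeted, note that `distutils` is deprecated (PEP 632) and a BitBake-provided version comparison such as `bb.utils.vercmp_string` may be the more durable choice — worth confirming against the supported interpreter range. check_cves starts before and ends after these hunks.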