-rw-r--r-- | meta/classes/cve-check.bbclass | 16 |
1 files changed, 14 insertions, 2 deletions
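diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e7540b8c1f..379f7121cc 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -166,6 +166,7 @@ def check_cves(d, patched_cves):
     Connect to the NVD database and find unpatched cves.
     """
     import ast, csv, tempfile, subprocess, io
+    from distutils.version import LooseVersion
 
     cves_unpatched = []
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -186,14 +187,25 @@ def check_cves(d, patched_cves):
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
 
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
+    query = """SELECT * FROM PRODUCTS WHERE
+               (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR
+               (PRODUCT IS '{0}' AND OPERATOR IS '<=');"""
     for idx in range(len(bpn)):
-        for row in c.execute(query % (bpn[idx],pv)):
+        for row in c.execute(query.format(bpn[idx],pv)):
             cve = row[1]
+            version = row[4]
+
+            try:
+                discardVersion = LooseVersion(version) < LooseVersion(pv)
+            except:
+                discardVersion = True
+
             if pv in cve_whitelist.get(cve,[]):
                 bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
+            elif discardVersion:
+                bb.debug(2, "Do not consider version %s " % (version))
             else:
                 cves_unpatched.append(cve)
                 bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))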
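Review bot: The bare `except:` around the `LooseVersion` comparison (new lines 199-201) fails open: any bound string the parser rejects, or a NULL `VERSION` column, sets `discardVersion = True`, so the CVE is silently dropped from `cves_unpatched` instead of being reported, and the handler also swallows `KeyboardInterrupt`/`SystemExit`. Catch `Exception` at most, default to keeping the CVE, and emit a `bb.warn` so the operator sees that the version could not be compared. The rewritten query still splices `bpn[idx]` and `pv` into the SQL text via `str.format`; a product name or version containing a quote breaks the statement, so bind them as `?` parameters instead. `distutils.version.LooseVersion` is deprecated and distutils is removed in Python 3.12, so this comparison will need a replacement eventually. `check_cves` starts and appears to continue beyond these hunks.
```python
    query = """SELECT * FROM PRODUCTS WHERE
               (PRODUCT IS ? AND VERSION = ? AND OPERATOR IS '=') OR
               (PRODUCT IS ? AND OPERATOR IS '<=');"""
    for idx in range(len(bpn)):
        for row in c.execute(query, (bpn[idx], pv, bpn[idx])):
            cve = row[1]
            version = row[4]

            try:
                discardVersion = LooseVersion(version) < LooseVersion(pv)
            except Exception:
                # Unparsable bound: report the CVE rather than silently dropping it
                bb.warn("%s: cannot compare version %s with %s" % (cve, version, pv))
                discardVersion = False
            # … unchanged: whitelist / patched / discardVersion / unpatched dispatch …
```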