diff options
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- | meta/classes/cve-check.bbclass | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 379f7121cc..1e7e8dd441 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -170,18 +170,19 @@ def check_cves(d, patched_cves): | |||
170 | 170 | ||
171 | cves_unpatched = [] | 171 | cves_unpatched = [] |
172 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) | 172 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) |
173 | bpn = d.getVar("CVE_PRODUCT").split() | 173 | products = d.getVar("CVE_PRODUCT").split() |
174 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) | 174 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) |
175 | if len(bpn) == 0: | 175 | if not products: |
176 | return ([], []) | 176 | return ([], []) |
177 | pv = d.getVar("CVE_VERSION").split("+git")[0] | 177 | pv = d.getVar("CVE_VERSION").split("+git")[0] |
178 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | ||
179 | 178 | ||
180 | # If the recipe has been whitlisted we return empty lists | 179 | # If the recipe has been whitlisted we return empty lists |
181 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): | 180 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): |
182 | bb.note("Recipe has been whitelisted, skipping check") | 181 | bb.note("Recipe has been whitelisted, skipping check") |
183 | return ([], []) | 182 | return ([], []) |
184 | 183 | ||
184 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | ||
185 | |||
185 | import sqlite3 | 186 | import sqlite3 |
186 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 187 | db_file = d.getVar("CVE_CHECK_DB_FILE") |
187 | conn = sqlite3.connect(db_file) | 188 | conn = sqlite3.connect(db_file) |
@@ -190,8 +191,8 @@ def check_cves(d, patched_cves): | |||
190 | query = """SELECT * FROM PRODUCTS WHERE | 191 | query = """SELECT * FROM PRODUCTS WHERE |
191 | (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR | 192 | (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR |
192 | (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" | 193 | (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" |
193 | for idx in range(len(bpn)): | 194 | for product in products: |
194 | for row in c.execute(query.format(bpn[idx],pv)): | 195 | for row in c.execute(query.format(product, pv)): |
195 | cve = row[1] | 196 | cve = row[1] |
196 | version = row[4] | 197 | version = row[4] |
197 | 198 | ||
@@ -200,15 +201,15 @@ def check_cves(d, patched_cves): | |||
200 | except: | 201 | except: |
201 | discardVersion = True | 202 | discardVersion = True |
202 | 203 | ||
203 | if pv in cve_whitelist.get(cve,[]): | 204 | if pv in cve_whitelist.get(cve, []): |
204 | bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) | 205 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) |
205 | elif cve in patched_cves: | 206 | elif cve in patched_cves: |
206 | bb.note("%s has been patched" % (cve)) | 207 | bb.note("%s has been patched" % (cve)) |
207 | elif discardVersion: | 208 | elif discardVersion: |
208 | bb.debug(2, "Do not consider version %s " % (version)) | 209 | bb.debug(2, "Do not consider version %s " % (version)) |
209 | else: | 210 | else: |
210 | cves_unpatched.append(cve) | 211 | cves_unpatched.append(cve) |
211 | bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) | 212 | bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) |
212 | conn.close() | 213 | conn.close() |
213 | 214 | ||
214 | return (list(patched_cves), cves_unpatched) | 215 | return (list(patched_cves), cves_unpatched) |