diff options
Diffstat (limited to 'meta/classes/cve-check.bbclass')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 56ba8bceef..6b8376bf17 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -31,8 +31,9 @@ | |||
| 31 | CVE_PRODUCT ??= "${BPN}" | 31 | CVE_PRODUCT ??= "${BPN}" |
| 32 | CVE_VERSION ??= "${PV}" | 32 | CVE_VERSION ??= "${PV}" |
| 33 | 33 | ||
| 34 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" | 34 | CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" |
| 35 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db" | 35 | CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" |
| 36 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" | ||
| 36 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" | 37 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" |
| 37 | 38 | ||
| 38 | CVE_CHECK_LOG ?= "${T}/cve.log" | 39 | CVE_CHECK_LOG ?= "${T}/cve.log" |
| @@ -49,7 +50,8 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve" | |||
| 49 | CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}" | 50 | CVE_CHECK_RECIPE_FILE ?= "${CVE_CHECK_DIR}/${PN}" |
| 50 | CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" | 51 | CVE_CHECK_RECIPE_FILE_JSON ?= "${CVE_CHECK_DIR}/${PN}_cve.json" |
| 51 | CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.cve" | 52 | CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.cve" |
| 52 | CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.json" | 53 | CVE_CHECK_MANIFEST_JSON_SUFFIX ?= "json" |
| 54 | CVE_CHECK_MANIFEST_JSON ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}.${CVE_CHECK_MANIFEST_JSON_SUFFIX}" | ||
| 53 | CVE_CHECK_COPY_FILES ??= "1" | 55 | CVE_CHECK_COPY_FILES ??= "1" |
| 54 | CVE_CHECK_CREATE_MANIFEST ??= "1" | 56 | CVE_CHECK_CREATE_MANIFEST ??= "1" |
| 55 | 57 | ||
| @@ -197,7 +199,7 @@ python do_cve_check () { | |||
| 197 | } | 199 | } |
| 198 | 200 | ||
| 199 | addtask cve_check before do_build | 201 | addtask cve_check before do_build |
| 200 | do_cve_check[depends] = "cve-update-nvd2-native:do_fetch" | 202 | do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" |
| 201 | do_cve_check[nostamp] = "1" | 203 | do_cve_check[nostamp] = "1" |
| 202 | 204 | ||
| 203 | python cve_check_cleanup () { | 205 | python cve_check_cleanup () { |
| @@ -268,23 +270,27 @@ python cve_check_write_rootfs_manifest () { | |||
| 268 | d.setVar("PN", save_pn) | 270 | d.setVar("PN", save_pn) |
| 269 | 271 | ||
| 270 | if enable_text: | 272 | if enable_text: |
| 271 | link_path = os.path.join(deploy_dir, "%s.cve" % link_name) | ||
| 272 | manifest_name = d.getVar("CVE_CHECK_MANIFEST") | 273 | manifest_name = d.getVar("CVE_CHECK_MANIFEST") |
| 273 | 274 | ||
| 274 | with open(manifest_name, "w") as f: | 275 | with open(manifest_name, "w") as f: |
| 275 | f.write(text_data) | 276 | f.write(text_data) |
| 276 | 277 | ||
| 277 | update_symlinks(manifest_name, link_path) | 278 | if link_name: |
| 279 | link_path = os.path.join(deploy_dir, "%s.cve" % link_name) | ||
| 280 | update_symlinks(manifest_name, link_path) | ||
| 278 | bb.plain("Image CVE report stored in: %s" % manifest_name) | 281 | bb.plain("Image CVE report stored in: %s" % manifest_name) |
| 279 | 282 | ||
| 280 | if enable_json: | 283 | if enable_json: |
| 281 | link_path = os.path.join(deploy_dir, "%s.json" % link_name) | 284 | manifest_name_suffix = d.getVar("CVE_CHECK_MANIFEST_JSON_SUFFIX") |
| 282 | manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") | 285 | manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") |
| 283 | 286 | ||
| 284 | with open(manifest_name, "w") as f: | 287 | with open(manifest_name, "w") as f: |
| 285 | json.dump(json_data, f, indent=2) | 288 | json.dump(json_data, f, indent=2) |
| 286 | 289 | ||
| 287 | update_symlinks(manifest_name, link_path) | 290 | if link_name: |
| 291 | link_path = os.path.join(deploy_dir, "%s.%s" % (link_name, manifest_name_suffix)) | ||
| 292 | update_symlinks(manifest_name, link_path) | ||
| 293 | |||
| 288 | bb.plain("Image CVE JSON report stored in: %s" % manifest_name) | 294 | bb.plain("Image CVE JSON report stored in: %s" % manifest_name) |
| 289 | } | 295 | } |
| 290 | 296 | ||
| @@ -445,9 +451,10 @@ def get_cve_info(d, cves): | |||
| 445 | cve_data[row[0]]["summary"] = row[1] | 451 | cve_data[row[0]]["summary"] = row[1] |
| 446 | cve_data[row[0]]["scorev2"] = row[2] | 452 | cve_data[row[0]]["scorev2"] = row[2] |
| 447 | cve_data[row[0]]["scorev3"] = row[3] | 453 | cve_data[row[0]]["scorev3"] = row[3] |
| 448 | cve_data[row[0]]["modified"] = row[4] | 454 | cve_data[row[0]]["scorev4"] = row[4] |
| 449 | cve_data[row[0]]["vector"] = row[5] | 455 | cve_data[row[0]]["modified"] = row[5] |
| 450 | cve_data[row[0]]["vectorString"] = row[6] | 456 | cve_data[row[0]]["vector"] = row[6] |
| 457 | cve_data[row[0]]["vectorString"] = row[7] | ||
| 451 | cursor.close() | 458 | cursor.close() |
| 452 | conn.close() | 459 | conn.close() |
| 453 | return cve_data | 460 | return cve_data |
| @@ -512,6 +519,7 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data): | |||
| 512 | write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] | 519 | write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] |
| 513 | write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] | 520 | write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] |
| 514 | write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] | 521 | write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] |
| 522 | write_string += "CVSS v4 BASE SCORE: %s\n" % cve_data[cve]["scorev4"] | ||
| 515 | write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] | 523 | write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] |
| 516 | write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] | 524 | write_string += "VECTORSTRING: %s\n" % cve_data[cve]["vectorString"] |
| 517 | write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) | 525 | write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) |
| @@ -629,6 +637,7 @@ def cve_write_data_json(d, patched, unpatched, ignored, cve_data, cve_status): | |||
| 629 | "summary" : cve_data[cve]["summary"], | 637 | "summary" : cve_data[cve]["summary"], |
| 630 | "scorev2" : cve_data[cve]["scorev2"], | 638 | "scorev2" : cve_data[cve]["scorev2"], |
| 631 | "scorev3" : cve_data[cve]["scorev3"], | 639 | "scorev3" : cve_data[cve]["scorev3"], |
| 640 | "scorev4" : cve_data[cve]["scorev4"], | ||
| 632 | "vector" : cve_data[cve]["vector"], | 641 | "vector" : cve_data[cve]["vector"], |
| 633 | "vectorString" : cve_data[cve]["vectorString"], | 642 | "vectorString" : cve_data[cve]["vectorString"], |
| 634 | "status" : status, | 643 | "status" : status, |