diff options
Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/cve-check.bbclass | 22 |
1 files changed, 11 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index e8668b2566..512d4c7302 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -39,15 +39,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1" | |||
39 | # Whitelist for packages (PN) | 39 | # Whitelist for packages (PN) |
40 | CVE_CHECK_PN_WHITELIST ?= "" | 40 | CVE_CHECK_PN_WHITELIST ?= "" |
41 | 41 | ||
42 | # Whitelist for CVE and version of package. If a CVE is found then the PV is | 42 | # Whitelist for CVE. If a CVE is found, then it is considered patched. |
43 | # compared with the version list, and if found the CVE is considered | 43 | # The value is a string containing space separated CVE values: |
44 | # patched. | 44 | # |
45 | # | 45 | # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' |
46 | # The value should be valid Python in this format: | 46 | # |
47 | # { | 47 | CVE_CHECK_WHITELIST ?= "" |
48 | # 'CVE-2014-2524': ('6.3','5.2') | ||
49 | # } | ||
50 | CVE_CHECK_CVE_WHITELIST ?= "{}" | ||
51 | 48 | ||
52 | python do_cve_check () { | 49 | python do_cve_check () { |
53 | """ | 50 | """ |
@@ -185,7 +182,10 @@ def check_cves(d, patched_cves): | |||
185 | bb.note("Recipe has been whitelisted, skipping check") | 182 | bb.note("Recipe has been whitelisted, skipping check") |
186 | return ([], []) | 183 | return ([], []) |
187 | 184 | ||
188 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | 185 | old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST") |
186 | if old_cve_whitelist: | ||
187 | bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.") | ||
188 | cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() | ||
189 | 189 | ||
190 | import sqlite3 | 190 | import sqlite3 |
191 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 191 | db_file = d.getVar("CVE_CHECK_DB_FILE") |
@@ -206,7 +206,7 @@ def check_cves(d, patched_cves): | |||
206 | version_end = row[6] | 206 | version_end = row[6] |
207 | operator_end = row[7] | 207 | operator_end = row[7] |
208 | 208 | ||
209 | if pv in cve_whitelist.get(cve, []): | 209 | if cve in cve_whitelist: |
210 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) | 210 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) |
211 | elif cve in patched_cves: | 211 | elif cve in patched_cves: |
212 | bb.note("%s has been patched" % (cve)) | 212 | bb.note("%s has been patched" % (cve)) |