1 files changed, 0 insertions, 215 deletions
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
deleted file mode 100644
index 3d8ebd1bd2..0000000000
--- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
-From: Jussi Kukkonen <jussi.kukkonen@intel.com>
-Date: Thu, 9 Feb 2017 14:51:28 +0200
-Subject: [PATCH] curl: allow overriding default CA certificate file
-Similar to curl, --cacert can now be used in cve-check-tool and
-cve-check-update to override the default CA certificate file. Useful
-in cases where the system default is unsuitable (for example,
-out-dated) or broken (as in OE's current native libcurl, which embeds
-a path string from one build host and then uses it on another although
-the right path may have become something different).
-Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
-Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
-Took Patrick Ohlys original patch from meta-security-isafw, rebased
-on top of other patches.
-Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
- src/library/cve-check-tool.h |  1 +
- src/library/fetch.c          | 10 +++++++++-
- src/library/fetch.h          |  3 ++-
- src/main.c                   |  5 ++++-
- src/update-main.c            |  4 +++-
- src/update.c                 | 12 +++++++-----
- src/update.h                 |  2 +-
- 7 files changed, 27 insertions(+), 10 deletions(-)
-diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
-index e4bb5b1..f89eade 100644
--- a/src/library/cve-check-tool.h
-+++ b/src/library/cve-check-tool.h
-@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
-     bool bugs;                          /**<Whether bug tracking is enabled */
-     GHashTable *mapping;                /**<CVE Mapping */
-     const char *output_file;            /**<Output file, if any */
-+    const char *cacert_file;            /**<Non-default SSL certificate file, if any */
- } CveCheckTool;
- 
- /**
-diff --git a/src/library/fetch.c b/src/library/fetch.c
-index 0fe6d76..8f998c3 100644
--- a/src/library/fetch.c
-+++ b/src/library/fetch.c
-@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
- }
- 
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                      unsigned int start_percent, unsigned int end_percent)
-+                      unsigned int start_percent, unsigned int end_percent,
-+                      const char *cacert_file)
- {
-         FetchStatus ret = FETCH_STATUS_FAIL;
-         CURLcode res;
-@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                 return ret;
-         }
- 
-+        if (cacert_file) {
-+                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
-+                if (res != CURLE_OK) {
-+                        goto bail;
-+                }
-+        }
-+
-         if (stat(target, &st) == 0) {
-                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
-                 if (res != CURLE_OK) {
-diff --git a/src/library/fetch.h b/src/library/fetch.h
-index 4cce5d1..836c7d7 100644
--- a/src/library/fetch.h
-+++ b/src/library/fetch.h
-@@ -29,7 +29,8 @@ typedef enum {
-  * @return A FetchStatus, indicating the operation taken
-  */
- FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
-                      unsigned int this_percent, unsigned int next_percent);
-+                      unsigned int this_percent, unsigned int next_percent,
-+                      const char *cacert_file);
- 
- /**
-  * Attempt to extract the given gzipped file
-diff --git a/src/main.c b/src/main.c
-index 8e6f158..ae69d47 100644
--- a/src/main.c
-+++ b/src/main.c
-@@ -280,6 +280,7 @@ static bool csv_mode = false;
- static char *modified_stamp = NULL;
- static gchar *mapping_file = NULL;
- static gchar *output_file = NULL;
-+static gchar *cacert_file = NULL;
- 
- static GOptionEntry _entries[] = {
-         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
-@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
-         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
-         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
-         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
-+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
-         { .short_name = 0 }
- };
- 
-@@ -492,6 +494,7 @@ int main(int argc, char **argv)
- 
-         quiet = csv_mode || !no_html;
-         self->output_file = output_file;
-+        self->cacert_file = cacert_file;
- 
-         if (!csv_mode && self->output_file) {
-                 quiet = false;
-@@ -530,7 +533,7 @@ int main(int argc, char **argv)
-                 if (status) {
-                         fprintf(stderr, "Update of db forced\n");
-                         cve_db_unlock();
-                        if (!update_db(quiet, db_path->str)) {
-+                        if (!update_db(quiet, db_path->str, self->cacert_file)) {
-                                 fprintf(stderr, "DB update failure\n");
-                                 goto cleanup;
-                         }
-diff --git a/src/update-main.c b/src/update-main.c
-index 2379cfa..c52d9d0 100644
--- a/src/update-main.c
-+++ b/src/update-main.c
-@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
- static gchar *nvds = NULL;
- static bool _show_version = false;
- static bool _quiet = false;
-+static const char *_cacert_file = NULL;
- 
- static GOptionEntry _entries[] = {
-         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
-         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
-         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
-+        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
-         { .short_name = 0 }
- };
- 
-@@ -88,7 +90,7 @@ int main(int argc, char **argv)
-                 goto end;
-         }
- 
-        if (update_db(_quiet, db_path->str)) {
-+        if (update_db(_quiet, db_path->str, _cacert_file)) {
-                 ret = EXIT_SUCCESS;
-         } else {
-                 fprintf(stderr, "Failed to update database\n");
-diff --git a/src/update.c b/src/update.c
-index 070560a..8cb4a39 100644
--- a/src/update.c
-+++ b/src/update.c
-@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
- 
- static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
-                            bool db_exist, bool verbose,
-                           unsigned int this_percent, unsigned int next_percent)
-+                           unsigned int this_percent, unsigned int next_percent,
-+                           const char *cacert_file)
- {
-         const char nvd_uri[] = URI_PREFIX;
-         autofree(cve_string) *uri_meta = NULL;
-@@ -331,14 +332,14 @@ refetch:
-         }
- 
-         /* Fetch NVD META file */
-        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
-+        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
-         if (st == FETCH_STATUS_FAIL) {
-                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
-                 return -1;
-         }
- 
-         /* Fetch NVD XML file */
-        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
-+        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
-         switch (st) {
-         case FETCH_STATUS_FAIL:
-                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
-@@ -391,7 +392,7 @@ refetch:
-         return 0;
- }
- 
-bool update_db(bool quiet, const char *db_file)
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file)
- {
-         autofree(char) *db_dir = NULL;
-         autofree(CveDB) *cve_db = NULL;
-@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
-                 if (!quiet)
-                         fprintf(stderr, "completed: %u%%\r", start_percent);
-                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
-                                     start_percent, end_percent);
-+                                     start_percent, end_percent,
-+                                     cacert_file);
-                 switch (rc) {
-                 case 0:
-                         if (!quiet)
-diff --git a/src/update.h b/src/update.h
-index b8e9911..ceea0c3 100644
--- a/src/update.h
-+++ b/src/update.h
-@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
- 
- int update_required(const char *db_file);
- 
-bool update_db(bool quiet, const char *db_file);
-+bool update_db(bool quiet, const char *db_file, const char *cacert_file);
- 
- 
- /*
-- 
-2.1.4

diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch deleted file mode 100644 index 3d8ebd1bd2..0000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch +++ /dev/null
@@ -1,215 +0,0 @@
1	From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
2	From: Jussi Kukkonen <jussi.kukkonen@intel.com>
3	Date: Thu, 9 Feb 2017 14:51:28 +0200
4	Subject: [PATCH] curl: allow overriding default CA certificate file
5
6	Similar to curl, --cacert can now be used in cve-check-tool and
7	cve-check-update to override the default CA certificate file. Useful
8	in cases where the system default is unsuitable (for example,
9	out-dated) or broken (as in OE's current native libcurl, which embeds
10	a path string from one build host and then uses it on another although
11	the right path may have become something different).
12
13	Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
14
15	Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
16
17
18	Took Patrick Ohlys original patch from meta-security-isafw, rebased
19	on top of other patches.
20
21	Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
22	---
23	src/library/cve-check-tool.h \| 1 +
24	src/library/fetch.c \| 10 +++++++++-
25	src/library/fetch.h \| 3 ++-
26	src/main.c \| 5 ++++-
27	src/update-main.c \| 4 +++-
28	src/update.c \| 12 +++++++-----
29	src/update.h \| 2 +-
30	7 files changed, 27 insertions(+), 10 deletions(-)
31
32	diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
33	index e4bb5b1..f89eade 100644
34	--- a/src/library/cve-check-tool.h
35	+++ b/src/library/cve-check-tool.h
36	@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
37	bool bugs; /*<Whether bug tracking is enabled /
38	GHashTable mapping; /<CVE Mapping /
39	const char output_file; /<Output file, if any /
40	+ const char cacert_file; /<Non-default SSL certificate file, if any /
41	} CveCheckTool;
42
43	/**
44	diff --git a/src/library/fetch.c b/src/library/fetch.c
45	index 0fe6d76..8f998c3 100644
46	--- a/src/library/fetch.c
47	+++ b/src/library/fetch.c
48	@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
49	}
50
51	FetchStatus fetch_uri(const char uri, const char target, bool verbose,
52	- unsigned int start_percent, unsigned int end_percent)
53	+ unsigned int start_percent, unsigned int end_percent,
54	+ const char *cacert_file)
55	{
56	FetchStatus ret = FETCH_STATUS_FAIL;
57	CURLcode res;
58	@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char uri, const char target, bool verbose,
59	return ret;
60	}
61
62	+ if (cacert_file) {
63	+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
64	+ if (res != CURLE_OK) {
65	+ goto bail;
66	+ }
67	+ }
68	+
69	if (stat(target, &st) == 0) {
70	res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
71	if (res != CURLE_OK) {
72	diff --git a/src/library/fetch.h b/src/library/fetch.h
73	index 4cce5d1..836c7d7 100644
74	--- a/src/library/fetch.h
75	+++ b/src/library/fetch.h
76	@@ -29,7 +29,8 @@ typedef enum {
77	* @return A FetchStatus, indicating the operation taken
78	*/
79	FetchStatus fetch_uri(const char uri, const char target, bool verbose,
80	- unsigned int this_percent, unsigned int next_percent);
81	+ unsigned int this_percent, unsigned int next_percent,
82	+ const char *cacert_file);
83
84	/**
85	* Attempt to extract the given gzipped file
86	diff --git a/src/main.c b/src/main.c
87	index 8e6f158..ae69d47 100644
88	--- a/src/main.c
89	+++ b/src/main.c
90	@@ -280,6 +280,7 @@ static bool csv_mode = false;
91	static char *modified_stamp = NULL;
92	static gchar *mapping_file = NULL;
93	static gchar *output_file = NULL;
94	+static gchar *cacert_file = NULL;
95
96	static GOptionEntry _entries[] = {
97	{ "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
98	@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
99	{ "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
100	{ "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
101	{ "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
102	+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
103	{ .short_name = 0 }
104	};
105
106	@@ -492,6 +494,7 @@ int main(int argc, char **argv)
107
108	quiet = csv_mode \|\| !no_html;
109	self->output_file = output_file;
110	+ self->cacert_file = cacert_file;
111
112	if (!csv_mode && self->output_file) {
113	quiet = false;
114	@@ -530,7 +533,7 @@ int main(int argc, char **argv)
115	if (status) {
116	fprintf(stderr, "Update of db forced\n");
117	cve_db_unlock();
118	- if (!update_db(quiet, db_path->str)) {
119	+ if (!update_db(quiet, db_path->str, self->cacert_file)) {
120	fprintf(stderr, "DB update failure\n");
121	goto cleanup;
122	}
123	diff --git a/src/update-main.c b/src/update-main.c
124	index 2379cfa..c52d9d0 100644
125	--- a/src/update-main.c
126	+++ b/src/update-main.c
127	@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
128	static gchar *nvds = NULL;
129	static bool _show_version = false;
130	static bool _quiet = false;
131	+static const char *_cacert_file = NULL;
132
133	static GOptionEntry _entries[] = {
134	{ "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
135	{ "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
136	{ "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
137	+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
138	{ .short_name = 0 }
139	};
140
141	@@ -88,7 +90,7 @@ int main(int argc, char **argv)
142	goto end;
143	}
144
145	- if (update_db(_quiet, db_path->str)) {
146	+ if (update_db(_quiet, db_path->str, _cacert_file)) {
147	ret = EXIT_SUCCESS;
148	} else {
149	fprintf(stderr, "Failed to update database\n");
150	diff --git a/src/update.c b/src/update.c
151	index 070560a..8cb4a39 100644
152	--- a/src/update.c
153	+++ b/src/update.c
154	@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
155
156	static int do_fetch_update(int year, const char db_dir, CveDB cve_db,
157	bool db_exist, bool verbose,
158	- unsigned int this_percent, unsigned int next_percent)
159	+ unsigned int this_percent, unsigned int next_percent,
160	+ const char *cacert_file)
161	{
162	const char nvd_uri[] = URI_PREFIX;
163	autofree(cve_string) *uri_meta = NULL;
164	@@ -331,14 +332,14 @@ refetch:
165	}
166
167	/* Fetch NVD META file */
168	- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
169	+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
170	if (st == FETCH_STATUS_FAIL) {
171	fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
172	return -1;
173	}
174
175	/* Fetch NVD XML file */
176	- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
177	+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
178	switch (st) {
179	case FETCH_STATUS_FAIL:
180	fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
181	@@ -391,7 +392,7 @@ refetch:
182	return 0;
183	}
184
185	-bool update_db(bool quiet, const char *db_file)
186	+bool update_db(bool quiet, const char db_file, const char cacert_file)
187	{
188	autofree(char) *db_dir = NULL;
189	autofree(CveDB) *cve_db = NULL;
190	@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
191	if (!quiet)
192	fprintf(stderr, "completed: %u%%\r", start_percent);
193	rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
194	- start_percent, end_percent);
195	+ start_percent, end_percent,
196	+ cacert_file);
197	switch (rc) {
198	case 0:
199	if (!quiet)
200	diff --git a/src/update.h b/src/update.h
201	index b8e9911..ceea0c3 100644
202	--- a/src/update.h
203	+++ b/src/update.h
204	@@ -15,7 +15,7 @@ cve_string get_db_path(const char path);
205
206	int update_required(const char *db_file);
207
208	-bool update_db(bool quiet, const char *db_file);
209	+bool update_db(bool quiet, const char db_file, const char cacert_file);
210
211
212	/*
213	--
214	2.1.4
215