diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/classes/cve-check.bbclass | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 28619c7bd4..e7540b8c1f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -168,9 +168,10 @@ def check_cves(d, patched_cves): | |||
168 | import ast, csv, tempfile, subprocess, io | 168 | import ast, csv, tempfile, subprocess, io |
169 | 169 | ||
170 | cves_unpatched = [] | 170 | cves_unpatched = [] |
171 | bpn = d.getVar("CVE_PRODUCT") | 171 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) |
172 | bpn = d.getVar("CVE_PRODUCT").split() | ||
172 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) | 173 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) |
173 | if not bpn: | 174 | if len(bpn) == 0: |
174 | return ([], []) | 175 | return ([], []) |
175 | pv = d.getVar("CVE_VERSION").split("+git")[0] | 176 | pv = d.getVar("CVE_VERSION").split("+git")[0] |
176 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | 177 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) |
@@ -184,16 +185,18 @@ def check_cves(d, patched_cves): | |||
184 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 185 | db_file = d.getVar("CVE_CHECK_DB_FILE") |
185 | conn = sqlite3.connect(db_file) | 186 | conn = sqlite3.connect(db_file) |
186 | c = conn.cursor() | 187 | c = conn.cursor() |
188 | |||
187 | query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';" | 189 | query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';" |
188 | for row in c.execute(query % (bpn,pv)): | 190 | for idx in range(len(bpn)): |
189 | cve = row[1] | 191 | for row in c.execute(query % (bpn[idx],pv)): |
190 | if pv in cve_whitelist.get(cve,[]): | 192 | cve = row[1] |
191 | bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) | 193 | if pv in cve_whitelist.get(cve,[]): |
192 | elif cve in patched_cves: | 194 | bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) |
193 | bb.note("%s has been patched" % (cve)) | 195 | elif cve in patched_cves: |
194 | else: | 196 | bb.note("%s has been patched" % (cve)) |
195 | cves_unpatched.append(cve) | 197 | else: |
196 | bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) | 198 | cves_unpatched.append(cve) |
199 | bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) | ||
197 | conn.close() | 200 | conn.close() |
198 | 201 | ||
199 | return (list(patched_cves), cves_unpatched) | 202 | return (list(patched_cves), cves_unpatched) |