Commit log (each entry: commit message, author, date, files changed, lines removed/added)
* git: set CVE vendor to git-scm [sumo-next] (Ross Burton, 2019-11-07, 1 file, -0/+2)
  There's a Jenkins plugin for Git.
  (From OE-Core rev: f2adf5e4d3e9afc6d45665bbe728c69d195a46ef)
  (From OE-Core rev: a28d17187dd4c7ac6aa7e5d28f3cfc0c9060bd94)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* subversion: set CVE vendor to Apache (Ross Burton, 2019-11-07, 1 file, -0/+2)
  There's a Jenkins plugin for Subversion.
  (From OE-Core rev: ac115c3b5f1dcb95fb7d39537693fe0dcd330451)
  (From OE-Core rev: 457d52c1a86bad074e174e2004c54ac5be1728bd)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-devtools/subversion/subversion_1.12.0.bb
* boost: set CVE vendor to Boost (Ross Burton, 2019-11-07, 1 file, -0/+2)
  There's a Boost module for Drupal.
  (From OE-Core rev: 30ff8bb6502d45549c698be052a1caf4cb5c611f)
  (From OE-Core rev: 44c521f7cb04e0cd308489ae2ba05349ab1d3987)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ed: set CVE vendor to avoid false positives (Ross Burton, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: 2c3d689e4f78d8ea00b1bd2239af80c8fe038074)
  (From OE-Core rev: 6faf4f340ea8c2b11d609584897a7f5447abc2a0)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-extended/ed/ed_1.15.bb
* rsync: fix CVEs for included zlib (Anuj Mittal, 2019-11-07, 5 files, -1/+395)
  rsync includes its own copy of zlib and doesn't recommend linking with the system version [1]. Import CVE fixes that impact zlib version 1.2.8 [2] that is currently used by rsync.
  [1] https://git.samba.org/rsync.git/?p=rsync.git;a=blob;f=zlib/README.rsync
  [2] https://nvd.nist.gov/vuln/search/results?form_type=Advanced&cves=on&cpe_version=cpe%3a%2fa%3agnu%3azlib%3a1.2.8
  (From OE-Core rev: a55fbb4cb489853dfb0b4553f6e187c3f3633f48)
  (From OE-Core rev: 1ce0a922853b6136a019763b64e58194bb0df00f)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-devtools/rsync/rsync_3.1.3.bb
* openssl: set CVE vendor to openssl (Anuj Mittal, 2019-11-07, 2 files, -0/+4)
  Differentiate it from openssl gem for Ruby.
  (From OE-Core rev: 2ec481b19d6c9c20ce6573de77ae89e576d6b8cb)
  (From OE-Core rev: a879a194aae0f1e97f3683f5ce01eaa8b5c0dd15)
  Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-connectivity/openssl/openssl_1.1.1c.bb
* libpng: whitelist CVE-2019-17371 (Ross Burton, 2019-11-07, 1 file, -0/+3)
  This is actually a memory leak in gif2png 2.x, so whitelist it in the libpng recipe.
  (From OE-Core rev: 341e43ebd935daeb592cb073bf00f80c49a8ec2d)
  (From OE-Core rev: 581fa36d300fda00ae50c07b038fe847887f7ed3)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-multimedia/libpng/libpng_1.6.37.bb
* procps: whitelist CVE-2018-1121 (Ross Burton, 2019-11-07, 1 file, -0/+3)
  This CVE is about race conditions in 'ps' which make it unsuitable for security audits. As these race conditions are unavoidable, ps shouldn't be used for security auditing, so this isn't a valid CVE.
  (From OE-Core rev: b3fa0654abf9ac32f683ac174e453ea5e64b6cb8)
  (From OE-Core rev: 618a3203d53d33e6403386f1204bcaf327b68f37)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-extended/procps/procps_3.3.15.bb
* libpam: set CVE_PRODUCT (Ross Burton, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: f1d5273d53d66b217f3d4975f5cb5eb367b1aab1)
  (From OE-Core rev: 2395ae4a332928de3f5fcb840ef196e7a7d77386)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-extended/pam/libpam_1.3.1.bb
* webkitgtk: set CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: 43aaa117386490c822b824974fb095bd0d3ce1a3)
  (From OE-Core rev: 76b3996974de8ca8729d7d262b1c90cd2def02d5)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-sato/webkit/webkitgtk_2.24.0.bb
* flex: set CVE_PRODUCT to include vendor (Ross Burton, 2019-11-07, 1 file, -0/+3)
  There are many projects called Flex and they have CVEs, so also set the vendor to remove these false positives.
  (From OE-Core rev: 0598ccdcb31e16f1d1227197591b10ba441fcfe2)
  (From OE-Core rev: 22544792c5b3bd9be0af7c2b7c6dd7e68aa00f83)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* libxfont2: set CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: 066fa83eeaaa34e5b901dc4b82ad607d0fa78f0b)
  (From OE-Core rev: add14ed1970ff70f4dc71720986e13887da9fffa)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* squashfs-tools: set CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: 8f03a33f61a94e9b8d8232283204588ce18b45a0)
  (From OE-Core rev: 5ebaa9b41501c64e939b671b37dc616e98d2a803)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* ghostscript: set CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+3)
  (From OE-Core rev: 721e69aa12dd9ee22618ef13f29fb6d28eeab9af)
  (From OE-Core rev: 4f905e245a02b9d8c5fe4a77271aabc41a69ba00)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-extended/ghostscript/ghostscript_9.26.bb
* libsdl: set CVE_PRODUCT (Chen Qi, 2019-11-07, 2 files, -0/+4)
  (From OE-Core rev: 1f0cca19014fef24a359d400c96d178463b2760f)
  (From OE-Core rev: d368ffb08bd3e3de59827e49df9c69643e002e6e)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-graphics/libsdl2/libsdl2_2.0.9.bb
* dropbear: set CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: 3c247a4a166cabf7ddfea403cf272b3fb4e00872)
  (From OE-Core rev: 52a716ed45c9b36c893b56c4f71a84769ae67878)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* nasm: add CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: e61c42ee49029ae8ffec58128dd083031305d9e5)
  (From OE-Core rev: 29a898902b52bada1dafdf82a32d1151ed818a06)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/recipes-devtools/nasm/nasm_2.14.02.bb
* xserver-xorg: set CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -0/+2)
  (From OE-Core rev: 8995f2c7d6f2f6f760811976af77e949d505a5d8)
  (From OE-Core rev: 414fd1cd1845d05103cdc1f845acac4953c06f09)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: failure to parse versions should be more visible (Ross Burton, 2019-11-07, 1 file, -2/+2)
  (From OE-Core rev: f6a456fed7286e1304cd776bb2f740c462c9b4b1)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: ensure all known CVEs are in the report (Ross Burton, 2019-11-07, 1 file, -2/+7)
  CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness.
  (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)
  (From OE-Core rev: 301887fc4b726e1040e1ff2045c70562624dc961)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: fix https proxy issues (Chin Huat Ang, 2019-11-07, 1 file, -11/+30)
  When https_proxy is set, use the proxy opener to open CVE metadata and database URLs, otherwise fall back to urllib.request.urlopen.
  Also fix a minor issue where the json database which has been gzip decompressed as a byte object should be decoded as a utf-8 string as expected by update_db.
  (From OE-Core rev: 95438d52b732bec217301fbfc2fb019bbc3707c8)
  (From OE-Core rev: 6d3222fb7ecde524c4e033729318fb0fb80a444c)
  Signed-off-by: Chin Huat Ang <chin.huat.ang@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: clean up JSON fetching (Ross Burton, 2019-11-07, 1 file, -17/+12)
  Currently the code fetches the compressed JSON, writes it to a temporary file, uncompresses that with gzip and passes the fake file object to update_db().
  Instead, uncompress the gzip'd data in memory and pass the JSON directly to update_db().
  (From OE-Core rev: 9422745979256c442f533770203f62ec071c18fb)
  (From OE-Core rev: 1d34aec479156a7dadf7867bbf0d53f12d21ef3e)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: improve metadata parsing (Ross Burton, 2019-11-07, 1 file, -8/+10)
  The metadata parser is fragile: first it coerces a bytes() to a str() (so the string is b'LastModifiedDate:2019...'), assumes the first line is the date, and then uses a regex to parse (which then includes the trailing quote as part of the date).
  Clean this up by parsing the bytes as UTF-8 (ASCII is probably fine, but this is safer), iterating through the lines and splitting on colons to find the right key/value pair.
  (From OE-Core rev: bb4e53af33d6ca1e9346464adbdc1b39c47530f3)
  (From OE-Core rev: c718e073e8e9cd5df9e19dd02fcac2139758b5b7)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: use executemany() to optimise CPE insertion (Ross Burton, 2019-11-07, 1 file, -53/+32)
  Instead of calling execute() repeatedly, rewrite the function to be a generator and use executemany() for performance.
  (From OE-Core rev: b309840b6aa3423b909a43499356e929c8761318)
  (From OE-Core rev: d248ec9764d0439eb30fdb3605e9d05ee4219348)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: actually inherit native (Ross Burton, 2019-11-07, 1 file, -2/+1)
  The recipe was called -native but didn't inherit native.
  (From OE-Core rev: f0d822fad2a163d1ee32ed3b4c0359245140e19b)
  (From OE-Core rev: 5eeafcb492daf63602f0e2ed4a12f755701597d7)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: use os.path.join instead of + (Ross Burton, 2019-11-07, 1 file, -4/+4)
  (From OE-Core rev: 4b301030cf9cf7a981dcff85a50e915c045e3130)
  (From OE-Core rev: 7df7cd765e67535b72cd56eb679c6f5078c08460)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: Remove hash column from database. (Pierre Le Magourou, 2019-11-07, 2 files, -20/+13)
  The djb2 hash algorithm was found to have collisions, so the database was sometimes missing data.
  Remove this hash mechanism, and clear and populate elements from scratch in the PRODUCTS table if the current year needs an update.
  (From OE-Core rev: 78de2cb39d74b030cd4ec811bf6f9a6daa003d19)
  (From OE-Core rev: e6541c6add1714938a81cca394886893cf24cdb0)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: Use NVD CPE data to populate PRODUCTS table (Pierre Le Magourou, 2019-11-07, 1 file, -14/+74)
  Instead of using the expanded list of affected versions, which is not reliable, use the 'cpe_match' node in the 'configurations' json node.
  For cve-check to correctly match affected CVEs, the sqlite database needs to contain operator_start, operator_end and the corresponding version fields.
  (From OE-Core rev: f7676e9a38d595564922e5f59acbc69c2109a78f)
  (From OE-Core rev: 6977d15fbc3b78958768b21f6c501e7d63be9499)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db-native: use SQL placeholders instead of format strings (Ross Burton, 2019-11-07, 1 file, -1/+1)
  (From OE-Core rev: 91770338f76ef35f3c4eeac216eb9d2b3188e575)
  (From OE-Core rev: 075683d23018760e8b2fa0b793ceacd9027e55c3)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST (Pierre Le Magourou, 2019-11-07, 1 file, -11/+11)
  CVE_CHECK_WHITELIST does not contain versions anymore, as they were not used. This variable should be set per recipe.
  (From OE-Core rev: 7069302a4ccbb5b72e1902f284cf078516fd7294)
  (From OE-Core rev: 8dd899679fc881d02e081d1e0814252d604dd479)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow comparison of Vendor as well as Product (Ross Burton, 2019-11-07, 1 file, -4/+8)
  Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex.
  If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search.
  Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and let sqlite3 handle the escaping.
  (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c)
  (From OE-Core rev: 0851d68b4679a7035029d28091d9a6b21d266c99)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: initialize to_append (Mikko Rapeli, 2019-11-07, 1 file, -0/+1)
  Fixes build failure with core-image-minimal:
  Exception: UnboundLocalError: local variable 'to_append' referenced before assignment
  (From OE-Core rev: 270ac00cb43d0614dfe1c95f960c76e9e5fa20d4)
  (From OE-Core rev: 45758c900ff738e58fd37ff809960965867d79f8)
  Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* glibc: exclude child recipes from CVE scanning (Ross Burton, 2019-11-07, 4 files, -3/+10)
  As glibc will be scanned for CVEs, we don't need to scan glibc-locale, glibc-mtrace, and glibc-scripts which are all separate recipes for technical reasons.
  Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the global whitelist.
  (From OE-Core rev: 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17)
  (From OE-Core rev: 2b9f1b654c726e7c7b2fe8710d60ca10212295f5)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check-tool: remove (Ross Burton, 2019-11-07, 6 files, -565/+0)
  (From OE-Core rev: 5388ed6d1378d647a65912dbd537f9ef3cb5760a)
  (From OE-Core rev: eb227c8885580fc08dccc005056bb1fdb691ea1d)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: remove redundant readline CVE whitelisting (Ross Burton, 2019-11-07, 1 file, -4/+9)
  CVE-2014-2524 is a readline CVE that was fixed in 6.3patch3 onwards, but the tooling wasn't able to detect this version. As we now ship readline 8 we don't need to manually whitelist it, and if we did then the whitelisting should be in the readline recipe.
  (From OE-Core rev: 07bb8b25e172aa5c8ae96b6e8eb4ac901b835219)
  (From OE-Core rev: c7f23d4e53d039838536f71996ad896c977cf138)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Update unpatched CVE matching (Pierre Le Magourou, 2019-11-07, 1 file, -14/+40)
  Now that cve-update-db has added CPE information to the NVD database, we can check for unpatched versions with the operators '<', '<=', '>', and '>='.
  (From OE-Core rev: bc0195be1b15bcffe60127bc5e8b7011a853c2ed)
  (From OE-Core rev: 48793a3b74bfaa5ffe6191d21f64aef3720433db)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Depends on cve-update-db-native (Pierre Le Magourou, 2019-11-07, 3 files, -1/+3)
  do_populate_cve_db is a native task.
  (From OE-Core rev: 4078da92b49946848cddebe1735f301af161e162)
  (From OE-Core rev: 5d6cbab419770eb556b57445fd5509339d3142b4)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/conf/distro/include/maintainers.inc
* cve-update-db: Catch request.urlopen errors. (Pierre Le Magourou, 2019-11-07, 2 files, -11/+24)
  If the NVD url is not accessible, print a warning on top of the CVE report, and continue. The database will not be fully updated, but cve_check can still run on the previous database.
  (From OE-Core rev: 0325dd72714f0b447558084f481b77f0ec850eed)
  (From OE-Core rev: ae743789d893e950583014f38f0ad246aa4fe034)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: do_populate_cve_db depends on do_fetch (Pierre Le Magourou, 2019-11-07, 1 file, -8/+13)
  To be able to populate the NVD database on a fetchall (bitbake <image> --run-all=fetch), set the do_populate_cve_db task to be executed before do_fetch.
  Do not get the CVE_CHECK_DB_DIR, CVE_CHECK_DB_FILE and CVE_CHECK_TMP_FILE variables because do_populate_cve_db can be called in a context where the cve-check class is not loaded.
  (From OE-Core rev: 975793e3825a2a9ca6dc0e43577f680214cb7993)
  (From OE-Core rev: 5d265e84ef47ec6545eaa0fa64b16ccbb9e8a4ea)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: Manage proxy if needed. (Pierre Le Magourou, 2019-11-07, 1 file, -2/+9)
  If the https_proxy environment variable is defined, manage the proxy to be able to download meta and json data feeds from https://nvd.nist.gov
  (From OE-Core rev: 09be21f4d1793b1e26e78391f51bfc0a27b76deb)
  (From OE-Core rev: 3af4399ea35b5c4b87d656f09dd2afed11791f0a)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: be idiomatic (Ross Burton, 2019-11-07, 1 file, -8/+9)
  Instead of generating a series of indexes via range(len(list)), just iterate the list.
  (From OE-Core rev: 27eb839ee651c2d584db42d23bcf5dd764eb33f1)
  (From OE-Core rev: 27ef8c40afc27ce0ae87d2fe9a973edc89133def)
  Signed-off-by: Ross Burton <ross.burton@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: Use std library instead of urllib3 (Pierre Le Magourou, 2019-11-07, 1 file, -6/+4)
  urllib3 was used in this recipe but it was not set as a dependency. As it is not specifically needed, rewrite the recipe with urllib from the standard library.
  (From OE-Core rev: c0eabd30d7b9c2517f4ec9229640be421ecc8a5e)
  (From OE-Core rev: bfaee04b8a7cb0fc6e149106619a01b848fd8a98)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* flac: also add flac to CVE_PRODUCT (Chen Qi, 2019-11-07, 1 file, -1/+1)
  flac uses both 'flac' and 'libflac' as cve product.
  (From OE-Core rev: 3a043a078f6cc89bcc097823fa37cd1311805ae7)
  (From OE-Core rev: c130045aff7f51ddb6c7fbde590a79207dbb4ddf)
  Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Consider CVE that affects versions with less than operator (Pierre Le Magourou, 2019-11-07, 1 file, -2/+14)
  In the NVD json CVE feed, affected versions can be strictly matched to a version, but they can also be matched with the operator '<='.
  Add a new condition in the sqlite query to match affected versions that are defined with the operator '<='. Then use LooseVersion to discard all versions that are not relevant.
  (From OE-Core rev: 3bf63bc60848d91e90c23f6d854d22b78832aa2d)
  (From OE-Core rev: 70046288894184477dcf6f7eba25b1994b88c8de)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Manage CVE_PRODUCT with more than one name (Pierre Le Magourou, 2019-11-07, 1 file, -11/+14)
  In some rare cases (e.g. the curl recipe) the CVE_PRODUCT contains more than one name.
  (From OE-Core rev: 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05)
  (From OE-Core rev: 4f96e9ba1f4f14f312b6024711fe8da0c3041e4c)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: Remove dependency to cve-check-tool-native (Pierre Le Magourou, 2019-11-07, 1 file, -45/+26)
  Use the new update-cve-db recipe to update the database.
  (From OE-Core rev: bc144b028f6f51252f4359248f6921028bcb6780)
  (From OE-Core rev: 6556bb30998d9d37f2389492eb7c15667ba4a827)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-update-db: New recipe to update CVE database (Pierre Le Magourou, 2019-11-07, 2 files, -1/+122)
  The cve-check-tool-native do_populate_cve_db task was using deprecated NVD xml data feeds; cve-update-db uses NVD json data feeds.
  The SQLite database schema was updated to take into account CVSSv3 CVE scores and the operator in affected product versions.
  A new META table was added to store the last modification date of the NVD json data feeds.
  (From OE-Core rev: 546d14135c50c6a571dfbf3baf6e9b22ce3d58e0)
  (From OE-Core rev: e344a27003cc9e39058b41c0e96463f231ebf245)
  Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  Conflicts: meta/conf/distro/include/maintainers.inc
* uninative: Switch from bz2 to xz (Richard Purdie, 2019-11-07, 1 file, -2/+2)
  (From OE-Core rev: 29fc9210b973be68de474e75068e4c72371afe5a)
  (From OE-Core rev: b6645596f2d2faf8f1fdfbedfe1edd004fbce6bc)
  (From OE-Core rev: 151f7fb11bb4c91dd6edaebcc63fa3c1a2cbfe8b)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* yocto-uninative: Update to 2.5 release (Richard Purdie, 2019-11-07, 1 file, -3/+3)
  This includes libstdc++ changes from gcc 9.X. It also switches uninative from bz2 to xz compression.
  (From OE-Core rev: 7ed16ec033366aea175ac4ecf7cd82656c4141bb)
  (From OE-Core rev: 0bc5136608f7e3cab31ea57a4c3dd8df7eca9a4b)
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* bitbake: bitbake-worker child process create group before registering SIGTERM handler (Ivan Efimov, 2019-11-07, 1 file, -3/+5)
  The bitbake-worker child, on SIGTERM signal handling, sends SIGTERM to all processes in its process group. In cases when the bitbake-worker child got SIGTERM after registering its own SIGTERM handler and before the os.setsid() call, it can send SIGTERM to unwanted processes.
  In the worst case, during SIGTERM processing the bitbake-worker child can be in the group of the process that started BitBake itself. As a result it can kill processes that are not related to BitBake at all.
  (Bitbake rev: 945719d852da6c787bc9115bd0aa90c429f5de07)
  Signed-off-by: Ivan Efimov <i.efimov@inango-systems.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>