path: root/meta/lib/oeqa/selftest/cases/cve_check.py
Commit message | Author | Age | Files | Lines
* cve-check: Fix false negative version issue
  Author: Geoffrey GIRY  Age: 2023-04-14  Files: 1  Lines: -0/+19

  The NVD DB stores version and update in the same value, separated by '_'. The proposed patch checks if the version from the NVD DB contains a "_", i.e. 9.2.0_p1 is converted to 9.2.0p1 before version comparison.

  [YOCTO #14127]

  Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
  (From OE-Core rev: eb439b1283b60e6665694ff28c89fbd633eda6b0)
  Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  (cherry picked from commit 7d00f6ec578084a0a0e5caf36241d53036d996c4)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
* oeqa/selftest/cve_check: add tests for Ignored and partial reports
  Author: Marta Rybczynska  Age: 2022-07-08  Files: 1  Lines: -0/+82

  Add testcases for partial reports with CVE_CHECK_REPORT_PATCHED and Ignored CVEs.

  (From OE-Core rev: 577d297babd7b399f631c8a95155265f08c5e193)
  Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
  Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry-picked from 3f7639b90004973782a2e74925fd2e9a764c1090)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* oeqa/selftest/cve_check: add tests for recipe and image reports
  Author: Ross Burton  Age: 2022-05-28  Files: 1  Lines: -1/+76

  Add a test to verify that the JSON reports are generated correctly for both single recipe builds and image builds. More tests are needed, but this is better than nothing.

  (From OE-Core rev: add860e1a69f848097bbc511137a62d5746e5019)
  Signed-off-by: Ross Burton <ross.burton@arm.com>
  Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit df0f35555b09c4bc75470eb45ec9c74e6587d460)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: CVE_VERSION_SUFFIX to work with patched release
  Author: Lee Chee Yang  Age: 2021-03-28  Files: 1  Lines: -0/+8

  Set CVE_VERSION_SUFFIX to "patch" to treat a version string with suffix "pX" or "patchX" as a patched release. Also update testcases to cover these changes and set CVE_VERSION_SUFFIX for sudo.

  (From OE-Core rev: d75f95a09e5e85eb759e748f9e0fee1c5fa1b318)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 8076815fc2ffc8f632e73527ce2b7d158a29e9ea)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning
  Author: Lee Chee Yang  Age: 2021-02-10  Files: 1  Lines: -1/+10

  Add CVE_VERSION_SUFFIX to indicate the version suffix type. Currently it works with two values: "alphabetical" if the version string uses a single alphabetical character suffix as an incremental release, and blank to not consider unidentified suffixes. This can be expanded when more suffix patterns are identified.

  Refactor the cve_check.Version class to use functools and add a parameter to handle the suffix condition. Also update testcases to cover the new changes.

  (From OE-Core rev: 37a40c30709bf80c74948f47361b2be2c646c9d8)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 5dfd5ad5144708b474ef31eaa89a846c57be8ac0)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: replace Looseversion with custom version class
  Author: Lee Chee Yang  Age: 2021-02-10  Files: 1  Lines: -0/+27

  The way distutils.version.LooseVersion compares versions is tricky: it treats all of these ("1.0-beta2", "1.0-rc1", "1.0A", "1.0p2" and "1.0pre1") as greater versions than "1.0". This might be right for "1.0A" and "1.0p1" but not for the rest; also these versions could be confusing, as the "p" in "1.0p1" can mean a "pre" or "patched" version or even something else.

  Replace LooseVersion with a custom class. It uses a regex to capture a common version format like "1.1.1", or a tag format using a date like "2020-12-12", as the release section, checks for the following known strings/tags (beta, rc, pre, dev, alpha, preview) as the pre-release section, and ignores any other trailing characters, since they are difficult to understand/define. The release section and pre-release section are compared separately. A selftest for the version class is included.

  [YOCTO#14127]

  (From OE-Core rev: 294baea424472341d2ec880f13699076315d8274)
  Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
  (cherry picked from commit 6ced85e9ddd3569240f1e8b82130d1ac0fffbc40)
  Signed-off-by: Steve Sakoman <steve@sakoman.com>
  Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
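As an added example (not code from OE-Core's cve_check module or its selftest), the version rules described across these commit messages carried into one self-contained Python class: the NVD "_" folding from the false-negative fix, dotted or date-style release sections, the listed pre-release tags sorting before a final release, and the CVE_VERSION_SUFFIX modes "alphabetical", "patch" and blank. The class and method names, and the relative order of the pre-release tags, are assumptions.

```python
import re
from functools import total_ordering

# Assumed ordering of the pre-release tags the commit lists (it names the
# tags but not their relative order).
PRE_TAGS = {"dev": 0, "alpha": 1, "beta": 2, "pre": 3, "preview": 4, "rc": 5}

_VERSION_RE = re.compile(
    r"^(?P<release>\d+(?:[.-]\d+)*)"                   # 1.1.1 or 2020-12-12
    r"(?:[.-]?(?P<tag>preview|alpha|beta|dev|pre|rc)(?P<prenum>\d*))?"
    r"(?P<suffix>.*)$",
    re.IGNORECASE,
)

@total_ordering
class Version:
    """Hypothetical model: key is (release, pre-release, suffix); suffix_mode
    mirrors CVE_VERSION_SUFFIX ("alphabetical", "patch" or blank)."""

    def __init__(self, version, suffix_mode=""):
        # NVD keeps version and update in one value joined by '_', e.g.
        # "9.2.0_p1"; fold it to "9.2.0p1" before parsing, as the fix does.
        m = _VERSION_RE.match(version.replace("_", ""))
        if not m:
            raise ValueError(f"unparseable version: {version!r}")
        self.release = tuple(int(p) for p in re.split(r"[.-]", m["release"]))
        if m["tag"]:  # a known pre-release tag sorts before the final release
            self.pre = (0, PRE_TAGS[m["tag"].lower()], int(m["prenum"] or 0))
        else:
            self.pre = (1, 0, 0)
        self.suffix = self._suffix_key(m["suffix"].lower(), suffix_mode)

    @staticmethod
    def _suffix_key(text, mode):
        if mode == "alphabetical" and re.fullmatch(r"[a-z]", text):
            return ord(text) - ord("a") + 1      # "1.0a" is a release after "1.0"
        if mode == "patch":
            pm = re.fullmatch(r"(?:p|patch)(\d+)", text)
            if pm:
                return int(pm.group(1))          # "1.0p2" is a patched "1.0"
        return 0                                 # blank mode: unknown suffix ignored

    def _key(self):
        return (self.release, self.pre, self.suffix)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return self._key() < other._key()
```

With the blank mode, "1.0p2" compares equal to "1.0" (the suffix is ignored), which is exactly the false negative the "patch" mode exists to avoid for patched releases.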