From 67a89b3a42c2e0c2bbb8c443bef45de03411a44b Mon Sep 17 00:00:00 2001
From: Ross Burton
Date: Wed, 6 Nov 2019 17:37:32 +0200
Subject: cve-check: allow comparison of Vendor as well as Product

Some product names are too vague to be searched without also matching the vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or Apache Flex, or IBM Flex.

If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search.

Also don't use .format() to construct SQL as that can lead to security issues. Instead, use ? placeholders and lets sqlite3 handle the escaping.

(From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c)
(From OE-Core rev: 0851d68b4679a7035029d28091d9a6b21d266c99)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/classes/cve-check.bbclass | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2a1381604a..e8668b2566 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -190,12 +190,16 @@ def check_cves(d, patched_cves):
 import sqlite3
 db_file = d.getVar("CVE_CHECK_DB_FILE")
 conn = sqlite3.connect(db_file)
- c = conn.cursor()
-
- query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
 for product in products:
- for row in c.execute(query.format(product, pv)):
+ c = conn.cursor()
+ if ":" in product:
+ vendor, product = product.split(":", 1)
+ c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
+ else:
+ c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+
+ for row in c:
 cve = row[1]
 version_start = row[4]
 operator_start = row[5]
-- 
cgit v1.2.3-54-g00ecf
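Review bot: `vendor, product = product.split(":", 1)` rebinds the loop variable, so for the remainder of the loop body — which continues past the end of the hunk — `product` holds only the bare product name rather than the `vendor:product` entry from CVE_PRODUCT; if that body logs or reports `product`, the vendor is silently dropped from the output. Binding the query value to its own name avoids the surprise: `vendor, name = product.split(":", 1)` followed by `c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (name, vendor))`. A short comment such as `# CVE_PRODUCT entries may be "vendor:product"; an empty side (":flex", "flex:") compares against "" and will most likely match no row` would also record that a malformed entry does not fall back to the product-only query. Switching from `.format()` to `?` placeholders is the right fix for the earlier string-built SQL; the `pv` argument the old `.format()` call passed was never used by the query, so nothing is lost there.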