From 7ffa4d4044b9288eefa44fcc80c246a4def2435b Mon Sep 17 00:00:00 2001
From: Ross Burton
Date: Fri, 3 Nov 2023 13:28:11 +0000
Subject: cve-check: don't warn if a patch is remote

We don't make do_cve_check depend on do_unpack because that would be a waste of time 99% of the time. The compromise here is that we can't scan remote patches for issues, but this isn't a problem so downgrade the warning to a note. Also move the check for CVEs in the filename before the local file check so that even with remote patches, we still check for CVE references in the name.
(From OE-Core rev: 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)
Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/lib/oe/cve_check.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
(limited to 'meta/lib')
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index c0ab22d25e..3fa77bf9a7 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -95,11 +95,6 @@ def get_patched_cves(d):
 for url in oe.patch.src_patches(d):
 patch_file = bb.fetch.decodeurl(url)[2]
- # Remote compressed patches may not be unpacked, so silently ignore them
- if not os.path.isfile(patch_file):
- bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
- continue
-
 # Check patch file name for CVE ID
 fname_match = cve_file_name_match.search(patch_file)
 if fname_match:
@@ -107,6 +102,12 @@ def get_patched_cves(d):
 patched_cves.add(cve)
 bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+ # Remote patches won't be present and compressed patches won't be
+ # unpacked, so say we're not scanning them
+ if not os.path.isfile(patch_file):
+ bb.note("%s is remote or compressed, not scanning content" % patch_file)
+ continue
+
 with open(patch_file, "r", encoding="utf-8") as f:
 try:
 patch_text = f.read()
--
cgit v1.2.3-54-g00ecf
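Review bot: The `os.path.isfile(patch_file)` guard added in the second hunk is also false for a patch path that is simply missing, yet the new message always says "remote or compressed" and is now only a `bb.note`, so that case loses its visible signal. Because the file-name match now runs first, a patch that is not on disk is recorded as fixing a CVE on the strength of its name alone, while CVE references in its content are never read. The skip itself fails safe (those CVEs stay reported), but the name-only credit is unverified. I would state this at the skip, e.g. `bb.note("%s is not a local file (remote, compressed or missing), content not scanned for CVE references" % patch_file)`, and extend the comment above it to say that only the file name is trusted for such patches. The loop body of get_patched_cves continues past the end of the hunk.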