From d887c24d5af0f570a259985fa99af5c56158fcfa Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Thu, 9 Feb 2017 21:38:33 +0200 Subject: cve-check-tool: Use CA cert bundle in correct sysroot Native libcurl looks for CA certs in the wrong place by default. * Add patch that allows overriding the default CA certificate location. Patch is originally from meta-security-isafw. * Use the new --cacert to set the correct CA bundle path (From OE-Core rev: 73bd11d5190a072064128cc13b4537154d07b129) Signed-off-by: Jussi Kukkonen Signed-off-by: Ross Burton Signed-off-by: Richard Purdie --- meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb') diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb index c78af6728c..fcd3182931 100644 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ file://check-for-malloc_trim-before-using-it.patch \ file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ + file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ " SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" @@ -39,7 +40,8 @@ do_populate_cve_db() { [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" bbdebug 2 "Updating cve-check-tool database located in $cve_dir" - if cve-check-update -d "$cve_dir" ; then + # --cacert works around curl-native not finding the CA bundle + if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" else bbwarn "Error in executing cve-check-update" -- cgit v1.2.3-54-g00ecf