<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes/cve-check.bbclass, branch hardknott-next</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=hardknott-next</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=hardknott-next'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2021-02-09T08:56:10+00:00</updated>
<entry>
<title>cve-check: add include/exclude layers</title>
<updated>2021-02-09T08:56:10+00:00</updated>
<author>
<name>akuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-02-08T05:51:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=73befa8f413090ec0d4eba45efe51303b25b0004'/>
<id>urn:sha1:73befa8f413090ec0d4eba45efe51303b25b0004</id>
<content type='text'>
There are times when excluding or including a layer
may be desired. This provides the framework for that via
two variables. The default is all layers in bblayers.

CVE_CHECK_LAYER_INCLUDELIST
CVE_CHECK_LAYER_EXCLUDELIST

(From OE-Core rev: 5fdde65ef58b4c1048839e4f9462b34bab36fc22)

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check.bbclass: add layer to cve log</title>
<updated>2021-02-09T08:56:10+00:00</updated>
<author>
<name>akuster</name>
<email>akuster808@gmail.com</email>
</author>
<published>2021-02-08T05:51:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=29e280f7ee6d38910e6186948272d641e1511fdd'/>
<id>urn:sha1:29e280f7ee6d38910e6186948272d641e1511fdd</id>
<content type='text'>
Let's include which layer a package belongs to and
add it to the cve logs

(From OE-Core rev: 00d965bb42dc427749a4c3985af56ceffff80457)

Signed-off-by: Armin Kuster &lt;akuster808@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve_check: add CVE_VERSION_SUFFIX to indicate suffix in versioning</title>
<updated>2021-01-30T10:41:04+00:00</updated>
<author>
<name>Lee Chee Yang</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2021-01-29T03:51:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=86b42289bda5bc2a4eff221ab476f170dd3d3794'/>
<id>urn:sha1:86b42289bda5bc2a4eff221ab476f170dd3d3794</id>
<content type='text'>
add CVE_VERSION_SUFFIX to indicate the version suffix type; currently
it works with two values: "alphabetical" if the version string uses a single
alphabetical character suffix as an incremental release, blank to not
consider the unidentified suffixes. This can be expanded when more suffix
patterns are identified.

refactor the cve_check.Version class to use functools and add a parameter to
handle the suffix condition.

Also update testcases to cover new changes.

(From OE-Core rev: 5dfd5ad5144708b474ef31eaa89a846c57be8ac0)

Signed-off-by: Lee Chee Yang &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: replace Looseversion with custom version class</title>
<updated>2021-01-23T17:08:54+00:00</updated>
<author>
<name>Lee Chee Yang</name>
<email>chee.yang.lee@intel.com</email>
</author>
<published>2021-01-22T10:07:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3807c6d9a78ac8ade24c9c69cfe2b9624c49a20d'/>
<id>urn:sha1:3807c6d9a78ac8ade24c9c69cfe2b9624c49a20d</id>
<content type='text'>
The way distutils.version.LooseVersion compares versions is tricky: it treats
all of these ("1.0-beta2", "1.0-rc1", "1.0A", "1.0p2" and "1.0pre1") as greater
versions than "1.0". This might be right for "1.0A" and "1.0p1" but not for
the rest; also, these versions could be confusing, as the "p" in "1.0p1" can be
a "pre" or "patched" version or even have another meaning.

Replace LooseVersion with a custom class; it uses a regex to capture common
version formats like "1.1.1" or tag formats using dates like "2020-12-12" as
the release section, checks for the following known strings/tags (beta, rc, pre, dev,
alpha, preview) as the pre-release section, and ignores any other trailing
characters, since they are difficult to understand/define. Compare the release
section and pre-release section separately.

Included a selftest for the version class.

[YOCTO#14127]

(From OE-Core rev: 6ced85e9ddd3569240f1e8b82130d1ac0fffbc40)

Signed-off-by: Lee Chee Yang &lt;chee.yang.lee@intel.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
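The two commits above (the CVE_VERSION_SUFFIX change and the LooseVersion replacement) describe the comparison rules but not the code. The block below is an added example written for this page, not the project's own cve_check.Version: it splits a version string into a numeric release section, an optional single-letter suffix and an optional pre-release tag, and compares the parts separately. The regex, the relative order assumed for the pre-release tags (dev, alpha, preview, beta, pre, rc), the a=1..z=26 ranking used for "alphabetical" suffixes, and the is_affected helper are all assumptions of this example.

```python
"""Regex-based version ordering for CVE matching.

Added example for this page; it is not the cve_check.Version class from
OE-Core, only an illustration of the rules the commit messages describe.
"""
import re
from functools import total_ordering

# Assumed ordering of the pre-release tags the commit message lists; the
# commit names the tags but does not state their relative order.
PRE_RELEASE_ORDER = {"dev": 0, "alpha": 1, "preview": 2, "beta": 3, "pre": 4, "rc": 5}
FINAL_RELEASE = len(PRE_RELEASE_ORDER)  # a final release sorts after every pre-release tag

VERSION_RE = re.compile(
    r"^\s*v?"
    r"(\d+(?:[.\-]\d+)*)"              # group 1: release section, e.g. 1.1.1 or 2020-12-12
    r"([a-zA-Z](?![a-zA-Z]))?"         # group 2: single-letter suffix, e.g. the k in 1.0.2k
    r"(?:[.\-_~]?(dev|alpha|preview|beta|pre|rc)\.?(\d*))?",  # groups 3/4: pre-release tag, number
    re.IGNORECASE,
)


@total_ordering
class Version:
    """Parse a version into (release, suffix rank, pre-release) and compare each part separately.

    suffix="alphabetical" treats a single trailing letter as an incremental
    release (1.0.2k is newer than 1.0.2a).  suffix="" ignores that letter, and
    any trailing text the regex does not recognise is ignored in both modes.
    """

    def __init__(self, version, suffix=""):
        m = VERSION_RE.match(version)
        if m is None:
            raise ValueError("unrecognised version string: %r" % version)
        self.release = tuple(int(p) for p in re.split(r"[.\-]", m.group(1)))
        letter = (m.group(2) or "").lower()
        # Rank a..z as 1..26 only when the caller asked for alphabetical suffixes (assumed mapping).
        self.suffix_rank = ord(letter) - ord("a") + 1 if (suffix == "alphabetical" and letter) else 0
        tag = (m.group(3) or "").lower()
        if tag:
            self.pre = (PRE_RELEASE_ORDER[tag], int(m.group(4) or 0))
        else:
            self.pre = (FINAL_RELEASE, 0)

    def _key(self):
        # Release first, then suffix, then pre-release: each section is compared on its own.
        return (self.release, self.suffix_rank, self.pre)

    def __eq__(self, other):
        return self._key() == other._key()

    def __lt__(self, other):
        return other._key() > self._key()

    def __repr__(self):
        return "Version(release=%r, suffix_rank=%d, pre=%r)" % (self.release, self.suffix_rank, self.pre)


def sort_versions(strings, suffix=""):
    """Return the given version strings ordered from oldest to newest (stable for ties)."""
    return sorted(strings, key=lambda s: Version(s, suffix)._key())


def is_affected(pv, start, end, suffix=""):
    """True when pv lies in the inclusive range [start, end]; "" for start or end leaves that side open.

    Hypothetical helper showing how such a class would be used for a CVE range check.
    """
    v = Version(pv, suffix)
    if start and Version(start, suffix) > v:
        return False
    if end and v > Version(end, suffix):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs: the strings the commit message discusses plus an OpenSSL-style suffix.
    print(sort_versions(["1.0", "1.0-rc1", "1.0-beta2", "1.0pre1", "1.0.1", "1.0A"]))
    print(is_affected("1.0.2k", "1.0.2a", "1.0.2j", suffix="alphabetical"))
    print(is_affected("1.0.2k", "1.0.2a", "1.0.2j"))
```

With the blank suffix mode, "1.0A" and "1.0p2" compare equal to "1.0" because the trailing letter is ignored, while "1.0-beta2", "1.0pre1" and "1.0-rc1" all sort before "1.0"; switching to "alphabetical" is what makes 1.0.2k fall outside a 1.0.2a..1.0.2j range.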
<entry>
<title>cve-check: show real PN/PV</title>
<updated>2020-11-24T10:27:45+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross@burtonini.com</email>
</author>
<published>2020-11-19T10:38:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=0be2aedfd3fba09d187f5de31925747291ea5cd2'/>
<id>urn:sha1:0be2aedfd3fba09d187f5de31925747291ea5cd2</id>
<content type='text'>
The output currently shows the remapped product and version fields,
which may not be the actual recipe name/version. As this report is about
recipes, use the real values.

(From OE-Core rev: 18827d7f40db4a4f92680bd59ca655cca373ad65)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add CVE_CHECK_REPORT_PATCHED variable to suppress reporting of patched CVEs</title>
<updated>2020-09-30T14:01:51+00:00</updated>
<author>
<name>Chris Laplante</name>
<email>chris.laplante@agilent.com</email>
</author>
<published>2020-09-29T15:57:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3d24ecf5406ae75a3acfca2e028581b675d04a8d'/>
<id>urn:sha1:3d24ecf5406ae75a3acfca2e028581b675d04a8d</id>
<content type='text'>
Default behavior is not changed. To suppress patched CVEs, set:

        CVE_CHECK_REPORT_PATCHED = ""

(From OE-Core rev: 05bd9f1f006cf94cf5324f96df29cd5862abaf45)

Signed-off-by: Chris Laplante &lt;chris.laplante@agilent.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: introduce CVE_CHECK_RECIPE_FILE variable to allow changing of per-recipe check file</title>
<updated>2020-09-30T14:01:51+00:00</updated>
<author>
<name>Chris Laplante</name>
<email>chris.laplante@agilent.com</email>
</author>
<published>2020-09-29T15:57:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=47a35a3843258e8c590d62603d5062d0b096a22d'/>
<id>urn:sha1:47a35a3843258e8c590d62603d5062d0b096a22d</id>
<content type='text'>
The addition of this variable also makes it possible to change the
output suffix of the check files, e.g. in local.conf:

CVE_CHECK_MANIFEST_append = ".txt"
CVE_CHECK_RECIPE_FILE_append = ".txt"

(From OE-Core rev: 0d40f1482c6d87785ae47c46c2305e1df46f459a)

Signed-off-by: Chris Laplante &lt;chris.laplante@agilent.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-update-db-native: use fetch task</title>
<updated>2020-09-12T13:49:00+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross@burtonini.com</email>
</author>
<published>2020-09-10T21:04:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=33efd9351702e08a53e6512e235f947e4f9e914f'/>
<id>urn:sha1:33efd9351702e08a53e6512e235f947e4f9e914f</id>
<content type='text'>
Instead of inventing a new task to fetch the CVE data, use the existing
fetch task.

(From OE-Core rev: f5f97d33a1703d75b9fd9760f2c7767081538e00)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: avoid FileNotFoundError if no do_cve_check task has run</title>
<updated>2020-09-10T12:48:26+00:00</updated>
<author>
<name>Chris Laplante</name>
<email>chris.laplante@agilent.com</email>
</author>
<published>2020-09-09T20:51:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=06b20b01a0164547c689f1a8367ff9b14d8fdacc'/>
<id>urn:sha1:06b20b01a0164547c689f1a8367ff9b14d8fdacc</id>
<content type='text'>
For example, if you just run 'bitbake cve-update-db-native' in a clean
build system, |cve_tmp_file| won't exist yet.

(From OE-Core rev: dd4473f3d8e1c1a587b6de660775e4b46ddc5fad)

Signed-off-by: Chris Laplante &lt;chris.laplante@agilent.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check/cve-update-db-native: use lockfile to fix usage under multiconfig</title>
<updated>2020-09-10T12:48:26+00:00</updated>
<author>
<name>Chris Laplante</name>
<email>chris.laplante@agilent.com</email>
</author>
<published>2020-09-09T20:51:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=9ba2f3b8c3937bb4a3376d5537774f1dbb321bef'/>
<id>urn:sha1:9ba2f3b8c3937bb4a3376d5537774f1dbb321bef</id>
<content type='text'>
Previously CVE_CHECK_DB_FILE / CVE_CHECK_DB_DIR were the same across
multiconfigs, which led to a race condition wherein multiple
cve-update-db-native:do_populate_cve_db tasks could attempt to write to
the same sqlite database. This led to the following task failure:

    Error executing a python function in exec_python_func() autogenerated:

    The stack trace of python calls that resulted in this exception/failure was:
    File: 'exec_python_func() autogenerated', lineno: 2, function: &lt;module&gt;
         0001:
     *** 0002:do_populate_cve_db(d)
         0003:
    File: '/mnt/data/agent/work/74f119cccb44f133/yocto/sources/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 103, function: do_populate_cve_db
         0099:        if year == date.today().year:
         0100:            cve_f.write('CVE database update : %s\n\n' % date.today())
         0101:
         0102:    cve_f.close()
     *** 0103:    conn.commit()
         0104:    conn.close()
         0105:}
         0106:
         0107:def initialize_db(c):
    Exception: sqlite3.OperationalError: disk I/O error

Use a lockfile to ensure multiple tasks don't step over each other.

(From OE-Core rev: 24e9380643a2ae3fcae193519cb64aedaf682153)

Signed-off-by: Chris Laplante &lt;chris.laplante@agilent.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
