<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux/poky.git/meta/classes/cve-check.bbclass, branch mickledore-4.2.3</title>
<subtitle>Mirror of git.yoctoproject.org/poky</subtitle>
<id>https://git.enea.com/cgit/linux/poky.git/atom?h=mickledore-4.2.3</id>
<link rel='self' href='https://git.enea.com/cgit/linux/poky.git/atom?h=mickledore-4.2.3'/>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/'/>
<updated>2023-04-01T10:36:26+00:00</updated>
<entry>
<title>cve-update-nvd2-native: new CVE database fetcher</title>
<updated>2023-04-01T10:36:26+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2023-03-29T10:02:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=15dc92a4b19baedbb9bfa95fbe2c8b6a7c9987c8'/>
<id>urn:sha1:15dc92a4b19baedbb9bfa95fbe2c8b6a7c9987c8</id>
<content type='text'>
Add new fetcher for the NVD database using the 2.0 API [1].
The implementation changes as little as possible, keeping the current
database format (but using a different database file for the transition
period), with a notable exception of not using the META table.

Minor changes that could be visible:
- the database starts in 1999 instead of 2002
- the complete fetch is longer (30 minutes typically)

[1] https://nvd.nist.gov/developers/vulnerabilities

(From OE-Core rev: fb62c4c3dbca4e58f7ce6cf29d4b630a06411a97)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@syslinbit.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: Fix false negative version issue</title>
<updated>2023-03-30T11:30:38+00:00</updated>
<author>
<name>Geoffrey GIRY</name>
<email>geoffrey.giry@smile.fr</email>
</author>
<published>2023-03-28T10:23:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=81740facf458a5a3326c0cfca20ebf75d8fe91d0'/>
<id>urn:sha1:81740facf458a5a3326c0cfca20ebf75d8fe91d0</id>
<content type='text'>
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.

[YOCTO #14127]

Reviewed-by: Yoann CONGAL &lt;yoann.congal@smile.fr&gt;
(From OE-Core rev: 7d00f6ec578084a0a0e5caf36241d53036d996c4)

Signed-off-by: Geoffrey GIRY &lt;geoffrey.giry@smile.fr&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: write the cve manifest to IMGDEPLOYDIR</title>
<updated>2023-01-18T16:42:28+00:00</updated>
<author>
<name>Jermain Horsman</name>
<email>jermain.horsman@nedap.com</email>
</author>
<published>2023-01-16T11:46:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=14a852c273c43dbf04d6502c5cbbe5768d165c5d'/>
<id>urn:sha1:14a852c273c43dbf04d6502c5cbbe5768d165c5d</id>
<content type='text'>
When building an image cve_check_write_rootfs_manifest() would sometimes fail
with a FileNotFoundError when writing the manifest.cve due to the parent
directory (DEPLOY_DIR_IMAGE) not (yet) existing.

The image task will provide the manifest in the deploy directory afterwards,
so other recipes depending on the manifest being in DEPLOY_DIR_IMAGE should
continue to function properly.

(From OE-Core rev: 00fb2aae22ce0d7ff5f3f8766fa770eeb4e73483)

Signed-off-by: Jermain Horsman &lt;jermain.horsman@nedap.com&gt;
Signed-off-by: Luca Ceresoli &lt;luca.ceresoli@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: close cursors as soon as possible</title>
<updated>2022-09-02T14:58:25+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2022-08-26T17:35:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=3cca59a9bcba1cad84f788e0f6ae09bc00c00ed7'/>
<id>urn:sha1:3cca59a9bcba1cad84f788e0f6ae09bc00c00ed7</id>
<content type='text'>
We can have multiple processes reading the database at the same time, and
cursors only release their locks when they're garbage collected.

This might be the cause of random sqlite errors on the autobuilder, so
explicitly close the cursors when we're done with them.

(From OE-Core rev: 5d2e90e4a58217a943ec21140bc2ecdd4357a98a)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Luca Ceresoli &lt;luca.ceresoli@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>classes: cve-check: Get shared database lock</title>
<updated>2022-08-31T09:40:07+00:00</updated>
<author>
<name>Joshua Watt</name>
<email>JPEWhacker@gmail.com</email>
</author>
<published>2022-08-30T15:59:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=a19e278f2ec5fed8b4647c7541254bcb96bcdabc'/>
<id>urn:sha1:a19e278f2ec5fed8b4647c7541254bcb96bcdabc</id>
<content type='text'>
The CVE check database needs to have a shared lock acquired on it before
it is accessed. This to prevent cve-update-db-native from deleting the
database file out from underneath it.

[YOCTO #14899]

(From OE-Core rev: 20a9911b73df62a0d0d1884e57085f13ac5016dd)

Signed-off-by: Joshua Watt &lt;JPEWhacker@gmail.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>classes: Add SPDX license identifiers</title>
<updated>2022-08-12T10:58:01+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2022-08-10T17:55:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=ff525695f27ce2d9033f6f03f6b22fe06aa01960'/>
<id>urn:sha1:ff525695f27ce2d9033f6f03f6b22fe06aa01960</id>
<content type='text'>
As stated in our top level license files, the license is MIT unless
otherwise stated. Add SPDX identifers accordingly. Replace older
license statementa with the standardised syntax. Also drop "All
Rights Reserved" expression as it isn't used now, doesn't mean anything
and is confusing.

(From OE-Core rev: 081a391fe09a21265881e39a2a496e4e10b4f80b)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>classes: Add copyright statements to files without one</title>
<updated>2022-08-12T10:58:01+00:00</updated>
<author>
<name>Richard Purdie</name>
<email>richard.purdie@linuxfoundation.org</email>
</author>
<published>2022-08-10T17:21:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=971d5f7b81d535b2da0ae51a54f9ba6641f18304'/>
<id>urn:sha1:971d5f7b81d535b2da0ae51a54f9ba6641f18304</id>
<content type='text'>
Where there isn't a copyright statement, add one to make it explicit.
Also drop editor config lines where they were present.

(From OE-Core rev: 880c1ea3edc8edef974e65b2d424fc36809ea034)

Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: hook cleanup to the BuildCompleted event, not CookerExit</title>
<updated>2022-06-30T09:27:17+00:00</updated>
<author>
<name>Ross Burton</name>
<email>ross.burton@arm.com</email>
</author>
<published>2022-06-29T15:15:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=271909fa4bd0658d97fb4395c41f0340995fa2a8'/>
<id>urn:sha1:271909fa4bd0658d97fb4395c41f0340995fa2a8</id>
<content type='text'>
The cve-check class writes temporary files to preserve state across the
build, and cleans them up in a CookerExit handler.

However, in memory-resident builds the cooker won't exit in between
builds, so the state isn't cleared and the CVE report generation fails:

NOTE: Generating JSON CVE summary
ERROR: Error adding the same package twice

Easily solved by hooking to BuildCompleted, instead of CookerExit.

(From OE-Core rev: fccdcfd301de281a427bfee48d8ff47fa07b7259)

Signed-off-by: Ross Burton &lt;ross.burton@arm.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: add support for Ignored CVEs</title>
<updated>2022-06-17T16:57:44+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2022-06-15T13:20:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=112299ddae36e51acd802f908e8526cf48c59a49'/>
<id>urn:sha1:112299ddae36e51acd802f908e8526cf48c59a49</id>
<content type='text'>
Ignored CVEs aren't patched, but do not apply in our configuration
for some reason. Up till now they were only partially supported
and reported as "Patched".

This patch adds separate reporting of Ignored CVEs. The variable
CVE_CHECK_REPORT_PATCHED now manages reporting of both patched
and ignored CVEs.

(From OE-Core rev: c773102d4828fc4ddd1024f6115d577e23f1afe4)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@huawei.com&gt;
Signed-off-by: Alexandre Belloni &lt;alexandre.belloni@bootlin.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>cve-check: fix return type in check_cves</title>
<updated>2022-06-06T12:36:05+00:00</updated>
<author>
<name>Marta Rybczynska</name>
<email>rybczynska@gmail.com</email>
</author>
<published>2022-06-03T08:56:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.enea.com/cgit/linux/poky.git/commit/?id=2916a71be26a84bbf0d60fcc2e73c0602df66bbf'/>
<id>urn:sha1:2916a71be26a84bbf0d60fcc2e73c0602df66bbf</id>
<content type='text'>
Make empty return types in check_cvs the same for all code paths.

(From OE-Core rev: f86393c93dec47b24e837d0c4c5761a716ecdbb6)

Signed-off-by: Marta Rybczynska &lt;marta.rybczynska@huawei.com&gt;
Signed-off-by: Richard Purdie &lt;richard.purdie@linuxfoundation.org&gt;
</content>
</entry>
</feed>
