Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=warrior-21.0.3 2019-09-30T15:44:42+00:00 2019-09-30T15:44:42+00:00 Ross Burton ross.burton@intel.com 2019-09-25T11:11:02+00:00 urn:sha1:411624fa506a74eba7f1b1e159bd1a2286aa6686 As detailed at [1] the XML feeds provided by NIST are being discontinued on October 9th 2019. As cve-check-tool uses these feeds, cve-check.bbclass will be inoperable after this date. To ensure that cve-check continues working, backport the following commits from master to move away from the unmaintained cve-check-tool to our own Python code that fetches the JSON: 546d14135c5 cve-update-db: New recipe to update CVE database bc144b028f6 cve-check: Remove dependency to cve-check-tool-native 7f62a20b32a cve-check: Manage CVE_PRODUCT with more than one name 3bf63bc6084 cve-check: Consider CVE that affects versions with less than operator c0eabd30d7b cve-update-db: Use std library instead of urllib3 27eb839ee65 cve-check: be idiomatic 09be21f4d17 cve-update-db: Manage proxy if needed. 975793e3825 cve-update-db: do_populate_cve_db depends on do_fetch 0325dd72714 cve-update-db: Catch request.urlopen errors. 4078da92b49 cve-check: Depends on cve-update-db-native f7676e9a38d cve-update-db: Use NVD CPE data to populate PRODUCTS table bc0195be1b1 cve-check: Update unpatched CVE matching c807c2a6409 cve-update-db-native: Skip recipe when cve-check class is not loaded. 07bb8b25e17 cve-check: remove redundant readline CVE whitelisting 5388ed6d137 cve-check-tool: remove 270ac00cb43 cve-check.bbclass: initialize to_append e6bf9000987 cve-check: allow comparison of Vendor as well as Product 91770338f76 cve-update-db-native: use SQL placeholders instead of format strings 7069302a4cc cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST 78de2cb39d7 cve-update-db-native: Remove hash column from database. 4b301030cf9 cve-update-db-native: use os.path.join instead of + f0d822fad2a cve-update-db: actually inherit native b309840b6aa cve-update-db-native: use executemany() to optimise CPE insertion bb4e53af33d cve-update-db-native: improve metadata parsing 94227459792 cve-update-db-native: clean up JSON fetching 95438d52b73 cve-update-db-native: fix https proxy issues 1f9a963b9ff glibc: exclude child recipes from CVE scanning [1] https://nvd.nist.gov/General/News/XML-Vulnerability-Feed-Retirement (From OE-Core rev: 8c87e78547c598cada1bce92e7b25d85b994e2eb) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-02-24T10:31:46+00:00 Konstantin Shemyak konstantin.shemyak@ge.com 2018-02-19T14:35:54+00:00 urn:sha1:2e07b1c0bb6e88cd0338b477ab9e69b1fe605e6c The binary 'cve-check-update' downloads the CVE database from the Internet. If the system is behind a web proxy, the download fails, as proxy-related variables are not exported. In turn, 'cve-check-tool' does not connect to the network and correspondingly does not need exported proxies. Exported all proxy-related environment variables to 'cve-check-update' and removed the unneeded export from 'cve-check-tool'. (From OE-Core rev: 17db210975c740aff12732c511cf4fb32b507365) Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-09-11T16:30:29+00:00 Mikko Rapeli mikko.rapeli@bmw.de 2017-09-06T11:08:16+00:00 urn:sha1:4efeceb8a672dd9372820daa143903a934e4d20a It is perfectly fine to execute cve_check tasks against a cached CVE database during a BB_NO_NETWORK build. (From OE-Core rev: acc9994a77972c49a98aabbfd579973885c95f10) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-08-19T21:15:38+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2017-08-18T12:38:16+00:00 urn:sha1:a09aa675bb8757a677c3f8289b459aa4a064aa34 CURL_FORMAT_OFF_T does not seem to exist anymore, use CURL_FORMAT_CURL_OFF_T instead. This works with old and new curl. (From OE-Core rev: 5548f9c87c6a10cda2baf6f198762380e55f6ae2) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-06-12T14:08:30+00:00 Peter Marko peter.marko@siemens.com 2017-06-07T06:04:31+00:00 urn:sha1:5a9cc41a3bbe3f955bf570d99f6474aa44b23d25 This fixes cve-check-tool crashes on exceptions. (From OE-Core rev: 06bea09755ebda9bcfa49bf87249f80cb019157e) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-05-18T13:01:48+00:00 Chen Qi Qi.Chen@windriver.com 2017-05-08T03:12:11+00:00 urn:sha1:ef506f58da3a95fba2696df749b2b81f9c118847 CVE checking in OE didn't work as do_populate_cve_db failed with the following error message. [snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent Backport a patch to fix this error. (From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-02-15T17:29:56+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2017-02-09T19:38:33+00:00 urn:sha1:d887c24d5af0f570a259985fa99af5c56158fcfa Native libcurl looks for CA certs in the wrong place by default. * Add patch that allows overriding the default CA certificate location. Patch is originally from meta-security-isafw. * Use the new --cacert to set the correct CA bundle path (From OE-Core rev: 73bd11d5190a072064128cc13b4537154d07b129) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2017-02-15T17:29:56+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2017-02-09T19:38:32+00:00 urn:sha1:ea616d122676e7d5bbf606b7dbfa8f62c63d4a27 * Use --enable-relative-plugins so cve-check-tool looks for loadable modules relative to binary location instead of hard-coding a wrong sysroot location * do_populate_cve_db() assumes that the binary cve-check-update is in the sysroot. Ensure that this is true by adding a task dependency (From OE-Core rev: 2da6b01893d0afe8750bd0b12a8d55aafa82f58c) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-10-28T15:15:18+00:00 Alexander Kanavin alexander.kanavin@linux.intel.com 2016-10-18T12:11:49+00:00 urn:sha1:2fda4c9b2eaf2ceb800789969f576554f4803f72 (From OE-Core rev: 4f96180ef525ad2b2cad935bd7253a5a0a079ff4) Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-09-30T15:51:15+00:00 André Draszik git@andred.net 2016-09-28T12:05:45+00:00 urn:sha1:e01466f91c58aefe7f280bd3a653ea20230692d0 We add a patch to report the progress, and at the same time inform bitbake that progress can be extracted via the simple 'percent' progress handler. (From OE-Core rev: 145a29ca99d9fec5eff97d77c8cff6356fe88ba5) Signed-off-by: André Draszik <git@andred.net> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>