diff options
| author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-08-04 09:52:42 +0100 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-08-05 14:31:57 +0100 |
| commit | 0731d49014cae5615c434534554f670090a519f9 (patch) | |
| tree | 8542245e6c72e50714d9a6fad134f8e7faa3e6e0 | |
| parent | 6c1e2d7971bf3b720aa9ad0893c0831d3e996d74 (diff) | |
| download | poky-0731d49014cae5615c434534554f670090a519f9.tar.gz | |
cve_check: Use a local copy of the database during builds
Rtaher than trying to use a sqlite database over NFS from DL_DIR, work from
a local copy in STAGING DIR after fetching.
(From OE-Core rev: 03596904392d257572a905a182b92c780d636744)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 7 | ||||
| -rw-r--r-- | meta/recipes-core/meta/cve-update-nvd2-native.bb | 18 |
2 files changed, 17 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 93a2a1413d..c946de29a4 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -31,8 +31,9 @@ | |||
| 31 | CVE_PRODUCT ??= "${BPN}" | 31 | CVE_PRODUCT ??= "${BPN}" |
| 32 | CVE_VERSION ??= "${PV}" | 32 | CVE_VERSION ??= "${PV}" |
| 33 | 33 | ||
| 34 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" | 34 | CVE_CHECK_DB_FILENAME ?= "nvdcve_2-1.db" |
| 35 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db" | 35 | CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" |
| 36 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" | ||
| 36 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" | 37 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" |
| 37 | 38 | ||
| 38 | CVE_CHECK_LOG ?= "${T}/cve.log" | 39 | CVE_CHECK_LOG ?= "${T}/cve.log" |
| @@ -198,7 +199,7 @@ python do_cve_check () { | |||
| 198 | } | 199 | } |
| 199 | 200 | ||
| 200 | addtask cve_check before do_build | 201 | addtask cve_check before do_build |
| 201 | do_cve_check[depends] = "cve-update-nvd2-native:do_fetch" | 202 | do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" |
| 202 | do_cve_check[nostamp] = "1" | 203 | do_cve_check[nostamp] = "1" |
| 203 | 204 | ||
| 204 | python cve_check_cleanup () { | 205 | python cve_check_cleanup () { |
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index 1901641965..2d23d28c3e 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb | |||
| @@ -8,7 +8,6 @@ INHIBIT_DEFAULT_DEPS = "1" | |||
| 8 | 8 | ||
| 9 | inherit native | 9 | inherit native |
| 10 | 10 | ||
| 11 | deltask do_unpack | ||
| 12 | deltask do_patch | 11 | deltask do_patch |
| 13 | deltask do_configure | 12 | deltask do_configure |
| 14 | deltask do_compile | 13 | deltask do_compile |
| @@ -35,7 +34,9 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000" | |||
| 35 | # Number of attempts for each http query to nvd server before giving up | 34 | # Number of attempts for each http query to nvd server before giving up |
| 36 | CVE_DB_UPDATE_ATTEMPTS ?= "5" | 35 | CVE_DB_UPDATE_ATTEMPTS ?= "5" |
| 37 | 36 | ||
| 38 | CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db" | 37 | CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}" |
| 38 | CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock" | ||
| 39 | CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp" | ||
| 39 | 40 | ||
| 40 | python () { | 41 | python () { |
| 41 | if not bb.data.inherits_class("cve-check", d): | 42 | if not bb.data.inherits_class("cve-check", d): |
| @@ -52,9 +53,9 @@ python do_fetch() { | |||
| 52 | 53 | ||
| 53 | bb.utils.export_proxies(d) | 54 | bb.utils.export_proxies(d) |
| 54 | 55 | ||
| 55 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 56 | db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE") |
| 56 | db_dir = os.path.dirname(db_file) | 57 | db_dir = os.path.dirname(db_file) |
| 57 | db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") | 58 | db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE") |
| 58 | 59 | ||
| 59 | cleanup_db_download(db_file, db_tmp_file) | 60 | cleanup_db_download(db_file, db_tmp_file) |
| 60 | # By default let's update the whole database (since time 0) | 61 | # By default let's update the whole database (since time 0) |
| @@ -77,6 +78,7 @@ python do_fetch() { | |||
| 77 | pass | 78 | pass |
| 78 | 79 | ||
| 79 | bb.utils.mkdirhier(db_dir) | 80 | bb.utils.mkdirhier(db_dir) |
| 81 | bb.utils.mkdirhier(os.path.dirname(db_tmp_file)) | ||
| 80 | if os.path.exists(db_file): | 82 | if os.path.exists(db_file): |
| 81 | shutil.copy2(db_file, db_tmp_file) | 83 | shutil.copy2(db_file, db_tmp_file) |
| 82 | 84 | ||
| @@ -89,10 +91,16 @@ python do_fetch() { | |||
| 89 | os.remove(db_tmp_file) | 91 | os.remove(db_tmp_file) |
| 90 | } | 92 | } |
| 91 | 93 | ||
| 92 | do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" | 94 | do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}" |
| 93 | do_fetch[file-checksums] = "" | 95 | do_fetch[file-checksums] = "" |
| 94 | do_fetch[vardeps] = "" | 96 | do_fetch[vardeps] = "" |
| 95 | 97 | ||
| 98 | python do_unpack() { | ||
| 99 | import shutil | ||
| 100 | shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE")) | ||
| 101 | } | ||
| 102 | do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}" | ||
| 103 | |||
| 96 | def cleanup_db_download(db_file, db_tmp_file): | 104 | def cleanup_db_download(db_file, db_tmp_file): |
| 97 | """ | 105 | """ |
| 98 | Cleanup the download space from possible failed downloads | 106 | Cleanup the download space from possible failed downloads |