diff options
| author | Richard Purdie <richard.purdie@linuxfoundation.org> | 2024-08-13 05:16:38 -0700 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-11-11 06:19:18 -0800 |
| commit | 2252b53ac6ddae74bf2430ced32da6da740e2a2d (patch) | |
| tree | f0fcb5b8dec539deba58a8af8870c6600ebdc709 | |
| parent | 249617857b17761b11a58b27caa336e0a0481e55 (diff) | |
| download | poky-2252b53ac6ddae74bf2430ced32da6da740e2a2d.tar.gz | |
cve_check: Use a local copy of the database during builds
Rtaher than trying to use a sqlite database over NFS from DL_DIR, work from
a local copy in STAGING DIR after fetching.
(From OE-Core rev: 9b6363994e5715f1d08b98956befd8915c128e85)
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 03596904392d257572a905a182b92c780d636744)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 7 | ||||
| -rw-r--r-- | meta/recipes-core/meta/cve-update-nvd2-native.bb | 18 |
2 files changed, 17 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index dd9847f366..ac13b0a863 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -25,8 +25,9 @@ | |||
| 25 | CVE_PRODUCT ??= "${BPN}" | 25 | CVE_PRODUCT ??= "${BPN}" |
| 26 | CVE_VERSION ??= "${PV}" | 26 | CVE_VERSION ??= "${PV}" |
| 27 | 27 | ||
| 28 | CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" | 28 | CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db" |
| 29 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-2.db" | 29 | CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK" |
| 30 | CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}" | ||
| 30 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" | 31 | CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock" |
| 31 | 32 | ||
| 32 | CVE_CHECK_LOG ?= "${T}/cve.log" | 33 | CVE_CHECK_LOG ?= "${T}/cve.log" |
| @@ -157,7 +158,7 @@ python do_cve_check () { | |||
| 157 | } | 158 | } |
| 158 | 159 | ||
| 159 | addtask cve_check before do_build | 160 | addtask cve_check before do_build |
| 160 | do_cve_check[depends] = "cve-update-nvd2-native:do_fetch" | 161 | do_cve_check[depends] = "cve-update-nvd2-native:do_unpack" |
| 161 | do_cve_check[nostamp] = "1" | 162 | do_cve_check[nostamp] = "1" |
| 162 | 163 | ||
| 163 | python cve_check_cleanup () { | 164 | python cve_check_cleanup () { |
diff --git a/meta/recipes-core/meta/cve-update-nvd2-native.bb b/meta/recipes-core/meta/cve-update-nvd2-native.bb index b4c46ef756..dc742df06d 100644 --- a/meta/recipes-core/meta/cve-update-nvd2-native.bb +++ b/meta/recipes-core/meta/cve-update-nvd2-native.bb | |||
| @@ -8,7 +8,6 @@ INHIBIT_DEFAULT_DEPS = "1" | |||
| 8 | 8 | ||
| 9 | inherit native | 9 | inherit native |
| 10 | 10 | ||
| 11 | deltask do_unpack | ||
| 12 | deltask do_patch | 11 | deltask do_patch |
| 13 | deltask do_configure | 12 | deltask do_configure |
| 14 | deltask do_compile | 13 | deltask do_compile |
| @@ -35,7 +34,9 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000" | |||
| 35 | # Number of attempts for each http query to nvd server before giving up | 34 | # Number of attempts for each http query to nvd server before giving up |
| 36 | CVE_DB_UPDATE_ATTEMPTS ?= "5" | 35 | CVE_DB_UPDATE_ATTEMPTS ?= "5" |
| 37 | 36 | ||
| 38 | CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db" | 37 | CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}" |
| 38 | CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock" | ||
| 39 | CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp" | ||
| 39 | 40 | ||
| 40 | python () { | 41 | python () { |
| 41 | if not bb.data.inherits_class("cve-check", d): | 42 | if not bb.data.inherits_class("cve-check", d): |
| @@ -52,9 +53,9 @@ python do_fetch() { | |||
| 52 | 53 | ||
| 53 | bb.utils.export_proxies(d) | 54 | bb.utils.export_proxies(d) |
| 54 | 55 | ||
| 55 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 56 | db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE") |
| 56 | db_dir = os.path.dirname(db_file) | 57 | db_dir = os.path.dirname(db_file) |
| 57 | db_tmp_file = d.getVar("CVE_DB_TEMP_FILE") | 58 | db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE") |
| 58 | 59 | ||
| 59 | cleanup_db_download(db_file, db_tmp_file) | 60 | cleanup_db_download(db_file, db_tmp_file) |
| 60 | # By default let's update the whole database (since time 0) | 61 | # By default let's update the whole database (since time 0) |
| @@ -77,6 +78,7 @@ python do_fetch() { | |||
| 77 | pass | 78 | pass |
| 78 | 79 | ||
| 79 | bb.utils.mkdirhier(db_dir) | 80 | bb.utils.mkdirhier(db_dir) |
| 81 | bb.utils.mkdirhier(os.path.dirname(db_tmp_file)) | ||
| 80 | if os.path.exists(db_file): | 82 | if os.path.exists(db_file): |
| 81 | shutil.copy2(db_file, db_tmp_file) | 83 | shutil.copy2(db_file, db_tmp_file) |
| 82 | 84 | ||
| @@ -89,10 +91,16 @@ python do_fetch() { | |||
| 89 | os.remove(db_tmp_file) | 91 | os.remove(db_tmp_file) |
| 90 | } | 92 | } |
| 91 | 93 | ||
| 92 | do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" | 94 | do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}" |
| 93 | do_fetch[file-checksums] = "" | 95 | do_fetch[file-checksums] = "" |
| 94 | do_fetch[vardeps] = "" | 96 | do_fetch[vardeps] = "" |
| 95 | 97 | ||
| 98 | python do_unpack() { | ||
| 99 | import shutil | ||
| 100 | shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE")) | ||
| 101 | } | ||
| 102 | do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}" | ||
| 103 | |||
| 96 | def cleanup_db_download(db_file, db_tmp_file): | 104 | def cleanup_db_download(db_file, db_tmp_file): |
| 97 | """ | 105 | """ |
| 98 | Cleanup the download space from possible failed downloads | 106 | Cleanup the download space from possible failed downloads |