| author | Peter Marko <peter.marko@siemens.com> | 2025-04-17 11:34:56 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2025-04-24 11:27:06 +0100 |
| commit | 9fd08fcd9450e89be8877d348658d3eeb4f9bf05 (patch) | |
| tree | 194fc44f1ed723839a35d3196769910414b6d81f | |
| parent | f68e3e49d4f55e7c451450ffa3e33eb111ec5249 (diff) | |
cve-check: extract extending CVE_STATUS to library function
The same code for extending CVE_STATUS by CVE_CHECK_IGNORE and
CVE_STATUS_GROUPS is used in multiple places.
Create a library function to have the code in a single place and ready for
reuse by additional classes.
(From OE-Core rev: 45e18f4270d084d81c21b1e5a4a601ce975d8a77)
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 17 | ||||
| -rw-r--r-- | meta/classes/vex.bbclass | 17 | ||||
| -rw-r--r-- | meta/lib/oe/cve_check.py | 22 |
3 files changed, 26 insertions, 30 deletions
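--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -104,21 +104,8 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 CVE_VERSION_SUFFIX ??= ""
 
 python () {
-# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
-cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
-if cve_check_ignore:
-bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
-for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
-d.setVarFlag("CVE_STATUS", cve, "ignored")
-
-# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
-for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
-cve_group = d.getVar(cve_status_group)
-if cve_group is not None:
-for cve in cve_group.split():
-d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
-else:
-bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+from oe.cve_check import extend_cve_status
+extend_cve_status(d)
 
 nvd_database_type = d.getVar("NVD_DB_VERSION")
 if nvd_database_type not in ("NVD1", "NVD2", "FKIE"):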
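--- a/meta/classes/vex.bbclass
+++ b/meta/classes/vex.bbclass
@@ -76,21 +76,8 @@ python () {
 if bb.data.inherits_class("cve-check", d):
 raise bb.parse.SkipRecipe("Skipping recipe: found incompatible combination of cve-check and vex enabled at the same time.")
 
-# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
-cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
-if cve_check_ignore:
-bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
-for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
-d.setVarFlag("CVE_STATUS", cve, "ignored")
-
-# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
-for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
-cve_group = d.getVar(cve_status_group)
-if cve_group is not None:
-for cve in cve_group.split():
-d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
-else:
-bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)
+from oe.cve_check import extend_cve_status
+extend_cve_status(d)
 }
 
 def generate_json_report(d, out_path, link_path):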
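--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -354,3 +354,25 @@ def has_cve_product_match(detailed_status, products):
 
 #if no match, return False
 return False
+
+def extend_cve_status(d):
+# do this only once in case multiple classes use this
+if d.getVar("CVE_STATUS_EXTENDED"):
+return
+d.setVar("CVE_STATUS_EXTENDED", "1")
+
+# Fallback all CVEs from CVE_CHECK_IGNORE to CVE_STATUS
+cve_check_ignore = d.getVar("CVE_CHECK_IGNORE")
+if cve_check_ignore:
+bb.warn("CVE_CHECK_IGNORE is deprecated in favor of CVE_STATUS")
+for cve in (d.getVar("CVE_CHECK_IGNORE") or "").split():
+d.setVarFlag("CVE_STATUS", cve, "ignored")
+
+# Process CVE_STATUS_GROUPS to set multiple statuses and optional detail or description at once
+for cve_status_group in (d.getVar("CVE_STATUS_GROUPS") or "").split():
+cve_group = d.getVar(cve_status_group)
+if cve_group is not None:
+for cve in cve_group.split():
+d.setVarFlag("CVE_STATUS", cve, d.getVarFlag(cve_status_group, "status"))
+else:
+bb.warn("CVE_STATUS_GROUPS contains undefined variable %s" % cve_status_group)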
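Review bot: In the CVE_STATUS_GROUPS loop of `extend_cve_status`, the result of `d.getVarFlag(cve_status_group, "status")` is written to CVE_STATUS without a check, so a group variable that is defined but has no `status` flag gets no warning, unlike the undefined-variable case handled in the `else` branch. What the datastore then holds for those CVEs is not visible in this hunk, but a group that silently fails to apply its intended status is hard to spot in a CVE report. I would read the flag once per group, `group_status = d.getVarFlag(cve_status_group, "status")`, and warn and skip the group when it is `None`. The function also has no docstring; a one-line summary saying that it folds CVE_CHECK_IGNORE and CVE_STATUS_GROUPS into CVE_STATUS flags on `d` and runs once per datastore, guarded by CVE_STATUS_EXTENDED, would document the new guard variable.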
