| author | Ross Burton <ross.burton@arm.com> | 2024-01-22 14:04:03 +0000 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2024-03-07 08:32:54 -1000 |
| commit | a5b6f5e8bc01b3bf61c658ce787796b7c9e6535f (patch) | |
| tree | 87d77f083908c60aa577580fc187502f5c4b6ae4 /meta/lib | |
| parent | eef037bf723b58ec3ce6dcb85da68219a16b7120 (diff) | |
| download | poky-a5b6f5e8bc01b3bf61c658ce787796b7c9e6535f.tar.gz | |
cve_check: cleanup logging
Primarily list the number of patches found, useful when debugging.
Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insensitive range matches.
(From OE-Core rev: 1745208bc08037497ad9de1be15a3cc4a22ceff5)
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10acc75b7f3387b968bacd51aade6a8dc11a463f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/lib')
| -rw-r--r-- | meta/lib/oe/cve_check.py | 13 |
1 files changed, 6 insertions, 7 deletions
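--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -73,20 +73,19 @@ def get_patched_cves(d):
     import re
     import oe.patch
 
-    pn = d.getVar("PN")
-    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+    cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
 
     # Matches the last "CVE-YYYY-ID" in the file name, also if written
     # in lowercase. Possible to have multiple CVE IDs in a single
     # file name, but only the last one will be detected from the file name.
     # However, patch files contents addressing multiple CVE IDs are supported
     # (cve_match regular expression)
-
-    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+    cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)
 
     patched_cves = set()
-    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
-    for url in oe.patch.src_patches(d):
+    patches = oe.patch.src_patches(d)
+    bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
+    for url in patches:
         patch_file = bb.fetch.decodeurl(url)[2]
 
         # Check patch file name for CVE ID
@@ -94,7 +93,7 @@ def get_patched_cves(d):
         if fname_match:
             cve = fname_match.group(1).upper()
             patched_cves.add(cve)
-            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+            bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file))
 
         # Remote patches won't be present and compressed patches won't be
         # unpacked, so say we're not scanning them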
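Review bot: The new `len(patches)` in the debug call on new line 87 adds a requirement that `oe.patch.src_patches(d)` return a sized collection, which the old code never depended on since it only iterated the result. If that helper ever returned a generator, the `bb.debug` line would raise TypeError before the loop runs and the recipe's patched-CVE set would come back empty, silently degrading the CVE report rather than the log message. Either record the assumption next to the call, `# src_patches() returns a list, so len() is safe here`, or make it explicit with `patches = list(oe.patch.src_patches(d))`. The enclosing get_patched_cves() starts before the first hunk and continues past the second.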
