diff options
| -rw-r--r-- | meta/classes/cve-check.bbclass | 17 |
1 files changed, 9 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 379f7121cc..1e7e8dd441 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -170,18 +170,19 @@ def check_cves(d, patched_cves): | |||
| 170 | 170 | ||
| 171 | cves_unpatched = [] | 171 | cves_unpatched = [] |
| 172 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) | 172 | # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) |
| 173 | bpn = d.getVar("CVE_PRODUCT").split() | 173 | products = d.getVar("CVE_PRODUCT").split() |
| 174 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) | 174 | # If this has been unset then we're not scanning for CVEs here (for example, image recipes) |
| 175 | if len(bpn) == 0: | 175 | if not products: |
| 176 | return ([], []) | 176 | return ([], []) |
| 177 | pv = d.getVar("CVE_VERSION").split("+git")[0] | 177 | pv = d.getVar("CVE_VERSION").split("+git")[0] |
| 178 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | ||
| 179 | 178 | ||
| 180 | # If the recipe has been whitlisted we return empty lists | 179 | # If the recipe has been whitlisted we return empty lists |
| 181 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): | 180 | if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): |
| 182 | bb.note("Recipe has been whitelisted, skipping check") | 181 | bb.note("Recipe has been whitelisted, skipping check") |
| 183 | return ([], []) | 182 | return ([], []) |
| 184 | 183 | ||
| 184 | cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) | ||
| 185 | |||
| 185 | import sqlite3 | 186 | import sqlite3 |
| 186 | db_file = d.getVar("CVE_CHECK_DB_FILE") | 187 | db_file = d.getVar("CVE_CHECK_DB_FILE") |
| 187 | conn = sqlite3.connect(db_file) | 188 | conn = sqlite3.connect(db_file) |
| @@ -190,8 +191,8 @@ def check_cves(d, patched_cves): | |||
| 190 | query = """SELECT * FROM PRODUCTS WHERE | 191 | query = """SELECT * FROM PRODUCTS WHERE |
| 191 | (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR | 192 | (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR |
| 192 | (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" | 193 | (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" |
| 193 | for idx in range(len(bpn)): | 194 | for product in products: |
| 194 | for row in c.execute(query.format(bpn[idx],pv)): | 195 | for row in c.execute(query.format(product, pv)): |
| 195 | cve = row[1] | 196 | cve = row[1] |
| 196 | version = row[4] | 197 | version = row[4] |
| 197 | 198 | ||
| @@ -200,15 +201,15 @@ def check_cves(d, patched_cves): | |||
| 200 | except: | 201 | except: |
| 201 | discardVersion = True | 202 | discardVersion = True |
| 202 | 203 | ||
| 203 | if pv in cve_whitelist.get(cve,[]): | 204 | if pv in cve_whitelist.get(cve, []): |
| 204 | bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) | 205 | bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) |
| 205 | elif cve in patched_cves: | 206 | elif cve in patched_cves: |
| 206 | bb.note("%s has been patched" % (cve)) | 207 | bb.note("%s has been patched" % (cve)) |
| 207 | elif discardVersion: | 208 | elif discardVersion: |
| 208 | bb.debug(2, "Do not consider version %s " % (version)) | 209 | bb.debug(2, "Do not consider version %s " % (version)) |
| 209 | else: | 210 | else: |
| 210 | cves_unpatched.append(cve) | 211 | cves_unpatched.append(cve) |
| 211 | bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) | 212 | bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) |
| 212 | conn.close() | 213 | conn.close() |
| 213 | 214 | ||
| 214 | return (list(patched_cves), cves_unpatched) | 215 | return (list(patched_cves), cves_unpatched) |