Diffstat (limited to 'meta/lib/oe/cve_check.py')
-rw-r--r--meta/lib/oe/cve_check.py39
1 files changed, 39 insertions, 0 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index f40f16d7ab..42a77872e9 100644
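--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -173,3 +173,42 @@ def update_symlinks(target_path, link_path):
  if os.path.exists(os.path.realpath(link_path)):
  os.remove(link_path)
  os.symlink(os.path.basename(target_path), link_path)
+
+
+def convert_cve_version(version):
+ """
+ This function converts from CVE format to Yocto version format.
+ eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+
+ Unless it is redefined using CVE_VERSION in the recipe,
+ cve_check uses the version in the name of the recipe (${PV})
+ to check vulnerabilities against a CVE in the database downloaded from NVD.
+
+ When the version has an update, i.e.
+ "p1" in OpenSSH 8.3p1,
+ "-rc1" in linux kernel 6.2-rc1,
+ the database stores the version as version_update (8.3_p1, 6.2_rc1).
+ Therefore, we must transform this version before comparing to the
+ recipe version.
+
+ In this case, the parameter of the function is 8.3_p1.
+ If the version uses the Release Candidate format, "rc",
+ this function replaces the '_' by '-'.
+ If the version uses the Update format, "p",
+ this function removes the '_' completely.
+ """
+ import re
+
+ matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+
+ if not matches:
+ return version
+
+ version = matches.group(1)
+ update = matches.group(2)
+
+ if matches.group(3) == "rc":
+ return version + '-' + update
+
+ return version + update
+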
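Review bot: The pattern in `convert_cve_version` recognises only the lowercase `_p<N>` and `_rc<N>` update suffixes, and the `if not matches: return version` branch hands every other input back unchanged without telling the caller. The comparison against the recipe version is outside this hunk, but if the database uses any other update form, that entry would presumably be compared unconverted and the CVE could be matched against the wrong range. The docstring should state the pass-through explicitly, for example `Any version that is not <digits>_p<N> or <digits>_rc<N> is returned unchanged.`, so a later reader does not assume all update suffixes are covered. As a smaller point, `re.fullmatch(r'([0-9.]+)_((p|rc)[0-9]+)', version)` would avoid `$` accepting a trailing newline and makes the anchoring explicit.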