1 files changed, 39 insertions, 0 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 4f1d80f050..dbaa0b373a 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -179,3 +179,42 @@ def update_symlinks(target_path, link_path):
        if os.path.exists(os.path.realpath(link_path)):
            os.remove(link_path)
        os.symlink(os.path.basename(target_path), link_path)
+def convert_cve_version(version):
+    """
+    This function converts from CVE format to Yocto version format.
+    eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
+    Unless it is redefined using CVE_VERSION in the recipe,
+    cve_check uses the version in the name of the recipe (${PV})
+    to check vulnerabilities against a CVE in the database downloaded from NVD.
+    When the version has an update, i.e.
+    "p1" in OpenSSH 8.3p1,
+    "-rc1" in linux kernel 6.2-rc1,
+    the database stores the version as version_update (8.3_p1, 6.2_rc1).
+    Therefore, we must transform this version before comparing to the
+    recipe version.
+    In this case, the parameter of the function is 8.3_p1.
+    If the version uses the Release Candidate format, "rc",
+    this function replaces the '_' by '-'.
+    If the version uses the Update format, "p",
+    this function removes the '_' completely.
+    """
+    import re
+    matches = re.match('^([0-9.]+)_((p|rc)[0-9]+)$', version)
+    if not matches:
+        return version
+    version = matches.group(1)
+    update = matches.group(2)
+    if matches.group(3) == "rc":
+        return version + '-' + update
+    return version + update

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 4f1d80f050..dbaa0b373a 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py
@@ -179,3 +179,42 @@ def update_symlinks(target_path, link_path):
179	if os.path.exists(os.path.realpath(link_path)):	179	if os.path.exists(os.path.realpath(link_path)):
180	os.remove(link_path)	180	os.remove(link_path)
181	os.symlink(os.path.basename(target_path), link_path)	181	os.symlink(os.path.basename(target_path), link_path)
		182
		183
		184	def convert_cve_version(version):
		185	"""
		186	This function converts from CVE format to Yocto version format.
		187	eg 8.3_p1 -> 8.3p1, 6.2_rc1 -> 6.2-rc1
		188
		189	Unless it is redefined using CVE_VERSION in the recipe,
		190	cve_check uses the version in the name of the recipe (${PV})
		191	to check vulnerabilities against a CVE in the database downloaded from NVD.
		192
		193	When the version has an update, i.e.
		194	"p1" in OpenSSH 8.3p1,
		195	"-rc1" in linux kernel 6.2-rc1,
		196	the database stores the version as version_update (8.3_p1, 6.2_rc1).
		197	Therefore, we must transform this version before comparing to the
		198	recipe version.
		199
		200	In this case, the parameter of the function is 8.3_p1.
		201	If the version uses the Release Candidate format, "rc",
		202	this function replaces the '_' by '-'.
		203	If the version uses the Update format, "p",
		204	this function removes the '_' completely.
		205	"""
		206	import re
		207
		208	matches = re.match('^([0-9.]+)_((p\|rc)[0-9]+)$', version)
		209
		210	if not matches:
		211	return version
		212
		213	version = matches.group(1)
		214	update = matches.group(2)
		215
		216	if matches.group(3) == "rc":
		217	return version + '-' + update
		218
		219	return version + update
		220