diff options
Diffstat (limited to 'meta/lib/oe/cve_check.py')
| -rw-r--r-- | meta/lib/oe/cve_check.py | 39 |
1 files changed, 30 insertions, 9 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index ed5c714cb8..5edd34a2d9 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py | |||
| @@ -132,8 +132,8 @@ def get_patched_cves(d): | |||
| 132 | 132 | ||
| 133 | # Search for additional patched CVEs | 133 | # Search for additional patched CVEs |
| 134 | for cve in (d.getVarFlags("CVE_STATUS") or {}): | 134 | for cve in (d.getVarFlags("CVE_STATUS") or {}): |
| 135 | decoded_status, _, _ = decode_cve_status(d, cve) | 135 | decoded_status = decode_cve_status(d, cve) |
| 136 | if decoded_status == "Patched": | 136 | if 'mapping' in decoded_status and decoded_status['mapping'] == "Patched": |
| 137 | bb.debug(2, "CVE %s is additionally patched" % cve) | 137 | bb.debug(2, "CVE %s is additionally patched" % cve) |
| 138 | patched_cves.add(cve) | 138 | patched_cves.add(cve) |
| 139 | 139 | ||
| @@ -227,19 +227,40 @@ def convert_cve_version(version): | |||
| 227 | 227 | ||
| 228 | def decode_cve_status(d, cve): | 228 | def decode_cve_status(d, cve): |
| 229 | """ | 229 | """ |
| 230 | Convert CVE_STATUS into status, detail and description. | 230 | Convert CVE_STATUS into status, vendor, product, detail and description. |
| 231 | """ | 231 | """ |
| 232 | status = d.getVarFlag("CVE_STATUS", cve) | 232 | status = d.getVarFlag("CVE_STATUS", cve) |
| 233 | if not status: | 233 | if not status: |
| 234 | return ("", "", "") | 234 | return {} |
| 235 | |||
| 236 | status_split = status.split(':', 5) | ||
| 237 | status_out = {} | ||
| 238 | status_out["detail"] = status_split[0] | ||
| 239 | product = "*" | ||
| 240 | vendor = "*" | ||
| 241 | description = "" | ||
| 242 | if len(status_split) >= 4 and status_split[1].strip() == "cpe": | ||
| 243 | # Both vendor and product are mandatory if cpe: present, the syntax is then: | ||
| 244 | # detail: cpe:vendor:product:description | ||
| 245 | vendor = status_split[2].strip() | ||
| 246 | product = status_split[3].strip() | ||
| 247 | description = status_split[4].strip() | ||
| 248 | elif len(status_split) >= 2 and status_split[1].strip() == "cpe": | ||
| 249 | # Malformed CPE | ||
| 250 | bb.warn('Invalid CPE information for CVE_STATUS[%s] = "%s", not setting CPE' % (detail, cve, status)) | ||
| 251 | else: | ||
| 252 | # Other case: no CPE, the syntax is then: | ||
| 253 | # detail: description | ||
| 254 | description = status_split[len(status_split)-1].strip() if (len(status_split) > 1) else "" | ||
| 235 | 255 | ||
| 236 | status_split = status.split(':', 1) | 256 | status_out["vendor"] = vendor |
| 237 | detail = status_split[0] | 257 | status_out["product"] = product |
| 238 | description = status_split[1].strip() if (len(status_split) > 1) else "" | 258 | status_out["description"] = description |
| 239 | 259 | ||
| 240 | status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", detail) | 260 | status_mapping = d.getVarFlag("CVE_CHECK_STATUSMAP", status_out['detail']) |
| 241 | if status_mapping is None: | 261 | if status_mapping is None: |
| 242 | bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) | 262 | bb.warn('Invalid detail "%s" for CVE_STATUS[%s] = "%s", fallback to Unpatched' % (detail, cve, status)) |
| 243 | status_mapping = "Unpatched" | 263 | status_mapping = "Unpatched" |
| 264 | status_out["mapping"] = status_mapping | ||
| 244 | 265 | ||
| 245 | return (status_mapping, detail, description) | 266 | return status_out |