authorJoshua Watt <JPEWhacker@gmail.com>2022-08-30 10:59:39 -0500
committerSteve Sakoman <steve@sakoman.com>2022-09-07 04:40:43 -1000
commit374dd13db2c4fa92793f12c93d68d09304f77c17 (patch)
tree74d4bd2e8146e3869e8827366251b4c445320e3d
parent7028803d7d10c0b041a7bda16f9d9261f220459f (diff)
downloadopenembedded-core-contrib-374dd13db2c4fa92793f12c93d68d09304f77c17.tar.gz
classes: cve-check: Get shared database lock
The CVE check database needs to have a shared lock acquired on it before it is accessed. This is to prevent cve-update-db-native from deleting the database file out from underneath it. [YOCTO #14899] Signed-off-by: Joshua Watt <JPEWhacker@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 20a9911b73df62a0d0d1884e57085f13ac5016dd) Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r--meta/classes/cve-check.bbclass23
1 files changed, 12 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 9eb9a95574..c0d4e2a972 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -138,17 +138,18 @@ python do_cve_check () {
"""
from oe.cve_check import get_patched_cves
- if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
- try:
- patched_cves = get_patched_cves(d)
- except FileNotFoundError:
- bb.fatal("Failure in searching patches")
- whitelisted, patched, unpatched, status = check_cves(d, patched_cves)
- if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
- cve_data = get_cve_info(d, patched + unpatched + whitelisted)
- cve_write_data(d, patched, unpatched, whitelisted, cve_data, status)
- else:
- bb.note("No CVE database found, skipping CVE check")
+ with bb.utils.fileslocked([d.getVar("CVE_CHECK_DB_FILE_LOCK")], shared=True):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+ try:
+ patched_cves = get_patched_cves(d)
+ except FileNotFoundError:
+ bb.fatal("Failure in searching patches")
+ ignored, patched, unpatched, status = check_cves(d, patched_cves)
+ if patched or unpatched or (d.getVar("CVE_CHECK_COVERAGE") == "1" and status):
+ cve_data = get_cve_info(d, patched + unpatched + ignored)
+ cve_write_data(d, patched, unpatched, ignored, cve_data, status)
+ else:
+ bb.note("No CVE database found, skipping CVE check")
}
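Review bot: The new `with bb.utils.fileslocked(...)` line has no comment saying why the lock is taken in shared mode and why the `os.path.exists` check and the `check_cves`/`get_cve_info` calls must stay inside it, so a later refactor that hoists the existence check or the queries out of the `with` block would silently reintroduce the race this commit closes. I would add above it: `# Hold the DB lock shared for the whole read: cve-update-db-native takes it exclusively while it deletes/rebuilds CVE_CHECK_DB_FILE, so the exists() check and every query must stay inside this block`. Separately, if `CVE_CHECK_DB_FILE_LOCK` is unset the call passes `[None]` to `fileslocked`; I cannot tell from this hunk how that helper handles a `None` path, so it may be worth a `bb.fatal` guard on the variable before entering the block. The enclosing `do_cve_check` task starts outside the hunk.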