summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChen Qi <Qi.Chen@windriver.com>2017-05-09 17:31:36 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-05-18 14:01:37 +0100
commitad46069e7b58f2fba373131716f28407816fa1a6 (patch)
treeae642a5cf4f433688610c180b2a5b4ed1ce91c74
parent50ed224ebc8d88a900febdc78013fa0c791d71cf (diff)
downloadopenembedded-core-contrib-ad46069e7b58f2fba373131716f28407816fa1a6.tar.gz
openembedded-core-contrib-ad46069e7b58f2fba373131716f28407816fa1a6.tar.bz2
openembedded-core-contrib-ad46069e7b58f2fba373131716f28407816fa1a6.zip
cve-check.bbclass: make warning contain CVE IDs
When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r--meta/classes/cve-check.bbclass9
1 files changed, 5 insertions, 4 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0e4294fdc4..3a9e227288 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -234,7 +234,7 @@ def cve_write_data(d, patched, unpatched, cve_data):
cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
write_string = ""
- first_alert = True
+ unpatched_cves = []
bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
for cve in sorted(cve_data):
@@ -244,15 +244,16 @@ def cve_write_data(d, patched, unpatched, cve_data):
if cve in patched:
write_string += "CVE STATUS: Patched\n"
else:
+ unpatched_cves.append(cve)
write_string += "CVE STATUS: Unpatched\n"
- if first_alert:
- bb.warn("Found unpatched CVE, for more information check %s" % cve_file)
- first_alert = False
write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
+ if unpatched_cves:
+ bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
+
with open(cve_file, "w") as f:
bb.note("Writing file %s with CVE information" % cve_file)
f.write(write_string)