author | Saul Wold <Saul.Wold@windriver.com> | 2022-03-09 09:40:52 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-03-09 17:51:17 +0000 |
commit | f408068e5d7998ae165f3002e51bc54b380b8099 (patch) | |
tree | 0c64a165132ce9b8dc766dfc68ed194a17907ee7 /meta/classes/cve-check.bbclass | |
parent | 85695054ee9fe194d8b5cb3e8ad5b04ac99f6c29 (diff) | |
download | openembedded-core-contrib-f408068e5d7998ae165f3002e51bc54b380b8099.tar.gz |
meta/scripts: Improve internal variable naming
Update internal variable names to improve the terms used.
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- | meta/classes/cve-check.bbclass | 31 |
1 files changed, 16 insertions, 15 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 079d09a76f..dfad10c22b 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -43,11 +43,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1"
 CVE_CHECK_REPORT_PATCHED ??= "1"
-# Whitelist for packages (PN)
+# Skip CVE Check for packages (PN)
 CVE_CHECK_SKIP_RECIPE ?= ""
-# Whitelist for CVE. If a CVE is found, then it is considered patched.
-# The value is a string containing space separated CVE values:
+# Ingore the check for a given list of CVEs. If a CVE is found,
+# then it is considered patched. The value is a string containing
+# space separated CVE values:
 #
 # CVE_CHECK_IGNORE = 'CVE-2014-2524 CVE-2018-1234'
 #
@@ -101,10 +102,10 @@ python do_cve_check () {
 patched_cves = get_patched_cves(d)
 except FileNotFoundError:
 bb.fatal("Failure in searching patches")
- whitelisted, patched, unpatched = check_cves(d, patched_cves)
+ ignored, patched, unpatched = check_cves(d, patched_cves)
 if patched or unpatched:
 cve_data = get_cve_info(d, patched + unpatched)
- cve_write_data(d, patched, unpatched, whitelisted, cve_data)
+ cve_write_data(d, patched, unpatched, ignored, cve_data)
 else:
 bb.note("No CVE database found, skipping CVE check")
@@ -176,12 +177,12 @@ def check_cves(d, patched_cves):
 return ([], [], [])
 pv = d.getVar("CVE_VERSION").split("+git")[0]
- # If the recipe has been whitelisted we return empty lists
+ # If the recipe has been skipped/ignored we return empty lists
 if pn in d.getVar("CVE_CHECK_SKIP_RECIPE").split():
- bb.note("Recipe has been whitelisted, skipping check")
+ bb.note("Recipe has been skipped by cve-check")
 return ([], [], [])
- cve_whitelist = d.getVar("CVE_CHECK_IGNORE").split()
+ cve_ignore = d.getVar("CVE_CHECK_IGNORE").split()
 import sqlite3
 db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro")
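Review bot: The first added comment line in the hunk at line 43 misspells "Ignore" as "Ingore"; it should read `+# Ignore the check for a given list of CVEs. If a CVE is found,`. Since this comment is the only documentation of what CVE_CHECK_IGNORE does, it would also help to state the consequence plainly on the following added line, e.g. `# then it is treated as patched: the finding is suppressed in the report, not fixed`. The other two hunks on this line are pure renames and need no change.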
@@ -198,9 +199,9 @@ def check_cves(d, patched_cves):
 for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)):
 cve = cverow[0]
- if cve in cve_whitelist:
- bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
- # TODO: this should be in the report as 'whitelisted'
+ if cve in cve_ignore:
+ bb.note("%s-%s has been ignored for %s" % (product, pv, cve))
+ # TODO: this should be in the report as 'ignored'
 patched_cves.add(cve)
 continue
 elif cve in patched_cves:
@@ -254,7 +255,7 @@ def check_cves(d, patched_cves):
 conn.close()
- return (list(cve_whitelist), list(patched_cves), cves_unpatched)
+ return (list(cve_ignore), list(patched_cves), cves_unpatched)
 def get_cve_info(d, cves):
 """
@@ -279,7 +280,7 @@ def get_cve_info(d, cves):
 conn.close()
 return cve_data
-def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
+def cve_write_data(d, patched, unpatched, ignored, cve_data):
 """
 Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
 CVE manifest if enabled.
@@ -312,8 +313,8 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
 write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
 write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
 write_string += "CVE: %s\n" % cve
- if cve in whitelisted:
- write_string += "CVE STATUS: Whitelisted\n"
+ if cve in ignored:
+ write_string += "CVE STATUS: Ignored\n"
 elif is_patched:
 write_string += "CVE STATUS: Patched\n"
 else: |
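Review bot: The renamed TODO added in the hunk at line 198, `# TODO: this should be in the report as 'ignored'`, looks already satisfied rather than pending: the hunk at line 312 writes `CVE STATUS: Ignored` for any CVE present in the ignore list, and because this branch adds the ignored CVE to patched_cves it reaches cve_write_data through the patched list (the loop header in cve_write_data is outside the hunk, so that last step is inferred). If that holds, the TODO should be replaced with a comment that states the actual intent, e.g. `# Keep ignored CVEs in patched_cves so they still appear in the report, marked 'Ignored'`, so a reader does not mistake the add() for a bug. The enclosing check_cves function starts and ends outside this hunk.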