diff options
| author |   Chris Laplante <chris.laplante@agilent.com> | 2020-09-29 11:57:46 -0400 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2020-09-30 15:01:47 +0100 |
| commit | 05bd9f1f006cf94cf5324f96df29cd5862abaf45 (patch) | |
| tree | 1f2f51da20ef3d24aa5977f7fe61ebbd9ffec9f2 /meta/classes/cve-check.bbclass | |
| parent | 0d40f1482c6d87785ae47c46c2305e1df46f459a (diff) | |
| download | openembedded-core-contrib-05bd9f1f006cf94cf5324f96df29cd5862abaf45.tar.gz | |
cve-check: add CVE_CHECK_REPORT_PATCHED variable to suppress reporting of patched CVEs
Default behavior is not changed. To suppress patched CVEs, set:
CVE_CHECK_REPORT_PATCHED = ""
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 38 |
1 files changed, 22 insertions, 16 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index df28a93687..25cefda92e 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -41,14 +41,16 @@ CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" +CVE_CHECK_REPORT_PATCHED ??= "1" + # Whitelist for packages (PN) CVE_CHECK_PN_WHITELIST ?= "" # Whitelist for CVE. If a CVE is found, then it is considered patched. # The value is a string containing space separated CVE values: -# +# # CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234' -# +# CVE_CHECK_WHITELIST ?= "" python cve_save_summary_handler () { @@ -332,12 +334,15 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): bb.utils.mkdirhier(os.path.dirname(cve_file)) for cve in sorted(cve_data): + is_patched = cve in patched + if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"): + continue write_string += "PACKAGE NAME: %s\n" % d.getVar("PN") write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV")) write_string += "CVE: %s\n" % cve if cve in whitelisted: write_string += "CVE STATUS: Whitelisted\n" - elif cve in patched: + elif is_patched: write_string += "CVE STATUS: Patched\n" else: unpatched_cves.append(cve) @@ -351,19 +356,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): if unpatched_cves: bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) - with open(cve_file, "w") as f: - bb.note("Writing file %s with CVE information" % cve_file) - f.write(write_string) - - if d.getVar("CVE_CHECK_COPY_FILES") == "1": - deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") - bb.utils.mkdirhier(os.path.dirname(deploy_file)) - with open(deploy_file, "w") as f: + if write_string: + with open(cve_file, "w") as f: + bb.note("Writing file %s with CVE information" % cve_file) f.write(write_string) - if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": - cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") - bb.utils.mkdirhier(cvelogpath) + if d.getVar("CVE_CHECK_COPY_FILES") == "1": + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE") + bb.utils.mkdirhier(os.path.dirname(deploy_file)) + with open(deploy_file, "w") as f: + f.write(write_string) + + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1": + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR") + bb.utils.mkdirhier(cvelogpath) - with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: - f.write("%s" % write_string) + with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f: + f.write("%s" % write_string) |