authorPierre Le Magourou <pierre.lemagourou@softbankrobotics.com>2019-07-18 14:41:18 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-07-18 23:34:41 +0100
commit7069302a4ccbb5b72e1902f284cf078516fd7294 (patch)
tree957068553c4942d374c819ed2b11adf30d2a300b /meta/classes/cve-check.bbclass
parent92f34fbe321040db3dc0431dd464747324058e2e (diff)
downloadopenembedded-core-contrib-7069302a4ccbb5b72e1902f284cf078516fd7294.tar.gz
cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
CVE_CHECK_WHITELIST does not contain version anymore, as it was not used. This variable should be set per recipe. Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r--meta/classes/cve-check.bbclass22
1 files changed, 11 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e8668b2566..512d4c7302 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,15 +39,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1"
# Whitelist for packages (PN)
CVE_CHECK_PN_WHITELIST ?= ""
-# Whitelist for CVE and version of package. If a CVE is found then the PV is
-# compared with the version list, and if found the CVE is considered
-# patched.
-#
-# The value should be valid Python in this format:
-# {
-# 'CVE-2014-2524': ('6.3','5.2')
-# }
-CVE_CHECK_CVE_WHITELIST ?= "{}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+#
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+#
+CVE_CHECK_WHITELIST ?= ""
python do_cve_check () {
"""
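Review bot: The new comment above `CVE_CHECK_WHITELIST` does not state that an entry now matches on the CVE ID alone, so it applies to every version of the recipe. The removed format tied each CVE to specific PV values; with that gone, an entry added for one release keeps suppressing the CVE after the recipe is upgraded. The commit message says the variable should be set per recipe, but the comment does not. I would add a line such as `# Entries match on CVE ID only (PV is ignored); set this per recipe and re-check entries on upgrade.` The wording "considered patched" may also be worth confirming, since the later hunk handles whitelisted CVEs in a branch separate from `patched_cves`.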
@@ -185,7 +182,10 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been whitelisted, skipping check")
return ([], [])
- cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
+ old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
+ if old_cve_whitelist:
+ bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
+ cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
db_file = d.getVar("CVE_CHECK_DB_FILE")
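Review bot: The deprecation warning does not say that the old value is ignored, so someone who still sets `CVE_CHECK_CVE_WHITELIST` can read it as a rename reminder while their entries no longer have any effect. Saying so explicitly makes the behaviour change visible in the build log, e.g. `bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated and ignored, please use CVE_CHECK_WHITELIST.")`. Separately, `d.getVar("CVE_CHECK_WHITELIST").split()` relies on the `?= ""` default always being present; `(d.getVar("CVE_CHECK_WHITELIST") or "").split()` keeps the task from failing with an AttributeError if the variable ends up unset. The body of `check_cves` starts and continues outside this hunk.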
@@ -206,7 +206,7 @@ def check_cves(d, patched_cves):
version_end = row[6]
operator_end = row[7]
- if pv in cve_whitelist.get(cve, []):
+ if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
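Review bot: The note on the line after the new `if cve in cve_whitelist:` still formats `pv` into "%s-%s has been whitelisted for %s", which reads as if this specific version was whitelisted. After this change the match ignores the version entirely, so the log overstates how narrow the suppression is when someone audits why a CVE was not reported. Consider wording it around the CVE instead, e.g. `bb.note("%s has been whitelisted for %s (any version)" % (cve, product))`. The surrounding loop in `check_cves` begins and ends outside this hunk.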