diff options
| author |   Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-06-19 15:59:39 +0200 |
|---|---|---|
| committer |   Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-06-20 13:14:21 +0100 |
| commit | 95f0d11e21ad476efb4b46c87a8c94730d7c355f (patch) | |
| tree | 810751df79f3cb178889a8ddd7134feb3818f323 /meta/classes | |
| parent | 05fb9db63372d32e6ab3cb56186d7bcb09e26b43 (diff) | |
| download | openembedded-core-contrib-95f0d11e21ad476efb4b46c87a8c94730d7c355f.tar.gz | |
cve-check: Manage CVE_PRODUCT with more than one name
In some rare cases (eg. curl recipe) the CVE_PRODUCT contains more than
one name.
(From OE-Core rev: 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05)
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
| -rw-r--r-- | meta/classes/cve-check.bbclass | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 28619c7bd4..e7540b8c1f 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -168,9 +168,10 @@ def check_cves(d, patched_cves): import ast, csv, tempfile, subprocess, io cves_unpatched = [] - bpn = d.getVar("CVE_PRODUCT") + # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) + bpn = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) - if not bpn: + if len(bpn) == 0: return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) @@ -184,16 +185,18 @@ def check_cves(d, patched_cves): db_file = d.getVar("CVE_CHECK_DB_FILE") conn = sqlite3.connect(db_file) c = conn.cursor() + query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';" - for row in c.execute(query % (bpn,pv)): - cve = row[1] - if pv in cve_whitelist.get(cve,[]): - bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) - elif cve in patched_cves: - bb.note("%s has been patched" % (cve)) - else: - cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) + for idx in range(len(bpn)): + for row in c.execute(query % (bpn[idx],pv)): + cve = row[1] + if pv in cve_whitelist.get(cve,[]): + bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) + elif cve in patched_cves: + bb.note("%s has been patched" % (cve)) + else: + cves_unpatched.append(cve) + bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) conn.close() return (list(patched_cves), cves_unpatched) |