diff options
| -rw-r--r-- | meta/classes/cve-check.bbclass | 16 |
1 files changed, 14 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index e7540b8c1f..379f7121cc 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -166,6 +166,7 @@ def check_cves(d, patched_cves): Connect to the NVD database and find unpatched cves. """ import ast, csv, tempfile, subprocess, io + from distutils.version import LooseVersion cves_unpatched = [] # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) @@ -186,14 +187,25 @@ def check_cves(d, patched_cves): conn = sqlite3.connect(db_file) c = conn.cursor() - query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';" + query = """SELECT * FROM PRODUCTS WHERE + (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR + (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" for idx in range(len(bpn)): - for row in c.execute(query % (bpn[idx],pv)): + for row in c.execute(query.format(bpn[idx],pv)): cve = row[1] + version = row[4] + + try: + discardVersion = LooseVersion(version) < LooseVersion(pv) + except: + discardVersion = True + if pv in cve_whitelist.get(cve,[]): bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) elif cve in patched_cves: bb.note("%s has been patched" % (cve)) + elif discardVersion: + bb.debug(2, "Do not consider version %s " % (version)) else: cves_unpatched.append(cve) bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) |