From 0325dd72714f0b447558084f481b77f0ec850eed Mon Sep 17 00:00:00 2001
From: Pierre Le Magourou
Date: Wed, 3 Jul 2019 11:35:06 +0200
Subject: cve-update-db: Catch request.urlopen errors.

If the NVD url is not accessible, print a warning on top of the CVE
report, and continue. The database will not be fully updated, but
cve_check can still run on the previous database.

Signed-off-by: Pierre Le Magourou
Signed-off-by: Richard Purdie
---
 meta/classes/cve-check.bbclass          |  5 +++--
 meta/recipes-core/meta/cve-update-db.bb | 30 +++++++++++++++++++++---------
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1e7e8dd441..81071e3f19 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -51,14 +51,15 @@ python do_cve_check () {
     Check recipe for patched and unpatched CVEs
     """
 
-    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
         patched_cves = get_patches_cves(d)
         patched, unpatched = check_cves(d, patched_cves)
         if patched or unpatched:
             cve_data = get_cve_info(d, patched + unpatched)
             cve_write_data(d, patched, unpatched, cve_data)
     else:
-        bb.note("Failed to update CVE database, skipping CVE check")
+        bb.note("No CVE database found, skipping CVE check")
+
 }
 
 addtask cve_check after do_unpack before do_build
diff --git a/meta/recipes-core/meta/cve-update-db.bb b/meta/recipes-core/meta/cve-update-db.bb
index 3e5bae8b1d..ae8f1a958b 100644
--- a/meta/recipes-core/meta/cve-update-db.bb
+++ b/meta/recipes-core/meta/cve-update-db.bb
@@ -28,6 +28,7 @@ python do_populate_cve_db() {
     db_file = db_dir + '/nvd-json.db'
     json_tmpfile = db_dir + '/nvd.json.gz'
     proxy = d.getVar("https_proxy")
+    cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a')
 
     if not os.path.isdir(db_dir):
         os.mkdir(db_dir)
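Review bot: `cve_f` is opened here with a plain `open()` and is closed only by the `cve_f.close()` that a later hunk places after the year loop, so any exception raised in between (sqlite, gzip, `update_db`) leaves the handle open and the warning text possibly unflushed to the report. Wrapping the loop body in `with open(d.getVar("TMPDIR") + '/cve_check', 'a') as cve_f:` (or a `try`/`finally` around the loop) closes it on every path, including the new `break` paths. Append mode also means each run adds another warning or success block to the same file; if nothing truncates it between runs, stale messages accumulate, so a comment such as `# appended on every run; the report consumer is expected to reset this file` would make the contract explicit (I cannot see who truncates it from this hunk). do_populate_cve_db starts before this hunk and continues past it.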
@@ -47,9 +48,13 @@ python do_populate_cve_db() {
         req = urllib.request.Request(meta_url)
         if proxy:
             req.set_proxy(proxy, 'https')
-        with urllib.request.urlopen(req) as r:
-            date_line = str(r.read().splitlines()[0])
-            last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
+        try:
+            with urllib.request.urlopen(req, timeout=1) as r:
+                date_line = str(r.read().splitlines()[0])
+                last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
+        except:
+            cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+            break
 
         # Compare with current db last modified date
         c.execute("select DATE from META where YEAR = '%d'" % year)
@@ -59,19 +64,26 @@ python do_populate_cve_db() {
         req = urllib.request.Request(json_url)
         if proxy:
             req.set_proxy(proxy, 'https')
-        with urllib.request.urlopen(req) as r, open(json_tmpfile, 'wb') as tmpfile:
-            shutil.copyfileobj(r, tmpfile)
+        try:
+            with urllib.request.urlopen(req, timeout=1) as r, \
+                    open(json_tmpfile, 'wb') as tmpfile:
+                shutil.copyfileobj(r, tmpfile)
+        except:
+            cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+            break
+
         with gzip.open(json_tmpfile, 'rt') as jsonfile:
             update_db(c, jsonfile)
         c.execute("insert or replace into META values (?, ?)", [year, last_modified])
 
+        # Update success, set the date to cve_check file.
+        if year == date.today().year:
+            cve_f.write('CVE database update : %s\n\n' % date.today())
+
+    cve_f.close()
     conn.commit()
     conn.close()
-
-    cve_check_tmp_file = d.getVar("TMPDIR") + '/cve_check'
-    with open(cve_check_tmp_file, 'a'):
-        os.utime(cve_check_tmp_file, None)
 }
 
 # DJB2 hash algorithm
-- 
cgit 1.2.3-korg
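Review bot: The bare `except:` around the metadata fetch catches far more than a network failure — `KeyboardInterrupt`, `SystemExit`, bitbake's own exceptions, and the `AttributeError` that `re.search(...).group(1)` raises if the meta file format ever changes — and reports all of them as the same anonymous "update error", so the user cannot tell an outage from a parser bug; narrowing it and keeping the cause, `except OSError as e:` (covers `urllib.error.URLError` and socket timeouts) followed by `cve_f.write('Warning: CVE db update error (%s), CVE data is outdated.\n\n' % e)` and a `bb.warn` with the same text, makes the stale-data condition visible in the build log rather than only in the report. `timeout=1` is also very short for a fetch from nvd.nist.gov: ordinary latency will trip it and silently leave the database outdated, which is the exact condition a CVE scan is meant to avoid, so a larger value (tens of seconds) is the safer default. The same two points apply to the json download in the next hunk. The year loop and do_populate_cve_db start outside this hunk.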
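Review bot: The `break` after a failed json download happens after the metadata comparison has already decided this year needs refreshing; if the code between this hunk and the previous one clears the year's existing NVD rows before re-downloading (those lines are not visible here), the `conn.commit()` that still runs after the loop persists a database with that year's CVEs deleted rather than merely outdated, which is stronger than the "CVE data is outdated" warning conveys. Calling `conn.rollback()` before the `break` (or committing per year only once `update_db` has succeeded) keeps the previous data for that year intact. The success line is also written only when `year == date.today().year`, so a run that stops short of the current year records no success date; if that is intended, a comment such as `# Only report success once every year up to the current one has been refreshed` would make it clear. The year loop and do_populate_cve_db start outside this hunk.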