aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMikko Rapeli <mikko.rapeli@bmw.de>2017-07-20 16:23:11 +0300
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-07-24 09:12:28 +0100
commitdb8815abe3db60b0510fb378bf6d82172c2f2768 (patch)
treefffc47f1839c0fe6fecc0409775cc274ce6760e5
parent6650bd1b9c770b01525356f9a1fabd758360ee8f (diff)
downloadopenembedded-core-contrib-db8815abe3db60b0510fb378bf6d82172c2f2768.tar.gz
cve-check.bbclass: use "+git" as separator in PV instead of "git+"
PV is the recipe major version number. cve-check tries to map that to NVD database release versions of the component. If the recipe sources are taken from git, the PV can be automatically modified to include git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9. In CVE checks we want to remove the git details and just use the major version information, in this example 233. Thus use "+git" as the separator and use the first part before the separator as SW product version number in CVE check. Fixes version number for e.g. systemd recipe. If systemd PV is 233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where latest release mentioned is plain 233. If the filter is set to +git, then CVE PV is 233 and issues like this are detected by do_cve_check: https://nvd.nist.gov/vuln/detail/CVE-2017-1000082 Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com>
-rw-r--r--meta/classes/cve-check.bbclass2
1 files changed, 1 insertions, 1 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8dde4a2cf1..f44bbed6ac 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -155,7 +155,7 @@ def check_cves(d, patched_cves):
cves_patched = []
cves_unpatched = []
bpn = d.getVar("CVE_PRODUCT")
- pv = d.getVar("PV").split("git+")[0]
+ pv = d.getVar("PV").split("+git")[0]
cves = " ".join(patched_cves)
cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))