author | Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> | 2019-06-19 15:59:39 +0200 |
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-06-19 23:08:59 +0100 |
commit | 7f62a20b32a3d42f04ec58786a7d0db68ef1bb05 (patch) | |
tree | 71ef4e28eff73d309658391d0fca66f5b5f4504d /meta/classes | |
parent | bc144b028f6f51252f4359248f6921028bcb6780 (diff) | |
download | openembedded-core-contrib-7f62a20b32a3d42f04ec58786a7d0db68ef1bb05.tar.gz |
cve-check: Manage CVE_PRODUCT with more than one name
In some rare cases (e.g. the curl recipe), CVE_PRODUCT contains more than
one name.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/cve-check.bbclass | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 28619c7bd4..e7540b8c1f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -168,9 +168,10 @@ def check_cves(d, patched_cves):
     import ast, csv, tempfile, subprocess, io
     cves_unpatched = []
-    bpn = d.getVar("CVE_PRODUCT")
+    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+    bpn = d.getVar("CVE_PRODUCT").split()
     # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
-    if not bpn:
+    if len(bpn) == 0:
         return ([], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
     cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
@@ -184,16 +185,18 @@ def check_cves(d, patched_cves):
     db_file = d.getVar("CVE_CHECK_DB_FILE")
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
+
     query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
-    for row in c.execute(query % (bpn,pv)):
-        cve = row[1]
-        if pv in cve_whitelist.get(cve,[]):
-            bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
-        elif cve in patched_cves:
-            bb.note("%s has been patched" % (cve))
-        else:
-            cves_unpatched.append(cve)
-            bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
+    for idx in range(len(bpn)):
+        for row in c.execute(query % (bpn[idx],pv)):
+            cve = row[1]
+            if pv in cve_whitelist.get(cve,[]):
+                bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
+            elif cve in patched_cves:
+                bb.note("%s has been patched" % (cve))
+            else:
+                cves_unpatched.append(cve)
+                bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
     conn.close()
     return (list(patched_cves), cves_unpatched) |
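Review bot: The new `bpn = d.getVar("CVE_PRODUCT").split()` drops the unset case that the comment right below it and the removed `if not bpn:` guard were handling: if `CVE_PRODUCT` is genuinely unset rather than set to an empty string, `getVar` returns `None` and `.split()` raises `AttributeError` before the guard is reached. Whether that can happen depends on the class's default for `CVE_PRODUCT`, which is outside this hunk, so the safe form is `bpn = (d.getVar("CVE_PRODUCT") or "").split()` with the guard written as `if not bpn:` (an empty list is falsy; `len(bpn) == 0` is the unidiomatic spelling). The in-code comment could also say `# CVE_PRODUCT is a space-separated list; a recipe may have more than one product name (eg. curl/libcurl)` so the split is explained. check_cves continues outside this hunk.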
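Review bot: The new inner loop still builds the SQL statement with `%` interpolation (`c.execute(query % (bpn[idx],pv))`), and now does so once per product name; a product name or version containing a quote breaks the query, and sqlite3 parameter binding removes the problem for free since `conn` is already a sqlite3 connection. Combine that with iterating the list directly instead of `for idx in range(len(bpn))`, which reads as an index loop around a sequence whose elements are all that is used. The rewritten loop is below; the `elif cve in patched_cves` branch, `conn.close()` and the return are unchanged. check_cves starts before this hunk.
```python
    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VERSION IS ?;"
    for product in bpn:
        # Bound parameters: product/version never become part of the SQL text
        for row in c.execute(query, (product, pv)):
            cve = row[1]
            if pv in cve_whitelist.get(cve,[]):
                bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
            # … unchanged: elif cve in patched_cves branch …
            else:
                cves_unpatched.append(cve)
                bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
    # … unchanged: conn.close() and return …
```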