diff options
author | Ross Burton <ross.burton@arm.com> | 2023-11-03 13:28:11 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-11-13 05:34:11 -1000 |
commit | 32a19dfbaac38cd4864281a1131ac65e1216318f (patch) | |
tree | 78d342351408dfd6ac176e337f71a08f530ce100 /meta/lib | |
parent | e3574760ee59c1ca7d2698f09ddd37ee568f04f3 (diff) | |
download | openembedded-core-contrib-32a19dfbaac38cd4864281a1131ac65e1216318f.tar.gz |
cve-check: don't warn if a patch is remote
We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time. The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.
Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/lib')
-rw-r--r-- | meta/lib/oe/cve_check.py | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index a91d691c30..ed4af18ced 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -114,11 +114,6 @@ def get_patched_cves(d): for url in oe.patch.src_patches(d): patch_file = bb.fetch.decodeurl(url)[2] - # Remote compressed patches may not be unpacked, so silently ignore them - if not os.path.isfile(patch_file): - bb.warn("%s does not exist, cannot extract CVE list" % patch_file) - continue - # Check patch file name for CVE ID fname_match = cve_file_name_match.search(patch_file) if fname_match: @@ -126,6 +121,12 @@ def get_patched_cves(d): patched_cves.add(cve) bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + # Remote patches won't be present and compressed patches won't be + # unpacked, so say we're not scanning them + if not os.path.isfile(patch_file): + bb.note("%s is remote or compressed, not scanning content" % patch_file) + continue + with open(patch_file, "r", encoding="utf-8") as f: try: patch_text = f.read() |