diff options
author | Ross Burton <ross.burton@arm.com> | 2024-01-22 14:04:03 +0000 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2024-03-03 11:56:20 -1000 |
commit | 1745208bc08037497ad9de1be15a3cc4a22ceff5 (patch) | |
tree | e9e8f9c3adfb8b202e46a3f1b00112abc14ef539 | |
parent | 6488fc1a8ffa68268d9d4b71cb017eeb9a645cbe (diff) | |
download | openembedded-core-1745208bc08037497ad9de1be15a3cc4a22ceff5.tar.gz |
cve_check: cleanup logging
Primarily list the number of patches found, useful when debugging.
Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insenstive rang matches.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 10acc75b7f3387b968bacd51aade6a8dc11a463f)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
-rw-r--r-- | meta/lib/oe/cve_check.py | 13 |
1 files changed, 6 insertions, 7 deletions
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py index 65b1358ffc..ca2b393116 100644 --- a/meta/lib/oe/cve_check.py +++ b/meta/lib/oe/cve_check.py @@ -73,20 +73,19 @@ def get_patched_cves(d): import re import oe.patch - pn = d.getVar("PN") - cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") + cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+") # Matches the last "CVE-YYYY-ID" in the file name, also if written # in lowercase. Possible to have multiple CVE IDs in a single # file name, but only the last one will be detected from the file name. # However, patch files contents addressing multiple CVE IDs are supported # (cve_match regular expression) - - cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") + cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE) patched_cves = set() - bb.debug(2, "Looking for patches that solves CVEs for %s" % pn) - for url in oe.patch.src_patches(d): + patches = oe.patch.src_patches(d) + bb.debug(2, "Scanning %d patches for CVEs" % len(patches)) + for url in patches: patch_file = bb.fetch.decodeurl(url)[2] # Check patch file name for CVE ID @@ -94,7 +93,7 @@ def get_patched_cves(d): if fname_match: cve = fname_match.group(1).upper() patched_cves.add(cve) - bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file)) + bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file)) # Remote patches won't be present and compressed patches won't be # unpacked, so say we're not scanning them |