From 1c7d6584a7811b7785ae5c1e378f14b5ba0971cf Mon Sep 17 00:00:00 2001
From: takeshi_hoshina
Date: Mon, 2 Nov 2020 11:07:33 +0900
Subject: basesystem-jj recipes

---
 external/poky/meta/classes/cve-check.bbclass | 33 ++++++++++++++++++----------
 1 file changed, 21 insertions(+), 12 deletions(-)

(limited to 'external/poky/meta/classes/cve-check.bbclass')

diff --git a/external/poky/meta/classes/cve-check.bbclass b/external/poky/meta/classes/cve-check.bbclass
index 19ed5548..514897e8 100644
--- a/external/poky/meta/classes/cve-check.bbclass
+++ b/external/poky/meta/classes/cve-check.bbclass
@@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
-CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.0.db"
+CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_1.1.db"
 
 CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
@@ -52,17 +52,20 @@ python do_cve_check () {
     """
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
-        patched_cves = get_patches_cves(d)
-        patched, unpatched = check_cves(d, patched_cves)
+        try:
+            patched_cves = get_patches_cves(d)
+        except FileNotFoundError:
+            bb.fatal("Failure in searching patches")
+        whitelisted, patched, unpatched = check_cves(d, patched_cves)
 
         if patched or unpatched:
             cve_data = get_cve_info(d, patched + unpatched)
-            cve_write_data(d, patched, unpatched, cve_data)
+            cve_write_data(d, patched, unpatched, whitelisted, cve_data)
     else:
         bb.note("No CVE database found, skipping CVE check")
 }
 
-addtask cve_check before do_build
+addtask cve_check before do_build after do_fetch
 do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db"
 do_cve_check[nostamp] = "1"
 
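Review bot: `bb.fatal("Failure in searching patches")` in do_cve_check aborts the build without saying which patch file was missing, because the exception it catches is raised bare (`raise FileNotFoundError` in the get_patches_cves hunk) and the path only appears in a separate bb.error. Raising `raise FileNotFoundError(patch_file)` there and catching it here as `except FileNotFoundError as e:` with `bb.fatal("Failure in searching patches: %s" % e)` keeps the cause in the fatal message, which is where someone reading a failed build log looks first. The same point applies to the `@@ -129,6 +132,10 @@` hunk. do_cve_check's body begins before this hunk; only the closing docstring quotes are visible.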
@@ -129,6 +132,10 @@ def get_patches_cves(d):
     for url in src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
+        if not os.path.isfile(patch_file):
+            bb.error("File Not found: %s" % patch_file)
+            raise FileNotFoundError
+
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
         if fname_match:
@@ -172,13 +179,13 @@ def check_cves(d, patched_cves):
     products = d.getVar("CVE_PRODUCT").split()
     # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
     if not products:
-        return ([], [])
+        return ([], [], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
 
     # If the recipe has been whitlisted we return empty lists
     if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
         bb.note("Recipe has been whitelisted, skipping check")
-        return ([], [])
+        return ([], [], [])
 
     old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
     if old_cve_whitelist:
@@ -214,7 +221,7 @@ def check_cves(d, patched_cves):
                 (_, _, _, version_start, operator_start, version_end, operator_end) = row
                 #bb.debug(2, "Evaluating row " + str(row))
 
-                if (operator_start == '=' and pv == version_start):
+                if (operator_start == '=' and pv == version_start) or version_start == '-':
                     vulnerable = True
                 else:
                     if operator_start:
@@ -256,7 +263,7 @@ def check_cves(d, patched_cves):
 
     conn.close()
 
-    return (list(patched_cves), cves_unpatched)
+    return (list(cve_whitelist), list(patched_cves), cves_unpatched)
 
 def get_cve_info(d, cves):
     """
@@ -280,7 +287,7 @@ def get_cve_info(d, cves):
     conn.close()
     return cve_data
 
-def cve_write_data(d, patched, unpatched, cve_data):
+def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     """
     Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
     CVE manifest if enabled.
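Review bot: check_cves now returns a three-tuple (`return ([], [], [])` at both early returns in this hunk, and `return (list(cve_whitelist), list(patched_cves), cves_unpatched)` in the `@@ -256,7 +263,7 @@` hunk), but no changed line documents the new member or its position, and the function's docstring lies outside the hunk and presumably still describes two values. A docstring line such as `Returns (whitelisted, patched, unpatched), each a list of CVE IDs.` would record the contract that do_cve_check and cve_write_data now depend on. The `def cve_write_data(d, patched, unpatched, whitelisted, cve_data)` signature in the `@@ -280,7 +287,7 @@` hunk has the same gap; its docstring continues into that hunk and could gain `whitelisted: CVE IDs to report as 'Whitelisted' rather than 'Patched'`. Both functions start or end outside their hunks.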
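Review bot: `or version_start == '-'` in check_cves (the `@@ -214,7 +221,7 @@` hunk) marks the package vulnerable for every version whenever a row's version_start is `'-'`, regardless of operator_start, and the hunk carries no comment explaining the convention, so a reader has to know how the imported NVD data encodes it. Presumably `'-'` is the feed's marker for a CPE match that carries no version, meaning all versions are affected; that is worth stating inline, e.g. `# version_start '-' means the CPE match carries no version: treat every version as affected`. The short-circuit also skips the else branch (which continues outside the hunk), so any version_end / operator_end bound on such a row is never evaluated; confirm that over-reporting in that case is intended. The enclosing loops of check_cves begin before this hunk.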
@@ -294,9 +301,11 @@ def cve_write_data(d, patched, unpatched, cve_data):
 
     for cve in sorted(cve_data):
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
-        write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV")
+        write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
-        if cve in patched:
+        if cve in whitelisted:
+            write_string += "CVE STATUS: Whitelisted\n"
+        elif cve in patched:
             write_string += "CVE STATUS: Patched\n"
         else:
             unpatched_cves.append(cve)
-- 
cgit 1.2.3-korg
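Review bot: The new `if cve in whitelisted:` branch in cve_write_data only runs for CVEs present in cve_data, and the do_cve_check hunk of this commit builds cve_data from `patched + unpatched` alone, so a whitelisted CVE is reported as 'Whitelisted' only if check_cves also returned it in the patched list — logic that sits outside this hunk and is not stated anywhere in the change. A comment at the branch, e.g. `# whitelisted CVEs are expected to also appear in patched, so they are present in cve_data`, would make that coupling visible, or confirm that it holds. Separately, `d.getVar("EXTENDPE")` is formatted with `%s`; if EXTENDPE were ever unset rather than empty the line would read `PACKAGE VERSION: None<PV>`, so `(d.getVar("EXTENDPE") or "", d.getVar("PV"))` is a cheap guard. cve_write_data continues past the end of this hunk.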