diff options
Diffstat (limited to 'meta/classes/cve-check.bbclass')
-rw-r--r-- | meta/classes/cve-check.bbclass | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 112ee3379d..a95e810605 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -20,7 +20,7 @@ # the only method to check against CVEs. Running this tool # doesn't guarantee your packages are free of CVEs. -# The product name that the CVE database uses. Defaults to BPN, but may need to +# The product name that the CVE database uses defaults to BPN, but may need to # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff). CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" @@ -56,11 +56,11 @@ CVE_CHECK_WHITELIST ?= "" # Layers to be excluded CVE_CHECK_LAYER_EXCLUDELIST ??= "" -# Layers to be included +# Layers to be included CVE_CHECK_LAYER_INCLUDELIST ??= "" -# set to "alphabetical" for version using single alphabetical character as increament release +# set to "alphabetical" for version using single alphabetical character as increment release CVE_VERSION_SUFFIX ??= "" python cve_save_summary_handler () { @@ -110,6 +110,7 @@ python do_cve_check () { } addtask cve_check before do_build after do_fetch +do_cve_check[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}" do_cve_check[depends] = "cve-update-db-native:do_fetch" do_cve_check[nostamp] = "1" @@ -142,6 +143,7 @@ python cve_check_write_rootfs_manifest () { manifest_name = d.getVar("CVE_CHECK_MANIFEST") cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE") + bb.utils.mkdirhier(os.path.dirname(manifest_name)) shutil.copyfile(cve_tmp_file, manifest_name) if manifest_name and os.path.exists(manifest_name): @@ -166,9 +168,12 @@ def get_patches_cves(d): pn = d.getVar("PN") cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+") - # Matches last CVE-1234-211432 in the file name, also if written - # with small letters. Not supporting multiple CVE id's in a single - # file name. + # Matches the last "CVE-YYYY-ID" in the file name, also if written + # in lowercase. Possible to have multiple CVE IDs in a single + # file name, but only the last one will be detected from the file name. + # However, patch files contents addressing multiple CVE IDs are supported + # (cve_match regular expression) + cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)") patched_cves = set() @@ -230,7 +235,7 @@ def check_cves(d, patched_cves): return ([], [], []) pv = d.getVar("CVE_VERSION").split("+git")[0] - # If the recipe has been whitlisted we return empty lists + # If the recipe has been whitelisted we return empty lists if pn in d.getVar("CVE_CHECK_PN_WHITELIST").split(): bb.note("Recipe has been whitelisted, skipping check") return ([], [], []) @@ -355,7 +360,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data): if include_layers and layer not in include_layers: return - nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" + nvd_link = "https://nvd.nist.gov/vuln/detail/" write_string = "" unpatched_cves = [] bb.utils.mkdirhier(os.path.dirname(cve_file)) |