subtree updates

poky: 492205ea83..94dfcaff64: Alejandro Hernandez Samaniego (1): baremetal-helloworld: Enable RISC-V 32 port Alexandre Belloni (1): oeqa/runtime/cases: make date.DateTest.test_date more reliable Anton Blanchard (3): libjpeg-turbo: Handle powerpc64le without Altivec kmod: use nonarch_base_libdir for depmod.d and modprobe.d pixman: Handle PowerPC without Altivec Changqing Li (1): libconvert-asn1-perl: 0.27 -> 0.31 Chen Qi (4): convert-overrides.py: also convert comments without a leading whitespace meta: use new override syntax in comments multilib.bbclass: fix new override syntax for virtclass-multilib util-linux: add back manpages related settings Daniel Gomez (1): docs: fix typo in releases Dmitry Baryshkov (1): linux-firmware: add more Qualcomm firmware packages Dragos-Marian Panait (1): util-linux: fix CVE-2021-37600 Joe Slater (1): terminal.bbclass: force bash for devshell Jon Mason (1): tune-cortexm*: add support for all Arm Cortex-M processors Jose Quaresma (1): sstate.bbclass: fix error handling when sstate mirrors is ro Joshua Watt (2): classes/cve-check: Move get_patches_cves to library lib/packagedata: Fix for new overrides Khem Raj (4): glibc: Upgrade to 2.34 release glibc: Remove obsolete --enable-stackguard-randomization glibc: Drop DUMMY_LOCALE_T define patch glibc: Add missing symlinks for libpthread and librt dev files Michael Halstead (1): releases: update to include 3.1.10 Michael Opdenacker (12): manuals: mention license information in footer manuals: further documentation for cve-check cve-check: remove deprecated CVE_CHECK_CVE_WHITELIST bsp-guide: overrides syntax updates dev-manual: overrides syntax updates kernel-dev manual: overrides syntax updates ref-manual: overrides syntax updates sdk-manual: overrides syntax updates test-manual: overrides syntax updates sdk-manual: reference obsolete reference to ADT Manuals: replace "file name" by "filename" dev-manual: fix grammar in post-install script explanations Nisha Parrakat (1): dbus_%.bbappend: stop using selinux_set_mapping Olaf Mandel (1): kickstart: document which options accept units Patrick Williams (3): pixman: re-disable iwmmxt systemd: add zstd PACKAGECONFIG systemd: set zstd as default PACKAGECONFIG Paul Barker (2): u-boot: Package extlinux.conf separately pypi: Allow override of PyPI archive name Quentin Schulz (3): insane.bbclass: fix new override syntax migration docs: fix new override syntax migration docs: overview-manual: concepts: remove long-gone BBHASHDEPS variable Richard Purdie (6): test-manual: Add extra detail to YP Compatible section migration-3.4: Add extra notes to override syntax changes ruby: Fix DEBUG_PREFIX_MAP in LDFLAGS issue gettext: Fix reproducibility issue with LDFLAGS curl: Fix reproducibility issue with LDFLAGS libtool: Fix lto option passing for reproducible builds Ross Burton (11): e2fsprogs: ensure small images have 256-byte inodes wic: don't forcibly pass -T default parted: drop unneeded ld-is-gold patch parted: update patch status buildtools-tarball: add testsdk task oeqa/sdk: add some buildtools tests bitbake: utils: add environment updating context manager bitbake: fetch2: expose environment variable names that need to be exported bitbake: fetch2/wget: ensure all variables are set when calling urllib bitbake: fetch2/wget: fetch securely by default tar: ignore node-tar CVEs Thomas Perrot (2): kernel-fitimage: images should not be signed with the same keys as the configurations oeqa/selftest/fitimage: update tests to use two keys Tim Orling (3): python3-scons{-native}: upgrade 4.1.0 -> 4.2.0 perl: do_create_rdepends_inc override syntax package.bbclass: FILER* override syntax Tom Rini (2): common-tasks: Add a summary to the end of the bbappend example manuals: Rename the "Using .bbappend Files in Your Layer" section Tony Battersby (2): bitbake.conf: add DEBUG_PREFIX_MAP to TARGET_LDFLAGS ruby: Fix reproducibility issue with LDFLAGS Tony Tascioglu (1): valgrind: skip broken ptests for glibc 2.34 Vyacheslav Yurkov (7): lib/oe: add generic functions for overlayfs overlayfs.bbclass: generate overlayfs mount units rootfs-postcommands: add QA check for overlayfs systemd-machine-units: add bbappend for meta-selftest overlayfs: meta-selftest recipe oeqa/selftest: overlayfs unit tests MAINTAINERS: add overlayfs maintainer Yi Zhao (3): dbus: add PACKAGECONFIG for audit and selinux glib-2.0: add PACKAGECONFIG for selinux shadow: add PACKAGECONFIG for audit and selinux hongxu (1): sdk: fix relocate symlink failed wangmy (1): ell: upgrade 0.41 -> 0.42 meta-raspberrypi: c7f4c739a3..32921fc9bd: Omer Akram (1): linux-firmware-rpidistro: fix wifi driver loading on cm4 Otavio Salvador (1): rpi-config: Allow setting hdmi_cvt meta-openembedded: 3cf2475ea0..a13db91f19: Changqing Li (1): ndpi: fix CVE-2021-36082 Chen Qi (1): Convert to new override syntax using latest convert-overrides.py script Dmitry Baryshkov (1): image_types_sparse: fix sparse image generation Geoff Parker (1): cifs-utils: typo fix fakse --> false Kai Kang (2): libdbi-perl: fix CVE-2014-10402 python3-m2crypto: fix for new overrides syntax Khem Raj (1): packagegroup-meta-oe: Add ttf-ipa Leon Anavi (15): python3-astroid: Upgrade 2.6.5 -> 2.6.6 python3-gast: Upgrade 0.5.1 -> 0.5.2 python3-greenlet: Upgrade 1.1.0 -> 1.1.1 python3-bitarray: Upgrade 2.2.3 -> 2.2.5 python3-send2trash: Upgrade 1.7.1 -> 1.8.0 python3-zeroconf: Upgrade 0.33.2 -> 0.34.3 python3-aiohue: Upgrade 2.5.1 -> 2.6.1 python3-configargparse: Upgrade 1.5.1 -> 1.5.2 python3-pycurl: Upgrade 7.43.0.6 -> 7.44.0 python3-distro: Upgrade 1.5.0 -> 1.6.0 python3-google-api-core: Upgrade 1.30.0 -> 1.31.1 python3-google-auth: Upgrade 1.32.0 -> 1.34.0 python3-google-api-python-client: Upgrade 2.12.0 -> 2.15.0 python3-huey: Upgrade 2.3.2 -> 2.4.0 python3-apply-defaults: Upgrade 0.1.4 -> 0.1.6 Martin Jansa (1): python3-grpcio: make sure that GRPC_CFLAGS is expanded to empty Michael Opdenacker (3): vorbis-tools: update to 1.4.2 (latest in 1.4.x series) bigbuckbunny-1080p: fix sample video URL opus-tools: update to 0.2, move to meta-multimedia and fix license Mingli Yu (3): jemalloc: fix the race during do_install jemalloc: add ptest support jemalloc: improve the ptest output Naveen Saini (1): python3-defusedxml: extend recipe to add native support Philippe Coval (1): mycroft: Install more tools needed by scripts Tony Battersby (3): curlpp: fix QA Issue after LDFLAGS change ldns: fix QA Issue after LDFLAGS change tcsh: fix compile error after LDFLAGS change Yi Zhao (5): audit: upgrade 3.0.3 -> 3.0.4 augeas: rename PACKAGECONFIG[libselinux] to PACKAGECONFIG[selinux] network-manager-applet: add selinux to PACKAGECONFIG if enable selinux distro feature networkmanager: add PACKAGECONFIG for audit and selinux augeas: add selinux to PACKAGECONFIG if enable selinux distro feature leimaohui (1): ttf-ipa: Added a new font. wangmy (1): iwd: upgrade 1.15 -> 1.16 zangrc (1): python3-humanize: upgrade 3.10.0 -> 3.11.0 zhengruoqin (3): python3-engineio: upgrade 4.2.0 -> 4.2.1 python3-ipython: upgrade 7.25.0 -> 7.26.0 python3-isort: upgrade 5.9.2 -> 5.9.3 Signed-off-by: Patrick Williams <patrick@stwcx.xyz> Change-Id: I7a8bd19709f465db51254ed3fcaf2486fe64dcaf
author: Patrick Williams <patrick@stwcx.xyz> 2021-08-16 22:03:13 +0300
committer: Patrick Williams <patrick@stwcx.xyz> 2021-08-17 03:53:26 +0300
commit: 0ca19ccf045e022d8a24d26afbf346ab7f2f519f (patch)
tree: 2732b2bd7700fba730c034a547a2e0751696f2ce /poky/meta/classes/cve-check.bbclass
parent: 23ca3ffa9de533fecc0fcd48fea85e365c323370 (diff)
download: openbmc-0ca19ccf045e022d8a24d26afbf346ab7f2f519f.tar.xz
1 files changed, 2 insertions, 63 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 6582f97151..70d1988a70 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -94,10 +94,11 @@ python do_cve_check () {
     """
     Check recipe for patched and unpatched CVEs
     """
+    from oe.cve_check import get_patched_cves
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
         try:
-            patched_cves = get_patches_cves(d)
+            patched_cves = get_patched_cves(d)
         except FileNotFoundError:
             bb.fatal("Failure in searching patches")
         whitelisted, patched, unpatched = check_cves(d, patched_cves)
@@ -156,65 +157,6 @@ python cve_check_write_rootfs_manifest () {
 ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 
-def get_patches_cves(d):
-    """
-    Get patches that solve CVEs using the "CVE: " tag.
-    """
-
-    import re
-
-    pn = d.getVar("PN")
-    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
-
-    # Matches the last "CVE-YYYY-ID" in the file name, also if written
-    # in lowercase. Possible to have multiple CVE IDs in a single
-    # file name, but only the last one will be detected from the file name.
-    # However, patch files contents addressing multiple CVE IDs are supported
-    # (cve_match regular expression)
-
-    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
-
-    patched_cves = set()
-    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
-    for url in src_patches(d):
-        patch_file = bb.fetch.decodeurl(url)[2]
-
-        if not os.path.isfile(patch_file):
-            bb.error("File Not found: %s" % patch_file)
-            raise FileNotFoundError
-
-        # Check patch file name for CVE ID
-        fname_match = cve_file_name_match.search(patch_file)
-        if fname_match:
-            cve = fname_match.group(1).upper()
-            patched_cves.add(cve)
-            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
-
-        with open(patch_file, "r", encoding="utf-8") as f:
-            try:
-                patch_text = f.read()
-            except UnicodeDecodeError:
-                bb.debug(1, "Failed to read patch %s using UTF-8 encoding"
-                        " trying with iso8859-1" %  patch_file)
-                f.close()
-                with open(patch_file, "r", encoding="iso8859-1") as f:
-                    patch_text = f.read()
-
-        # Search for one or more "CVE: " lines
-        text_match = False
-        for match in cve_match.finditer(patch_text):
-            # Get only the CVEs without the "CVE: " tag
-            cves = patch_text[match.start()+5:match.end()]
-            for cve in cves.split():
-                bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
-                patched_cves.add(cve)
-                text_match = True
-
-        if not fname_match and not text_match:
-            bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
-
-    return patched_cves
-
 def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
@@ -238,9 +180,6 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [], [])
 
-    old_cve_whitelist =  d.getVar("CVE_CHECK_CVE_WHITELIST")
-    if old_cve_whitelist:
-        bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
     cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
 
     import sqlite3
author	Patrick Williams <patrick@stwcx.xyz>	2021-08-16 22:03:13 +0300
committer	Patrick Williams <patrick@stwcx.xyz>	2021-08-17 03:53:26 +0300
commit	0ca19ccf045e022d8a24d26afbf346ab7f2f519f (patch)
tree	2732b2bd7700fba730c034a547a2e0751696f2ce /poky/meta/classes/cve-check.bbclass
parent	23ca3ffa9de533fecc0fcd48fea85e365c323370 (diff)
download	openbmc-0ca19ccf045e022d8a24d26afbf346ab7f2f519f.tar.xz