Diffstat (limited to 'import-layers/yocto-poky/meta/classes/cve-check.bbclass')
-rw-r--r--import-layers/yocto-poky/meta/classes/cve-check.bbclass26
1 files changed, 23 insertions, 3 deletions
diff --git a/import-layers/yocto-poky/meta/classes/cve-check.bbclass b/import-layers/yocto-poky/meta/classes/cve-check.bbclass
index 13ec62ec9b..bc2f03f7dd 100644
--- a/import-layers/yocto-poky/meta/classes/cve-check.bbclass
+++ b/import-layers/yocto-poky/meta/classes/cve-check.bbclass
@@ -83,6 +83,11 @@ python cve_check_write_rootfs_manifest () {
import shutil
+ if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+ deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN"))
+ if os.path.exists(deploy_file):
+ bb.utils.remove(deploy_file)
+
if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
bb.note("Writing rootfs CVE manifest")
deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
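Review bot: The `os.path.exists(deploy_file)` guard in front of `bb.utils.remove(deploy_file)` is redundant and leaves a small check-then-act window: `bb.utils.remove` already tolerates a missing path, so the two lines can collapse to `bb.utils.remove(deploy_file)`. The name `deploy_file` is also misleading, as the path is built from `CVE_CHECK_DIR` and `PN` rather than the deploy directory, and nothing says why the file is removed before the manifest is written; a comment such as `# Remove the per-image CVE file left by a previous run before the manifest is rebuilt (presumed intent - confirm)` would state it. If `CVE_CHECK_DIR` can be unset, `os.path.join` raises TypeError on that line. The rest of `cve_check_write_rootfs_manifest` lies outside the hunk.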
@@ -102,6 +107,7 @@ python cve_check_write_rootfs_manifest () {
}
ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
def get_patches_cves(d):
"""
@@ -112,10 +118,24 @@ def get_patches_cves(d):
pn = d.getVar("PN")
cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+
+ # Matches last CVE-1234-211432 in the file name, also if written
+ # with small letters. Not supporting multiple CVE id's in a single
+ # file name.
+ cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+
patched_cves = set()
bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
for url in src_patches(d):
patch_file = bb.fetch.decodeurl(url)[2]
+
+ # Check patch file name for CVE ID
+ fname_match = cve_file_name_match.search(patch_file)
+ if fname_match:
+ cve = fname_match.group(1).upper()
+ patched_cves.add(cve)
+ bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+
with open(patch_file, "r", encoding="utf-8") as f:
try:
patch_text = f.read()
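Review bot: The pattern on the `cve_file_name_match` line is a plain string literal containing `\-` and `\d`, which are invalid escape sequences in a str and produce warnings on current Python; it should be a raw string, `cve_file_name_match = re.compile(r".*([Cc][Vv][Ee]\-\d{4}\-\d+)")` (the pre-existing `cve_match` line has the same defect). The search runs on the full path returned by `bb.fetch.decodeurl`, so a CVE id appearing in a directory component, not only in the file name, would also mark that CVE as patched - if that is intended, the comment above the regex should say so, since a file name alone is now enough to report a CVE as fixed. The `for url in src_patches(d)` loop continues past the end of the hunk.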
@@ -134,7 +154,7 @@ def get_patches_cves(d):
for cve in cves.split():
bb.debug(2, "Patch %s solves %s" % (patch_file, cve))
patched_cves.add(cve)
- else:
+ elif not fname_match:
bb.debug(2, "Patch %s doesn't solve CVEs" % patch_file)
return patched_cves
@@ -149,7 +169,7 @@ def check_cves(d, patched_cves):
cves_patched = []
cves_unpatched = []
bpn = d.getVar("CVE_PRODUCT")
- pv = d.getVar("PV").split("git+")[0]
+ pv = d.getVar("PV").split("+git")[0]
cves = " ".join(patched_cves)
cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
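Review bot: The corrected `pv = d.getVar("PV").split("+git")[0]` line does not say why the suffix is stripped; a comment such as `# Drop the "+git..." AUTOINC suffix so PV is compared as a plain upstream version (presumed - confirm)` would make the intent visible. Only the `+git` form is handled, so recipes using other SCM suffixes, if any exist, would still pass the full PV through. `check_cves` continues beyond this hunk.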
@@ -171,7 +191,7 @@ def check_cves(d, patched_cves):
f.write("%s,%s,%s," % (bpn, pv, cves))
cmd.append(faux)
- output = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+ output = subprocess.check_output(cmd).decode("utf-8")
bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
except subprocess.CalledProcessError as e:
bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
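Review bot: Dropping `stderr=subprocess.STDOUT` from the `check_output` call means the tool's stderr is no longer captured, so the `bb.warn` in the except branch now reports an `e.output` that lacks the diagnostics most likely to explain a failure. If merging stderr into the parsed output was the problem, capture it separately instead: `output = subprocess.check_output(cmd, stderr=subprocess.PIPE).decode("utf-8")` and `bb.warn("Couldn't check for CVEs: %s (output %s, stderr %s)" % (e, e.output, e.stderr))`. The enclosing `try` begins before this hunk.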