Diffstat (limited to 'poky/meta/classes/cve-check.bbclass')
-rw-r--r-- | poky/meta/classes/cve-check.bbclass | 136 |
1 files changed, 81 insertions, 55 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index 3729d9cba8..1b4910f737 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -48,6 +48,7 @@ CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
 CVE_CHECK_REPORT_PATCHED ??= "1"
+CVE_CHECK_SHOW_WARNINGS ??= "1"
 # Provide text output
 CVE_CHECK_FORMAT_TEXT ??= "1"
@@ -82,7 +83,7 @@ CVE_VERSION_SUFFIX ??= ""
 def generate_json_report(d, out_path, link_path):
 if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
 import json
- from oe.cve_check import cve_check_merge_jsons
+ from oe.cve_check import cve_check_merge_jsons, update_symlinks
 bb.note("Generating JSON CVE summary")
 index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
@@ -98,14 +99,12 @@ def generate_json_report(d, out_path, link_path):
 with open(out_path, "w") as f:
 json.dump(summary, f, indent=2)
- if link_path != out_path:
- if os.path.exists(os.path.realpath(link_path)):
- os.remove(link_path)
- os.symlink(os.path.basename(out_path), link_path)
+ update_symlinks(out_path, link_path)
 python cve_save_summary_handler () {
 import shutil
 import datetime
+ from oe.cve_check import update_symlinks
 cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
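Review bot: The new `CVE_CHECK_SHOW_WARNINGS ??= "1"` default carries no comment, while the neighbouring defaults are introduced by one (`# Provide text output`). Its only consumer visible in this diff is the `bb.warn` gate added to cve_write_data_text, so a line above it such as `# Emit a bb.warn for recipes with unpatched CVEs; "0" keeps them only in the generated reports` would tell a reader of the class what switching it off loses.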
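Review bot: `update_symlinks(out_path, link_path)` replaces a guard that compared the two paths and removed an existing link, but the helper's behaviour is not visible here, and the removed `os.path.exists(os.path.realpath(link_path))` test did not cover a dangling link (the `os.symlink` after it would then raise FileExistsError). Confirm that oe.cve_check.update_symlinks handles both the same-path case and a stale or dangling link, and record that at the call site, e.g. `# update_symlinks: no-op when both paths match, replaces a stale or dangling link`. The same call is introduced in the cve_save_summary_handler and cve_check_write_rootfs_manifest hunks below.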
@@ -118,14 +117,9 @@ python cve_save_summary_handler () {
 if os.path.exists(cve_tmp_file):
 shutil.copyfile(cve_tmp_file, cve_summary_file)
-
- if cve_summary_file and os.path.exists(cve_summary_file):
- cvefile_link = os.path.join(cvelogpath, cve_summary_name)
- # if the paths are the same don't create the link
- if cvefile_link != cve_summary_file:
- if os.path.exists(os.path.realpath(cvefile_link)):
- os.remove(cvefile_link)
- os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+ cvefile_link = os.path.join(cvelogpath, cve_summary_name)
+ update_symlinks(cve_summary_file, cvefile_link)
+ bb.plain("Complete CVE report summary created at: %s" % cvefile_link)
 if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
 json_summary_link_name = os.path.join(cvelogpath, d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
@@ -178,7 +172,9 @@ python cve_check_write_rootfs_manifest () {
 """
 import shutil
- from oe.cve_check import cve_check_merge_jsons
+ import json
+ from oe.rootfs import image_list_installed_packages
+ from oe.cve_check import cve_check_merge_jsons, update_symlinks
 if d.getVar("CVE_CHECK_COPY_FILES") == "1":
 deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
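Review bot: `update_symlinks(cve_summary_file, cvefile_link)` and the `bb.plain(...)` after it now run unconditionally, whereas the `shutil.copyfile` on the line above is still guarded by `if os.path.exists(cve_tmp_file):`; when no recipe produced CVE data the summary file presumably does not exist, and the handler then links to and announces a report that was never written (what update_symlinks does with a missing target is not visible here). Indent the three added lines under the existing `if os.path.exists(cve_tmp_file):` block, or guard them with `if os.path.exists(cve_summary_file):` as the removed code did. The handler's body begins before this hunk.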
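Review bot: `import shutil` is kept although the rewritten body in the next hunk no longer calls shutil (its only use, `shutil.copyfile`, is removed there), and `oe.packagedata.read_pkgdatafile` is called in that body without any import of `oe.packagedata` in this function. If the name resolves only because some other module imported it earlier, that is fragile; add `import oe.packagedata` beside the new `import json` and drop the unused `import shutil`. The `"""` docstring above is the function's only documentation; a sentence saying the manifest is now aggregated from the per-recipe CVE_CHECK_RECIPE_FILE outputs of the installed packages would help the next reader.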
@@ -188,32 +184,63 @@ python cve_check_write_rootfs_manifest () {
 if os.path.exists(deploy_file_json):
 bb.utils.remove(deploy_file_json)
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
- bb.note("Writing rootfs CVE manifest")
- deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
- link_name = d.getVar("IMAGE_LINK_NAME")
+ # Create a list of relevant recipies
+ recipies = set()
+ for pkg in list(image_list_installed_packages(d)):
+ pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
+ 'runtime-reverse', pkg)
+ pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
+ recipies.add(pkg_data["PN"])
+
+ bb.note("Writing rootfs CVE manifest")
+ deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
+ link_name = d.getVar("IMAGE_LINK_NAME")
+
+ json_data = {"version":"1", "package": []}
+ text_data = ""
+ enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
+ enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
+
+ save_pn = d.getVar("PN")
+
+ for pkg in recipies:
+ # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
+ # it with the different PN names set each time.
+ d.setVar("PN", pkg)
+ if enable_text:
+ pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
+ if os.path.exists(pkgfilepath):
+ with open(pkgfilepath) as pfile:
+ text_data += pfile.read()
+
+ if enable_json:
+ pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
+ if os.path.exists(pkgfilepath):
+ with open(pkgfilepath) as j:
+ data = json.load(j)
+ cve_check_merge_jsons(json_data, data)
+
+ d.setVar("PN", save_pn)
+
+ if enable_text:
+ link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
 manifest_name = d.getVar("CVE_CHECK_MANIFEST")
- cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
-
- bb.utils.mkdirhier(os.path.dirname(manifest_name))
- shutil.copyfile(cve_tmp_file, manifest_name)
-
- if manifest_name and os.path.exists(manifest_name):
- manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
- # if they are the same don't create the link
- if manifest_link != manifest_name:
- # If we already have another manifest, update symlinks
- if os.path.exists(os.path.realpath(manifest_link)):
- os.remove(manifest_link)
- os.symlink(os.path.basename(manifest_name), manifest_link)
- bb.plain("Image CVE report stored in: %s" % manifest_name)
-
- if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
- link_path = os.path.join(deploy_dir, "%s.json" % link_name)
- manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
- bb.note("Generating JSON CVE manifest")
- generate_json_report(d, manifest_path, link_path)
- bb.plain("Image CVE JSON report stored in: %s" % link_path)
+
+ with open(manifest_name, "w") as f:
+ f.write(text_data)
+
+ update_symlinks(manifest_name, link_path)
+ bb.plain("Image CVE report stored in: %s" % manifest_name)
+
+ if enable_json:
+ link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+ manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
+
+ with open(manifest_name, "w") as f:
+ json.dump(json_data, f, indent=2)
+
+ update_symlinks(manifest_name, link_path)
+ bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
 }
ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
@@ -237,7 +264,7 @@ def check_cves(d, patched_cves):
 products = d.getVar("CVE_PRODUCT").split()
 # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
 if not products:
- return ([], [], [], {})
+ return ([], [], [], [])
 pv = d.getVar("CVE_VERSION").split("+git")[0]
 # If the recipe has been skipped/ignored we return empty lists
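Review bot: `d.setVar("PN", pkg)` inside the `for pkg in recipies:` loop is only undone by the `d.setVar("PN", save_pn)` after the loop, so a failing `json.load(j)` on a corrupt per-recipe file or a missing key in `pkg_data["PN"]` aborts the task with the datastore still carrying a foreign PN; wrap the loop as `try:` … `finally: d.setVar("PN", save_pn)`. The rewrite also drops the old `bb.utils.mkdirhier(os.path.dirname(manifest_name))` before writing CVE_CHECK_MANIFEST, so `open(manifest_name, "w")` now relies on the deploy directory already existing — presumably true at rootfs postprocess time, but the call was cheap insurance. `recipies` is misspelt throughout the new code; `recipes` would be the conventional name. The enclosing function starts before this hunk.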
@@ -405,26 +432,25 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
 write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
 write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
- if unpatched_cves:
+ if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
 bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
- if write_string:
- with open(cve_file, "w") as f:
- bb.note("Writing file %s with CVE information" % cve_file)
- f.write(write_string)
+ with open(cve_file, "w") as f:
+ bb.note("Writing file %s with CVE information" % cve_file)
+ f.write(write_string)
- if d.getVar("CVE_CHECK_COPY_FILES") == "1":
- deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
- bb.utils.mkdirhier(os.path.dirname(deploy_file))
- with open(deploy_file, "w") as f:
- f.write(write_string)
+ if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+ deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
+ bb.utils.mkdirhier(os.path.dirname(deploy_file))
+ with open(deploy_file, "w") as f:
+ f.write(write_string)
- if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
- cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
- bb.utils.mkdirhier(cvelogpath)
+ if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
+ cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+ bb.utils.mkdirhier(cvelogpath)
- with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
- f.write("%s" % write_string)
+ with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
+ f.write("%s" % write_string)
 def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
 """ |
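Review bot: With `CVE_CHECK_SHOW_WARNINGS` set to anything but "1", the unpatched CVE list no longer reaches the build log at all, since the gated `bb.warn` is the only console output for it in this hunk; an `else:` branch emitting `bb.note("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves), cve_file))` keeps the finding discoverable in the task log without the warning. The re-indented manifest block still uses `f.write("%s" % write_string)` where `f.write(write_string)` says the same, as the two writes above it already do. Dropping the `if write_string:` guard means the per-recipe files are now written even when write_string is empty; a one-line comment stating that the rootfs manifest expects one file per scanned recipe would stop a later reader from restoring the guard. cve_write_data_text starts before this hunk.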