Diffstat (limited to 'poky/meta/classes/cve-check.bbclass')
-rw-r--r-- | poky/meta/classes/cve-check.bbclass | 35 |
1 files changed, 30 insertions, 5 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass
index d843e7c4ac..112ee3379d 100644
--- a/poky/meta/classes/cve-check.bbclass
+++ b/poky/meta/classes/cve-check.bbclass
@@ -53,6 +53,16 @@ CVE_CHECK_PN_WHITELIST ?= ""
 #
 CVE_CHECK_WHITELIST ?= ""
 
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+
+# Layers to be included
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+
+
+# set to "alphabetical" for version using single alphabetical character as increament release
+CVE_VERSION_SUFFIX ??= ""
+
 python cve_save_summary_handler () {
     import shutil
     import datetime
@@ -206,10 +216,11 @@ def check_cves(d, patched_cves):
     """
     Connect to the NVD database and find unpatched cves.
     """
-    from distutils.version import LooseVersion
+    from oe.cve_check import Version
 
     pn = d.getVar("PN")
     real_pv = d.getVar("PV")
+    suffix = d.getVar("CVE_VERSION_SUFFIX")
     cves_unpatched = []
 
     # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
@@ -263,8 +274,8 @@ def check_cves(d, patched_cves):
             else:
                 if operator_start:
                     try:
-                        vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start))
-                        vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start))
+                        vulnerable_start = (operator_start == '>=' and Version(pv,suffix) >= Version(version_start,suffix))
+                        vulnerable_start |= (operator_start == '>' and Version(pv,suffix) > Version(version_start,suffix))
                     except:
                         bb.warn("%s: Failed to compare %s %s %s for %s" %
                                 (product, pv, operator_start, version_start, cve))
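Review bot: The comment above CVE_VERSION_SUFFIX misspells "increament" and reads awkwardly, and the two new layer-list comments do not say what a list entry is or how the two lists combine, which matters here because a mis-spelled entry silently changes what gets reported. Suggested wording: `# Space-separated layer directory names; recipes from these layers are left out of the CVE report` for the exclude list, `# Space-separated layer directory names; when set, only recipes from these layers are reported (an exclude match takes precedence)` for the include list, and `# Set to "alphabetical" for versions that use a single trailing letter as the release increment` for the suffix. The "directory name" and precedence wording reflect how cve_write_data derives and checks the layer later in this same commit.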
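Review bot: In the two rewritten comparison lines `Version(pv,suffix)` is constructed twice per line (four times per row once the operator_end check is counted) and the argument lists drop the space after the comma that the rest of the file uses. If the construction is hoisted it should stay inside the existing `try`, so a PV that Version cannot parse still produces the existing warning instead of an unhandled exception: `pv_version = Version(pv, suffix)` as the first statement of the try, then `pv_version >= Version(version_start, suffix)` and `pv_version > Version(version_start, suffix)` in the comparisons. The enclosing loop over the product rows starts before the hunk and the bare `except:` branch continues past it.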
@@ -274,8 +285,8 @@ def check_cves(d, patched_cves):
 
                 if operator_end:
                     try:
-                        vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end))
-                        vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end))
+                        vulnerable_end = (operator_end == '<=' and Version(pv,suffix) <= Version(version_end,suffix) )
+                        vulnerable_end |= (operator_end == '<' and Version(pv,suffix) < Version(version_end,suffix) )
                     except:
                         bb.warn("%s: Failed to compare %s %s %s for %s" %
                                 (product, pv, operator_end, version_end, cve))
@@ -330,7 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     CVE manifest if enabled.
     """
 
+    cve_file = d.getVar("CVE_CHECK_LOG")
+    fdir_name = d.getVar("FILE_DIRNAME")
+    layer = fdir_name.split("/")[-3]
+
+    include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+    exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+    if exclude_layers and layer in exclude_layers:
+        return
+
+    if include_layers and layer not in include_layers:
+        return
+
     nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
     write_string = ""
     unpatched_cves = []
@@ -340,6 +364,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
         is_patched = cve in patched
         if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
             continue
+        write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
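Review bot: `layer = fdir_name.split("/")[-3]` identifies the layer purely by the directory name three levels above the recipe, so a layer checked out under a different directory name than the one listed in CVE_CHECK_LAYER_INCLUDELIST, or a recipe stored at a different depth, yields a name that matches nothing — and with an include list configured that recipe's CVE report is then silently dropped by the early `return`, which for a vulnerability scanner is a false negative nobody sees. At minimum make the skip visible, e.g. `bb.note("%s: layer '%s' filtered by CVE_CHECK_LAYER_INCLUDELIST/EXCLUDELIST, no CVE report written" % (d.getVar("PN"), layer))` before each `return`, and state next to the two variables that matching is against the layer's directory name rather than the name the layer declares in its layer.conf. A FILE_DIRNAME with fewer than three components raises IndexError and fails the task loudly, which is preferable to guessing a layer, so that path needs no extra handling. cve_write_data's body continues outside the hunk, including the code that later consumes cve_file.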