[PATCH 3/4] cve-check: Manage CVE_PRODUCT with more than one name

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Pierre Le Magourou <lemagoup@gmail.com>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 3/4] cve-check: Manage CVE_PRODUCT with more than one name
Date: Wed, 19 Jun 2019 15:59:39 +0200	[thread overview]
Message-ID: <20190619135940.18544-3-lemagoup@gmail.com> (raw)
In-Reply-To: <20190619135940.18544-1-lemagoup@gmail.com>

From: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>

In some rare cases (eg. curl recipe) the CVE_PRODUCT contains more than
one name.

Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
---
 meta/classes/cve-check.bbclass | 25 ++++++++++++++-----------
 1 file changed, 14 insertions(+), 11 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 28619c7bd4..e7540b8c1f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -168,9 +168,10 @@ def check_cves(d, patched_cves):
     import ast, csv, tempfile, subprocess, io
 
     cves_unpatched = []
-    bpn = d.getVar("CVE_PRODUCT")
+    # CVE_PRODUCT can contain more than one product (eg. curl/libcurl)
+    bpn = d.getVar("CVE_PRODUCT").split()
     # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
-    if not bpn:
+    if len(bpn) == 0:
         return ([], [])
     pv = d.getVar("CVE_VERSION").split("+git")[0]
     cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
@@ -184,16 +185,18 @@ def check_cves(d, patched_cves):
     db_file = d.getVar("CVE_CHECK_DB_FILE")
     conn = sqlite3.connect(db_file)
     c = conn.cursor()
+
     query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '%s' AND VERSION IS '%s';"
-    for row in c.execute(query % (bpn,pv)):
-        cve = row[1]
-        if pv in cve_whitelist.get(cve,[]):
-            bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve))
-        elif cve in patched_cves:
-            bb.note("%s has been patched" % (cve))
-        else:
-            cves_unpatched.append(cve)
-            bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve))
+    for idx in range(len(bpn)):
+        for row in c.execute(query % (bpn[idx],pv)):
+            cve = row[1]
+            if pv in cve_whitelist.get(cve,[]):
+                bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve))
+            elif cve in patched_cves:
+                bb.note("%s has been patched" % (cve))
+            else:
+                cves_unpatched.append(cve)
+                bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve))
     conn.close()
 
     return (list(patched_cves), cves_unpatched)
-- 
2.11.0

next prev parent reply	other threads:[~2019-06-19 14:00 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-06-19 13:59 [PATCH 1/4] cve-update-db: New recipe to update CVE database Pierre Le Magourou
2019-06-19 13:59 ` [PATCH 2/4] cve-check: Remove dependency to cve-check-tool-native Pierre Le Magourou
2019-06-19 14:59   ` Burton, Ross
2019-06-19 15:58     ` Pierre Le Magourou
2019-06-19 13:59 ` Pierre Le Magourou [this message]
2019-06-19 13:59 ` [PATCH 4/4] cve-check: Consider CVE that affects versions with less than operator Pierre Le Magourou
2019-06-19 20:21 ` [PATCH 1/4] cve-update-db: New recipe to update CVE database Adrian Bunk
2019-06-20  9:36   ` Pierre Le Magourou
2019-06-21 11:03     ` Mikko.Rapeli
2019-06-21 11:42       ` Alexander Kanavin
2019-06-21 11:48         ` Mikko.Rapeli
2019-06-21 12:03           ` Alexander Kanavin
2019-06-21 12:15             ` Mikko.Rapeli
2019-06-21 12:29       ` Burton, Ross
2019-06-21 13:01         ` Mikko.Rapeli
2019-06-25  8:48           ` Pierre Le Magourou
2019-06-25 12:54             ` Burton, Ross
2019-06-24  8:32         ` Pierre Le Magourou
2019-06-24  9:46           ` Burton, Ross
2019-06-27  7:31 ` Richard Purdie
2019-06-27  9:10   ` Pierre Le Magourou

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:28619c7bd dfblob:e7540b8c1 )
 OR (
bs:"[PATCH 3/4] cve-check: Manage CVE_PRODUCT with more than one name" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190619135940.18544-3-lemagoup@gmail.com \
    --to=lemagoup@gmail.com \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.