On Wed, Jul 20, 2022 at 12:19 AM, Marta Rybczynska wrote: > > On Tue, Jul 12, 2022 at 12:28 PM akash hadke via > lists.openembedded.org > wrote: > >> Add an anonymous function to get patched CVEs from the recipe >> and set the value to 'CVE_PATCHED' variable >> This variable later can be used to do CVE data processing >> outside of bitbake >> >> Also, introduce a new variable 'CVE_CHECK_WITH_DB' default set >> to '0', when it is set to non zero value it avoids CVE scan for >> unpatched CVEs from NVD DB. >> It will work as the second operational mode for cve-check.bbclass >> which only exports the data. >> >> Signed-off-by: Akash Hadke >> --- >> meta/classes/cve-check.bbclass | 15 +++++++++++++-- >> 1 file changed, 13 insertions(+), 2 deletions(-) >> >> diff --git a/meta/classes/cve-check.bbclass >> b/meta/classes/cve-check.bbclass >> index da7f93371c..b7f7ca73e5 100644 >> --- a/meta/classes/cve-check.bbclass >> +++ b/meta/classes/cve-check.bbclass >> @@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= "" >> # set to "alphabetical" for version using single alphabetical character as >> increment release >> CVE_VERSION_SUFFIX ??= "" >> >> +# set to "1" for avoiding full scan for unpatched CVEs >> +CVE_CHECK_WITH_DB ??= "0" > > The default behavior is now to check with the database, so this should be > at "1" > by default. Ok, I will update it once all discussion is completed. > > >> + >> +# Patched CVEs from recipe will be assigned to this variable >> +CVE_PATCHED ??= "" >> + >> def generate_json_report(d, out_path, link_path): >> if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): >> import json 
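Review bot: the comment and default on the new `CVE_CHECK_WITH_DB` contradict the variable's name: `# set to "1" for avoiding full scan for unpatched CVEs` means "1" turns the database scan off, so someone setting `CVE_CHECK_WITH_DB = "1"` because they want the DB check gets the opposite. Either invert the sense so that "1" means scan (the default then becomes "1", as the reply above asks for) or rename the variable so the name says what "1" does. Separately, `CVE_PATCHED ??= ""` is a user-overridable default, but the anonymous `python()` added in the next hunk sets it unconditionally with `d.setVar`, so any value a user assigns is discarded at parse time; the comment should say the variable is computed and is not meant to be set, or the `??=` default should go.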
>> @@ -133,13 +139,18 @@ python cve_save_summary_handler () { >> addhandler cve_save_summary_handler >> cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted" >> >> +python() { >> + from oe.cve_check import get_patched_cves >> + d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d))) >> +} >> + >> python do_cve_check () { >> """ >> Check recipe for patched and unpatched CVEs >> """ >> from oe.cve_check import get_patched_cves >> >> - if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): >> + if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and >> d.getVar("CVE_CHECK_WITH_DB") == "0": >> try: >> patched_cves = get_patched_cves(d) >> except FileNotFoundError: > > Instead of the anonymous function, you could add a condition here. If I use a condition instead of an anonymous function, I will not be able to get the value of the CVE_PATCHED variable in other tasks. The value will be accessed only in the cve_check task. Hence I used the anonymous function. As per my understanding, this is the only way, please let me know if there is any other way to achieve this. > > > Regards, > Marta BR, Akash
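Review bot: the anonymous `python()` calls `get_patched_cves(d)` at parse time for every recipe that inherits the class, with no error handling, while `do_cve_check` keeps the same call inside `try: ... except FileNotFoundError:`. A patch referenced from `SRC_URI` that is missing on disk will therefore abort parsing of the recipe instead of failing only the `do_cve_check` task, and the patch-file scan now runs on every parse rather than once per task. Wrap the call in the anonymous function in the same `except FileNotFoundError` handling, or at least make the failure mode explicit in the commit message. On the changed condition, `d.getVar("CVE_CHECK_WITH_DB") == "0"` treats any value other than the literal string "0" (an empty string, "false", a typo) as "skip the database scan", which fails silently in the direction of fewer findings; compare against "1" explicitly or normalise with `bb.utils.to_boolean`. Finally, since `CVE_PATCHED` is already populated at parse time, `do_cve_check` can read `d.getVar("CVE_PATCHED").split()` rather than calling `get_patched_cves(d)` a second time, which also keeps the task and the exported variable from ever disagreeing.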