On Wed, Jul 20, 2022 at 12:19 AM, Marta Rybczynska wrote:<br />
<blockquote>On Tue, Jul 12, 2022 at 12:28 PM akash hadke via<br />lists.openembedded.org &lt;akash.hadke=kpit.com@lists.openembedded.org&gt;<br />wrote:<br />
<blockquote>Add an anonymous function to get patched CVEs from the recipe<br />and set the value to 'CVE_PATCHED' variable<br />This variable later can be used to do CVE data processing<br />outside of bitbake<br /><br />Also, introduce a new variable 'CVE_CHECK_WITH_DB' default set<br />to '0', when it is set to non zero value it avoids CVE scan for<br />unpatched CVEs from NVD DB.<br />It will work as the second operational mode for cve-check.bbclass<br />which only exports the data.<br /><br />Signed-off-by: Akash Hadke &lt;akash.hadke@kpit.com&gt;<br />---<br />meta/classes/cve-check.bbclass | 15 +++++++++++++--<br />1 file changed, 13 insertions(+), 2 deletions(-)<br /><br />diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass<br />index da7f93371c..b7f7ca73e5 100644<br />--- a/meta/classes/cve-check.bbclass<br />+++ b/meta/classes/cve-check.bbclass<br />@@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""<br /># set to "alphabetical" for version using single alphabetical character as increment release<br />CVE_VERSION_SUFFIX ??= ""<br /><br />+# set to "1" for avoiding full scan for unpatched CVEs<br />+CVE_CHECK_WITH_DB ??= "0"</blockquote>
The default behavior is now to check with the database, so this should be at "1"<br />by default.</blockquote>
Ok, I will update it once all discussion is completed.<br /><br />
<blockquote>
<blockquote>+<br />+# Patched CVEs from recipe will be assigned to this variable<br />+CVE_PATCHED ??= ""<br />+<br />def generate_json_report(d, out_path, link_path):<br />if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):<br />import json<br />@@ -133,13 +139,18 @@ python cve_save_summary_handler () {<br />addhandler cve_save_summary_handler<br />cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted"<br /><br />+python() {<br />+ from oe.cve_check import get_patched_cves<br />+ d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d)))<br />+}<br />+<br />python do_cve_check () {<br />"""<br />Check recipe for patched and unpatched CVEs<br />"""<br />from oe.cve_check import get_patched_cves<br /><br />- if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):<br />+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and d.getVar("CVE_CHECK_WITH_DB") == "0":<br />try:<br />patched_cves = get_patched_cves(d)<br />except FileNotFoundError:</blockquote>
Instead of the anonymous function, you could add a condition here.</blockquote>
If I use a condition instead of an anonymous function, I will not be able to get the value of the CVE_PATCHED variable in other tasks. The value will be accessed only in the cve_check task. Hence I used the anonymous function.<br />As per my understanding, this is the only way, please let me know if there is any other way to achieve this.<br /><br />
<blockquote><br />Regards,<br />Marta</blockquote>
BR,<br />Akash