* [PATCH 0/1] cve-check.bbclass: make warning contain CVE IDs
From: Chen Qi @ 2017-05-09 9:13 UTC
To: openembedded-core

The following changes since commit 381897c64069ea43d595380a3ae913bcc79cf7e1:

  build-appliance-image: Update to master head revision (2017-05-01 08:56:47 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/cve-check-warning
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/cve-check-warning

Chen Qi (1):
  cve-check.bbclass: make warning contain CVE IDs

 meta/classes/cve-check.bbclass | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

--
1.9.1
* [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs 2017-05-09 9:13 [PATCH 0/1] cve-check.bbclass: make warning contain CVE IDs Chen Qi @ 2017-05-09 9:13 ` Chen Qi 2017-05-09 9:17 ` Joshua Lock 0 siblings, 1 reply; 4+ messages in thread From: Chen Qi @ 2017-05-09 9:13 UTC (permalink / raw) To: openembedded-core When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. Signed-off-by: Chen Qi <Qi.Chen@windriver.com> --- meta/classes/cve-check.bbclass | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 0e4294f..496d744 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched, cve_data): cve_file = d.getVar("CVE_CHECK_LOCAL_FILE") nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" write_string = "" - first_alert = True + has_unpatched_cve = False + unpatched_cves = [] bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR")) for cve in sorted(cve_data): 
@@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched, cve_data): if cve in patched: write_string += "CVE STATUS: Patched\n" else: + unpatched_cves.append(cve) write_string += "CVE STATUS: Unpatched\n" - if first_alert: - bb.warn("Found unpatched CVE, for more information check %s" % cve_file) - first_alert = False + has_unpatched_cve = True write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"] write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) + if has_unpatched_cve: + bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file)) + with open(cve_file, "w") as f: bb.note("Writing file %s with CVE information" % cve_file) f.write(write_string) -- 1.9.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
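Review bot: in the @@ -234,7 +234,8 hunk, has_unpatched_cve is redundant state. It is set to True in exactly the branch where unpatched_cves.append(cve) runs, so the list being non-empty carries the same information and the final test can simply be "if unpatched_cves:", which also lets the "has_unpatched_cve = False" line go. Keeping two variables that must agree invites a future edit that updates one and not the other. Note that the list is named unpatched_cves (plural), so the conditional must use that spelling.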
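Review bot: in the @@ -244,15 +245,17 hunk, the new bb.warn joins the IDs with a single space and keeps the singular wording "Found unpatched CVE (%s)" even when several IDs are listed; since this line is what people grep out of long build logs, a count and a ", " separator read better, e.g. "Found %d unpatched CVE(s): %s, for more information check %s" % (len(unpatched_cves), ", ".join(unpatched_cves), cve_file). Also, the loop runs over sorted(cve_data), which orders IDs as strings, so CVE-2017-10000 would be listed before CVE-2017-7869; that ordering is pre-existing, but the patch now exposes it in the warning. The function already receives an unpatched argument; if it holds the same IDs as the new list, the warning could use it directly instead of rebuilding the list. Style nit: missing space after the comma in (" ".join(unpatched_cves),cve_file).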
* Re: [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs 2017-05-09 9:13 ` [PATCH 1/1] " Chen Qi @ 2017-05-09 9:17 ` Joshua Lock 2017-05-09 9:25 ` ChenQi 0 siblings, 1 reply; 4+ messages in thread From: Joshua Lock @ 2017-05-09 9:17 UTC (permalink / raw) To: Chen Qi, openembedded-core On Tue, 2017-05-09 at 17:13 +0800, Chen Qi wrote: > When warning users about unpatched CVE, we'd better put CVE IDs into > the warning message, so that it would be more straight forward for > the > user to know which CVEs are not patched. > > So instead of: > WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for > more information check /path/to/workdir/cve/cve.log. > We should have: > WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE- > 2017-7869), for more information check /path/to/workdir/cve/cve.log. > > Signed-off-by: Chen Qi <Qi.Chen@windriver.com> > --- > meta/classes/cve-check.bbclass | 11 +++++++---- > 1 file changed, 7 insertions(+), 4 deletions(-) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve- > check.bbclass > index 0e4294f..496d744 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched, > cve_data): > cve_file = d.getVar("CVE_CHECK_LOCAL_FILE") > nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" > write_string = "" > - first_alert = True > + has_unpatched_cve = False > + unpatched_cves = [] > bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR")) > > for cve in sorted(cve_data): 
> @@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched, > cve_data): > if cve in patched: > write_string += "CVE STATUS: Patched\n" > else: > + unpatched_cves.append(cve) > write_string += "CVE STATUS: Unpatched\n" > - if first_alert: > - bb.warn("Found unpatched CVE, for more information > check %s" % cve_file) > - first_alert = False > + has_unpatched_cve = True > write_string += "CVE SUMMARY: %s\n" % > cve_data[cve]["summary"] > write_string += "CVSS v2 BASE SCORE: %s\n" % > cve_data[cve]["score"] > write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] > write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, > cve) > > + if has_unpatched_cve: There's no need for the has_unpatched_cve variable, you can just test whether the unpatched_cves list is empty: >>> foo = [] >>> bar = [1, 2, 3] >>> if foo: ... print("foo") ... >>> if bar: ... print("bar") ... bar Your conditional can just be: + if unpatched_cve: > + bb.warn("Found unpatched CVE (%s), for more information > check %s" % (" ".join(unpatched_cves),cve_file)) > + > with open(cve_file, "w") as f: > bb.note("Writing file %s with CVE information" % cve_file) > f.write(write_string) > -- > 1.9.1 > ^ permalink raw reply [flat|nested] 4+ messages in thread
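The shape Joshua suggests, as an added stand-alone Python example rather than the bbclass's own code: the per-CVE report text and the warning are built by a pure function instead of bb.warn and open(), so the "nothing unpatched" case (empty list, therefore no warning) can be exercised directly. The sample CVE entries and the patched set are constructed here; the "CVE: <id>" line stands in for the per-CVE header lines that precede the hunk context and are not shown on this page. One deliberate extension beyond the patch: IDs are ordered by (year, sequence number) through cve_sort_key rather than the lexicographic sorted(cve_data) the bbclass uses, so CVE-2017-7869 lists before CVE-2017-10000.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

NVD_LINK = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="

# Constructed sample data in the shape cve_write_data() reads: one dict per CVE ID.
SAMPLE_CVE_DATA: Dict[str, Dict[str, str]] = {
    "CVE-2017-10000": {"summary": "constructed example entry", "score": "5.0", "vector": "NETWORK"},
    "CVE-2017-7869": {"summary": "constructed example entry", "score": "7.5", "vector": "NETWORK"},
    "CVE-2016-1234": {"summary": "constructed example entry", "score": "4.3", "vector": "NETWORK"},
}
SAMPLE_PATCHED = {"CVE-2016-1234"}  # constructed: the one ID the recipe carries a fix for


def cve_sort_key(cve_id: str) -> Tuple[int, int]:
    """Order CVE IDs numerically by (year, sequence number).

    Plain sorted() compares strings, so CVE-2017-10000 would precede
    CVE-2017-7869; this key yields the order a reader expects.
    """
    m = re.fullmatch(r"CVE-(\d{4})-(\d{4,})", cve_id)
    if not m:
        raise ValueError("not a CVE ID: %r" % cve_id)
    return int(m.group(1)), int(m.group(2))


def build_cve_report(cve_data: Dict[str, Dict[str, str]],
                     patched: Iterable[str],
                     cve_file: str = "cve.log") -> Tuple[Optional[str], str]:
    """Return (warning, report_text).

    warning is None when every CVE in cve_data is patched; otherwise it is
    the one-line message listing each unpatched ID, as the patch intends.
    """
    patched = set(patched)
    report = ""
    unpatched_cves: List[str] = []
    for cve in sorted(cve_data, key=cve_sort_key):
        entry = cve_data[cve]
        report += "CVE: %s\n" % cve  # assumption: stands in for the unseen per-CVE header lines
        if cve in patched:
            report += "CVE STATUS: Patched\n"
        else:
            unpatched_cves.append(cve)
            report += "CVE STATUS: Unpatched\n"
        report += "CVE SUMMARY: %s\n" % entry["summary"]
        report += "CVSS v2 BASE SCORE: %s\n" % entry["score"]
        report += "VECTOR: %s\n" % entry["vector"]
        report += "MORE INFORMATION: %s%s\n\n" % (NVD_LINK, cve)

    warning = None
    # An empty list is falsy, so no separate flag variable is needed.
    if unpatched_cves:
        warning = "Found unpatched CVE (%s), for more information check %s" % (
            " ".join(unpatched_cves), cve_file)
    return warning, report


if __name__ == "__main__":
    warning, report = build_cve_report(SAMPLE_CVE_DATA, SAMPLE_PATCHED)
    print(warning)
    print(report)
```

Running the block prints the warning naming CVE-2017-7869 and CVE-2017-10000 followed by the per-CVE report; passing every ID as patched returns None for the warning, which is the case the original first_alert logic and the new flag both exist to handle.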
* Re: [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs 2017-05-09 9:17 ` Joshua Lock @ 2017-05-09 9:25 ` ChenQi 0 siblings, 0 replies; 4+ messages in thread From: ChenQi @ 2017-05-09 9:25 UTC (permalink / raw) To: Joshua Lock, openembedded-core On 05/09/2017 05:17 PM, Joshua Lock wrote: > On Tue, 2017-05-09 at 17:13 +0800, Chen Qi wrote: >> When warning users about unpatched CVE, we'd better put CVE IDs into >> the warning message, so that it would be more straight forward for >> the >> user to know which CVEs are not patched. >> >> So instead of: >> WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for >> more information check /path/to/workdir/cve/cve.log. >> We should have: >> WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE- >> 2017-7869), for more information check /path/to/workdir/cve/cve.log. >> >> Signed-off-by: Chen Qi <Qi.Chen@windriver.com> >> --- >> meta/classes/cve-check.bbclass | 11 +++++++---- >> 1 file changed, 7 insertions(+), 4 deletions(-) >> >> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve- >> check.bbclass >> index 0e4294f..496d744 100644 >> --- a/meta/classes/cve-check.bbclass >> +++ b/meta/classes/cve-check.bbclass >> @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched, >> cve_data): >> cve_file = d.getVar("CVE_CHECK_LOCAL_FILE") >> nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId=" >> write_string = "" >> - first_alert = True >> + has_unpatched_cve = False >> + unpatched_cves = [] >> bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR")) >> >> for cve in sorted(cve_data): 
>> @@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched, >> cve_data): >> if cve in patched: >> write_string += "CVE STATUS: Patched\n" >> else: >> + unpatched_cves.append(cve) >> write_string += "CVE STATUS: Unpatched\n" >> - if first_alert: >> - bb.warn("Found unpatched CVE, for more information >> check %s" % cve_file) >> - first_alert = False >> + has_unpatched_cve = True >> write_string += "CVE SUMMARY: %s\n" % >> cve_data[cve]["summary"] >> write_string += "CVSS v2 BASE SCORE: %s\n" % >> cve_data[cve]["score"] >> write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] >> write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, >> cve) >> >> + if has_unpatched_cve: > There's no need for the has_unpatched_cve variable, you can just test > whether the unpatched_cves list is empty: > >>>> foo = [] >>>> bar = [1, 2, 3] >>>> if foo: > ... print("foo") > ... >>>> if bar: > ... print("bar") > ... > bar > > Your conditional can just be: > > + if unpatched_cve: Thanks a lot. I'll send out V2. Best Regards, Chen Qi >> + bb.warn("Found unpatched CVE (%s), for more information >> check %s" % (" ".join(unpatched_cves),cve_file)) >> + >> with open(cve_file, "w") as f: >> bb.note("Writing file %s with CVE information" % cve_file) >> f.write(write_string) >> -- >> 1.9.1 >> ^ permalink raw reply [flat|nested] 4+ messages in thread