From: <Mikko.Rapeli@bmw.de>
To: <konstantin.shemyak@ge.com>
Cc: openembedded-core@lists.openembedded.org
Subject: Re: [PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks
Date: Mon, 13 Aug 2018 09:12:37 +0000 [thread overview]
Message-ID: <20180813091233.GZ8291@hiutale> (raw)
In-Reply-To: <20180813072328.107451-1-konstantin.shemyak@ge.com>
On Mon, Aug 13, 2018 at 10:23:28AM +0300, Konstantin Shemyak wrote:
> Disable downloading of the vulnerability DB in do_check_cves() task.
>
> When invoked in this task, cve-check-tool attempts re-download of the CVE DB
> if the latter is older than certain threshold. While reasonable for a
> stand-alone CVE checker, this behavior can cause errors in parallel builds
> if the build time is longer than this threshold:
> * Other tasks might be using the DB.
> * Several packages can start the download of the same file at the same time.
>
> This check is not really needed, as the DB has been downloaded by
> cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
> The DB will be at most (threshold + build_time) old.
>
> Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com>
> ---
> meta/classes/cve-check.bbclass | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 4d99838..12ad3e5 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -179,7 +179,7 @@ def check_cves(d, patched_cves):
> cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
> cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
> cve_cmd = "cve-check-tool"
> - cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
> + cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
>
> # If the recipe has been whitlisted we return empty lists
> if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
> --
ACK.
Reviewed-by: Mikko Rapeli <mikko.rapeli@bmw.de>
prev parent reply other threads:[~2018-08-13 9:22 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-13 7:23 [PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks Konstantin Shemyak
2018-08-13 9:12 ` Mikko.Rapeli [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180813091233.GZ8291@hiutale \
--to=mikko.rapeli@bmw.de \
--cc=konstantin.shemyak@ge.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox