* [PATCH] cve-check: show whitelisted status
From: chee.yang.lee @ 2020-03-06 2:27 UTC (permalink / raw)
To: openembedded-core
From: Chee Yang Lee <chee.yang.lee@intel.com>
change whitelisted CVE status from "Patched" to "Whitelisted".
[Yocto #13687]
Signed-off-by: Chee Yang Lee <chee.yang.lee@intel.com>
---
meta/classes/cve-check.bbclass | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 7412436..7f98da6 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -56,10 +56,10 @@ python do_cve_check () {
patched_cves = get_patches_cves(d)
except FileNotFoundError:
bb.fatal("Failure in searching patches")
- patched, unpatched = check_cves(d, patched_cves)
+ whitelisted, patched, unpatched = check_cves(d, patched_cves)
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
- cve_write_data(d, patched, unpatched, cve_data)
+ cve_write_data(d, patched, unpatched, whitelisted, cve_data)
else:
bb.note("No CVE database found, skipping CVE check")
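Review bot: In do_cve_check the guard `if patched or unpatched:` and the call `get_cve_info(d, patched + unpatched)` are left as they were, so the new whitelisted list plays no part in deciding whether a report is written or which CVEs have their details fetched. Unless check_cves also keeps whitelisted CVEs in patched, they will have no entry in cve_data, and a recipe whose only CVEs are whitelisted produces no report at all. Either say in the commit message that whitelisted is a subset of patched, or include whitelisted in both the condition and the get_cve_info argument.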
@@ -263,7 +263,7 @@ def check_cves(d, patched_cves):
conn.close()
- return (list(patched_cves), cves_unpatched)
+ return (list(cve_whitelist), list(patched_cves), cves_unpatched)
def get_cve_info(d, cves):
"""
@@ -287,7 +287,7 @@ def get_cve_info(d, cves):
conn.close()
return cve_data
-def cve_write_data(d, patched, unpatched, cve_data):
+def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
"""
Write CVE information in WORKDIR; and to CVE_CHECK_DIR, and
CVE manifest if enabled.
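Review bot: The new whitelisted parameter of cve_write_data is inserted before cve_data, which moves an existing positional argument, and the docstring is not updated. Any caller other than the one changed in do_cve_check that passes cve_data positionally would now bind it to whitelisted. Consider appending the parameter after cve_data, or confirm there are no other callers, and add a docstring line saying what whitelisted contains.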
@@ -303,7 +303,9 @@ def cve_write_data(d, patched, unpatched, cve_data):
write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
write_string += "PACKAGE VERSION: %s\n" % d.getVar("PV")
write_string += "CVE: %s\n" % cve
- if cve in patched:
+ if cve in whitelisted:
+ write_string += "CVE STATUS: Whitelisted\n"
+ elif cve in patched:
write_string += "CVE STATUS: Patched\n"
else:
unpatched_cves.append(cve)
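Review bot: The `if cve in whitelisted:` test comes before `elif cve in patched:`, so a CVE that is both whitelisted and fixed by a patch is reported as Whitelisted; the commit message should state that this precedence is intended. "CVE STATUS: Whitelisted" is also a new value in the report file, so anything that parses the status line should be mentioned in the commit message or the documentation. Since whitelisted arrives as `list(cve_whitelist)`, each membership test is a linear scan; passing a set would avoid that.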
--
2.7.4
* Re: [PATCH] cve-check: show whitelisted status
From: Adrian Bunk @ 2020-03-08 12:22 UTC (permalink / raw)
To: chee.yang.lee; +Cc: openembedded-core
On Fri, Mar 06, 2020 at 10:27:26AM +0800, chee.yang.lee@intel.com wrote:
> From: Chee Yang Lee <chee.yang.lee@intel.com>
>
> change whitelisted CVE status from "Patched" to "Whitelisted".
>...
Thanks a lot for working on this.
>...
> index 7412436..7f98da6 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -56,10 +56,10 @@ python do_cve_check () {
> patched_cves = get_patches_cves(d)
> except FileNotFoundError:
> bb.fatal("Failure in searching patches")
> - patched, unpatched = check_cves(d, patched_cves)
> + whitelisted, patched, unpatched = check_cves(d, patched_cves)
>...
Unfortunately this doesn't work:
$ . oe-init-build-env
$ echo 'INHERIT += "cve-check"' >> conf/local.conf
$ bitbake core-image-minimal
...
ERROR: glibc-locale-2.31-r0 do_cve_check: Error executing a python function in exec_python_func() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:do_cve_check(d)
0003:
File: '/tmp/poky/meta/classes/cve-check.bbclass', lineno: 59, function: do_cve_check
0055: try:
0056: patched_cves = get_patches_cves(d)
0057: except FileNotFoundError:
0058: bb.fatal("Failure in searching patches")
*** 0059: whitelisted, patched, unpatched = check_cves(d, patched_cves)
0060: if patched or unpatched:
0061: cve_data = get_cve_info(d, patched + unpatched)
0062: cve_write_data(d, patched, unpatched, whitelisted, cve_data)
0063: else:
Exception: ValueError: not enough values to unpack (expected 3, got 2)
ERROR: Logfile of failure stored in: /tmp/poky/build/tmp/work/core2-64-poky-linux/glibc-locale/2.31-r0/temp/log.do_cve_check.3713
ERROR: Task (/tmp/poky/meta/recipes-core/glibc/glibc-locale_2.31.bb:do_cve_check) failed with exit code '1'
cu
Adrian