From: Akash Hadke <akash.hadke@kpit.com>
To: openembedded-core@lists.openembedded.org
Cc: ranjitsinh.rathod@kpit.com
Subject: [poky][master][kirkstone][PATCH] cve-check.bbclass: Add anonymous function to get patched CVEs from recipe
Date: Tue, 12 Jul 2022 12:27:29 +0200 [thread overview]
Message-ID: <20220712102729.24407-1-akash.hadke@kpit.com> (raw)
Add an anonymous function to get patched CVEs from the recipe
and set the value to 'CVE_PATCHED' variable
This variable later can be used to do CVE data processing
outside of bitbake
Also, introduce a new variable 'CVE_CHECK_WITH_DB' default set
to '0', when it is set to non zero value it avoids CVE scan for
unpatched CVEs from NVD DB.
It will work as the second operational mode for cve-check.bbclass
which only exports the data.
Signed-off-by: Akash Hadke <akash.hadke@kpit.com>
---
meta/classes/cve-check.bbclass | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index da7f93371c..b7f7ca73e5 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+# set to "1" for avoiding full scan for unpatched CVEs
+CVE_CHECK_WITH_DB ??= "0"
+
+# Patched CVEs from recipe will be assigned to this variable
+CVE_PATCHED ??= ""
+
def generate_json_report(d, out_path, link_path):
if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
import json
@@ -133,13 +139,18 @@ python cve_save_summary_handler () {
addhandler cve_save_summary_handler
cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted"
+python() {
+ from oe.cve_check import get_patched_cves
+ d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d)))
+}
+
python do_cve_check () {
"""
Check recipe for patched and unpatched CVEs
"""
from oe.cve_check import get_patched_cves
- if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and d.getVar("CVE_CHECK_WITH_DB") == "0":
try:
patched_cves = get_patched_cves(d)
except FileNotFoundError:
@@ -154,7 +165,7 @@ python do_cve_check () {
}
addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-db-native:do_fetch"
+do_cve_check[depends] = "${@'cve-update-db-native:do_fetch' if d.getVar('CVE_CHECK_WITH_DB') == '0' else ''}"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
--
2.17.1
next reply other threads:[~2022-07-12 10:28 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-12 10:27 Akash Hadke [this message]
2022-07-12 11:00 ` [OE-core] [poky][master][kirkstone][PATCH] cve-check.bbclass: Add anonymous function to get patched CVEs from recipe Ross Burton
2022-07-12 11:21 ` akash hadke
2022-07-18 15:16 ` [OE-core] " Ross Burton
2022-07-19 7:54 ` akash hadke
2022-07-20 11:41 ` [OE-core] " Ross Burton
2022-07-21 10:37 ` akash hadke
2022-07-19 18:49 ` [OE-core] " Marta Rybczynska
2022-07-20 7:47 ` akash hadke
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220712102729.24407-1-akash.hadke@kpit.com \
--to=akash.hadke@kpit.com \
--cc=openembedded-core@lists.openembedded.org \
--cc=ranjitsinh.rathod@kpit.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox