[PATCH V2 0/1] cve-check.bbclass: make warning contain CVE IDs

Openembedded Core Discussions
 help / color / mirror / Atom feed

* [PATCH V2 0/1] cve-check.bbclass: make warning contain CVE IDs
@ 2017-05-09  9:31 Chen Qi
  2017-05-09  9:31 ` [PATCH V2 1/1] " Chen Qi
  0 siblings, 1 reply; 2+ messages in thread
From: Chen Qi @ 2017-05-09  9:31 UTC (permalink / raw)
  To: openembedded-core

The following changes since commit 381897c64069ea43d595380a3ae913bcc79cf7e1:

  build-appliance-image: Update to master head revision (2017-05-01 08:56:47 +0100)

are available in the git repository at:

  git://git.pokylinux.org/poky-contrib ChenQi/cve-check-warning
  http://git.pokylinux.org/cgit.cgi/poky-contrib/log/?h=ChenQi/cve-check-warning

Chen Qi (1):
  cve-check.bbclass: make warning contain CVE IDs

 meta/classes/cve-check.bbclass | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

-- 
1.9.1



^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PATCH V2 1/1] cve-check.bbclass: make warning contain CVE IDs
  2017-05-09  9:31 [PATCH V2 0/1] cve-check.bbclass: make warning contain CVE IDs Chen Qi
@ 2017-05-09  9:31 ` Chen Qi
  0 siblings, 0 replies; 2+ messages in thread
From: Chen Qi @ 2017-05-09  9:31 UTC (permalink / raw)
  To: openembedded-core

When warning users about unpatched CVE, we'd better put CVE IDs into
the warning message, so that it would be more straight forward for the
user to know which CVEs are not patched.

So instead of:
  WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log.
We should have:
  WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log.

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
---
 meta/classes/cve-check.bbclass | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0e4294f..3a9e227 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -234,7 +234,7 @@ def cve_write_data(d, patched, unpatched, cve_data):
     cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
     nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
     write_string = ""
-    first_alert = True
+    unpatched_cves = []
     bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
 
     for cve in sorted(cve_data):
@@ -244,15 +244,16 @@ def cve_write_data(d, patched, unpatched, cve_data):
         if cve in patched:
             write_string += "CVE STATUS: Patched\n"
         else:
+            unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
-            if first_alert:
-                bb.warn("Found unpatched CVE, for more information check %s" % cve_file)
-                first_alert = False
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
         write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
         write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
 
+    if unpatched_cves:
+        bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
+
     with open(cve_file, "w") as f:
         bb.note("Writing file %s with CVE information" % cve_file)
         f.write(write_string)
-- 
1.9.1



^ permalink raw reply related	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-05-09  9:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-05-09  9:31 [PATCH V2 0/1] cve-check.bbclass: make warning contain CVE IDs Chen Qi
2017-05-09  9:31 ` [PATCH V2 1/1] " Chen Qi

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox