Openembedded Core Discussions
* [PATCH 1/3] cve-check: allow recipes to override the product name
@ 2016-12-07 16:50 Ross Burton
  2016-12-07 16:50 ` [PATCH 2/3] tiff: set CVE_PRODUCT Ross Burton
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Ross Burton @ 2016-12-07 16:50 UTC
  To: openembedded-core

Add a new variable CVE_PRODUCT for the product name to look up in the NVD
database.  Default this to BPN, but allow recipes such as tiff (which is libtiff
in NVD) to override it.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/classes/cve-check.bbclass | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index b0febfb..75b8fa9 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -20,6 +20,10 @@
 # the only method to check against CVEs. Running this tool
 # doesn't guarantee your packages are free of CVEs.
 
+# The product name that the CVE database uses.  Defaults to BPN, but may need to
+# be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
+CVE_PRODUCT ?= "${BPN}"
+
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
 
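Review bot: the new header comment in this hunk misspells "overridden" as "overriden" ("may need to be overriden per recipe"); since this lands in the class documentation users read first, fix it before merging. The weak default `CVE_PRODUCT ?= "${BPN}"` is the right choice here, as a recipe's plain `CVE_PRODUCT = "..."` assignment will win over it, but note that the variable holds a single name, so a recipe that is tracked under more than one NVD product has no way to express that; worth stating in the commit message as a known limitation.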
@@ -144,7 +148,7 @@ def check_cves(d, patched_cves):
 
     cves_patched = []
     cves_unpatched = []
-    bpn = d.getVar("BPN", True)
+    bpn = d.getVar("CVE_PRODUCT")
     pv = d.getVar("PV", True).split("git+")[0]
     cves = " ".join(patched_cves)
     cve_db_dir = d.getVar("CVE_CHECK_DB_DIR", True)
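Review bot: `d.getVar("CVE_PRODUCT")` drops the `True` expand argument that every neighbouring call in this function passes (`d.getVar("PV", True)`, `d.getVar("CVE_CHECK_DB_DIR", True)`). On a bitbake whose `getVar` does not expand by default, the `?= "${BPN}"` default from the first hunk comes back as the literal string `${BPN}`, so every recipe that does not set CVE_PRODUCT explicitly would be looked up under that name instead of its real one, and the check would quietly stop finding anything for those recipes. Use `d.getVar("CVE_PRODUCT", True)` to match the surrounding code. Minor: the local is still named `bpn` although it no longer necessarily holds BPN; renaming it to `product` would keep the code honest.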
-- 
2.8.1



* [PATCH 2/3] tiff: set CVE_PRODUCT
From: Ross Burton @ 2016-12-07 16:50 UTC
  To: openembedded-core

This is 'libtiff' in NVD.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/recipes-multimedia/libtiff/tiff_4.0.6.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
index 5fccde9..963d4b3 100644
--- a/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
+++ b/meta/recipes-multimedia/libtiff/tiff_4.0.6.bb
@@ -2,6 +2,8 @@ SUMMARY = "Provides support for the Tag Image File Format (TIFF)"
 LICENSE = "BSD-2-Clause"
 LIC_FILES_CHKSUM = "file://COPYRIGHT;md5=34da3db46fab7501992f9615d7e158cf"
 
+CVE_PRODUCT = "libtiff"
+
 SRC_URI = "http://download.osgeo.org/libtiff/tiff-${PV}.tar.gz \
            file://libtool2.patch \
            file://CVE-2015-8665_8683.patch \
-- 
2.8.1



* [PATCH 3/3] curl: set CVE_PRODUCT
From: Ross Burton @ 2016-12-07 16:50 UTC
  To: openembedded-core

This is 'libcurl' in NVD.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
 meta/recipes-support/curl/curl_7.51.0.bb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/recipes-support/curl/curl_7.51.0.bb b/meta/recipes-support/curl/curl_7.51.0.bb
index e1a996b..a9589b8 100644
--- a/meta/recipes-support/curl/curl_7.51.0.bb
+++ b/meta/recipes-support/curl/curl_7.51.0.bb
@@ -17,6 +17,7 @@ SRC_URI += " file://configure_ac.patch"
 SRC_URI[md5sum] = "09a7c5769a7eae676d5e2c86d51f167e"
 SRC_URI[sha256sum] = "7f8240048907e5030f67be0a6129bc4b333783b9cca1391026d700835a788dde"
 
+CVE_PRODUCT = "libcurl"
 inherit autotools pkgconfig binconfig multilib_header
 
 PACKAGECONFIG ??= "${@bb.utils.contains("DISTRO_FEATURES", "ipv6", "ipv6", "", d)} gnutls proxy zlib"
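Review bot: style nit, `CVE_PRODUCT = "libcurl"` is inserted directly against the `inherit` line with no blank line after it, whereas the tiff patch in this series leaves a blank line around the new assignment; add the separating blank line here so the two recipes read the same way and the variable sits visibly with the other recipe metadata rather than looking like part of the inherit block.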
-- 
2.8.1



* Re: [PATCH 1/3] cve-check: allow recipes to override the product name
From: Mariano Lopez @ 2016-12-07 17:05 UTC
  To: Ross Burton, openembedded-core



On 07/12/16 10:50, Ross Burton wrote:
> Add a new variable CVE_PRODUCT for the product name to look up in the NVD
> database.  Default this to BPN, but allow recipes such as tiff (which is libtiff
> in NVD) to override it.
>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
>
I like the idea of being able to override the name that cve-check-tool
checks. The only drawback would be the burden of adding these to the
recipes that need them. This is still better than having to guess the
correct name, or to check PROVIDES or RPROVIDES; there are just too many
corner cases. So this solution has my approval.
