summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRoss Burton <ross.burton@intel.com>2019-12-08 20:35:48 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2019-12-16 23:11:10 +0000
commit1675f9638ab6387f492cefa9eac106f627722e12 (patch)
tree14e1fbda5c33f38bfdef53cc6831d98892b0185e
parent593fe7e35267f665dbb37cc0abcc82be55ac67f8 (diff)
downloadpoky-1675f9638ab6387f492cefa9eac106f627722e12.tar.gz
poky-1675f9638ab6387f492cefa9eac106f627722e12.tar.bz2
poky-1675f9638ab6387f492cefa9eac106f627722e12.zip
cve-check: ensure all known CVEs are in the report
CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 9d01a64844998d98fcfcebbe8580422094cd2dde) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass9
1 files changed, 7 insertions, 2 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c00d2910be..f87bcc9dc6 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves):
if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
+ # TODO: this should be in the report as 'whitelisted'
+ patched_cves.add(cve)
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
else:
to_append = False
if (operator_start == '=' and pv == version_start):
- cves_unpatched.append(cve)
+ to_append = True
else:
if operator_start:
try:
@@ -243,8 +245,11 @@ def check_cves(d, patched_cves):
to_append = to_append_start or to_append_end
if to_append:
+ bb.note("%s-%s is vulnerable to %s" % (product, pv, cve))
cves_unpatched.append(cve)
- bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve))
+ else:
+ bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve))
+ patched_cves.add(cve)
conn.close()
return (list(patched_cves), cves_unpatched)