Add an anonymous function to get patched CVEs from the recipe and set the value to the 'CVE_PATCHED' variable. This variable can later be used to do CVE data processing outside of bitbake.
Also, introduce a new variable 'CVE_CHECK_WITH_DB' default set to '0', when it is set to non zero value it avoids CVE scan for unpatched CVEs from NVD DB. It will work as the second operational mode for cve-check.bbclass which only exports the data.
Signed-off-by: Akash Hadke <[email protected]>
---
 meta/classes/cve-check.bbclass | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index da7f93371c..b7f7ca73e5 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as increment release
 CVE_VERSION_SUFFIX ??= ""
 
+# set to "1" for avoiding full scan for unpatched CVEs
+CVE_CHECK_WITH_DB ??= "0"
+
+# Patched CVEs from recipe will be assigned to this variable
+CVE_PATCHED ??= ""
+
 def generate_json_report(d, out_path, link_path):
     if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
         import json
@@ -133,13 +139,18 @@ python cve_save_summary_handler () {
 addhandler cve_save_summary_handler
 cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted"
 
+python() {
+    from oe.cve_check import get_patched_cves
+    d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d)))
+}
+
 python do_cve_check () {
     """
     Check recipe for patched and unpatched CVEs
     """
     from oe.cve_check import get_patched_cves
 
-    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and d.getVar("CVE_CHECK_WITH_DB") == "0":
         try:
             patched_cves = get_patched_cves(d)
         except FileNotFoundError:
@@ -154,7 +165,7 @@ python do_cve_check () {
 }
 
 addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-db-native:do_fetch"
+do_cve_check[depends] = "${@'cve-update-db-native:do_fetch' if d.getVar('CVE_CHECK_WITH_DB') == '0' else ''}"
 do_cve_check[nostamp] = "1"
 
 python cve_check_cleanup () {
-- 
2.17.1
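Review bot: The variable name CVE_CHECK_WITH_DB says the opposite of what its own comment describes — setting it to "1" disables the NVD database scan, so every reader has to invert the name. If a rename is off the table, the comment should at least spell out the inversion and the export-only mode: `# Set to "1" to skip the NVD database scan for unpatched CVEs; the class then only exports the recipe's patched CVE list via CVE_PATCHED`. The CVE_PATCHED comment should also say that the value is taken from the recipe's own metadata (it appears to be filled in at parse time by the anonymous function added further down) and is therefore a claim made by the recipe, not an independently verified fix, so tooling that consumes it outside bitbake should treat it as such.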
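Review bot: The new anonymous function calls get_patched_cves(d) without the `except FileNotFoundError` guard that do_cve_check keeps a few lines further down in the same hunk, so a recipe whose patch file cannot be located would now fail while parsing, for every build that inherits this class and regardless of CVE_CHECK_WITH_DB. It should mirror that guard and fall back to an empty result. If get_patched_cves returns a set, as the unordered join suggests, the exported string should also be sorted so that CVE_PATCHED is stable between parses and diffable by whatever consumes it. Note too that the commit message promises "non zero value" semantics, but both this hunk and the do_cve_check[depends] expression in the last hunk compare against the exact string "0", so values such as "00" or "0 " would silently skip the database scan. do_cve_check's body continues outside the hunk.
```bitbake
python() {
    from oe.cve_check import get_patched_cves
    try:
        patched_cves = get_patched_cves(d)
    except FileNotFoundError:
        # Mirror do_cve_check: a missing patch file must not abort parsing.
        patched_cves = set()
    # Sorted so the exported value is deterministic across parses.
    d.setVar('CVE_PATCHED', " ".join(sorted(patched_cves)))
}
```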
