On Tue, Jul 12, 2022 at 12:28 PM akash hadke via
lists.openembedded.org <akash.hadke=kpit....@lists.openembedded.org>
wrote:
>
> Add an anonymous function to get patched CVEs from the recipe
> and set the value to 'CVE_PATCHED' variable
> This variable later can be used to do CVE data processing
> outside of bitbake
>
> Also, introduce a new variable 'CVE_CHECK_WITH_DB', default set
> to '0'. When it is set to a non-zero value it avoids the CVE scan for
> unpatched CVEs from the NVD DB.
> It will work as the second operational mode for cve-check.bbclass
> which only exports the data.
>
> Signed-off-by: Akash Hadke <akash.ha...@kpit.com>
> ---
>  meta/classes/cve-check.bbclass | 15 +++++++++++++--
>  1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index da7f93371c..b7f7ca73e5 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>  # set to "alphabetical" for version using single alphabetical character as 
> increment release
>  CVE_VERSION_SUFFIX ??= ""
>
> +# set to "1" for avoiding full scan for unpatched CVEs
> +CVE_CHECK_WITH_DB ??= "0"

The default behavior is now to check with the database, so this should be at "1"
by default.

> +
> +# Patched CVEs from recipe will be assigned to this variable
> +CVE_PATCHED ??= ""
> +
>  def generate_json_report(d, out_path, link_path):
>      if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>          import json
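Review bot: the variable name in this hunk says the opposite of what the code does. CVE_CHECK_WITH_DB = "1" reads as "check against the database", yet the comment above it ("set to "1" for avoiding full scan") and the condition in do_cve_check only run the database scan when the value is "0". Either invert the semantics so that "1" means the scan runs (which also fits the request to make "1" the default), or rename it to something like CVE_CHECK_SKIP_DB (placeholder name) so that the name, the comment and the commit message ("non zero value ... avoids CVE scan") agree. Also, CVE_PATCHED ??= "" is overwritten unconditionally by the anonymous function, so its comment should state that the value is computed and that any user assignment is ignored.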
> @@ -133,13 +139,18 @@ python cve_save_summary_handler () {
>  addhandler cve_save_summary_handler
>  cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted"
>
> +python() {
> +    from oe.cve_check import get_patched_cves
> +    d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d)))
> +}
> +
>  python do_cve_check () {
>      """
>      Check recipe for patched and unpatched CVEs
>      """
>      from oe.cve_check import get_patched_cves
>
> -    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
> +    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and 
> d.getVar("CVE_CHECK_WITH_DB") == "0":
>          try:
>              patched_cves = get_patched_cves(d)
>          except FileNotFoundError:
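Review bot: the anonymous python() function calls get_patched_cves(d) without the try/except FileNotFoundError that do_cve_check keeps around its own call (visible at the end of this hunk), so a recipe with a missing patch file now fails at parse time for every build inheriting this class instead of failing only the do_cve_check task. Wrap the call the same way, or put the condition inside do_cve_check and drop the parse-time call, which also avoids running get_patched_cves twice per recipe. Separately, d.getVar("CVE_CHECK_WITH_DB") == "0" matches only that exact string: an unset or empty value (None or "") silently disables the NVD scan, which is the wrong failure direction for a security check. Compare against "1" (or use oe.types.boolean) and emit a bb.note when the database scan is skipped, so an empty unpatched-CVE list in the report is not mistaken for a clean result.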

Instead of the anonymous function, you could add a condition here.


Regards,
Marta
View/Reply Online (#168286): https://lists.openembedded.org/g/openembedded-core/message/168286