On Tue, Jul 12, 2022 at 12:28 PM akash hadke via lists.openembedded.org <akash.hadke=kpit....@lists.openembedded.org> wrote: > > Add an anonymous function to get patched CVEs from the recipe > and set the value to 'CVE_PATCHED' variable > This variable later can be used to do CVE data processing > outside of bitbake > > Also, introduce a new variable 'CVE_CHECK_WITH_DB' default set > to '0', when it is set to non zero value it avoids CVE scan for > unpatched CVEs from NVD DB. > It will work as the second operational mode for cve-check.bbclass > which only exports the data. > > Signed-off-by: Akash Hadke <akash.ha...@kpit.com> > --- > meta/classes/cve-check.bbclass | 15 +++++++++++++-- > 1 file changed, 13 insertions(+), 2 deletions(-) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index da7f93371c..b7f7ca73e5 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= "" > # set to "alphabetical" for version using single alphabetical character as > increment release > CVE_VERSION_SUFFIX ??= "" > > +# set to "1" for avoiding full scan for unpatched CVEs > +CVE_CHECK_WITH_DB ??= "0"
The default behavior is now to check with the database, so this should be at "1" by default. > + > +# Patched CVEs from recipe will be assigned to this variable > +CVE_PATCHED ??= "" > + > def generate_json_report(d, out_path, link_path): > if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")): > import json > @@ -133,13 +139,18 @@ python cve_save_summary_handler () { > addhandler cve_save_summary_handler > cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted" > > +python() { > + from oe.cve_check import get_patched_cves > + d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d))) > +} > + > python do_cve_check () { > """ > Check recipe for patched and unpatched CVEs > """ > from oe.cve_check import get_patched_cves > > - if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")): > + if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and > d.getVar("CVE_CHECK_WITH_DB") == "0": > try: > patched_cves = get_patched_cves(d) > except FileNotFoundError: Instead of the anonymous function, you could add a condition here. Regards, Marta
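Review bot: in the first hunk, the comment above `CVE_CHECK_WITH_DB ??= "0"` says `set to "1"`, but the gate added in `do_cve_check` compares against `"0"`, so any value other than `"0"` (an empty string included) disables the database scan; the commit message says "non zero value", and the comment, the check and the commit message should agree. The name `CVE_CHECK_WITH_DB` also reads as the opposite of what a non-zero value does. Testing `d.getVar("CVE_CHECK_WITH_DB") == "1"` with a default of `"1"` would make the name, the comment and the default consistent with the existing behaviour. Separately, `CVE_PATCHED ??= ""` is a weak default that the unconditional `d.setVar('CVE_PATCHED', ...)` in the anonymous function always overwrites, so the default is dead and a recipe or user cannot override the value; the comment should say the variable is computed by the class, not assignable.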
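Review bot: in the second hunk, the anonymous `python()` function calls `get_patched_cves(d)` at parse time with no error handling, while the same call inside `do_cve_check` is wrapped in `try: ... except FileNotFoundError:`; a recipe referencing a patch file that is not present would therefore fail to parse instead of failing only its cve-check task. Either wrap the parse-time call the same way or, as suggested above, drop the anonymous function and compute the value inside `do_cve_check` under a condition on `CVE_CHECK_WITH_DB`. Also, when `CVE_CHECK_WITH_DB` is not `"0"` the entire `if` body is skipped and the context shown does not include what runs instead, so the export-only mode the commit message describes should be written out explicitly in the task (set `CVE_PATCHED` and return) rather than left to whatever follows the skipped branch.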
View/Reply Online (#168286): https://lists.openembedded.org/g/openembedded-core/message/168286