On Wed, Jul 20, 2022 at 12:19 AM, Marta Rybczynska wrote:

> 
> On Tue, Jul 12, 2022 at 12:28 PM akash hadke via
> lists.openembedded.org <[email protected]>
> wrote:
> 
>> Add an anonymous function to get patched CVEs from the recipe
>> and set the value of the 'CVE_PATCHED' variable.
>> This variable can later be used to do CVE data processing
>> outside of bitbake.
>> 
>> Also, introduce a new variable 'CVE_CHECK_WITH_DB', defaulting
>> to '0'; when it is set to a non-zero value it avoids the CVE scan for
>> unpatched CVEs from the NVD DB.
>> It will work as the second operational mode for cve-check.bbclass,
>> which only exports the data.
>> 
>> Signed-off-by: Akash Hadke <[email protected]>
>> ---
>> meta/classes/cve-check.bbclass | 15 +++++++++++++--
>> 1 file changed, 13 insertions(+), 2 deletions(-)
>> 
>> diff --git a/meta/classes/cve-check.bbclass
>> b/meta/classes/cve-check.bbclass
>> index da7f93371c..b7f7ca73e5 100644
>> --- a/meta/classes/cve-check.bbclass
>> +++ b/meta/classes/cve-check.bbclass
>> @@ -82,6 +82,12 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>> # set to "alphabetical" for version using single alphabetical character as
>> increment release
>> CVE_VERSION_SUFFIX ??= ""
>> 
>> +# set to "1" for avoiding full scan for unpatched CVEs
>> +CVE_CHECK_WITH_DB ??= "0"
> 
> The default behavior is now to check with the database, so this should be
> at "1" by default.

Ok, I will update it once all discussion is completed.

> 
> 
>> +
>> +# Patched CVEs from recipe will be assigned to this variable
>> +CVE_PATCHED ??= ""
>> +
>> def generate_json_report(d, out_path, link_path):
>> if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>> import json
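Review bot: the name and comment at `+CVE_CHECK_WITH_DB ??= "0"` read inverted relative to the behaviour the commit message describes: "0" is the mode that consults the database and "1" is the mode that avoids the scan, so a reader would naturally expect `CVE_CHECK_WITH_DB = "1"` to mean "check with the DB". Either flip the sense so that "1" is the default and means "use the database", as raised above, or choose a name that states what a non-zero value does (a skip/export-only style flag), and make the comment and the commit message agree (the comment says `set to "1"`, the commit message says any non-zero value). It would also help to note next to `+CVE_PATCHED ??= ""` that the variable is populated at parse time by the class itself and is not meant to be set in recipes.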
>> @@ -133,13 +139,18 @@ python cve_save_summary_handler () {
>> addhandler cve_save_summary_handler
>> cve_save_summary_handler[eventmask] = "bb.event.BuildCompleted"
>> 
>> +python() {
>> + from oe.cve_check import get_patched_cves
>> + d.setVar('CVE_PATCHED', " ".join(get_patched_cves(d)))
>> +}
>> +
>> python do_cve_check () {
>> """
>> Check recipe for patched and unpatched CVEs
>> """
>> from oe.cve_check import get_patched_cves
>> 
>> - if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
>> + if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and
>> d.getVar("CVE_CHECK_WITH_DB") == "0":
>> try:
>> patched_cves = get_patched_cves(d)
>> except FileNotFoundError:
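Review bot: the anonymous `python() { ... }` block calls `get_patched_cves(d)` unguarded at parse time, while the same call inside `do_cve_check` is wrapped in `try: ... except FileNotFoundError:`; whatever that handler exists for will now abort recipe parsing instead of only the cve_check task, so the anonymous function needs equivalent handling. The task then calls `get_patched_cves(d)` a second time although `CVE_PATCHED` already holds the result; reading `d.getVar("CVE_PATCHED").split()` there would avoid the duplicated work. The new condition `d.getVar("CVE_CHECK_WITH_DB") == "0"` treats every other value, including an empty string, as "skip the database", which matches the commit message's non-zero wording but not the `set to "1"` comment; settle on one documented contract. Lastly, if the line break after `and` in `+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and` is in the patch and not just mail wrapping, it is a Python syntax error; the condition must be on one line or continued with parentheses.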
> 
> Instead of the anonymous function, you could add a condition here.

If I use a condition instead of an anonymous function, I will not be able to
get the value of the CVE_PATCHED variable in other tasks. The value will be
accessed only in the cve_check task. Hence I used the anonymous function.
As per my understanding, this is the only way; please let me know if there is
any other way to achieve this.

> 
> 
> Regards,
> Marta

BR,
Akash
View/Reply Online (#168293): https://lists.openembedded.org/g/openembedded-core/message/168293