Re: [OE-core] [PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks
On Mon, Aug 13, 2018 at 10:23:28AM +0300, Konstantin Shemyak wrote: > Disable downloading of the vulnerability DB in do_check_cves() task. > > When invoked in this task, cve-check-tool attempts re-download of the CVE DB > if the latter is older than certain threshold. While reasonable for a > stand-alone CVE checker, this behavior can cause errors in parallel builds > if the build time is longer than this threshold: > * Other tasks might be using the DB. > * Several packages can start the download of the same file at the same time. > > This check is not really needed, as the DB has been downloaded by > cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build(). > The DB will be at most (threshold + build_time) old. > > Signed-off-by: Konstantin Shemyak > --- > meta/classes/cve-check.bbclass | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 4d99838..12ad3e5 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -179,7 +179,7 @@ def check_cves(d, patched_cves): > cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") > cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) > cve_cmd = "cve-check-tool" > -cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", > "-d", cve_db_dir] > +cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", > "-t", "faux", "-d", cve_db_dir] > > # If the recipe has been whitlisted we return empty lists > if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): > -- ACK. Reviewed-by: Mikko Rapeli -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
[OE-core] [PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks
Disable downloading of the vulnerability DB in do_check_cves() task. When invoked in this task, cve-check-tool attempts re-download of the CVE DB if the latter is older than certain threshold. While reasonable for a stand-alone CVE checker, this behavior can cause errors in parallel builds if the build time is longer than this threshold: * Other tasks might be using the DB. * Several packages can start the download of the same file at the same time. This check is not really needed, as the DB has been downloaded by cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build(). The DB will be at most (threshold + build_time) old. Signed-off-by: Konstantin Shemyak --- meta/classes/cve-check.bbclass | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 4d99838..12ad3e5 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -179,7 +179,7 @@ def check_cves(d, patched_cves): cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) cve_cmd = "cve-check-tool" -cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] +cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] # If the recipe has been whitlisted we return empty lists if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): -- 2.10.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core