[oe-commits] [openembedded-core] 01/03: cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
git at git.openembedded.org
git at git.openembedded.org
Thu Jul 18 15:28:13 UTC 2019
This is an automated email from the git hooks/post-receive script.
rpurdie pushed a commit to branch master-next
in repository openembedded-core.
commit f955ecb8ae4534baaeb9f1e8a937bcaaf00c5b58
Author: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
AuthorDate: Thu Jul 18 14:41:18 2019 +0200
cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
CVE_CHECK_WHITELIST does not contain version anymore, as it was not
used. This variable should be set per recipe.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
meta/classes/cve-check.bbclass | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e8668b2..512d4c7 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,15 +39,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1"
# Whitelist for packages (PN)
CVE_CHECK_PN_WHITELIST ?= ""
-# Whitelist for CVE and version of package. If a CVE is found then the PV is
-# compared with the version list, and if found the CVE is considered
-# patched.
-#
-# The value should be valid Python in this format:
-# {
-# 'CVE-2014-2524': ('6.3','5.2')
-# }
-CVE_CHECK_CVE_WHITELIST ?= "{}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+#
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+#
+CVE_CHECK_WHITELIST ?= ""
python do_cve_check () {
"""
@@ -185,7 +182,10 @@ def check_cves(d, patched_cves):
bb.note("Recipe has been whitelisted, skipping check")
return ([], [])
- cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
+ old_cve_whitelist = d.getVar("CVE_CHECK_CVE_WHITELIST")
+ if old_cve_whitelist:
+ bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
+ cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
import sqlite3
db_file = d.getVar("CVE_CHECK_DB_FILE")
@@ -206,7 +206,7 @@ def check_cves(d, patched_cves):
version_end = row[6]
operator_end = row[7]
- if pv in cve_whitelist.get(cve, []):
+ if cve in cve_whitelist:
bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
elif cve in patched_cves:
bb.note("%s has been patched" % (cve))
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list