[oe-commits] [openembedded-core] 19/49: cve-check: allow comparison of Vendor as well as Product

git at git.openembedded.org git at git.openembedded.org
Wed Nov 6 20:45:06 UTC 2019


This is an automated email from the git hooks/post-receive script.

rpurdie pushed a commit to branch sumo-next
in repository openembedded-core.

commit 0851d68b4679a7035029d28091d9a6b21d266c99
Author: Ross Burton <ross.burton at intel.com>
AuthorDate: Wed Nov 6 17:37:32 2019 +0200

    cve-check: allow comparison of Vendor as well as Product
    
    Some product names are too vague to be searched without also matching the
    vendor, for example Flex could be the parser compiler we ship, or Adobe Flex, or
    Apache Flex, or IBM Flex.
    
    If entries in CVE_PRODUCT contain a colon then split it as vendor:product to improve the search.
    
    Also don't use .format() to construct SQL as that can lead to security
    issues. Instead, use ? placeholders and let sqlite3 handle the escaping.
    
    (From OE-Core rev: e6bf90009877d00243417898700d2320fd87b39c)
    
    Signed-off-by: Ross Burton <ross.burton at intel.com>
    Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/classes/cve-check.bbclass | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 2a13816..e8668b2 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -190,12 +190,16 @@ def check_cves(d, patched_cves):
     import sqlite3
     db_file = d.getVar("CVE_CHECK_DB_FILE")
     conn = sqlite3.connect(db_file)
-    c = conn.cursor()
-
-    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS '{0}';"
 
     for product in products:
-        for row in c.execute(query.format(product, pv)):
+        c = conn.cursor()
+        if ":" in product:
+            vendor, product = product.split(":", 1)
+            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor))
+        else:
+            c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,))
+
+        for row in c:
             cve = row[1]
             version_start = row[4]
             operator_start = row[5]
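Review bot: the loop now rebinds its own iteration variable `product` when the entry contains a colon (`vendor, product = product.split(":", 1)`), so anything later in the loop body that uses `product` sees only the product half and loses the `vendor:` prefix from CVE_PRODUCT; if the name is reported or logged further down, bind the split result to a fresh name instead, e.g. `vendor, cve_product = product.split(":", 1)`. Replacing `query.format(product, pv)` with `?` placeholders is the right fix for the string-built SQL (it also drops the unused `pv` argument), and `IS ?` matches like `=` for the non-NULL values passed here. Two smaller points: `c = conn.cursor()` does not need to sit inside the loop, since a single cursor created before it can be re-used by each `execute` call, and the new `vendor:product` syntax should be described where CVE_PRODUCT is documented, as this hunk only changes the lookup code.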
