[OE-core] [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs

Joshua Lock joshua.g.lock at linux.intel.com
Tue May 9 09:17:28 UTC 2017 

On Tue, 2017-05-09 at 17:13 +0800, Chen Qi wrote:
> When warning users about unpatched CVE, we'd better put CVE IDs into
> the warning message, so that it would be more straight forward for
> the
> user to know which CVEs are not patched.
> 
> So instead of:
>   WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for
> more information check /path/to/workdir/cve/cve.log.
> We should have:
>   WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-
> 2017-7869), for more information check /path/to/workdir/cve/cve.log.
> 
> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> ---
>  meta/classes/cve-check.bbclass | 11 +++++++----
>  1 file changed, 7 insertions(+), 4 deletions(-)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> check.bbclass
> index 0e4294f..496d744 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched,
> cve_data):
>      cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
>      nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
>      write_string = ""
> -    first_alert = True
> +    has_unpatched_cve = False
> +    unpatched_cves = []
>      bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
>  
>      for cve in sorted(cve_data):
> @@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched,
> cve_data):
>          if cve in patched:
>              write_string += "CVE STATUS: Patched\n"
>          else:
> +            unpatched_cves.append(cve)
>              write_string += "CVE STATUS: Unpatched\n"
> -            if first_alert:
> -                bb.warn("Found unpatched CVE, for more information
> check %s" % cve_file)
> -                first_alert = False
> +            has_unpatched_cve = True
>          write_string += "CVE SUMMARY: %s\n" %
> cve_data[cve]["summary"]
>          write_string += "CVSS v2 BASE SCORE: %s\n" %
> cve_data[cve]["score"]
>          write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
>          write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
> cve)
>  
> +    if has_unpatched_cve:

There's no need for the has_unpatched_cve variable, you can just test
whether the unpatched_cves list is empty:

>>> foo = []
>>> bar = [1, 2, 3]
>>> if foo:
...   print("foo")
... 
>>> if bar:
...   print("bar")
... 
bar

Your conditional can just be:

  + if unpatched_cve:
> +        bb.warn("Found unpatched CVE (%s), for more information
> check %s" % (" ".join(unpatched_cves),cve_file))
> +
>      with open(cve_file, "w") as f:
>          bb.note("Writing file %s with CVE information" % cve_file)
>          f.write(write_string)
> -- 
> 1.9.1
>

More information about the Openembedded-core mailing list