[OE-core] [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs
Joshua Lock
joshua.g.lock at linux.intel.com
Tue May 9 09:17:28 UTC 2017
On Tue, 2017-05-09 at 17:13 +0800, Chen Qi wrote:
> When warning users about unpatched CVE, we'd better put CVE IDs into
> the warning message, so that it would be more straight forward for
> the
> user to know which CVEs are not patched.
>
> So instead of:
> WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for
> more information check /path/to/workdir/cve/cve.log.
> We should have:
> WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-
> 2017-7869), for more information check /path/to/workdir/cve/cve.log.
>
> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
> ---
> meta/classes/cve-check.bbclass | 11 +++++++----
> 1 file changed, 7 insertions(+), 4 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
> check.bbclass
> index 0e4294f..496d744 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched,
> cve_data):
> cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
> nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
> write_string = ""
> - first_alert = True
> + has_unpatched_cve = False
> + unpatched_cves = []
> bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
>
> for cve in sorted(cve_data):
> @@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched,
> cve_data):
> if cve in patched:
> write_string += "CVE STATUS: Patched\n"
> else:
> + unpatched_cves.append(cve)
> write_string += "CVE STATUS: Unpatched\n"
> - if first_alert:
> - bb.warn("Found unpatched CVE, for more information
> check %s" % cve_file)
> - first_alert = False
> + has_unpatched_cve = True
> write_string += "CVE SUMMARY: %s\n" %
> cve_data[cve]["summary"]
> write_string += "CVSS v2 BASE SCORE: %s\n" %
> cve_data[cve]["score"]
> write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
> write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
> cve)
>
> + if has_unpatched_cve:
There's no need for the has_unpatched_cve variable, you can just test
whether the unpatched_cves list is empty:
>>> foo = []
>>> bar = [1, 2, 3]
>>> if foo:
... print("foo")
...
>>> if bar:
... print("bar")
...
bar
Your conditional can just be:
+ if unpatched_cve:
> + bb.warn("Found unpatched CVE (%s), for more information
> check %s" % (" ".join(unpatched_cves),cve_file))
> +
> with open(cve_file, "w") as f:
> bb.note("Writing file %s with CVE information" % cve_file)
> f.write(write_string)
> --
> 1.9.1
>
More information about the Openembedded-core
mailing list