[OE-core] [PATCH 1/1] cve-check.bbclass: make warning contain CVE IDs

ChenQi Qi.Chen at windriver.com
Tue May 9 09:25:19 UTC 2017


On 05/09/2017 05:17 PM, Joshua Lock wrote:
> On Tue, 2017-05-09 at 17:13 +0800, Chen Qi wrote:
>> When warning users about unpatched CVE, we'd better put CVE IDs into
>> the warning message, so that it would be more straightforward for
>> the user to know which CVEs are not patched.
>>
>> So instead of:
>>    WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for
>> more information check /path/to/workdir/cve/cve.log.
>> We should have:
>>    WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-
>> 2017-7869), for more information check /path/to/workdir/cve/cve.log.
>>
>> Signed-off-by: Chen Qi <Qi.Chen at windriver.com>
>> ---
>>   meta/classes/cve-check.bbclass | 11 +++++++----
>>   1 file changed, 7 insertions(+), 4 deletions(-)
>>
>> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-
>> check.bbclass
>> index 0e4294f..496d744 100644
>> --- a/meta/classes/cve-check.bbclass
>> +++ b/meta/classes/cve-check.bbclass
>> @@ -234,7 +234,8 @@ def cve_write_data(d, patched, unpatched,
>> cve_data):
>>       cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
>>       nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
>>       write_string = ""
>> -    first_alert = True
>> +    has_unpatched_cve = False
>> +    unpatched_cves = []
>>       bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
>>   
>>       for cve in sorted(cve_data):
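Review bot: in this hunk `has_unpatched_cve` carries no information that `unpatched_cves` does not already hold, since the flag is only ever set right after an append to that list; drop the flag and test the list directly (`if unpatched_cves:`), which also removes one piece of state that can drift out of sync with the list.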
>> @@ -244,15 +245,17 @@ def cve_write_data(d, patched, unpatched,
>> cve_data):
>>           if cve in patched:
>>               write_string += "CVE STATUS: Patched\n"
>>           else:
>> +            unpatched_cves.append(cve)
>>               write_string += "CVE STATUS: Unpatched\n"
>> -            if first_alert:
>> -                bb.warn("Found unpatched CVE, for more information
>> check %s" % cve_file)
>> -                first_alert = False
>> +            has_unpatched_cve = True
>>           write_string += "CVE SUMMARY: %s\n" %
>> cve_data[cve]["summary"]
>>           write_string += "CVSS v2 BASE SCORE: %s\n" %
>> cve_data[cve]["score"]
>>           write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
>>           write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link,
>> cve)
>>   
>> +    if has_unpatched_cve:
> There's no need for the has_unpatched_cve variable, you can just test
> whether the unpatched_cves list is empty:
>
>>>> foo = []
>>>> bar = [1, 2, 3]
>>>> if foo:
> ...   print("foo")
> ...
>>>> if bar:
> ...   print("bar")
> ...
> bar
>
> Your conditional can just be:
>
>    + if unpatched_cve:

Thanks a lot.
I'll send out V2.

Best Regards,
Chen Qi

>> +        bb.warn("Found unpatched CVE (%s), for more information
>> check %s" % (" ".join(unpatched_cves),cve_file))
>> +
>>       with open(cve_file, "w") as f:
>>           bb.note("Writing file %s with CVE information" % cve_file)
>>           f.write(write_string)
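Review bot: the warning at the end of this hunk joins the IDs with a bare space and has no space after the comma in `(" ".join(unpatched_cves),cve_file)`; `", ".join(unpatched_cves)` reads better when several IDs are reported, and the message should say "CVEs" when more than one is listed, e.g. `"Found unpatched CVEs (%s), for more information check %s"`. Note also that the list introduced earlier is named `unpatched_cves` (plural), so the emptiness test that replaces `if has_unpatched_cve:` must use that exact name.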
>> -- 
>> 1.9.1
>>
