[OE-core] [PATCH] cve-check: allow filtering out patched issues
Dan Dedrick
dan.dedrick at gmail.com
Thu Feb 14 19:17:06 UTC 2019
It can be useful to filter out patched issues since they are no longer
vulnerable. This makes it easier to sift through what CVEs still might
need to be fixed.
Signed-off-by: Dan Dedrick <ddedrick at lexmark.com>
---
meta/classes/cve-check.bbclass | 3 +++
1 file changed, 3 insertions(+)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08a4f..a486d686ae 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
CVE_CHECK_COPY_FILES ??= "1"
CVE_CHECK_CREATE_MANIFEST ??= "1"
+CVE_CHECK_EXCLUDE_PATCHED ??= "0"
# Whitelist for packages (PN)
CVE_CHECK_PN_WHITELIST = "\
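Review bot: the new CVE_CHECK_EXCLUDE_PATCHED variable lands without a comment saying what it controls, while the neighbouring settings carry one (the very next line is `# Whitelist for packages (PN)`); add a line such as `# Set to "1" to omit already-patched CVEs from the per-recipe reports and the image manifest` above the `??= "0"` default so a user of the class can find the knob without reading do_cve_check.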
@@ -54,6 +55,8 @@ python do_cve_check () {
if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
patched_cves = get_patches_cves(d)
patched, unpatched = check_cves(d, patched_cves)
+ if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1":
+ patched = []
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
cve_write_data(d, patched, unpatched, cve_data)
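Review bot: the check `d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1"` only honours the literal string "1", so a user who sets the variable to "True" or "yes" silently gets the unfiltered output; `bb.utils.to_boolean(d.getVar("CVE_CHECK_EXCLUDE_PATCHED"))` would accept the usual BitBake spellings. Also, `patched = []` throws the list away before `cve_write_data` is called, so the written report cannot distinguish "patched CVEs were excluded" from "nothing was patched"; passing the flag into cve_write_data, or having it emit a single line noting that patched entries were omitted, would keep that distinction for whoever reads the manifest later.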
--
2.20.1