[OE-core] [PATCH] cve-check: allow filtering out patched issues

Dan Dedrick dan.dedrick at gmail.com
Thu Feb 14 19:17:06 UTC 2019


It can be useful to filter out patched issues since they are no longer
vulnerable. This makes it easier to sift through what CVEs still might
need to be fixed.

Signed-off-by: Dan Dedrick <ddedrick at lexmark.com>
---
 meta/classes/cve-check.bbclass | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 743bc08a4f..a486d686ae 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
 CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
 CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
+CVE_CHECK_EXCLUDE_PATCHED ??= "0"
 
 # Whitelist for packages (PN)
 CVE_CHECK_PN_WHITELIST = "\
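Review bot: the new `CVE_CHECK_EXCLUDE_PATCHED ??= "0"` line carries no comment describing what the variable does or which values it accepts, so a reader of the class has to find the consumer in `do_cve_check` to learn that only the exact string "1" removes patched CVEs from the report. Suggest a one-line comment above it in the style of the `# Whitelist for packages (PN)` comment already used in this file, e.g. `# Set to "1" to omit CVEs already patched in this layer from the report`, and a matching note in the variable documentation.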
@@ -54,6 +55,8 @@ python do_cve_check () {
     if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
         patched_cves = get_patches_cves(d)
         patched, unpatched = check_cves(d, patched_cves)
+        if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1":
+            patched = []
         if patched or unpatched:
             cve_data = get_cve_info(d, patched + unpatched)
             cve_write_data(d, patched, unpatched, cve_data)
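Review bot: the check `d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1"` only honours the literal string "1"; a user setting the variable to "true" or "yes" would silently keep the old behaviour. Converting the value with `bb.utils.to_boolean(d.getVar("CVE_CHECK_EXCLUDE_PATCHED"))` would make the option behave like other boolean-style knobs. Also note that clearing `patched` before the `if patched or unpatched:` guard means a recipe whose CVEs are all patched now writes no report entry at all rather than an entry listing them as patched; if that is intended, a short sentence in the commit message saying so would help reviewers and users of `CVE_CHECK_MANIFEST`.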
-- 
2.20.1
