[OE-core] [PATCH] cve-check: allow filtering out patched issues

Burton, Ross ross.burton at intel.com
Thu Feb 14 21:03:43 UTC 2019


The report explicitly lists would-be-vulnerable-but-patched issues and
marks them as such, so why can't you just ignore them in the report?

Ross

On Thu, 14 Feb 2019 at 19:18, Dan Dedrick <dan.dedrick at gmail.com> wrote:
>
> It can be useful to filter out patched issues since they are no longer
> vulnerable. This makes it easier to sift through what CVEs still might
> need to be fixed.
>
> Signed-off-by: Dan Dedrick <ddedrick at lexmark.com>
> ---
>  meta/classes/cve-check.bbclass | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 743bc08a4f..a486d686ae 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -35,6 +35,7 @@ CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
>  CVE_CHECK_MANIFEST ?= "${DEPLOY_DIR_IMAGE}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
>  CVE_CHECK_COPY_FILES ??= "1"
>  CVE_CHECK_CREATE_MANIFEST ??= "1"
> +CVE_CHECK_EXCLUDE_PATCHED ??= "0"
>
>  # Whitelist for packages (PN)
>  CVE_CHECK_PN_WHITELIST = "\
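Review bot: CVE_CHECK_EXCLUDE_PATCHED is introduced with no comment or documentation saying what it controls, and nothing tells a user that only the literal value "1" enables it. Add a one-line comment beside the default, e.g. `# Set to "1" to omit CVEs already patched in the recipe from the report`, and the matching entry in the cve-check variable documentation, so the option is discoverable without reading do_cve_check.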
> @@ -54,6 +55,8 @@ python do_cve_check () {
>      if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
>          patched_cves = get_patches_cves(d)
>          patched, unpatched = check_cves(d, patched_cves)
> +        if d.getVar("CVE_CHECK_EXCLUDE_PATCHED") == "1":
> +            patched = []
>          if patched or unpatched:
>              cve_data = get_cve_info(d, patched + unpatched)
>              cve_write_data(d, patched, unpatched, cve_data)
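Review bot: clearing `patched` before the `if patched or unpatched:` test changes more than the report contents: a recipe whose CVEs are all patched now produces no report at all, which is indistinguishable from "no CVEs found", and the patched entries also vanish from whatever cve_write_data feeds into the manifest. If the intent is only to hide patched entries from the listing, apply the exclusion inside cve_write_data (when rendering) and keep the `patched` list intact here so the check still records that the CVE was considered. Separately, the `== "1"` comparison accepts only that literal, so `CVE_CHECK_EXCLUDE_PATCHED = "True"` silently does nothing; use `bb.utils.to_boolean(d.getVar("CVE_CHECK_EXCLUDE_PATCHED"))` to match how other boolean knobs are read.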
> --
> 2.20.1
>
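As an added example of the post-processing Ross suggests (this is not code from the patch, from cve-check.bbclass or from anyone in the thread): a small Python filter that reads a cve-check text report and drops the records it marks as patched, leaving the class untouched. The record layout is assumed: blank-line-separated records of "KEY: value" lines with the fields PACKAGE NAME, CVE and CVE STATUS (Patched / Unpatched). The sample report is constructed with placeholder package names and CVE ids, not real scan output.

```python
"""Drop patched entries from a cve-check text report (added example).

The field names and the blank-line-separated record layout are assumed;
adjust the keys in is_patched() if your report differs.
"""
import sys
from typing import Dict, List

Record = Dict[str, str]

# Constructed sample in the assumed layout: placeholder packages and CVE ids.
SAMPLE_REPORT = """\
PACKAGE NAME: examplepkg
PACKAGE VERSION: 1.0
CVE: CVE-0000-0001
CVE STATUS: Patched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 7.5
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-0001

PACKAGE NAME: examplepkg
PACKAGE VERSION: 1.0
CVE: CVE-0000-0002
CVE STATUS: Unpatched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 5.0
VECTOR: LOCAL
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-0002

PACKAGE NAME: otherpkg
PACKAGE VERSION: 2.3
CVE: CVE-0000-0003
CVE STATUS: Patched
CVE SUMMARY: placeholder summary
CVSS v2 BASE SCORE: 4.3
VECTOR: NETWORK
MORE INFORMATION: https://nvd.nist.gov/vuln/detail/CVE-0000-0003
"""


def parse_report(text: str) -> List[Record]:
    """Split the report into one dict per CVE record.

    Records are separated by blank lines; each field is "KEY: value".
    Lines without a colon are skipped rather than aborting the parse.
    """
    records: List[Record] = []
    current: Record = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def is_patched(rec: Record) -> bool:
    """True only when the report positively marks the CVE as patched.

    A missing or unexpected CVE STATUS is treated as not patched, so a record
    is never dropped merely because the field was absent or renamed.
    """
    return rec.get("CVE STATUS", "").strip().lower() == "patched"


def filter_patched(records: List[Record]) -> List[Record]:
    """Keep every record that is not positively marked patched."""
    return [r for r in records if not is_patched(r)]


def count_by_status(records: List[Record]) -> Dict[str, int]:
    """Tally records by CVE STATUS; records without one count as UNKNOWN."""
    counts: Dict[str, int] = {}
    for r in records:
        status = r.get("CVE STATUS", "UNKNOWN")
        counts[status] = counts.get(status, 0) + 1
    return counts


def render(records: List[Record]) -> str:
    """Re-emit records in the same KEY: value layout, blank-line separated."""
    blocks = ["\n".join(f"{k}: {v}" for k, v in r.items()) for r in records]
    return "\n\n".join(blocks) + ("\n" if blocks else "")


def unpatched_ids(text: str) -> List[str]:
    """Convenience: the CVE ids that still need attention, in report order."""
    return [r.get("CVE", "?") for r in filter_patched(parse_report(text))]


if __name__ == "__main__":
    # Usage: python filter_cve_report.py deploy/cve/<recipe>  (defaults to the sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    recs = parse_report(src)
    print(f"status counts before filtering: {count_by_status(recs)}", file=sys.stderr)
    sys.stdout.write(render(filter_patched(recs)))
```

The filter is deliberately conservative: only an explicit "Patched" status removes a record, so a report with a missing or differently spelled status field still surfaces every CVE. Keeping the status tally on stderr preserves the information Ross points at, that the patched issues were seen and accounted for, while the filtered listing on stdout is what you sift through.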

