[OE-core] [PATCH RFC CFH][sumo 27/47] cve-update-db-native: fix https proxy issues

Mikko Rapeli mikko.rapeli at bmw.de
Wed Nov 6 15:37:42 UTC 2019


From: Chin Huat Ang <chin.huat.ang at intel.com>

When https_proxy is set, use proxy opener to open CVE metadata and
database URLs, otherwise fall back to urllib.request.urlopen.

Also fix a minor issue where the json database, which has been gzip
decompressed as a bytes object, should be decoded as a utf-8 string as
expected by update_db.

(From OE-Core rev: 95438d52b732bec217301fbfc2fb019bbc3707c8)

Signed-off-by: Chin Huat Ang <chin.huat.ang at intel.com>
Signed-off-by: Richard Purdie <richard.purdie at linuxfoundation.org>
---
 meta/recipes-core/meta/cve-update-db-native.bb | 41 +++++++++++++++++++-------
 1 file changed, 30 insertions(+), 11 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb
index a06b74a..9fbe686 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -17,7 +17,7 @@ python do_populate_cve_db() {
     Update NVD database with json data feed
     """
 
-    import sqlite3, urllib, shutil, gzip
+    import sqlite3, urllib, urllib.parse, shutil, gzip
     from datetime import date
 
     BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-"
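Review bot: the changed import line adds urllib.parse, but the calls in the visible hunks are urllib.request.ProxyHandler, urllib.request.build_opener, urllib.request.urlopen and urllib.error.URLError, and nothing shown here uses urllib.parse. A plain "import urllib" does not guarantee that the request submodule is loaded, so I would import urllib.request explicitly here (it imports urllib.error and urllib.parse itself) instead of relying on some other module having loaded it first.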
@@ -27,6 +27,16 @@ python do_populate_cve_db() {
     db_file = os.path.join(db_dir, 'nvdcve_1.0.db')
     json_tmpfile = os.path.join(db_dir, 'nvd.json.gz')
     proxy = d.getVar("https_proxy")
+
+    if proxy:
+        # instantiate an opener but do not install it as the global
+        # opener unless if we're really sure it's applicable for all
+        # urllib requests
+        proxy_handler = urllib.request.ProxyHandler({'https': proxy})
+        proxy_opener = urllib.request.build_opener(proxy_handler)
+    else:
+        proxy_opener = None
+
     cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a')
 
     if not os.path.isdir(db_dir):
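Review bot: the "else: proxy_opener = None" branch forces every later fetch to repeat an if/else between proxy_opener.open() and urllib.request.urlopen(), which is where the duplicated code in the next two hunks comes from. Building one opener unconditionally, with the ProxyHandler when https_proxy is set and a bare urllib.request.build_opener() otherwise, keeps it non-global as the comment intends and lets both call sites be a single opener.open(url). Minor: "unless if we're really sure" in the new comment should read "unless we're really sure".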
@@ -44,11 +54,17 @@ python do_populate_cve_db() {
         json_url = year_url + ".json.gz"
 
         # Retrieve meta last modified date
-        req = urllib.request.Request(meta_url)
-        if proxy:
-            req.set_proxy(proxy, 'https')
-        with urllib.request.urlopen(req) as r:
-            for l in r.read().decode("utf-8").splitlines():
+
+        response = None
+
+        if proxy_opener:
+            response = proxy_opener.open(meta_url)
+        else:
+            req = urllib.request.Request(meta_url)
+            response = urllib.request.urlopen(req)
+
+        if response:
+            for l in response.read().decode("utf-8").splitlines():
                 key, value = l.split(":", 1)
                 if key == "lastModifiedDate":
                     last_modified = value
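Review bot: the metadata fetch drops the "with urllib.request.urlopen(req) as r:" context manager, so the response (and its proxy connection) is never closed, and this runs once per year in the loop. Both proxy_opener.open() and urlopen() return an object usable in a with statement, so "with proxy_opener.open(meta_url) as response:" keeps the old cleanup. The "response = None" / "if response:" pair is also dead code: both calls either return a response or raise, so the guard can never be false. Neither call passes a timeout, so a stalled proxy blocks the task indefinitely.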
@@ -66,11 +82,14 @@ python do_populate_cve_db() {
 
             # Update db with current year json file
             try:
-                req = urllib.request.Request(json_url)
-                if proxy:
-                    req.set_proxy(proxy, 'https')
-                with urllib.request.urlopen(req) as r:
-                    update_db(c, gzip.decompress(r.read()))
+                if proxy_opener:
+                    response = proxy_opener.open(json_url)
+                else:
+                    req = urllib.request.Request(json_url)
+                    response = urllib.request.urlopen(req)
+
+                if response:
+                    update_db(c, gzip.decompress(response.read()).decode('utf-8'))
                 c.execute("insert or replace into META values (?, ?)", [year, last_modified])
             except urllib.error.URLError as e:
                 cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
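Review bot: the "if response:" guard covers only the update_db() call, while the following c.execute("insert or replace into META ...") sits outside it, so if the guard were ever false the year would be recorded as up to date without any CVE data having been loaded. Since open() and urlopen() raise rather than return None, I would drop the guard and restore a with block around the response so it is closed. Also note that the handler shown catches only urllib.error.URLError: if a proxy hands back something that is not the gzip feed, gzip.decompress() or the new .decode('utf-8') will raise a different exception and bypass the "CVE data is outdated" warning path.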
-- 
1.9.1


