[PATCH 0/5] cve-check improvements

[PATCH 0/5] cve-check improvements

[Peter Marko]

Hi,

this series of patches fixes some issues with cve-check functionality.

Peter Marko (5):
  cve-check: honor RM_OLD_IMAGE flag
  cve-check: add do_rootfs dependency on cve-check
  cve-check: do not parse error output
  cve-check: clean cve-check recipe result before re-building
  cve-check-tool: fix crash on exceptions

 meta/classes/cve-check.bbclass                     | 10 ++++-
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
 ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
 3 files changed, 60 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

-- 
2.1.4

[PATCH 1/5] cve-check: honor RM_OLD_IMAGE flag

[Peter Marko]

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3a9e227..d8ac412 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -96,6 +96,8 @@ python cve_check_write_rootfs_manifest () {
             manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
             # If we already have another manifest, update symlinks
             if os.path.exists(os.path.realpath(manifest_link)):
+                if d.getVar('RM_OLD_IMAGE') == "1":
+                    os.remove(os.path.realpath(manifest_link))
                 os.remove(manifest_link)
             os.symlink(os.path.basename(manifest_name), manifest_link)
             bb.plain("Image CVE report stored in: %s" % manifest_name)
-- 
2.1.4

Re: [PATCH 1/5] cve-check: honor RM_OLD_IMAGE flag

[Marko, Peter]

> +                if d.getVar('RM_OLD_IMAGE') == "1":
> +                    os.remove(os.path.realpath(manifest_link))

I have been working with Krogoth and ported my changes to master.
It seems this flag is no longer supported, thus this commit is wrong (or good only for backporting to Krogoth).
I'll remove it in v2 as soon as I get feedback on the other commits, too.

Peter

[PATCH 2/5] cve-check: add do_rootfs dependency on cve-check

[Peter Marko]

Since do_rootfs depends on cve-check results of all recipes,
we need to recursively depend on recipe do_cve_check.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index d8ac412..f851ec4 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -104,6 +104,7 @@ python cve_check_write_rootfs_manifest () {
 }
 
 ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 
 def get_patches_cves(d):
     """
-- 
2.1.4

[PATCH 3/5] cve-check: do not parse error output

[Peter Marko]

Sometimes there are control messages in cve-check-tool printed to
stderr. These lead to parsing error and thus failed build.
This can happen for instance when cve database needs to be
refreshed during build.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index f851ec4..9007a6e 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -174,7 +174,7 @@ def check_cves(d, patched_cves):
             f.write("%s,%s,%s," % (bpn, pv, cves))
         cmd.append(faux)
 
-        output = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+        output = subprocess.check_output(cmd).decode("utf-8")
         bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
     except subprocess.CalledProcessError as e:
         bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
-- 
2.1.4

[PATCH 4/5] cve-check: clean cve-check recipe result before re-building

[Peter Marko]

If there is cve report for a recipe in previous build and there
is no result for current one, old cves are kept in CVE_CHECK_DIR.
This happens on version upgrade or when cve/recipe is whitelisted.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 9007a6e..21f3225 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -83,6 +83,11 @@ python cve_check_write_rootfs_manifest () {
 
     import shutil
 
+    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+        deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN"))
+        if os.path.exists(deploy_file):
+            bb.utils.remove(deploy_file)
+
     if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
         bb.note("Writing rootfs CVE manifest")
         deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
-- 
2.1.4

[PATCH 5/5] cve-check-tool: fix crash on exceptions

[Peter Marko]

This fixes cve-check-tool crashes on exceptions.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
 ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index 1f906ee..4829b11 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
            file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
            file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
            file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
+           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
           "
 
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
new file mode 100644
index 0000000..4a82cf2
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
@@ -0,0 +1,50 @@
+From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Thu, 13 Apr 2017 23:09:52 +0200
+Subject: [PATCH] Fix freeing memory allocated by sqlite
+
+Upstream-Status: Backport
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core.c b/src/core.c
+index 6263031..6788f16 100644
+--- a/src/core.c
++++ b/src/core.c
+@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
+         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+         if (rc != SQLITE_OK) {
+                 fprintf(stderr, "ensure_table(): %s\n", err);
+-                free(err);
++                sqlite3_free(err);
+                 return false;
+         }
+         
+@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
+         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+         if (rc != SQLITE_OK) {
+                 fprintf(stderr, "ensure_table(): %s\n", err);
+-                free(err);
++                sqlite3_free(err);
+                 return false;
+         }
+ 
+@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
+         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+         if (rc != SQLITE_OK) {
+                 fprintf(stderr, "ensure_table(): %s\n", err);
+-                free(err);
++                sqlite3_free(err);
+                 return false;
+         }
+         if (err) {
+-                free(err);
++                sqlite3_free(err);
+         }
+ 
+         return true;
+-- 
+2.1.4
+
-- 
2.1.4

[PATCH v2 0/4] cve-check improvements

[Peter Marko]

Hi,

this series of patches fixes some issues with cve-check functionality.

v2: drop patch for RM_OLD_IMAGE handling

Peter Marko (4):
  cve-check: add do_rootfs dependency on cve-check
  cve-check: do not parse error output
  cve-check: clean cve-check recipe result before re-building
  cve-check-tool: fix crash on exceptions

 meta/classes/cve-check.bbclass                     |  8 +++-
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
 ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
 3 files changed, 58 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

-- 
2.1.4

[PATCH v2 1/4] cve-check: add do_rootfs dependency on cve-check

[Peter Marko]

Since do_rootfs depends on cve-check results of all recipes,
we need to recursively depend on recipe do_cve_check.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 3a9e227..660fe7a 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -102,6 +102,7 @@ python cve_check_write_rootfs_manifest () {
 }
 
 ROOTFS_POSTPROCESS_COMMAND_prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
+do_rootfs[recrdeptask] += "${@'do_cve_check' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
 
 def get_patches_cves(d):
     """
-- 
2.1.4

[PATCH v2 2/4] cve-check: do not parse error output

[Peter Marko]

Sometimes there are control messages in cve-check-tool printed to
stderr. These lead to parsing error and thus failed build.
This can happen for instance when cve database needs to be
refreshed during build.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 660fe7a..1f0b691 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -172,7 +172,7 @@ def check_cves(d, patched_cves):
             f.write("%s,%s,%s," % (bpn, pv, cves))
         cmd.append(faux)
 
-        output = subprocess.check_output(cmd, stderr=subprocess.STDOUT).decode("utf-8")
+        output = subprocess.check_output(cmd).decode("utf-8")
         bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output))
     except subprocess.CalledProcessError as e:
         bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output))
-- 
2.1.4

[PATCH v2 3/4] cve-check: clean cve-check recipe result before re-building

[Peter Marko]

If there is cve report for a recipe in previous build and there
is no result for current one, old cves are kept in CVE_CHECK_DIR.
This happens on version upgrade or when cve/recipe is whitelisted.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 meta/classes/cve-check.bbclass | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1f0b691..6f5b0f5 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -83,6 +83,11 @@ python cve_check_write_rootfs_manifest () {
 
     import shutil
 
+    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+        deploy_file = os.path.join(d.getVar("CVE_CHECK_DIR"), d.getVar("PN"))
+        if os.path.exists(deploy_file):
+            bb.utils.remove(deploy_file)
+
     if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
         bb.note("Writing rootfs CVE manifest")
         deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
-- 
2.1.4

[PATCH v2 4/4] cve-check-tool: fix crash on exceptions

[Peter Marko]

This fixes cve-check-tool crashes on exceptions.

Signed-off-by: Peter Marko <peter.marko@siemens.com>
---
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
 ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index 1f906ee..4829b11 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
            file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
            file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
            file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
+           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
           "
 
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
new file mode 100644
index 0000000..4a82cf2
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
@@ -0,0 +1,50 @@
+From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
+From: Peter Marko <peter.marko@siemens.com>
+Date: Thu, 13 Apr 2017 23:09:52 +0200
+Subject: [PATCH] Fix freeing memory allocated by sqlite
+
+Upstream-Status: Backport
+Signed-off-by: Peter Marko <peter.marko@siemens.com>
+---
+ src/core.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/src/core.c b/src/core.c
+index 6263031..6788f16 100644
+--- a/src/core.c
++++ b/src/core.c
+@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
+         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+         if (rc != SQLITE_OK) {
+                 fprintf(stderr, "ensure_table(): %s\n", err);
+-                free(err);
++                sqlite3_free(err);
+                 return false;
+         }
+         
+@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
+         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+         if (rc != SQLITE_OK) {
+                 fprintf(stderr, "ensure_table(): %s\n", err);
+-                free(err);
++                sqlite3_free(err);
+                 return false;
+         }
+ 
+@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
+         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
+         if (rc != SQLITE_OK) {
+                 fprintf(stderr, "ensure_table(): %s\n", err);
+-                free(err);
++                sqlite3_free(err);
+                 return false;
+         }
+         if (err) {
+-                free(err);
++                sqlite3_free(err);
+         }
+ 
+         return true;
+-- 
+2.1.4
+
-- 
2.1.4

Re: [PATCH v2 4/4] cve-check-tool: fix crash on exceptions

[Leonardo Sandoval]

the commit shortlog does not match what the patch is doing, unless the
new replaced function is the one avoiding exceptions..




On Wed, 2017-06-07 at 08:04 +0200, Peter Marko wrote:
> This fixes cve-check-tool crashes on exceptions.
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
>  ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 ++++++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
> 
> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> index 1f906ee..4829b11 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
>             file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
>             file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
>             file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
> +           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
>            "
>  
>  SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
> new file mode 100644
> index 0000000..4a82cf2
> --- /dev/null
> +++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch
> @@ -0,0 +1,50 @@
> +From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001
> +From: Peter Marko <peter.marko@siemens.com>
> +Date: Thu, 13 Apr 2017 23:09:52 +0200
> +Subject: [PATCH] Fix freeing memory allocated by sqlite
> +
> +Upstream-Status: Backport
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/core.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/core.c b/src/core.c
> +index 6263031..6788f16 100644
> +--- a/src/core.c
> ++++ b/src/core.c
> +@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
> +         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> +         if (rc != SQLITE_OK) {
> +                 fprintf(stderr, "ensure_table(): %s\n", err);
> +-                free(err);
> ++                sqlite3_free(err);
> +                 return false;
> +         }
> +         
> +@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
> +         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> +         if (rc != SQLITE_OK) {
> +                 fprintf(stderr, "ensure_table(): %s\n", err);
> +-                free(err);
> ++                sqlite3_free(err);
> +                 return false;
> +         }
> + 
> +@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
> +         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> +         if (rc != SQLITE_OK) {
> +                 fprintf(stderr, "ensure_table(): %s\n", err);
> +-                free(err);
> ++                sqlite3_free(err);
> +                 return false;
> +         }
> +         if (err) {
> +-                free(err);
> ++                sqlite3_free(err);
> +         }
> + 
> +         return true;
> +-- 
> +2.1.4
> +
> -- 
> 2.1.4
> 

Re: [PATCH v2 4/4] cve-check-tool: fix crash on exceptions

[Marko, Peter]

> the commit shortlog does not match what the patch is doing, unless the new replaced function is the one avoiding exceptions..

The fixed issue is tracked under https://github.com/ikeydoherty/cve-check-tool/issues/60
It says "crash on bad pointer free".
It fixes crash when freeing invalid pointer, which happened on sqlite exceptions.

If necessary, I can update the commit message with longer explanation.

On Wed, 2017-06-07 at 08:04 +0200, Peter Marko wrote:
> This fixes cve-check-tool crashes on exceptions.
> 
> Signed-off-by: Peter Marko <peter.marko@siemens.com>
> ---
>  .../cve-check-tool/cve-check-tool_5.6.4.bb         |  1 +
>  ...01-Fix-freeing-memory-allocated-by-sqlite.patch | 50 
> ++++++++++++++++++++++
>  2 files changed, 51 insertions(+)
>  create mode 100644 
> meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-all
> ocated-by-sqlite.patch
> 
> diff --git 
> a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb 
> b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> index 1f906ee..4829b11 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -11,6 +11,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
>             file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
>             file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
>             
> file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch 
> \
> +           file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \
>            "
>  
>  SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> diff --git 
> a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-a
> llocated-by-sqlite.patch 
> b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-a
> llocated-by-sqlite.patch
> new file mode 100644
> index 0000000..4a82cf2
> --- /dev/null
> +++ b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memo
> +++ ry-allocated-by-sqlite.patch
> @@ -0,0 +1,50 @@
> +From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 
> +2001
> +From: Peter Marko <peter.marko@siemens.com>
> +Date: Thu, 13 Apr 2017 23:09:52 +0200
> +Subject: [PATCH] Fix freeing memory allocated by sqlite
> +
> +Upstream-Status: Backport
> +Signed-off-by: Peter Marko <peter.marko@siemens.com>
> +---
> + src/core.c | 8 ++++----
> + 1 file changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/src/core.c b/src/core.c
> +index 6263031..6788f16 100644
> +--- a/src/core.c
> ++++ b/src/core.c
> +@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)
> +         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> +         if (rc != SQLITE_OK) {
> +                 fprintf(stderr, "ensure_table(): %s\n", err);
> +-                free(err);
> ++                sqlite3_free(err);
> +                 return false;
> +         }
> +         
> +@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)
> +         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> +         if (rc != SQLITE_OK) {
> +                 fprintf(stderr, "ensure_table(): %s\n", err);
> +-                free(err);
> ++                sqlite3_free(err);
> +                 return false;
> +         }
> + 
> +@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)
> +         rc = sqlite3_exec(self->db, query, NULL, NULL, &err);
> +         if (rc != SQLITE_OK) {
> +                 fprintf(stderr, "ensure_table(): %s\n", err);
> +-                free(err);
> ++                sqlite3_free(err);
> +                 return false;
> +         }
> +         if (err) {
> +-                free(err);
> ++                sqlite3_free(err);
> +         }
> + 
> +         return true;
> +--
> +2.1.4
> +
> --
> 2.1.4
>