[PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks

[PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks

[Konstantin Shemyak]

Disable downloading of the vulnerability DB in do_check_cves() task.

When invoked in this task, cve-check-tool attempts re-download of the CVE DB
if the latter is older than certain threshold. While reasonable for a
stand-alone CVE checker, this behavior can cause errors in parallel builds
if the build time is longer than this threshold: 
* Other tasks might be using the DB.
* Several packages can start the download of the same file at the same time.

This check is not really needed, as the DB has been downloaded by
cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
The DB will be at most (threshold + build_time) old.

Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 4d99838..12ad3e5 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -179,7 +179,7 @@ def check_cves(d, patched_cves):
     cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
     cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
     cve_cmd = "cve-check-tool"
-    cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
+    cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
 
     # If the recipe has been whitlisted we return empty lists
     if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
-- 
2.10.1

Re: [PATCH] cve-check.bbclass: do not download the CVE DB in package-specific tasks

[Mikko.Rapeli]

On Mon, Aug 13, 2018 at 10:23:28AM +0300, Konstantin Shemyak wrote:
> Disable downloading of the vulnerability DB in do_check_cves() task.
> 
> When invoked in this task, cve-check-tool attempts re-download of the CVE DB
> if the latter is older than certain threshold. While reasonable for a
> stand-alone CVE checker, this behavior can cause errors in parallel builds
> if the build time is longer than this threshold: 
> * Other tasks might be using the DB.
> * Several packages can start the download of the same file at the same time.
> 
> This check is not really needed, as the DB has been downloaded by
> cve_check_tool:do_populate_cve_db() which is a prerequisite of any do_build().
> The DB will be at most (threshold + build_time) old.
> 
> Signed-off-by: Konstantin Shemyak <konstantin.shemyak@ge.com>
> ---
>  meta/classes/cve-check.bbclass | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 4d99838..12ad3e5 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -179,7 +179,7 @@ def check_cves(d, patched_cves):
>      cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
>      cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
>      cve_cmd = "cve-check-tool"
> -    cmd = [cve_cmd, "--no-html", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
> +    cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir]
>  
>      # If the recipe has been whitlisted we return empty lists
>      if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split():
> -- 

ACK.

Reviewed-by: Mikko Rapeli <mikko.rapeli@bmw.de>