* [PATCH] cve-check: write empty fragment files in the text mode
@ 2022-06-03 12:17 Marta Rybczynska
2022-06-04 6:18 ` Ernst Sjöstrand
0 siblings, 1 reply; 2+ messages in thread
From: Marta Rybczynska @ 2022-06-03 12:17 UTC (permalink / raw)
To: openembedded-core, ernstp; +Cc: Marta Rybczynska, Marta Rybczynska
In the cve-check text mode output, we didn't write fragment
files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
or no unpatched CVEs otherwise.
However, in a system after multiple builds,
cve_check_write_rootfs_manifest might find older files and use
them as current, which leads to incorrect reporting.
Fix it by always writing a fragment file, even if empty.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
meta/classes/cve-check.bbclass | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c80a365819..0579d882db 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -440,23 +440,22 @@ def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
- if write_string:
- with open(cve_file, "w") as f:
- bb.note("Writing file %s with CVE information" % cve_file)
- f.write(write_string)
+ with open(cve_file, "w") as f:
+ bb.note("Writing file %s with CVE information" % cve_file)
+ f.write(write_string)
- if d.getVar("CVE_CHECK_COPY_FILES") == "1":
- deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
- bb.utils.mkdirhier(os.path.dirname(deploy_file))
- with open(deploy_file, "w") as f:
- f.write(write_string)
+ if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+ deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
+ bb.utils.mkdirhier(os.path.dirname(deploy_file))
+ with open(deploy_file, "w") as f:
+ f.write(write_string)
- if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
- cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
- bb.utils.mkdirhier(cvelogpath)
+ if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
+ cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+ bb.utils.mkdirhier(cvelogpath)
- with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
- f.write("%s" % write_string)
+ with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
+ f.write("%s" % write_string)
def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
"""
--
2.33.0
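As an added illustration of the failure mode the commit message describes (this is example code, not code from the patch or from oe-core's cve-check.bbclass), the following Python models a per-recipe fragment writer and a manifest aggregator in a temporary directory and runs two "builds" of the same recipe set. The function names `write_fragment`, `build_manifest` and `simulate`, the recipe names and the report text are all constructed for the example; the stale-fragment behaviour is what the commit message attributes to the old code.

```python
# Added example: models why skipping empty fragment files lets a stale
# fragment from an earlier build leak into the next manifest.
# Not code from cve-check.bbclass; names and sample data are constructed.
import os
import tempfile


def write_fragment(fragment_dir, recipe, report, write_empty):
    """Write the per-recipe text fragment.

    report      -- text the checker produced for this recipe ("" if nothing
                   to report)
    write_empty -- False models the old behaviour (skip the file when the
                   report is empty); True models the fix (always write).
    Returns the path written, or None when the write was skipped.
    """
    path = os.path.join(fragment_dir, recipe)
    if not report and not write_empty:
        return None
    with open(path, "w") as f:
        f.write(report)
    return path


def build_manifest(fragment_dir):
    """Concatenate every fragment present, the way a manifest writer that
    trusts whatever files it finds in the directory would."""
    parts = []
    for name in sorted(os.listdir(fragment_dir)):
        with open(os.path.join(fragment_dir, name)) as f:
            parts.append(f.read())
    return "".join(parts)


def simulate(write_empty):
    """Run two builds against one persistent fragment directory and return
    the manifest produced after the second build.

    Build 1: recipe 'foo' reports an unpatched CVE (constructed text).
    Build 2: 'foo' was updated and has nothing left to report.
    """
    # Constructed sample reports; the CVE id is a deliberate placeholder.
    build1 = {
        "foo": ("PACKAGE NAME: foo\n"
                "CVE: CVE-XXXX-XXXX (placeholder)\n"
                "CVE STATUS: Unpatched\n\n"),
        "bar": "",
    }
    build2 = {"foo": "", "bar": ""}
    with tempfile.TemporaryDirectory() as fragment_dir:
        for recipe, report in build1.items():
            write_fragment(fragment_dir, recipe, report, write_empty)
        for recipe, report in build2.items():
            write_fragment(fragment_dir, recipe, report, write_empty)
        return build_manifest(fragment_dir)


if __name__ == "__main__":
    print("old behaviour (skip empty):", repr(simulate(write_empty=False)))
    print("fixed behaviour (always write):", repr(simulate(write_empty=True)))
```

With the old behaviour the second manifest still reports the CVE fixed in build 2, because the fragment from build 1 was never overwritten; with the fix the second build writes an empty `foo` fragment over it and the manifest is empty. The general lesson is the same as the patch's: a writer that conditionally produces output cannot be paired with a reader that trusts whatever files already exist in a shared directory.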
* Re: [PATCH] cve-check: write empty fragment files in the text mode
2022-06-03 12:17 [PATCH] cve-check: write empty fragment files in the text mode Marta Rybczynska
@ 2022-06-04 6:18 ` Ernst Sjöstrand
0 siblings, 0 replies; 2+ messages in thread
From: Ernst Sjöstrand @ 2022-06-04 6:18 UTC (permalink / raw)
To: Marta Rybczynska; +Cc: OE-core, Marta Rybczynska
On Fri 3 June 2022 at 14:17, Marta Rybczynska <rybczynska@gmail.com> wrote:
> In the cve-check text mode output, we didn't write fragment
> files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
> or no unpatched CVEs otherwise.
>
> However, in a system after multiple builds,
> cve_check_write_rootfs_manifest might find older files and use
> them as current, which leads to incorrect reporting.
>
> Fix it by always writing a fragment file, even if empty.
>
> Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
> ---
> meta/classes/cve-check.bbclass | 27 +++++++++++++--------------
> 1 file changed, 13 insertions(+), 14 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass
> b/meta/classes/cve-check.bbclass
> index c80a365819..0579d882db 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -440,23 +440,22 @@ def cve_write_data_text(d, patched, unpatched,
> ignored, cve_data):
> if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
> bb.warn("Found unpatched CVE (%s), for more information check %s"
> % (" ".join(unpatched_cves),cve_file))
>
> - if write_string:
> - with open(cve_file, "w") as f:
> - bb.note("Writing file %s with CVE information" % cve_file)
> - f.write(write_string)
> + with open(cve_file, "w") as f:
> + bb.note("Writing file %s with CVE information" % cve_file)
>
This note feels quite redundant now.
> + f.write(write_string)
>
> - if d.getVar("CVE_CHECK_COPY_FILES") == "1":
> - deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
> - bb.utils.mkdirhier(os.path.dirname(deploy_file))
> - with open(deploy_file, "w") as f:
> - f.write(write_string)
> + if d.getVar("CVE_CHECK_COPY_FILES") == "1":
> + deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
> + bb.utils.mkdirhier(os.path.dirname(deploy_file))
> + with open(deploy_file, "w") as f:
> + f.write(write_string)
>
> - if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
> - cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
> - bb.utils.mkdirhier(cvelogpath)
> + if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
> + cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
> + bb.utils.mkdirhier(cvelogpath)
>
> - with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
> - f.write("%s" % write_string)
> + with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
> + f.write("%s" % write_string)
>
> def cve_check_write_json_output(d, output, direct_file, deploy_file,
> manifest_file):
> """
> --
> 2.33.0
>
>