All of lore.kernel.org
 help / color / mirror / Atom feed
From: Mikko Rapeli <mikko.rapeli@bmw.de>
To: openembedded-core@lists.openembedded.org
Subject: [PATCH RFC CFH][sumo 18/47] cve-check: Replace CVE_CHECK_CVE_WHITELIST by CVE_CHECK_WHITELIST
Date: Wed,  6 Nov 2019 17:37:33 +0200	[thread overview]
Message-ID: <3d1470373e6c36e6a6cb1df15d86dc73670b7d63.1573047194.git.mikko.rapeli@bmw.de> (raw)
In-Reply-To: <cover.1573047194.git.mikko.rapeli@bmw.de>
In-Reply-To: <cover.1573047194.git.mikko.rapeli@bmw.de>

From: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>

CVE_CHECK_WHITELIST does not contain version anymore, as it was not
used. This variable should be set per recipe.

(From OE-Core rev: 7069302a4ccbb5b72e1902f284cf078516fd7294)

Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/classes/cve-check.bbclass | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index e8668b2..512d4c7 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -39,15 +39,12 @@ CVE_CHECK_CREATE_MANIFEST ??= "1"
 # Whitelist for packages (PN)
 CVE_CHECK_PN_WHITELIST ?= ""
 
-# Whitelist for CVE and version of package. If a CVE is found then the PV is
-# compared with the version list, and if found the CVE is considered
-# patched.
-#
-# The value should be valid Python in this format:
-# {
-#   'CVE-2014-2524': ('6.3','5.2')
-# }
-CVE_CHECK_CVE_WHITELIST ?= "{}"
+# Whitelist for CVE. If a CVE is found, then it is considered patched.
+# The value is a string containing space separated CVE values:
+# 
+# CVE_CHECK_WHITELIST = 'CVE-2014-2524 CVE-2018-1234'
+# 
+CVE_CHECK_WHITELIST ?= ""
 
 python do_cve_check () {
     """
@@ -185,7 +182,10 @@ def check_cves(d, patched_cves):
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [])
 
-    cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
+    old_cve_whitelist =  d.getVar("CVE_CHECK_CVE_WHITELIST")
+    if old_cve_whitelist:
+        bb.warn("CVE_CHECK_CVE_WHITELIST is deprecated, please use CVE_CHECK_WHITELIST.")
+    cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split()
 
     import sqlite3
     db_file = d.getVar("CVE_CHECK_DB_FILE")
@@ -206,7 +206,7 @@ def check_cves(d, patched_cves):
             version_end = row[6]
             operator_end = row[7]
 
-            if pv in cve_whitelist.get(cve, []):
+            if cve in cve_whitelist:
                 bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve))
             elif cve in patched_cves:
                 bb.note("%s has been patched" % (cve))
-- 
1.9.1



  parent reply	other threads:[~2019-11-06 15:38 UTC|newest]

Thread overview: 62+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-06 15:37 [PATCH RFC CFH][sumo 00/47] CVE check backport Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 01/47] cve-update-db: New recipe to update CVE database Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 02/47] cve-check: Remove dependency to cve-check-tool-native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 03/47] cve-check: Manage CVE_PRODUCT with more than one name Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 04/47] cve-check: Consider CVE that affects versions with less than operator Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 05/47] flac: also add flac to CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 06/47] cve-update-db: Use std library instead of urllib3 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 07/47] cve-check: be idiomatic Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 08/47] cve-update-db: Manage proxy if needed Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 09/47] cve-update-db: do_populate_cve_db depends on do_fetch Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 10/47] cve-update-db: Catch request.urlopen errors Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 11/47] cve-check: Depends on cve-update-db-native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 12/47] cve-check: Update unpatched CVE matching Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 13/47] cve-check: remove redundant readline CVE whitelisting Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 14/47] cve-check-tool: remove Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 15/47] glibc: exclude child recipes from CVE scanning Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 16/47] cve-check.bbclass: initialize to_append Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 17/47] cve-check: allow comparison of Vendor as well as Product Mikko Rapeli
2019-11-06 15:37 ` Mikko Rapeli [this message]
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 19/47] cve-update-db-native: use SQL placeholders instead of format strings Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 20/47] cve-update-db: Use NVD CPE data to populate PRODUCTS table Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 21/47] cve-update-db-native: Remove hash column from database Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 22/47] cve-update-db-native: use os.path.join instead of + Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 23/47] cve-update-db: actually inherit native Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 24/47] cve-update-db-native: use executemany() to optimise CPE insertion Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 25/47] cve-update-db-native: improve metadata parsing Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 26/47] cve-update-db-native: clean up JSON fetching Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 27/47] cve-update-db-native: fix https proxy issues Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 28/47] cve-check: ensure all known CVEs are in the report Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 29/47] cve-check: failure to parse versions should be more visible Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 30/47] xserver-xorg: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 31/47] nasm: add CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 32/47] dropbear: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 33/47] libsdl: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 34/47] ghostscript: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 35/47] squashfs-tools: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 36/47] libxfont2: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 37/47] flex: set CVE_PRODUCT to include vendor Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 38/47] webkitgtk: set CVE_PRODUCT Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 39/47] libpam: " Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 40/47] procps: whitelist CVE-2018-1121 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 41/47] libpng: whitelist CVE-2019-17371 Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 42/47] openssl: set CVE vendor to openssl Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 43/47] rsync: fix CVEs for included zlib Mikko Rapeli
2019-11-06 15:37 ` [PATCH RFC CFH][sumo 44/47] ed: set CVE vendor to avoid false positives Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 45/47] boost: set CVE vendor to Boost Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 46/47] subversion: set CVE vendor to Apache Mikko Rapeli
2019-11-06 15:38 ` [PATCH RFC CFH][sumo 47/47] git: set CVE vendor to git-scm Mikko Rapeli
2019-11-06 17:32 ` ✗ patchtest: failure for CVE check backport Patchwork
2019-11-06 21:46 ` [PATCH RFC CFH][sumo 00/47] " akuster808
2019-11-07  9:14   ` Mikko.Rapeli
2019-11-07 15:03   ` Richard Purdie
2019-11-07 15:55     ` akuster808
2019-11-07 16:32       ` Richard Purdie
2019-11-11 10:42         ` Adrian Bunk
2019-11-11 13:12           ` Richard Purdie
2019-11-11 14:14             ` Adrian Bunk
2019-11-11 15:54               ` Khem Raj
2019-11-11 16:13                 ` Adrian Bunk
2019-11-07 11:13 ` Adrian Bunk
2019-11-07 12:13   ` Mikko.Rapeli
2019-11-07 14:47     ` Adrian Bunk

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=3d1470373e6c36e6a6cb1df15d86dc73670b7d63.1573047194.git.mikko.rapeli@bmw.de \
    --to=mikko.rapeli@bmw.de \
    --cc=openembedded-core@lists.openembedded.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.