* [V2][PATCH] cve-check.bbclass: allow skipping non-BPN
@ 2021-02-15 22:42 akuster
  2021-02-16  8:37 ` [OE-core] " Mikko Rapeli
  2021-02-18 16:51 ` Ross Burton
  0 siblings, 2 replies; 3+ messages in thread
From: akuster @ 2021-02-15 22:42 UTC (permalink / raw)
  To: openembedded-core

I don't see the point in logging native, nativesdk etc.
The bottom line is the BPN has the issue.

Allow folks to filter out those other package name variations via
CVE_CHECK_MANIFEST_FILTER

Signed-off-by: Armin Kuster <akuster808@gmail.com>

--
[V2]
rename variable to CVE_CHECK_FILTER_BUILD_TOOLS
---
 meta/classes/cve-check.bbclass | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 112ee3379d3..1bed815d8e4 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -59,6 +59,7 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
 # Layers to be included 
 CVE_CHECK_LAYER_INCLUDELIST ??= ""
 
+CVE_CHECK_FILTER_BUILD_TOOLS ??="0"
 
 # set to "alphabetical" for version using single alphabetical character as increament release
 CVE_VERSION_SUFFIX ??= ""
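Review bot: the new `+CVE_CHECK_FILTER_BUILD_TOOLS ??="0"` line is undocumented and breaks the spacing convention of the surrounding assignments (`CVE_CHECK_LAYER_INCLUDELIST ??= ""`); add a space after `??=` and a one-line comment like the neighbouring variables carry, e.g. `# Set to "1" to skip do_cve_check for recipes whose PN differs from BPN (native, nativesdk, cross, ...)`. The commit message above still calls the variable CVE_CHECK_MANIFEST_FILTER, so it should be updated to the V2 name before this is merged.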
@@ -96,6 +97,13 @@ python do_cve_check () {
     """
 
     if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+        if d.getVar("CVE_CHECK_FILTER_BUILD_TOOLS") == "1":
+            # drop native, nativesdk, cross, etc
+            bpn = d.getVar("BPN")
+            pn = d.getVar("PN")
+            if bpn != pn:
+               return
+
         try:
             patched_cves = get_patches_cves(d)
         except FileNotFoundError:
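Review bot: the early `return` under `if bpn != pn:` silently drops the check for every recipe whose PN differs from BPN, not only the native/nativesdk/cross build tools named in the comment: a recipe that exists only in a nativesdk or native form has no base recipe whose result could stand in for it (Ross Burton's point below), and multilib-prefixed recipes, which are deployed to the target, also end up with a BPN that differs from PN. Consider testing the class actually inherited (bitbake's `bb.data.inherits_class("native", d)` and the nativesdk/cross equivalents) instead of comparing names, and at minimum emit a `bb.note()` before returning so the skip is visible in the build log. Style: the `return` is indented three spaces while the rest of the file uses four.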
@@ -164,6 +172,7 @@ def get_patches_cves(d):
     import re
 
     pn = d.getVar("PN")
+
     cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
 
     # Matches last CVE-1234-211432 in the file name, also if written
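Review bot: this hunk only inserts a blank line after `pn = d.getVar("PN")` and changes nothing in get_patches_cves(); drop it so the patch stays limited to the filter it describes.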
-- 
2.25.1



* Re: [OE-core] [V2][PATCH] cve-check.bbclass: allow skipping non-BPN
  2021-02-15 22:42 [V2][PATCH] cve-check.bbclass: allow skipping non-BPN akuster
@ 2021-02-16  8:37 ` Mikko Rapeli
  2021-02-18 16:51 ` Ross Burton
  1 sibling, 0 replies; 3+ messages in thread
From: Mikko Rapeli @ 2021-02-16  8:37 UTC (permalink / raw)
  To: akuster808; +Cc: openembedded-core

Hi,

On Mon, Feb 15, 2021 at 10:42:54PM +0000, akuster wrote:
> I don't see the point in logging native, nativesdk etc.
> The bottom line is the BPN has the issue.

There have been several cases where different build targets
were applying different patches, e.g. a CVE patch not applied
in the -native or -nativesdk build of the recipe.

That aside, I think this patch is ok.

> Allow folks to filter out those other package name variations via
> CVE_CHECK_MANIFEST_FILTER
> 
> Signed-off-by: Armin Kuster <akuster808@gmail.com>
> 
> --
> [V2]
> rename variable to CVE_CHECK_FILTER_BUILD_TOOLS
> ---
>  meta/classes/cve-check.bbclass | 9 +++++++++
>  1 file changed, 9 insertions(+)
> 
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 112ee3379d3..1bed815d8e4 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -59,6 +59,7 @@ CVE_CHECK_LAYER_EXCLUDELIST ??= ""
>  # Layers to be included 
>  CVE_CHECK_LAYER_INCLUDELIST ??= ""
>
> +CVE_CHECK_FILTER_BUILD_TOOLS ??="0"
>
>  # set to "alphabetical" for version using single alphabetical character as increament release
>  CVE_VERSION_SUFFIX ??= ""
> @@ -96,6 +97,13 @@ python do_cve_check () {
>      """
>
>      if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
> +        if d.getVar("CVE_CHECK_FILTER_BUILD_TOOLS") == "1":
> +            # drop native, nativesdk, cross, etc
> +            bpn = d.getVar("BPN")
> +            pn = d.getVar("PN")
> +            if bpn != pn:
> +               return
> +
>          try:
>              patched_cves = get_patches_cves(d)
>          except FileNotFoundError:
> @@ -164,6 +172,7 @@ def get_patches_cves(d):
>      import re
>
>      pn = d.getVar("PN")
> +

This hunk is not needed.

For the rest, Acked-by: Mikko Rapeli <mikko.rapeli@bmw.de>

Cheers,

-Mikko

>      cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
>
>      # Matches last CVE-1234-211432 in the file name, also if written
> -- 
> 2.25.1


* Re: [OE-core] [V2][PATCH] cve-check.bbclass: allow skipping non-BPN
  2021-02-15 22:42 [V2][PATCH] cve-check.bbclass: allow skipping non-BPN akuster
  2021-02-16  8:37 ` [OE-core] " Mikko Rapeli
@ 2021-02-18 16:51 ` Ross Burton
  1 sibling, 0 replies; 3+ messages in thread
From: Ross Burton @ 2021-02-18 16:51 UTC (permalink / raw)
  To: akuster; +Cc: OE-core

On Mon, 15 Feb 2021 at 22:43, akuster <akuster808@gmail.com> wrote:
> I don't see the point in logging native, nativesdk etc.
> The bottom line is the BPN has the issue.

Unless the base recipe doesn't exist, for example it's nativesdk- or
native-specific.

Whilst native is a build tool and so arguably not as relevant, nativesdk
very much is a deployed artefact.

Ross
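An added example, not code from the patch or from OpenEmbedded/bitbake, that models the hunk's BPN-vs-PN filter over a constructed recipe set so the review points in this thread can be checked offline: the -native/-nativesdk variants the filter is meant to drop, and a recipe that exists only as nativesdk and therefore has no base recipe left to report its CVEs. The BPN derivation is a simplified re-implementation of how bitbake strips a prefix and a SPECIAL_PKGSUFFIX suffix from PN; the prefix list, helper names and recipe names are assumptions. It also covers the multilib (lib32-) case, which the thread does not discuss but which the same name comparison catches.

```python
"""Model of the BPN-vs-PN filter proposed in the patch above.

Added example, not code from the patch or from OpenEmbedded/bitbake. It
reimplements, in simplified form, how bitbake derives BPN from PN
(strip a multilib/nativesdk prefix, then one of the SPECIAL_PKGSUFFIX
suffixes) so the effect of the hunk's `if bpn != pn: return` can be
inspected offline. The prefix list, the helper names and the sample
recipe set below are assumptions made for this example.
"""

# Assumed, simplified copy of bitbake.conf's SPECIAL_PKGSUFFIX list.
SPECIAL_PKGSUFFIX = ("-native", "-cross", "-initial", "-intermediate",
                     "-crosssdk", "-cross-canadian")

# Assumed set of MLPREFIX values: multilib variants and nativesdk.
ML_PREFIXES = ("lib32-", "lib64-", "nativesdk-")


def derive_bpn(pn):
    """Approximate PN -> BPN: drop one known prefix, then one known suffix."""
    for prefix in ML_PREFIXES:
        if pn.startswith(prefix):
            pn = pn[len(prefix):]
            break
    for suffix in SPECIAL_PKGSUFFIX:
        if pn.endswith(suffix):
            return pn[:-len(suffix)]
    return pn


def cve_check_runs(pn, filter_build_tools=True):
    """Mirror the hunk: with CVE_CHECK_FILTER_BUILD_TOOLS == "1" the task
    returns early whenever BPN != PN. True means do_cve_check proceeds."""
    if not filter_build_tools:
        return True
    return derive_bpn(pn) == pn


def classify(recipes, filter_build_tools=True):
    """Map each PN to "checked" or "skipped" under the filter."""
    result = {}
    for pn in recipes:
        result[pn] = "checked" if cve_check_runs(pn, filter_build_tools) else "skipped"
    return result


def uncovered(recipes, filter_build_tools=True):
    """Skipped recipes whose BPN is not itself a recipe in the build: their
    CVEs are reported nowhere once the filter is on."""
    present = set(recipes)
    return sorted(pn for pn in recipes
                  if not cve_check_runs(pn, filter_build_tools)
                  and derive_bpn(pn) not in present)


# Constructed recipe set (assumption): a target recipe with its -native,
# multilib and nativesdk variants, plus a tool that exists only as nativesdk.
SAMPLE_RECIPES = [
    "openssl",
    "openssl-native",
    "lib32-openssl",
    "nativesdk-openssl",
    "nativesdk-example-sdk-tool",
]

if __name__ == "__main__":
    for pn, verdict in classify(SAMPLE_RECIPES).items():
        print(f"{pn:32} BPN={derive_bpn(pn):24} {verdict}")
    print("uncovered:", uncovered(SAMPLE_RECIPES))
```

Running the block lists every sample recipe with its derived BPN and verdict; `uncovered()` is the check a reviewer would want, since any recipe it returns loses its only CVE report when the filter is enabled.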

