| Message ID | 20190716124650.22236-1-ross.burton@intel.com |
|---|---|
| State | Superseded |
| Headers | show |
| Series | cve-check-tool: remove | expand |
May be add a line about why it is being removed On Tue, Jul 16, 2019 at 5:46 AM Ross Burton <ross.burton@intel.com> wrote: > Signed-off-by: Ross Burton <ross.burton@intel.com> > --- > .../cve-check-tool/cve-check-tool_5.6.4.bb | 62 ----- > ...x-freeing-memory-allocated-by-sqlite.patch | 50 ---- > ...erriding-default-CA-certificate-file.patch | 215 ------------------ > ...s-in-percent-when-downloading-CVE-db.patch | 135 ----------- > ...omputed-vs-expected-sha256-digit-str.patch | 52 ----- > ...heck-for-malloc_trim-before-using-it.patch | 51 ----- > 6 files changed, 565 deletions(-) > delete mode 100644 meta/recipes-devtools/cve-check-tool/ > cve-check-tool_5.6.4.bb > delete mode 100644 > meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch > delete mode 100644 > meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch > delete mode 100644 > meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch > delete mode 100644 > meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch > delete mode 100644 > meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch > > diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > deleted file mode 100644 > index 1c84fb1cf2d..00000000000 > --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > +++ /dev/null > @@ -1,62 +0,0 @@ > -SUMMARY = "cve-check-tool" > -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\ > -The tool will identify potentially vunlnerable software packages within > Linux distributions through version matching." > -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool" > -SECTION = "Development/Tools" > -LICENSE = "GPL-2.0+" > -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" > - > -SRC_URI = " > https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz > \ > - file://check-for-malloc_trim-before-using-it.patch \ > - > file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ > - > file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ > - > file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ > - file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \ > - " > - > -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" > -SRC_URI[sha256sum] = > "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b" > - > -UPSTREAM_CHECK_URI = " > https://github.com/ikeydoherty/cve-check-tool/releases" > - > -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl > ca-certificates" > - > -RDEPENDS_${PN} = "ca-certificates" > - > -inherit pkgconfig autotools > - > -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins" > -CFLAGS_append = " -Wno-error=pedantic" > - > -do_populate_cve_db() { > - if [ "${BB_NO_NETWORK}" = "1" ] ; then > - bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool > database, new CVEs won't be detected" > - return > - fi > - > - # In case we don't inherit cve-check class, use default values > defined in the class. > - cve_dir="${CVE_CHECK_DB_DIR}" > - cve_file="${CVE_CHECK_TMP_FILE}" > - > - [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK" > - [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" > - > - unused="${@bb.utils.export_proxies(d)}" > - bbdebug 2 "Updating cve-check-tool database located in $cve_dir" > - # --cacert works around curl-native not finding the CA bundle > - if cve-check-update --cacert > ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then > - printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date > --utc +'%F %T')" > "$cve_file" > - else > - bbwarn "Error in executing cve-check-update" > - if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" > -ne 0 ] ; then > - bbwarn "Failed to update cve-check-tool database, CVEs won't > be checked" > - fi > - fi > -} > - > -addtask populate_cve_db after do_populate_sysroot > -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot" > -do_populate_cve_db[nostamp] = "1" > -do_populate_cve_db[progress] = "percent" > - > -BBCLASSEXTEND = "native nativesdk" > diff --git > a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch > b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch > deleted file mode 100644 > index 4a82cf2dded..00000000000 > --- > a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch > +++ /dev/null > @@ -1,50 +0,0 @@ > -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001 > -From: Peter Marko <peter.marko@siemens.com> > -Date: Thu, 13 Apr 2017 23:09:52 +0200 > -Subject: [PATCH] Fix freeing memory allocated by sqlite > - > -Upstream-Status: Backport > -Signed-off-by: Peter Marko <peter.marko@siemens.com> > ---- > - src/core.c | 8 ++++---- > - 1 file changed, 4 insertions(+), 4 deletions(-) > - > -diff --git a/src/core.c b/src/core.c > -index 6263031..6788f16 100644 > ---- a/src/core.c > -+++ b/src/core.c > -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self) > - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); > - if (rc != SQLITE_OK) { > - fprintf(stderr, "ensure_table(): %s\n", err); > -- free(err); > -+ sqlite3_free(err); > - return false; > - } > - > -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self) > - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); > - if (rc != SQLITE_OK) { > - fprintf(stderr, "ensure_table(): %s\n", err); > -- free(err); > -+ sqlite3_free(err); > - return false; > - } > - > -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self) > - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); > - if (rc != SQLITE_OK) { > - fprintf(stderr, "ensure_table(): %s\n", err); > -- free(err); > -+ sqlite3_free(err); > - return false; > - } > - if (err) { > -- free(err); > -+ sqlite3_free(err); > - } > - > - return true; > --- > -2.1.4 > - > diff --git > a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch > b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch > deleted file mode 100644 > index 3d8ebd1bd26..00000000000 > --- > a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch > +++ /dev/null > @@ -1,215 +0,0 @@ > -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 > -From: Jussi Kukkonen <jussi.kukkonen@intel.com> > -Date: Thu, 9 Feb 2017 14:51:28 +0200 > -Subject: [PATCH] curl: allow overriding default CA certificate file > - > -Similar to curl, --cacert can now be used in cve-check-tool and > -cve-check-update to override the default CA certificate file. Useful > -in cases where the system default is unsuitable (for example, > -out-dated) or broken (as in OE's current native libcurl, which embeds > -a path string from one build host and then uses it on another although > -the right path may have become something different). > - > -Upstream-Status: Submitted [ > https://github.com/ikeydoherty/cve-check-tool/pull/45] > - > -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> > - > - > -Took Patrick Ohlys original patch from meta-security-isafw, rebased > -on top of other patches. > - > -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> > ---- > - src/library/cve-check-tool.h | 1 + > - src/library/fetch.c | 10 +++++++++- > - src/library/fetch.h | 3 ++- > - src/main.c | 5 ++++- > - src/update-main.c | 4 +++- > - src/update.c | 12 +++++++----- > - src/update.h | 2 +- > - 7 files changed, 27 insertions(+), 10 deletions(-) > - > -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h > -index e4bb5b1..f89eade 100644 > ---- a/src/library/cve-check-tool.h > -+++ b/src/library/cve-check-tool.h > -@@ -43,6 +43,7 @@ typedef struct CveCheckTool { > - bool bugs; /**<Whether bug tracking is > enabled */ > - GHashTable *mapping; /**<CVE Mapping */ > - const char *output_file; /**<Output file, if any */ > -+ const char *cacert_file; /**<Non-default SSL certificate > file, if any */ > - } CveCheckTool; > - > - /** > -diff --git a/src/library/fetch.c b/src/library/fetch.c > -index 0fe6d76..8f998c3 100644 > ---- a/src/library/fetch.c > -+++ b/src/library/fetch.c > -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t > dltotal, curl_off_t dlnow > - } > - > - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, > -- unsigned int start_percent, unsigned int > end_percent) > -+ unsigned int start_percent, unsigned int > end_percent, > -+ const char *cacert_file) > - { > - FetchStatus ret = FETCH_STATUS_FAIL; > - CURLcode res; > -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char > *target, bool verbose, > - return ret; > - } > - > -+ if (cacert_file) { > -+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, > cacert_file); > -+ if (res != CURLE_OK) { > -+ goto bail; > -+ } > -+ } > -+ > - if (stat(target, &st) == 0) { > - res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, > CURL_TIMECOND_IFMODSINCE); > - if (res != CURLE_OK) { > -diff --git a/src/library/fetch.h b/src/library/fetch.h > -index 4cce5d1..836c7d7 100644 > ---- a/src/library/fetch.h > -+++ b/src/library/fetch.h > -@@ -29,7 +29,8 @@ typedef enum { > - * @return A FetchStatus, indicating the operation taken > - */ > - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, > -- unsigned int this_percent, unsigned int > next_percent); > -+ unsigned int this_percent, unsigned int > next_percent, > -+ const char *cacert_file); > - > - /** > - * Attempt to extract the given gzipped file > -diff --git a/src/main.c b/src/main.c > -index 8e6f158..ae69d47 100644 > ---- a/src/main.c > -+++ b/src/main.c > -@@ -280,6 +280,7 @@ static bool csv_mode = false; > - static char *modified_stamp = NULL; > - static gchar *mapping_file = NULL; > - static gchar *output_file = NULL; > -+static gchar *cacert_file = NULL; > - > - static GOptionEntry _entries[] = { > - { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide > patched/addressed CVEs", NULL }, > -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = { > - { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV > formatted data only", NULL }, > - { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path > to a mapping file", NULL}, > - { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, > "Path to the output file (output plugin specific)", NULL}, > -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to > the combined SSL certificates file (system default is used if not set)", > NULL}, > - { .short_name = 0 } > - }; > - > -@@ -492,6 +494,7 @@ int main(int argc, char **argv) > - > - quiet = csv_mode || !no_html; > - self->output_file = output_file; > -+ self->cacert_file = cacert_file; > - > - if (!csv_mode && self->output_file) { > - quiet = false; > -@@ -530,7 +533,7 @@ int main(int argc, char **argv) > - if (status) { > - fprintf(stderr, "Update of db forced\n"); > - cve_db_unlock(); > -- if (!update_db(quiet, db_path->str)) { > -+ if (!update_db(quiet, db_path->str, > self->cacert_file)) { > - fprintf(stderr, "DB update failure\n"); > - goto cleanup; > - } > -diff --git a/src/update-main.c b/src/update-main.c > -index 2379cfa..c52d9d0 100644 > ---- a/src/update-main.c > -+++ b/src/update-main.c > -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the > License, or\n\ > - static gchar *nvds = NULL; > - static bool _show_version = false; > - static bool _quiet = false; > -+static const char *_cacert_file = NULL; > - > - static GOptionEntry _entries[] = { > - { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory > in filesystem", NULL }, > - { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show > version", NULL }, > - { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", > NULL }, > -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to > the combined SSL certificates file (system default is used if not set)", > NULL}, > - { .short_name = 0 } > - }; > - > -@@ -88,7 +90,7 @@ int main(int argc, char **argv) > - goto end; > - } > - > -- if (update_db(_quiet, db_path->str)) { > -+ if (update_db(_quiet, db_path->str, _cacert_file)) { > - ret = EXIT_SUCCESS; > - } else { > - fprintf(stderr, "Failed to update database\n"); > -diff --git a/src/update.c b/src/update.c > -index 070560a..8cb4a39 100644 > ---- a/src/update.c > -+++ b/src/update.c > -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char > *update_fname, bool ok) > - > - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, > - bool db_exist, bool verbose, > -- unsigned int this_percent, unsigned int > next_percent) > -+ unsigned int this_percent, unsigned int > next_percent, > -+ const char *cacert_file) > - { > - const char nvd_uri[] = URI_PREFIX; > - autofree(cve_string) *uri_meta = NULL; > -@@ -331,14 +332,14 @@ refetch: > - } > - > - /* Fetch NVD META file */ > -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, > this_percent, this_percent); > -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, > this_percent, this_percent, cacert_file); > - if (st == FETCH_STATUS_FAIL) { > - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); > - return -1; > - } > - > - /* Fetch NVD XML file */ > -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, > this_percent, next_percent); > -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, > this_percent, next_percent, cacert_file); > - switch (st) { > - case FETCH_STATUS_FAIL: > - fprintf(stderr, "Failed to fetch %s\n", > uri_data_gz->str); > -@@ -391,7 +392,7 @@ refetch: > - return 0; > - } > - > --bool update_db(bool quiet, const char *db_file) > -+bool update_db(bool quiet, const char *db_file, const char *cacert_file) > - { > - autofree(char) *db_dir = NULL; > - autofree(CveDB) *cve_db = NULL; > -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) > - if (!quiet) > - fprintf(stderr, "completed: %u%%\r", > start_percent); > - rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, > -- start_percent, end_percent); > -+ start_percent, end_percent, > -+ cacert_file); > - switch (rc) { > - case 0: > - if (!quiet) > -diff --git a/src/update.h b/src/update.h > -index b8e9911..ceea0c3 100644 > ---- a/src/update.h > -+++ b/src/update.h > -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); > - > - int update_required(const char *db_file); > - > --bool update_db(bool quiet, const char *db_file); > -+bool update_db(bool quiet, const char *db_file, const char *cacert_file); > - > - > - /* > --- > -2.1.4 > - > diff --git > a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch > b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch > deleted file mode 100644 > index 8ea6f686e3f..00000000000 > --- > a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch > +++ /dev/null > @@ -1,135 +0,0 @@ > -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001 > -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net> > -Date: Mon, 26 Sep 2016 12:12:41 +0100 > -Subject: [PATCH] print progress in percent when downloading CVE db > -MIME-Version: 1.0 > -Content-Type: text/plain; charset=UTF-8 > -Content-Transfer-Encoding: 8bit > - > -Upstream-Status: Pending > -Signed-off-by: André Draszik <git@andred.net> > ---- > - src/library/fetch.c | 28 +++++++++++++++++++++++++++- > - src/library/fetch.h | 3 ++- > - src/update.c | 16 ++++++++++++---- > - 3 files changed, 41 insertions(+), 6 deletions(-) > - > -diff --git a/src/library/fetch.c b/src/library/fetch.c > -index 06d4b30..0fe6d76 100644 > ---- a/src/library/fetch.c > -+++ b/src/library/fetch.c > -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, > size_t nmemb, struct fetch_t *f > - return fwrite(ptr, size, nmemb, f->f); > - } > - > --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) > -+struct percent_t { > -+ unsigned int start; > -+ unsigned int end; > -+}; > -+ > -+static int progress_callback_new(void *ptr, curl_off_t dltotal, > curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow) > -+{ > -+ (void) ultotal; > -+ (void) ulnow; > -+ > -+ struct percent_t *percent = (struct percent_t *) ptr; > -+ > -+ if (dltotal && percent && percent->end >= percent->start) { > -+ unsigned int diff = percent->end - percent->start; > -+ if (diff) { > -+ fprintf(stderr,"completed: > %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal)); > -+ } > -+ } > -+ > -+ return 0; > -+} > -+ > -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, > -+ unsigned int start_percent, unsigned int > end_percent) > - { > - FetchStatus ret = FETCH_STATUS_FAIL; > - CURLcode res; > - struct stat st; > - CURL *curl = NULL; > - struct fetch_t *f = NULL; > -+ struct percent_t percent = { .start = start_percent, .end = > end_percent }; > - > - curl = curl_easy_init(); > - if (!curl) { > -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char > *target, bool verbose) > - } > - if (verbose) { > - (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L); > -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, > &percent); > -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, > progress_callback_new); > - } > - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, > (curl_write_callback)write_func); > - if (res != CURLE_OK) { > -diff --git a/src/library/fetch.h b/src/library/fetch.h > -index 70c3779..4cce5d1 100644 > ---- a/src/library/fetch.h > -+++ b/src/library/fetch.h > -@@ -28,7 +28,8 @@ typedef enum { > - * @param verbose Whether to be verbose > - * @return A FetchStatus, indicating the operation taken > - */ > --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose); > -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, > -+ unsigned int this_percent, unsigned int > next_percent); > - > - /** > - * Attempt to extract the given gzipped file > -diff --git a/src/update.c b/src/update.c > -index 30fbe96..eaeeefd 100644 > ---- a/src/update.c > -+++ b/src/update.c > -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char > *update_fname, bool ok) > - } > - > - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, > -- bool db_exist, bool verbose) > -+ bool db_exist, bool verbose, > -+ unsigned int this_percent, unsigned int > next_percent) > - { > - const char nvd_uri[] = URI_PREFIX; > - autofree(cve_string) *uri_meta = NULL; > -@@ -330,14 +331,14 @@ refetch: > - } > - > - /* Fetch NVD META file */ > -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose); > -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, > this_percent, this_percent); > - if (st == FETCH_STATUS_FAIL) { > - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); > - return -1; > - } > - > - /* Fetch NVD XML file */ > -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose); > -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, > this_percent, next_percent); > - switch (st) { > - case FETCH_STATUS_FAIL: > - fprintf(stderr, "Failed to fetch %s\n", > uri_data_gz->str); > -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file) > - for (int i = YEAR_START; i <= year+1; i++) { > - int y = i > year ? -1 : i; > - int rc; > -+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) > / (year+2 - YEAR_START); > -+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / > (year+2 - YEAR_START); > - > -- rc = do_fetch_update(y, db_dir, cve_db, db_exist, > !quiet); > -+ if (!quiet) > -+ fprintf(stderr, "completed: %u%%\r", > start_percent); > -+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, > -+ start_percent, end_percent); > - switch (rc) { > - case 0: > -+ if (!quiet) > -+ fprintf(stderr,"completed: %u%%\r", > end_percent); > - continue; > - case ENOMEM: > - goto oom; > --- > -2.9.3 > - > diff --git > a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch > b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch > deleted file mode 100644 > index 458c0cc84e5..00000000000 > --- > a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch > +++ /dev/null > @@ -1,52 +0,0 @@ > -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 > -From: Sergey Popovich <popovich_sergei@mail.ua> > -Date: Fri, 21 Apr 2017 07:32:23 -0700 > -Subject: [PATCH] update: Compare computed vs expected sha256 digit string > - ignoring case > - > -We produce sha256 digest string using %x snprintf() > -qualifier for each byte of digest which uses alphabetic > -characters from "a" to "f" in lower case to represent > -integer values from 10 to 15. > - > -Previously all of the NVD META files supply sha256 > -digest string for corresponding XML file in lower case. > - > -However due to some reason this changed recently to > -provide digest digits in upper case causing fetched > -data consistency checks to fail. This prevents database > -from being updated periodically. > - > -While commit c4f6e94 (update: Do not treat sha256 failure > -as fatal if requested) adds useful option to skip > -digest validation at all and thus provides workaround for > -this situation, it might be unacceptable for some > -deployments where we need to ensure that downloaded > -data is consistent before start parsing it and update > -SQLite database. > - > -Use strcasecmp() to compare two digest strings case > -insensitively and addressing this case. > - > -Upstream-Status: Backport > -Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> > ---- > - src/update.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/src/update.c b/src/update.c > -index 8588f38..3cc6b67 100644 > ---- a/src/update.c > -+++ b/src/update.c > -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const > char *data) > - snprintf(&csum_data[idx], len, "%02hhx", digest[i]); > - } > - > -- ret = streq(csum_meta, csum_data); > -+ ret = !strcasecmp(csum_meta, csum_data); > - > - err_unmap: > - munmap(buffer, length); > --- > -2.11.0 > - > diff --git > a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch > b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch > deleted file mode 100644 > index 0774ad946a4..00000000000 > --- > a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch > +++ /dev/null > @@ -1,51 +0,0 @@ > -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001 > -From: Khem Raj <raj.khem@gmail.com> > -Date: Mon, 22 Aug 2016 22:54:24 -0700 > -Subject: [PATCH] Check for malloc_trim before using it > - > -malloc_trim is gnu specific and not all libc > -implement it, threfore write a configure check > -to poke for it first and use the define to > -guard its use. > - > -Helps in compiling on musl based systems > - > -Signed-off-by: Khem Raj <raj.khem@gmail.com> > ---- > -Upstream-Status: Submitted [ > https://github.com/ikeydoherty/cve-check-tool/pull/48] > - configure.ac | 2 ++ > - src/core.c | 4 ++-- > - 2 files changed, 4 insertions(+), 2 deletions(-) > - > -diff --git a/configure.ac b/configure.ac > -index d3b66ce..79c3542 100644 > ---- a/configure.ac > -+++ b/configure.ac > -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0]) > - m4_define([openssl_required_version],[1.0.0]) > - # TODO: Set minimum sqlite > - > -+AC_CHECK_FUNCS_ONCE(malloc_trim) > -+ > - PKG_CHECK_MODULES(CVE_CHECK_TOOL, > - [ > - glib-2.0 >= glib_required_version, > -diff --git a/src/core.c b/src/core.c > -index 6263031..0d5df29 100644 > ---- a/src/core.c > -+++ b/src/core.c > -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname) > - } > - > - b = true; > -- > -+#ifdef HAVE_MALLOC_TRIM > - malloc_trim(0); > -- > -+#endif > - xmlFreeTextReader(r); > - if (fd) { > - close(fd); > --- > -2.9.3 > - > -- > 2.20.1 > > <div><div dir="auto">May be add a line about why it is being removed </div></div><div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Jul 16, 2019 at 5:46 AM Ross Burton <<a href="mailto:ross.burton@intel.com">ross.burton@intel.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Signed-off-by: Ross Burton <<a href="mailto:ross.burton@intel.com" target="_blank">ross.burton@intel.com</a>><br> ---<br> .../cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a> | 62 -----<br> ...x-freeing-memory-allocated-by-sqlite.patch | 50 ----<br> ...erriding-default-CA-certificate-file.patch | 215 ------------------<br> ...s-in-percent-when-downloading-CVE-db.patch | 135 -----------<br> ...omputed-vs-expected-sha256-digit-str.patch | 52 -----<br> ...heck-for-malloc_trim-before-using-it.patch | 51 -----<br> 6 files changed, 565 deletions(-)<br> delete mode 100644 meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a><br> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch<br> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch<br> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch<br> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch<br> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch<br> <br> diff --git a/meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a> b/meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a><br> deleted file mode 100644<br> index 1c84fb1cf2d..00000000000<br> --- a/meta/recipes-devtools/cve-check-tool/<a href="http://cve-check-tool_5.6.4.bb" rel="noreferrer" target="_blank">cve-check-tool_5.6.4.bb</a><br> +++ /dev/null<br> @@ -1,62 +0,0 @@<br> -SUMMARY = "cve-check-tool"<br> -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\<br> -The tool will identify potentially vunlnerable software packages within Linux distributions through version matching."<br> -HOMEPAGE = "<a href="https://github.com/ikeydoherty/cve-check-tool" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool</a>"<br> -SECTION = "Development/Tools"<br> -LICENSE = "GPL-2.0+"<br> -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"<br> -<br> -SRC_URI = "<a href="https://github.com/ikeydoherty/$%7BBPN%7D/releases/download/v$%7BPV%7D/$%7BBP%7D.tar.xz" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz</a> \<br> - file://check-for-malloc_trim-before-using-it.patch \<br> - file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \<br> - file://0001-curl-allow-overriding-default-CA-certificate-file.patch \<br> - file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \<br> - file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \<br> - "<br> -<br> -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"<br> -SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b"<br> -<br> -UPSTREAM_CHECK_URI = "<a href="https://github.com/ikeydoherty/cve-check-tool/releases" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool/releases</a>"<br> -<br> -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates"<br> -<br> -RDEPENDS_${PN} = "ca-certificates"<br> -<br> -inherit pkgconfig autotools<br> -<br> -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"<br> -CFLAGS_append = " -Wno-error=pedantic"<br> -<br> -do_populate_cve_db() {<br> - if [ "${BB_NO_NETWORK}" = "1" ] ; then<br> - bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected"<br> - return<br> - fi<br> -<br> - # In case we don't inherit cve-check class, use default values defined in the class.<br> - cve_dir="${CVE_CHECK_DB_DIR}"<br> - cve_file="${CVE_CHECK_TMP_FILE}"<br> -<br> - [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK"<br> - [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"<br> -<br> - unused="${@bb.utils.export_proxies(d)}"<br> - bbdebug 2 "Updating cve-check-tool database located in $cve_dir"<br> - # --cacert works around curl-native not finding the CA bundle<br> - if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then<br> - printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"<br> - else<br> - bbwarn "Error in executing cve-check-update"<br> - if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then<br> - bbwarn "Failed to update cve-check-tool database, CVEs won't be checked"<br> - fi<br> - fi<br> -}<br> -<br> -addtask populate_cve_db after do_populate_sysroot<br> -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"<br> -do_populate_cve_db[nostamp] = "1"<br> -do_populate_cve_db[progress] = "percent"<br> -<br> -BBCLASSEXTEND = "native nativesdk"<br> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch<br> deleted file mode 100644<br> index 4a82cf2dded..00000000000<br> --- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch<br> +++ /dev/null<br> @@ -1,50 +0,0 @@<br> -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001<br> -From: Peter Marko <<a href="mailto:peter.marko@siemens.com" target="_blank">peter.marko@siemens.com</a>><br> -Date: Thu, 13 Apr 2017 23:09:52 +0200<br> -Subject: [PATCH] Fix freeing memory allocated by sqlite<br> -<br> -Upstream-Status: Backport<br> -Signed-off-by: Peter Marko <<a href="mailto:peter.marko@siemens.com" target="_blank">peter.marko@siemens.com</a>><br> ----<br> - src/core.c | 8 ++++----<br> - 1 file changed, 4 insertions(+), 4 deletions(-)<br> -<br> -diff --git a/src/core.c b/src/core.c<br> -index 6263031..6788f16 100644<br> ---- a/src/core.c<br> -+++ b/src/core.c<br> -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self)<br> - rc = sqlite3_exec(self->db, query, NULL, NULL, &err);<br> - if (rc != SQLITE_OK) {<br> - fprintf(stderr, "ensure_table(): %s\n", err);<br> -- free(err);<br> -+ sqlite3_free(err);<br> - return false;<br> - }<br> - <br> -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self)<br> - rc = sqlite3_exec(self->db, query, NULL, NULL, &err);<br> - if (rc != SQLITE_OK) {<br> - fprintf(stderr, "ensure_table(): %s\n", err);<br> -- free(err);<br> -+ sqlite3_free(err);<br> - return false;<br> - }<br> - <br> -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self)<br> - rc = sqlite3_exec(self->db, query, NULL, NULL, &err);<br> - if (rc != SQLITE_OK) {<br> - fprintf(stderr, "ensure_table(): %s\n", err);<br> -- free(err);<br> -+ sqlite3_free(err);<br> - return false;<br> - }<br> - if (err) {<br> -- free(err);<br> -+ sqlite3_free(err);<br> - }<br> - <br> - return true;<br> --- <br> -2.1.4<br> -<br> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch<br> deleted file mode 100644<br> index 3d8ebd1bd26..00000000000<br> --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch<br> +++ /dev/null<br> @@ -1,215 +0,0 @@<br> -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001<br> -From: Jussi Kukkonen <<a href="mailto:jussi.kukkonen@intel.com" target="_blank">jussi.kukkonen@intel.com</a>><br> -Date: Thu, 9 Feb 2017 14:51:28 +0200<br> -Subject: [PATCH] curl: allow overriding default CA certificate file<br> -<br> -Similar to curl, --cacert can now be used in cve-check-tool and<br> -cve-check-update to override the default CA certificate file. Useful<br> -in cases where the system default is unsuitable (for example,<br> -out-dated) or broken (as in OE's current native libcurl, which embeds<br> -a path string from one build host and then uses it on another although<br> -the right path may have become something different).<br> -<br> -Upstream-Status: Submitted [<a href="https://github.com/ikeydoherty/cve-check-tool/pull/45" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool/pull/45</a>]<br> -<br> -Signed-off-by: Patrick Ohly <<a href="mailto:patrick.ohly@intel.com" target="_blank">patrick.ohly@intel.com</a>><br> -<br> -<br> -Took Patrick Ohlys original patch from meta-security-isafw, rebased<br> -on top of other patches.<br> -<br> -Signed-off-by: Jussi Kukkonen <<a href="mailto:jussi.kukkonen@intel.com" target="_blank">jussi.kukkonen@intel.com</a>><br> ----<br> - src/library/cve-check-tool.h | 1 +<br> - src/library/fetch.c | 10 +++++++++-<br> - src/library/fetch.h | 3 ++-<br> - src/main.c | 5 ++++-<br> - src/update-main.c | 4 +++-<br> - src/update.c | 12 +++++++-----<br> - src/update.h | 2 +-<br> - 7 files changed, 27 insertions(+), 10 deletions(-)<br> -<br> -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h<br> -index e4bb5b1..f89eade 100644<br> ---- a/src/library/cve-check-tool.h<br> -+++ b/src/library/cve-check-tool.h<br> -@@ -43,6 +43,7 @@ typedef struct CveCheckTool {<br> - bool bugs; /**<Whether bug tracking is enabled */<br> - GHashTable *mapping; /**<CVE Mapping */<br> - const char *output_file; /**<Output file, if any */<br> -+ const char *cacert_file; /**<Non-default SSL certificate file, if any */<br> - } CveCheckTool;<br> - <br> - /**<br> -diff --git a/src/library/fetch.c b/src/library/fetch.c<br> -index 0fe6d76..8f998c3 100644<br> ---- a/src/library/fetch.c<br> -+++ b/src/library/fetch.c<br> -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow<br> - }<br> - <br> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br> -- unsigned int start_percent, unsigned int end_percent)<br> -+ unsigned int start_percent, unsigned int end_percent,<br> -+ const char *cacert_file)<br> - {<br> - FetchStatus ret = FETCH_STATUS_FAIL;<br> - CURLcode res;<br> -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br> - return ret;<br> - }<br> - <br> -+ if (cacert_file) {<br> -+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);<br> -+ if (res != CURLE_OK) {<br> -+ goto bail;<br> -+ }<br> -+ }<br> -+<br> - if (stat(target, &st) == 0) {<br> - res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);<br> - if (res != CURLE_OK) {<br> -diff --git a/src/library/fetch.h b/src/library/fetch.h<br> -index 4cce5d1..836c7d7 100644<br> ---- a/src/library/fetch.h<br> -+++ b/src/library/fetch.h<br> -@@ -29,7 +29,8 @@ typedef enum {<br> - * @return A FetchStatus, indicating the operation taken<br> - */<br> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br> -- unsigned int this_percent, unsigned int next_percent);<br> -+ unsigned int this_percent, unsigned int next_percent,<br> -+ const char *cacert_file);<br> - <br> - /**<br> - * Attempt to extract the given gzipped file<br> -diff --git a/src/main.c b/src/main.c<br> -index 8e6f158..ae69d47 100644<br> ---- a/src/main.c<br> -+++ b/src/main.c<br> -@@ -280,6 +280,7 @@ static bool csv_mode = false;<br> - static char *modified_stamp = NULL;<br> - static gchar *mapping_file = NULL;<br> - static gchar *output_file = NULL;<br> -+static gchar *cacert_file = NULL;<br> - <br> - static GOptionEntry _entries[] = {<br> - { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },<br> -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {<br> - { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },<br> - { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},<br> - { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},<br> -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},<br> - { .short_name = 0 }<br> - };<br> - <br> -@@ -492,6 +494,7 @@ int main(int argc, char **argv)<br> - <br> - quiet = csv_mode || !no_html;<br> - self->output_file = output_file;<br> -+ self->cacert_file = cacert_file;<br> - <br> - if (!csv_mode && self->output_file) {<br> - quiet = false;<br> -@@ -530,7 +533,7 @@ int main(int argc, char **argv)<br> - if (status) {<br> - fprintf(stderr, "Update of db forced\n");<br> - cve_db_unlock();<br> -- if (!update_db(quiet, db_path->str)) {<br> -+ if (!update_db(quiet, db_path->str, self->cacert_file)) {<br> - fprintf(stderr, "DB update failure\n");<br> - goto cleanup;<br> - }<br> -diff --git a/src/update-main.c b/src/update-main.c<br> -index 2379cfa..c52d9d0 100644<br> ---- a/src/update-main.c<br> -+++ b/src/update-main.c<br> -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\<br> - static gchar *nvds = NULL;<br> - static bool _show_version = false;<br> - static bool _quiet = false;<br> -+static const char *_cacert_file = NULL;<br> - <br> - static GOptionEntry _entries[] = {<br> - { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },<br> - { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },<br> - { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },<br> -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},<br> - { .short_name = 0 }<br> - };<br> - <br> -@@ -88,7 +90,7 @@ int main(int argc, char **argv)<br> - goto end;<br> - }<br> - <br> -- if (update_db(_quiet, db_path->str)) {<br> -+ if (update_db(_quiet, db_path->str, _cacert_file)) {<br> - ret = EXIT_SUCCESS;<br> - } else {<br> - fprintf(stderr, "Failed to update database\n");<br> -diff --git a/src/update.c b/src/update.c<br> -index 070560a..8cb4a39 100644<br> ---- a/src/update.c<br> -+++ b/src/update.c<br> -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)<br> - <br> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,<br> - bool db_exist, bool verbose,<br> -- unsigned int this_percent, unsigned int next_percent)<br> -+ unsigned int this_percent, unsigned int next_percent,<br> -+ const char *cacert_file)<br> - {<br> - const char nvd_uri[] = URI_PREFIX;<br> - autofree(cve_string) *uri_meta = NULL;<br> -@@ -331,14 +332,14 @@ refetch:<br> - }<br> - <br> - /* Fetch NVD META file */<br> -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);<br> -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);<br> - if (st == FETCH_STATUS_FAIL) {<br> - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);<br> - return -1;<br> - }<br> - <br> - /* Fetch NVD XML file */<br> -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);<br> -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);<br> - switch (st) {<br> - case FETCH_STATUS_FAIL:<br> - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);<br> -@@ -391,7 +392,7 @@ refetch:<br> - return 0;<br> - }<br> - <br> --bool update_db(bool quiet, const char *db_file)<br> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file)<br> - {<br> - autofree(char) *db_dir = NULL;<br> - autofree(CveDB) *cve_db = NULL;<br> -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)<br> - if (!quiet)<br> - fprintf(stderr, "completed: %u%%\r", start_percent);<br> - rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,<br> -- start_percent, end_percent);<br> -+ start_percent, end_percent,<br> -+ cacert_file);<br> - switch (rc) {<br> - case 0:<br> - if (!quiet)<br> -diff --git a/src/update.h b/src/update.h<br> -index b8e9911..ceea0c3 100644<br> ---- a/src/update.h<br> -+++ b/src/update.h<br> -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);<br> - <br> - int update_required(const char *db_file);<br> - <br> --bool update_db(bool quiet, const char *db_file);<br> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file);<br> - <br> - <br> - /*<br> --- <br> -2.1.4<br> -<br> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch<br> deleted file mode 100644<br> index 8ea6f686e3f..00000000000<br> --- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch<br> +++ /dev/null<br> @@ -1,135 +0,0 @@<br> -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001<br> -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <<a href="mailto:git@andred.net" target="_blank">git@andred.net</a>><br> -Date: Mon, 26 Sep 2016 12:12:41 +0100<br> -Subject: [PATCH] print progress in percent when downloading CVE db<br> -MIME-Version: 1.0<br> -Content-Type: text/plain; charset=UTF-8<br> -Content-Transfer-Encoding: 8bit<br> -<br> -Upstream-Status: Pending<br> -Signed-off-by: André Draszik <<a href="mailto:git@andred.net" target="_blank">git@andred.net</a>><br> ----<br> - src/library/fetch.c | 28 +++++++++++++++++++++++++++-<br> - src/library/fetch.h | 3 ++-<br> - src/update.c | 16 ++++++++++++----<br> - 3 files changed, 41 insertions(+), 6 deletions(-)<br> -<br> -diff --git a/src/library/fetch.c b/src/library/fetch.c<br> -index 06d4b30..0fe6d76 100644<br> ---- a/src/library/fetch.c<br> -+++ b/src/library/fetch.c<br> -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f<br> - return fwrite(ptr, size, nmemb, f->f);<br> - }<br> - <br> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)<br> -+struct percent_t {<br> -+ unsigned int start;<br> -+ unsigned int end;<br> -+};<br> -+<br> -+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow)<br> -+{<br> -+ (void) ultotal;<br> -+ (void) ulnow;<br> -+<br> -+ struct percent_t *percent = (struct percent_t *) ptr;<br> -+<br> -+ if (dltotal && percent && percent->end >= percent->start) {<br> -+ unsigned int diff = percent->end - percent->start;<br> -+ if (diff) {<br> -+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal));<br> -+ }<br> -+ }<br> -+<br> -+ return 0;<br> -+}<br> -+<br> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br> -+ unsigned int start_percent, unsigned int end_percent)<br> - {<br> - FetchStatus ret = FETCH_STATUS_FAIL;<br> - CURLcode res;<br> - struct stat st;<br> - CURL *curl = NULL;<br> - struct fetch_t *f = NULL;<br> -+ struct percent_t percent = { .start = start_percent, .end = end_percent };<br> - <br> - curl = curl_easy_init();<br> - if (!curl) {<br> -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose)<br> - }<br> - if (verbose) {<br> - (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L);<br> -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent);<br> -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new);<br> - }<br> - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func);<br> - if (res != CURLE_OK) {<br> -diff --git a/src/library/fetch.h b/src/library/fetch.h<br> -index 70c3779..4cce5d1 100644<br> ---- a/src/library/fetch.h<br> -+++ b/src/library/fetch.h<br> -@@ -28,7 +28,8 @@ typedef enum {<br> - * @param verbose Whether to be verbose<br> - * @return A FetchStatus, indicating the operation taken<br> - */<br> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose);<br> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,<br> -+ unsigned int this_percent, unsigned int next_percent);<br> - <br> - /**<br> - * Attempt to extract the given gzipped file<br> -diff --git a/src/update.c b/src/update.c<br> -index 30fbe96..eaeeefd 100644<br> ---- a/src/update.c<br> -+++ b/src/update.c<br> -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)<br> - }<br> - <br> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,<br> -- bool db_exist, bool verbose)<br> -+ bool db_exist, bool verbose,<br> -+ unsigned int this_percent, unsigned int next_percent)<br> - {<br> - const char nvd_uri[] = URI_PREFIX;<br> - autofree(cve_string) *uri_meta = NULL;<br> -@@ -330,14 +331,14 @@ refetch:<br> - }<br> - <br> - /* Fetch NVD META file */<br> -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose);<br> -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);<br> - if (st == FETCH_STATUS_FAIL) {<br> - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);<br> - return -1;<br> - }<br> - <br> - /* Fetch NVD XML file */<br> -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose);<br> -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);<br> - switch (st) {<br> - case FETCH_STATUS_FAIL:<br> - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);<br> -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file)<br> - for (int i = YEAR_START; i <= year+1; i++) {<br> - int y = i > year ? -1 : i;<br> - int rc;<br> -+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START);<br> -+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START);<br> - <br> -- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet);<br> -+ if (!quiet)<br> -+ fprintf(stderr, "completed: %u%%\r", start_percent);<br> -+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,<br> -+ start_percent, end_percent);<br> - switch (rc) {<br> - case 0:<br> -+ if (!quiet)<br> -+ fprintf(stderr,"completed: %u%%\r", end_percent);<br> - continue;<br> - case ENOMEM:<br> - goto oom;<br> --- <br> -2.9.3<br> -<br> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch<br> deleted file mode 100644<br> index 458c0cc84e5..00000000000<br> --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch<br> +++ /dev/null<br> @@ -1,52 +0,0 @@<br> -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001<br> -From: Sergey Popovich <<a href="mailto:popovich_sergei@mail.ua" target="_blank">popovich_sergei@mail.ua</a>><br> -Date: Fri, 21 Apr 2017 07:32:23 -0700<br> -Subject: [PATCH] update: Compare computed vs expected sha256 digit string<br> - ignoring case<br> -<br> -We produce sha256 digest string using %x snprintf()<br> -qualifier for each byte of digest which uses alphabetic<br> -characters from "a" to "f" in lower case to represent<br> -integer values from 10 to 15.<br> -<br> -Previously all of the NVD META files supply sha256<br> -digest string for corresponding XML file in lower case.<br> -<br> -However due to some reason this changed recently to<br> -provide digest digits in upper case causing fetched<br> -data consistency checks to fail. This prevents database<br> -from being updated periodically.<br> -<br> -While commit c4f6e94 (update: Do not treat sha256 failure<br> -as fatal if requested) adds useful option to skip<br> -digest validation at all and thus provides workaround for<br> -this situation, it might be unacceptable for some<br> -deployments where we need to ensure that downloaded<br> -data is consistent before start parsing it and update<br> -SQLite database.<br> -<br> -Use strcasecmp() to compare two digest strings case<br> -insensitively and addressing this case.<br> -<br> -Upstream-Status: Backport<br> -Signed-off-by: Sergey Popovich <<a href="mailto:popovich_sergei@mail.ua" target="_blank">popovich_sergei@mail.ua</a>><br> ----<br> - src/update.c | 2 +-<br> - 1 file changed, 1 insertion(+), 1 deletion(-)<br> -<br> -diff --git a/src/update.c b/src/update.c<br> -index 8588f38..3cc6b67 100644<br> ---- a/src/update.c<br> -+++ b/src/update.c<br> -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)<br> - snprintf(&csum_data[idx], len, "%02hhx", digest[i]);<br> - }<br> - <br> -- ret = streq(csum_meta, csum_data);<br> -+ ret = !strcasecmp(csum_meta, csum_data);<br> - <br> - err_unmap:<br> - munmap(buffer, length);<br> --- <br> -2.11.0<br> -<br> diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch<br> deleted file mode 100644<br> index 0774ad946a4..00000000000<br> --- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch<br> +++ /dev/null<br> @@ -1,51 +0,0 @@<br> -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001<br> -From: Khem Raj <<a href="mailto:raj.khem@gmail.com" target="_blank">raj.khem@gmail.com</a>><br> -Date: Mon, 22 Aug 2016 22:54:24 -0700<br> -Subject: [PATCH] Check for malloc_trim before using it<br> -<br> -malloc_trim is gnu specific and not all libc<br> -implement it, threfore write a configure check<br> -to poke for it first and use the define to<br> -guard its use.<br> -<br> -Helps in compiling on musl based systems<br> -<br> -Signed-off-by: Khem Raj <<a href="mailto:raj.khem@gmail.com" target="_blank">raj.khem@gmail.com</a>><br> ----<br> -Upstream-Status: Submitted [<a href="https://github.com/ikeydoherty/cve-check-tool/pull/48" rel="noreferrer" target="_blank">https://github.com/ikeydoherty/cve-check-tool/pull/48</a>]<br> - <a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> | 2 ++<br> - src/core.c | 4 ++--<br> - 2 files changed, 4 insertions(+), 2 deletions(-)<br> -<br> -diff --git a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a> b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br> -index d3b66ce..79c3542 100644<br> ---- a/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br> -+++ b/<a href="http://configure.ac" rel="noreferrer" target="_blank">configure.ac</a><br> -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0])<br> - m4_define([openssl_required_version],[1.0.0])<br> - # TODO: Set minimum sqlite<br> - <br> -+AC_CHECK_FUNCS_ONCE(malloc_trim)<br> -+<br> - PKG_CHECK_MODULES(CVE_CHECK_TOOL,<br> - [<br> - glib-2.0 >= glib_required_version,<br> -diff --git a/src/core.c b/src/core.c<br> -index 6263031..0d5df29 100644<br> ---- a/src/core.c<br> -+++ b/src/core.c<br> -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname)<br> - }<br> - <br> - b = true;<br> --<br> -+#ifdef HAVE_MALLOC_TRIM<br> - malloc_trim(0);<br> --<br> -+#endif<br> - xmlFreeTextReader(r);<br> - if (fd) {<br> - close(fd);<br> --- <br> -2.9.3<br> -<br> -- <br> 2.20.1<br> <br> </blockquote></div></div> -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
Yes, I clearly meant to do that but forgot to check before posting. Ross On Tue, 16 Jul 2019 at 17:30, Khem Raj <raj.khem@gmail.com> wrote: > > May be add a line about why it is being removed > > On Tue, Jul 16, 2019 at 5:46 AM Ross Burton <ross.burton@intel.com> wrote: >> >> Signed-off-by: Ross Burton <ross.burton@intel.com> >> --- >> .../cve-check-tool/cve-check-tool_5.6.4.bb | 62 ----- >> ...x-freeing-memory-allocated-by-sqlite.patch | 50 ---- >> ...erriding-default-CA-certificate-file.patch | 215 ------------------ >> ...s-in-percent-when-downloading-CVE-db.patch | 135 ----------- >> ...omputed-vs-expected-sha256-digit-str.patch | 52 ----- >> ...heck-for-malloc_trim-before-using-it.patch | 51 ----- >> 6 files changed, 565 deletions(-) >> delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb >> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch >> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch >> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch >> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch >> delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch >> >> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb >> deleted file mode 100644 >> index 1c84fb1cf2d..00000000000 >> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb >> +++ /dev/null >> @@ -1,62 +0,0 @@ >> -SUMMARY = "cve-check-tool" >> -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\ >> -The tool will identify potentially vunlnerable software packages within Linux distributions through version matching." >> -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool" >> -SECTION = "Development/Tools" >> -LICENSE = "GPL-2.0+" >> -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" >> - >> -SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ >> - file://check-for-malloc_trim-before-using-it.patch \ >> - file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ >> - file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ >> - file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ >> - file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \ >> - " >> - >> -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" >> -SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b" >> - >> -UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases" >> - >> -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates" >> - >> -RDEPENDS_${PN} = "ca-certificates" >> - >> -inherit pkgconfig autotools >> - >> -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins" >> -CFLAGS_append = " -Wno-error=pedantic" >> - >> -do_populate_cve_db() { >> - if [ "${BB_NO_NETWORK}" = "1" ] ; then >> - bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected" >> - return >> - fi >> - >> - # In case we don't inherit cve-check class, use default values defined in the class. >> - cve_dir="${CVE_CHECK_DB_DIR}" >> - cve_file="${CVE_CHECK_TMP_FILE}" >> - >> - [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK" >> - [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" >> - >> - unused="${@bb.utils.export_proxies(d)}" >> - bbdebug 2 "Updating cve-check-tool database located in $cve_dir" >> - # --cacert works around curl-native not finding the CA bundle >> - if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then >> - printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" >> - else >> - bbwarn "Error in executing cve-check-update" >> - if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then >> - bbwarn "Failed to update cve-check-tool database, CVEs won't be checked" >> - fi >> - fi >> -} >> - >> -addtask populate_cve_db after do_populate_sysroot >> -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot" >> -do_populate_cve_db[nostamp] = "1" >> -do_populate_cve_db[progress] = "percent" >> - >> -BBCLASSEXTEND = "native nativesdk" >> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch >> deleted file mode 100644 >> index 4a82cf2dded..00000000000 >> --- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch >> +++ /dev/null >> @@ -1,50 +0,0 @@ >> -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001 >> -From: Peter Marko <peter.marko@siemens.com> >> -Date: Thu, 13 Apr 2017 23:09:52 +0200 >> -Subject: [PATCH] Fix freeing memory allocated by sqlite >> - >> -Upstream-Status: Backport >> -Signed-off-by: Peter Marko <peter.marko@siemens.com> >> ---- >> - src/core.c | 8 ++++---- >> - 1 file changed, 4 insertions(+), 4 deletions(-) >> - >> -diff --git a/src/core.c b/src/core.c >> -index 6263031..6788f16 100644 >> ---- a/src/core.c >> -+++ b/src/core.c >> -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self) >> - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); >> - if (rc != SQLITE_OK) { >> - fprintf(stderr, "ensure_table(): %s\n", err); >> -- free(err); >> -+ sqlite3_free(err); >> - return false; >> - } >> - >> -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self) >> - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); >> - if (rc != SQLITE_OK) { >> - fprintf(stderr, "ensure_table(): %s\n", err); >> -- free(err); >> -+ sqlite3_free(err); >> - return false; >> - } >> - >> -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self) >> - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); >> - if (rc != SQLITE_OK) { >> - fprintf(stderr, "ensure_table(): %s\n", err); >> -- free(err); >> -+ sqlite3_free(err); >> - return false; >> - } >> - if (err) { >> -- free(err); >> -+ sqlite3_free(err); >> - } >> - >> - return true; >> --- >> -2.1.4 >> - >> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch >> deleted file mode 100644 >> index 3d8ebd1bd26..00000000000 >> --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch >> +++ /dev/null >> @@ -1,215 +0,0 @@ >> -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 >> -From: Jussi Kukkonen <jussi.kukkonen@intel.com> >> -Date: Thu, 9 Feb 2017 14:51:28 +0200 >> -Subject: [PATCH] curl: allow overriding default CA certificate file >> - >> -Similar to curl, --cacert can now be used in cve-check-tool and >> -cve-check-update to override the default CA certificate file. Useful >> -in cases where the system default is unsuitable (for example, >> -out-dated) or broken (as in OE's current native libcurl, which embeds >> -a path string from one build host and then uses it on another although >> -the right path may have become something different). >> - >> -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] >> - >> -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> >> - >> - >> -Took Patrick Ohlys original patch from meta-security-isafw, rebased >> -on top of other patches. >> - >> -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> >> ---- >> - src/library/cve-check-tool.h | 1 + >> - src/library/fetch.c | 10 +++++++++- >> - src/library/fetch.h | 3 ++- >> - src/main.c | 5 ++++- >> - src/update-main.c | 4 +++- >> - src/update.c | 12 +++++++----- >> - src/update.h | 2 +- >> - 7 files changed, 27 insertions(+), 10 deletions(-) >> - >> -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h >> -index e4bb5b1..f89eade 100644 >> ---- a/src/library/cve-check-tool.h >> -+++ b/src/library/cve-check-tool.h >> -@@ -43,6 +43,7 @@ typedef struct CveCheckTool { >> - bool bugs; /**<Whether bug tracking is enabled */ >> - GHashTable *mapping; /**<CVE Mapping */ >> - const char *output_file; /**<Output file, if any */ >> -+ const char *cacert_file; /**<Non-default SSL certificate file, if any */ >> - } CveCheckTool; >> - >> - /** >> -diff --git a/src/library/fetch.c b/src/library/fetch.c >> -index 0fe6d76..8f998c3 100644 >> ---- a/src/library/fetch.c >> -+++ b/src/library/fetch.c >> -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow >> - } >> - >> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, >> -- unsigned int start_percent, unsigned int end_percent) >> -+ unsigned int start_percent, unsigned int end_percent, >> -+ const char *cacert_file) >> - { >> - FetchStatus ret = FETCH_STATUS_FAIL; >> - CURLcode res; >> -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, >> - return ret; >> - } >> - >> -+ if (cacert_file) { >> -+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file); >> -+ if (res != CURLE_OK) { >> -+ goto bail; >> -+ } >> -+ } >> -+ >> - if (stat(target, &st) == 0) { >> - res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE); >> - if (res != CURLE_OK) { >> -diff --git a/src/library/fetch.h b/src/library/fetch.h >> -index 4cce5d1..836c7d7 100644 >> ---- a/src/library/fetch.h >> -+++ b/src/library/fetch.h >> -@@ -29,7 +29,8 @@ typedef enum { >> - * @return A FetchStatus, indicating the operation taken >> - */ >> - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, >> -- unsigned int this_percent, unsigned int next_percent); >> -+ unsigned int this_percent, unsigned int next_percent, >> -+ const char *cacert_file); >> - >> - /** >> - * Attempt to extract the given gzipped file >> -diff --git a/src/main.c b/src/main.c >> -index 8e6f158..ae69d47 100644 >> ---- a/src/main.c >> -+++ b/src/main.c >> -@@ -280,6 +280,7 @@ static bool csv_mode = false; >> - static char *modified_stamp = NULL; >> - static gchar *mapping_file = NULL; >> - static gchar *output_file = NULL; >> -+static gchar *cacert_file = NULL; >> - >> - static GOptionEntry _entries[] = { >> - { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL }, >> -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = { >> - { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL }, >> - { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL}, >> - { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL}, >> -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, >> - { .short_name = 0 } >> - }; >> - >> -@@ -492,6 +494,7 @@ int main(int argc, char **argv) >> - >> - quiet = csv_mode || !no_html; >> - self->output_file = output_file; >> -+ self->cacert_file = cacert_file; >> - >> - if (!csv_mode && self->output_file) { >> - quiet = false; >> -@@ -530,7 +533,7 @@ int main(int argc, char **argv) >> - if (status) { >> - fprintf(stderr, "Update of db forced\n"); >> - cve_db_unlock(); >> -- if (!update_db(quiet, db_path->str)) { >> -+ if (!update_db(quiet, db_path->str, self->cacert_file)) { >> - fprintf(stderr, "DB update failure\n"); >> - goto cleanup; >> - } >> -diff --git a/src/update-main.c b/src/update-main.c >> -index 2379cfa..c52d9d0 100644 >> ---- a/src/update-main.c >> -+++ b/src/update-main.c >> -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\ >> - static gchar *nvds = NULL; >> - static bool _show_version = false; >> - static bool _quiet = false; >> -+static const char *_cacert_file = NULL; >> - >> - static GOptionEntry _entries[] = { >> - { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, >> - { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, >> - { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, >> -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, >> - { .short_name = 0 } >> - }; >> - >> -@@ -88,7 +90,7 @@ int main(int argc, char **argv) >> - goto end; >> - } >> - >> -- if (update_db(_quiet, db_path->str)) { >> -+ if (update_db(_quiet, db_path->str, _cacert_file)) { >> - ret = EXIT_SUCCESS; >> - } else { >> - fprintf(stderr, "Failed to update database\n"); >> -diff --git a/src/update.c b/src/update.c >> -index 070560a..8cb4a39 100644 >> ---- a/src/update.c >> -+++ b/src/update.c >> -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) >> - >> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, >> - bool db_exist, bool verbose, >> -- unsigned int this_percent, unsigned int next_percent) >> -+ unsigned int this_percent, unsigned int next_percent, >> -+ const char *cacert_file) >> - { >> - const char nvd_uri[] = URI_PREFIX; >> - autofree(cve_string) *uri_meta = NULL; >> -@@ -331,14 +332,14 @@ refetch: >> - } >> - >> - /* Fetch NVD META file */ >> -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); >> -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); >> - if (st == FETCH_STATUS_FAIL) { >> - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); >> - return -1; >> - } >> - >> - /* Fetch NVD XML file */ >> -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); >> -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file); >> - switch (st) { >> - case FETCH_STATUS_FAIL: >> - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); >> -@@ -391,7 +392,7 @@ refetch: >> - return 0; >> - } >> - >> --bool update_db(bool quiet, const char *db_file) >> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file) >> - { >> - autofree(char) *db_dir = NULL; >> - autofree(CveDB) *cve_db = NULL; >> -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) >> - if (!quiet) >> - fprintf(stderr, "completed: %u%%\r", start_percent); >> - rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, >> -- start_percent, end_percent); >> -+ start_percent, end_percent, >> -+ cacert_file); >> - switch (rc) { >> - case 0: >> - if (!quiet) >> -diff --git a/src/update.h b/src/update.h >> -index b8e9911..ceea0c3 100644 >> ---- a/src/update.h >> -+++ b/src/update.h >> -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); >> - >> - int update_required(const char *db_file); >> - >> --bool update_db(bool quiet, const char *db_file); >> -+bool update_db(bool quiet, const char *db_file, const char *cacert_file); >> - >> - >> - /* >> --- >> -2.1.4 >> - >> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch >> deleted file mode 100644 >> index 8ea6f686e3f..00000000000 >> --- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch >> +++ /dev/null >> @@ -1,135 +0,0 @@ >> -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001 >> -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net> >> -Date: Mon, 26 Sep 2016 12:12:41 +0100 >> -Subject: [PATCH] print progress in percent when downloading CVE db >> -MIME-Version: 1.0 >> -Content-Type: text/plain; charset=UTF-8 >> -Content-Transfer-Encoding: 8bit >> - >> -Upstream-Status: Pending >> -Signed-off-by: André Draszik <git@andred.net> >> ---- >> - src/library/fetch.c | 28 +++++++++++++++++++++++++++- >> - src/library/fetch.h | 3 ++- >> - src/update.c | 16 ++++++++++++---- >> - 3 files changed, 41 insertions(+), 6 deletions(-) >> - >> -diff --git a/src/library/fetch.c b/src/library/fetch.c >> -index 06d4b30..0fe6d76 100644 >> ---- a/src/library/fetch.c >> -+++ b/src/library/fetch.c >> -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f >> - return fwrite(ptr, size, nmemb, f->f); >> - } >> - >> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) >> -+struct percent_t { >> -+ unsigned int start; >> -+ unsigned int end; >> -+}; >> -+ >> -+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow) >> -+{ >> -+ (void) ultotal; >> -+ (void) ulnow; >> -+ >> -+ struct percent_t *percent = (struct percent_t *) ptr; >> -+ >> -+ if (dltotal && percent && percent->end >= percent->start) { >> -+ unsigned int diff = percent->end - percent->start; >> -+ if (diff) { >> -+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal)); >> -+ } >> -+ } >> -+ >> -+ return 0; >> -+} >> -+ >> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, >> -+ unsigned int start_percent, unsigned int end_percent) >> - { >> - FetchStatus ret = FETCH_STATUS_FAIL; >> - CURLcode res; >> - struct stat st; >> - CURL *curl = NULL; >> - struct fetch_t *f = NULL; >> -+ struct percent_t percent = { .start = start_percent, .end = end_percent }; >> - >> - curl = curl_easy_init(); >> - if (!curl) { >> -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) >> - } >> - if (verbose) { >> - (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L); >> -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent); >> -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new); >> - } >> - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func); >> - if (res != CURLE_OK) { >> -diff --git a/src/library/fetch.h b/src/library/fetch.h >> -index 70c3779..4cce5d1 100644 >> ---- a/src/library/fetch.h >> -+++ b/src/library/fetch.h >> -@@ -28,7 +28,8 @@ typedef enum { >> - * @param verbose Whether to be verbose >> - * @return A FetchStatus, indicating the operation taken >> - */ >> --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose); >> -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, >> -+ unsigned int this_percent, unsigned int next_percent); >> - >> - /** >> - * Attempt to extract the given gzipped file >> -diff --git a/src/update.c b/src/update.c >> -index 30fbe96..eaeeefd 100644 >> ---- a/src/update.c >> -+++ b/src/update.c >> -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) >> - } >> - >> - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, >> -- bool db_exist, bool verbose) >> -+ bool db_exist, bool verbose, >> -+ unsigned int this_percent, unsigned int next_percent) >> - { >> - const char nvd_uri[] = URI_PREFIX; >> - autofree(cve_string) *uri_meta = NULL; >> -@@ -330,14 +331,14 @@ refetch: >> - } >> - >> - /* Fetch NVD META file */ >> -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose); >> -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); >> - if (st == FETCH_STATUS_FAIL) { >> - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); >> - return -1; >> - } >> - >> - /* Fetch NVD XML file */ >> -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose); >> -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); >> - switch (st) { >> - case FETCH_STATUS_FAIL: >> - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); >> -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file) >> - for (int i = YEAR_START; i <= year+1; i++) { >> - int y = i > year ? -1 : i; >> - int rc; >> -+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START); >> -+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START); >> - >> -- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet); >> -+ if (!quiet) >> -+ fprintf(stderr, "completed: %u%%\r", start_percent); >> -+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, >> -+ start_percent, end_percent); >> - switch (rc) { >> - case 0: >> -+ if (!quiet) >> -+ fprintf(stderr,"completed: %u%%\r", end_percent); >> - continue; >> - case ENOMEM: >> - goto oom; >> --- >> -2.9.3 >> - >> diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch >> deleted file mode 100644 >> index 458c0cc84e5..00000000000 >> --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch >> +++ /dev/null >> @@ -1,52 +0,0 @@ >> -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 >> -From: Sergey Popovich <popovich_sergei@mail.ua> >> -Date: Fri, 21 Apr 2017 07:32:23 -0700 >> -Subject: [PATCH] update: Compare computed vs expected sha256 digit string >> - ignoring case >> - >> -We produce sha256 digest string using %x snprintf() >> -qualifier for each byte of digest which uses alphabetic >> -characters from "a" to "f" in lower case to represent >> -integer values from 10 to 15. >> - >> -Previously all of the NVD META files supply sha256 >> -digest string for corresponding XML file in lower case. >> - >> -However due to some reason this changed recently to >> -provide digest digits in upper case causing fetched >> -data consistency checks to fail. This prevents database >> -from being updated periodically. >> - >> -While commit c4f6e94 (update: Do not treat sha256 failure >> -as fatal if requested) adds useful option to skip >> -digest validation at all and thus provides workaround for >> -this situation, it might be unacceptable for some >> -deployments where we need to ensure that downloaded >> -data is consistent before start parsing it and update >> -SQLite database. >> - >> -Use strcasecmp() to compare two digest strings case >> -insensitively and addressing this case. >> - >> -Upstream-Status: Backport >> -Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> >> ---- >> - src/update.c | 2 +- >> - 1 file changed, 1 insertion(+), 1 deletion(-) >> - >> -diff --git a/src/update.c b/src/update.c >> -index 8588f38..3cc6b67 100644 >> ---- a/src/update.c >> -+++ b/src/update.c >> -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) >> - snprintf(&csum_data[idx], len, "%02hhx", digest[i]); >> - } >> - >> -- ret = streq(csum_meta, csum_data); >> -+ ret = !strcasecmp(csum_meta, csum_data); >> - >> - err_unmap: >> - munmap(buffer, length); >> --- >> -2.11.0 >> - >> diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch >> deleted file mode 100644 >> index 0774ad946a4..00000000000 >> --- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch >> +++ /dev/null >> @@ -1,51 +0,0 @@ >> -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001 >> -From: Khem Raj <raj.khem@gmail.com> >> -Date: Mon, 22 Aug 2016 22:54:24 -0700 >> -Subject: [PATCH] Check for malloc_trim before using it >> - >> -malloc_trim is gnu specific and not all libc >> -implement it, threfore write a configure check >> -to poke for it first and use the define to >> -guard its use. >> - >> -Helps in compiling on musl based systems >> - >> -Signed-off-by: Khem Raj <raj.khem@gmail.com> >> ---- >> -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48] >> - configure.ac | 2 ++ >> - src/core.c | 4 ++-- >> - 2 files changed, 4 insertions(+), 2 deletions(-) >> - >> -diff --git a/configure.ac b/configure.ac >> -index d3b66ce..79c3542 100644 >> ---- a/configure.ac >> -+++ b/configure.ac >> -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0]) >> - m4_define([openssl_required_version],[1.0.0]) >> - # TODO: Set minimum sqlite >> - >> -+AC_CHECK_FUNCS_ONCE(malloc_trim) >> -+ >> - PKG_CHECK_MODULES(CVE_CHECK_TOOL, >> - [ >> - glib-2.0 >= glib_required_version, >> -diff --git a/src/core.c b/src/core.c >> -index 6263031..0d5df29 100644 >> ---- a/src/core.c >> -+++ b/src/core.c >> -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname) >> - } >> - >> - b = true; >> -- >> -+#ifdef HAVE_MALLOC_TRIM >> - malloc_trim(0); >> -- >> -+#endif >> - xmlFreeTextReader(r); >> - if (fd) { >> - close(fd); >> --- >> -2.9.3 >> - >> -- >> 2.20.1 >>
diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb deleted file mode 100644 index 1c84fb1cf2d..00000000000 --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb +++ /dev/null @@ -1,62 +0,0 @@ -SUMMARY = "cve-check-tool" -DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\ -The tool will identify potentially vunlnerable software packages within Linux distributions through version matching." -HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool" -SECTION = "Development/Tools" -LICENSE = "GPL-2.0+" -LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" - -SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \ - file://check-for-malloc_trim-before-using-it.patch \ - file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \ - file://0001-curl-allow-overriding-default-CA-certificate-file.patch \ - file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \ - file://0001-Fix-freeing-memory-allocated-by-sqlite.patch \ - " - -SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" -SRC_URI[sha256sum] = "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b" - -UPSTREAM_CHECK_URI = "https://github.com/ikeydoherty/cve-check-tool/releases" - -DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl ca-certificates" - -RDEPENDS_${PN} = "ca-certificates" - -inherit pkgconfig autotools - -EXTRA_OECONF = "--disable-coverage --enable-relative-plugins" -CFLAGS_append = " -Wno-error=pedantic" - -do_populate_cve_db() { - if [ "${BB_NO_NETWORK}" = "1" ] ; then - bbwarn "BB_NO_NETWORK is set; Can't update cve-check-tool database, new CVEs won't be detected" - return - fi - - # In case we don't inherit cve-check class, use default values defined in the class. - cve_dir="${CVE_CHECK_DB_DIR}" - cve_file="${CVE_CHECK_TMP_FILE}" - - [ -z "${cve_dir}" ] && cve_dir="${DL_DIR}/CVE_CHECK" - [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check" - - unused="${@bb.utils.export_proxies(d)}" - bbdebug 2 "Updating cve-check-tool database located in $cve_dir" - # --cacert works around curl-native not finding the CA bundle - if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then - printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file" - else - bbwarn "Error in executing cve-check-update" - if [ "${@'1' if bb.data.inherits_class('cve-check', d) else '0'}" -ne 0 ] ; then - bbwarn "Failed to update cve-check-tool database, CVEs won't be checked" - fi - fi -} - -addtask populate_cve_db after do_populate_sysroot -do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot" -do_populate_cve_db[nostamp] = "1" -do_populate_cve_db[progress] = "percent" - -BBCLASSEXTEND = "native nativesdk" diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch b/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch deleted file mode 100644 index 4a82cf2dded..00000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch +++ /dev/null @@ -1,50 +0,0 @@ -From a3353429652f83bb8b0316500faa88fa2555542d Mon Sep 17 00:00:00 2001 -From: Peter Marko <peter.marko@siemens.com> -Date: Thu, 13 Apr 2017 23:09:52 +0200 -Subject: [PATCH] Fix freeing memory allocated by sqlite - -Upstream-Status: Backport -Signed-off-by: Peter Marko <peter.marko@siemens.com> ---- - src/core.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/src/core.c b/src/core.c -index 6263031..6788f16 100644 ---- a/src/core.c -+++ b/src/core.c -@@ -82,7 +82,7 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - -@@ -91,7 +91,7 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - -@@ -99,11 +99,11 @@ static bool ensure_table(CveDB *self) - rc = sqlite3_exec(self->db, query, NULL, NULL, &err); - if (rc != SQLITE_OK) { - fprintf(stderr, "ensure_table(): %s\n", err); -- free(err); -+ sqlite3_free(err); - return false; - } - if (err) { -- free(err); -+ sqlite3_free(err); - } - - return true; --- -2.1.4 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch deleted file mode 100644 index 3d8ebd1bd26..00000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch +++ /dev/null @@ -1,215 +0,0 @@ -From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001 -From: Jussi Kukkonen <jussi.kukkonen@intel.com> -Date: Thu, 9 Feb 2017 14:51:28 +0200 -Subject: [PATCH] curl: allow overriding default CA certificate file - -Similar to curl, --cacert can now be used in cve-check-tool and -cve-check-update to override the default CA certificate file. Useful -in cases where the system default is unsuitable (for example, -out-dated) or broken (as in OE's current native libcurl, which embeds -a path string from one build host and then uses it on another although -the right path may have become something different). - -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45] - -Signed-off-by: Patrick Ohly <patrick.ohly@intel.com> - - -Took Patrick Ohlys original patch from meta-security-isafw, rebased -on top of other patches. - -Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> ---- - src/library/cve-check-tool.h | 1 + - src/library/fetch.c | 10 +++++++++- - src/library/fetch.h | 3 ++- - src/main.c | 5 ++++- - src/update-main.c | 4 +++- - src/update.c | 12 +++++++----- - src/update.h | 2 +- - 7 files changed, 27 insertions(+), 10 deletions(-) - -diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h -index e4bb5b1..f89eade 100644 ---- a/src/library/cve-check-tool.h -+++ b/src/library/cve-check-tool.h -@@ -43,6 +43,7 @@ typedef struct CveCheckTool { - bool bugs; /**<Whether bug tracking is enabled */ - GHashTable *mapping; /**<CVE Mapping */ - const char *output_file; /**<Output file, if any */ -+ const char *cacert_file; /**<Non-default SSL certificate file, if any */ - } CveCheckTool; - - /** -diff --git a/src/library/fetch.c b/src/library/fetch.c -index 0fe6d76..8f998c3 100644 ---- a/src/library/fetch.c -+++ b/src/library/fetch.c -@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow - } - - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -- unsigned int start_percent, unsigned int end_percent) -+ unsigned int start_percent, unsigned int end_percent, -+ const char *cacert_file) - { - FetchStatus ret = FETCH_STATUS_FAIL; - CURLcode res; -@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, - return ret; - } - -+ if (cacert_file) { -+ res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file); -+ if (res != CURLE_OK) { -+ goto bail; -+ } -+ } -+ - if (stat(target, &st) == 0) { - res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE); - if (res != CURLE_OK) { -diff --git a/src/library/fetch.h b/src/library/fetch.h -index 4cce5d1..836c7d7 100644 ---- a/src/library/fetch.h -+++ b/src/library/fetch.h -@@ -29,7 +29,8 @@ typedef enum { - * @return A FetchStatus, indicating the operation taken - */ - FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -- unsigned int this_percent, unsigned int next_percent); -+ unsigned int this_percent, unsigned int next_percent, -+ const char *cacert_file); - - /** - * Attempt to extract the given gzipped file -diff --git a/src/main.c b/src/main.c -index 8e6f158..ae69d47 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -280,6 +280,7 @@ static bool csv_mode = false; - static char *modified_stamp = NULL; - static gchar *mapping_file = NULL; - static gchar *output_file = NULL; -+static gchar *cacert_file = NULL; - - static GOptionEntry _entries[] = { - { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL }, -@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = { - { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL }, - { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL}, - { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL}, -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, - { .short_name = 0 } - }; - -@@ -492,6 +494,7 @@ int main(int argc, char **argv) - - quiet = csv_mode || !no_html; - self->output_file = output_file; -+ self->cacert_file = cacert_file; - - if (!csv_mode && self->output_file) { - quiet = false; -@@ -530,7 +533,7 @@ int main(int argc, char **argv) - if (status) { - fprintf(stderr, "Update of db forced\n"); - cve_db_unlock(); -- if (!update_db(quiet, db_path->str)) { -+ if (!update_db(quiet, db_path->str, self->cacert_file)) { - fprintf(stderr, "DB update failure\n"); - goto cleanup; - } -diff --git a/src/update-main.c b/src/update-main.c -index 2379cfa..c52d9d0 100644 ---- a/src/update-main.c -+++ b/src/update-main.c -@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\ - static gchar *nvds = NULL; - static bool _show_version = false; - static bool _quiet = false; -+static const char *_cacert_file = NULL; - - static GOptionEntry _entries[] = { - { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL }, - { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL }, - { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL }, -+ { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL}, - { .short_name = 0 } - }; - -@@ -88,7 +90,7 @@ int main(int argc, char **argv) - goto end; - } - -- if (update_db(_quiet, db_path->str)) { -+ if (update_db(_quiet, db_path->str, _cacert_file)) { - ret = EXIT_SUCCESS; - } else { - fprintf(stderr, "Failed to update database\n"); -diff --git a/src/update.c b/src/update.c -index 070560a..8cb4a39 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) - - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, - bool db_exist, bool verbose, -- unsigned int this_percent, unsigned int next_percent) -+ unsigned int this_percent, unsigned int next_percent, -+ const char *cacert_file) - { - const char nvd_uri[] = URI_PREFIX; - autofree(cve_string) *uri_meta = NULL; -@@ -331,14 +332,14 @@ refetch: - } - - /* Fetch NVD META file */ -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file); - if (st == FETCH_STATUS_FAIL) { - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); - return -1; - } - - /* Fetch NVD XML file */ -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file); - switch (st) { - case FETCH_STATUS_FAIL: - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); -@@ -391,7 +392,7 @@ refetch: - return 0; - } - --bool update_db(bool quiet, const char *db_file) -+bool update_db(bool quiet, const char *db_file, const char *cacert_file) - { - autofree(char) *db_dir = NULL; - autofree(CveDB) *cve_db = NULL; -@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file) - if (!quiet) - fprintf(stderr, "completed: %u%%\r", start_percent); - rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, -- start_percent, end_percent); -+ start_percent, end_percent, -+ cacert_file); - switch (rc) { - case 0: - if (!quiet) -diff --git a/src/update.h b/src/update.h -index b8e9911..ceea0c3 100644 ---- a/src/update.h -+++ b/src/update.h -@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path); - - int update_required(const char *db_file); - --bool update_db(bool quiet, const char *db_file); -+bool update_db(bool quiet, const char *db_file, const char *cacert_file); - - - /* --- -2.1.4 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch b/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch deleted file mode 100644 index 8ea6f686e3f..00000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch +++ /dev/null @@ -1,135 +0,0 @@ -From e9ed26cde63f8ca7607a010a518329339f8c02d3 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Andr=C3=A9=20Draszik?= <git@andred.net> -Date: Mon, 26 Sep 2016 12:12:41 +0100 -Subject: [PATCH] print progress in percent when downloading CVE db -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream-Status: Pending -Signed-off-by: André Draszik <git@andred.net> ---- - src/library/fetch.c | 28 +++++++++++++++++++++++++++- - src/library/fetch.h | 3 ++- - src/update.c | 16 ++++++++++++---- - 3 files changed, 41 insertions(+), 6 deletions(-) - -diff --git a/src/library/fetch.c b/src/library/fetch.c -index 06d4b30..0fe6d76 100644 ---- a/src/library/fetch.c -+++ b/src/library/fetch.c -@@ -37,13 +37,37 @@ static size_t write_func(void *ptr, size_t size, size_t nmemb, struct fetch_t *f - return fwrite(ptr, size, nmemb, f->f); - } - --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) -+struct percent_t { -+ unsigned int start; -+ unsigned int end; -+}; -+ -+static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow, curl_off_t ultotal, curl_off_t ulnow) -+{ -+ (void) ultotal; -+ (void) ulnow; -+ -+ struct percent_t *percent = (struct percent_t *) ptr; -+ -+ if (dltotal && percent && percent->end >= percent->start) { -+ unsigned int diff = percent->end - percent->start; -+ if (diff) { -+ fprintf(stderr,"completed: %"CURL_FORMAT_CURL_OFF_T"%%\r", percent->start + (diff * dlnow / dltotal)); -+ } -+ } -+ -+ return 0; -+} -+ -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -+ unsigned int start_percent, unsigned int end_percent) - { - FetchStatus ret = FETCH_STATUS_FAIL; - CURLcode res; - struct stat st; - CURL *curl = NULL; - struct fetch_t *f = NULL; -+ struct percent_t percent = { .start = start_percent, .end = end_percent }; - - curl = curl_easy_init(); - if (!curl) { -@@ -67,6 +91,8 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose) - } - if (verbose) { - (void)curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 0L); -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFODATA, &percent); -+ (void)curl_easy_setopt(curl, CURLOPT_XFERINFOFUNCTION, progress_callback_new); - } - res = curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, (curl_write_callback)write_func); - if (res != CURLE_OK) { -diff --git a/src/library/fetch.h b/src/library/fetch.h -index 70c3779..4cce5d1 100644 ---- a/src/library/fetch.h -+++ b/src/library/fetch.h -@@ -28,7 +28,8 @@ typedef enum { - * @param verbose Whether to be verbose - * @return A FetchStatus, indicating the operation taken - */ --FetchStatus fetch_uri(const char *uri, const char *target, bool verbose); -+FetchStatus fetch_uri(const char *uri, const char *target, bool verbose, -+ unsigned int this_percent, unsigned int next_percent); - - /** - * Attempt to extract the given gzipped file -diff --git a/src/update.c b/src/update.c -index 30fbe96..eaeeefd 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -266,7 +266,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok) - } - - static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db, -- bool db_exist, bool verbose) -+ bool db_exist, bool verbose, -+ unsigned int this_percent, unsigned int next_percent) - { - const char nvd_uri[] = URI_PREFIX; - autofree(cve_string) *uri_meta = NULL; -@@ -330,14 +331,14 @@ refetch: - } - - /* Fetch NVD META file */ -- st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose); -+ st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent); - if (st == FETCH_STATUS_FAIL) { - fprintf(stderr, "Failed to fetch %s\n", uri_meta->str); - return -1; - } - - /* Fetch NVD XML file */ -- st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose); -+ st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent); - switch (st) { - case FETCH_STATUS_FAIL: - fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str); -@@ -459,10 +460,17 @@ bool update_db(bool quiet, const char *db_file) - for (int i = YEAR_START; i <= year+1; i++) { - int y = i > year ? -1 : i; - int rc; -+ unsigned int start_percent = ((i+0 - YEAR_START) * 100) / (year+2 - YEAR_START); -+ unsigned int end_percent = ((i+1 - YEAR_START) * 100) / (year+2 - YEAR_START); - -- rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet); -+ if (!quiet) -+ fprintf(stderr, "completed: %u%%\r", start_percent); -+ rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet, -+ start_percent, end_percent); - switch (rc) { - case 0: -+ if (!quiet) -+ fprintf(stderr,"completed: %u%%\r", end_percent); - continue; - case ENOMEM: - goto oom; --- -2.9.3 - diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch b/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch deleted file mode 100644 index 458c0cc84e5..00000000000 --- a/meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch +++ /dev/null @@ -1,52 +0,0 @@ -From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001 -From: Sergey Popovich <popovich_sergei@mail.ua> -Date: Fri, 21 Apr 2017 07:32:23 -0700 -Subject: [PATCH] update: Compare computed vs expected sha256 digit string - ignoring case - -We produce sha256 digest string using %x snprintf() -qualifier for each byte of digest which uses alphabetic -characters from "a" to "f" in lower case to represent -integer values from 10 to 15. - -Previously all of the NVD META files supply sha256 -digest string for corresponding XML file in lower case. - -However due to some reason this changed recently to -provide digest digits in upper case causing fetched -data consistency checks to fail. This prevents database -from being updated periodically. - -While commit c4f6e94 (update: Do not treat sha256 failure -as fatal if requested) adds useful option to skip -digest validation at all and thus provides workaround for -this situation, it might be unacceptable for some -deployments where we need to ensure that downloaded -data is consistent before start parsing it and update -SQLite database. - -Use strcasecmp() to compare two digest strings case -insensitively and addressing this case. - -Upstream-Status: Backport -Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua> ---- - src/update.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/update.c b/src/update.c -index 8588f38..3cc6b67 100644 ---- a/src/update.c -+++ b/src/update.c -@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data) - snprintf(&csum_data[idx], len, "%02hhx", digest[i]); - } - -- ret = streq(csum_meta, csum_data); -+ ret = !strcasecmp(csum_meta, csum_data); - - err_unmap: - munmap(buffer, length); --- -2.11.0 - diff --git a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch b/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch deleted file mode 100644 index 0774ad946a4..00000000000 --- a/meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch +++ /dev/null @@ -1,51 +0,0 @@ -From ce64633b9733e962b8d8482244301f614d8b5845 Mon Sep 17 00:00:00 2001 -From: Khem Raj <raj.khem@gmail.com> -Date: Mon, 22 Aug 2016 22:54:24 -0700 -Subject: [PATCH] Check for malloc_trim before using it - -malloc_trim is gnu specific and not all libc -implement it, threfore write a configure check -to poke for it first and use the define to -guard its use. - -Helps in compiling on musl based systems - -Signed-off-by: Khem Raj <raj.khem@gmail.com> ---- -Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/48] - configure.ac | 2 ++ - src/core.c | 4 ++-- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/configure.ac b/configure.ac -index d3b66ce..79c3542 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -19,6 +19,8 @@ m4_define([json_required_version], [0.16.0]) - m4_define([openssl_required_version],[1.0.0]) - # TODO: Set minimum sqlite - -+AC_CHECK_FUNCS_ONCE(malloc_trim) -+ - PKG_CHECK_MODULES(CVE_CHECK_TOOL, - [ - glib-2.0 >= glib_required_version, -diff --git a/src/core.c b/src/core.c -index 6263031..0d5df29 100644 ---- a/src/core.c -+++ b/src/core.c -@@ -498,9 +498,9 @@ bool cve_db_load(CveDB *self, const char *fname) - } - - b = true; -- -+#ifdef HAVE_MALLOC_TRIM - malloc_trim(0); -- -+#endif - xmlFreeTextReader(r); - if (fd) { - close(fd); --- -2.9.3 -
Signed-off-by: Ross Burton <ross.burton@intel.com> --- .../cve-check-tool/cve-check-tool_5.6.4.bb | 62 ----- ...x-freeing-memory-allocated-by-sqlite.patch | 50 ---- ...erriding-default-CA-certificate-file.patch | 215 ------------------ ...s-in-percent-when-downloading-CVE-db.patch | 135 ----------- ...omputed-vs-expected-sha256-digit-str.patch | 52 ----- ...heck-for-malloc_trim-before-using-it.patch | 51 ----- 6 files changed, 565 deletions(-) delete mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-Fix-freeing-memory-allocated-by-sqlite.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-print-progress-in-percent-when-downloading-CVE-db.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-update-Compare-computed-vs-expected-sha256-digit-str.patch delete mode 100644 meta/recipes-devtools/cve-check-tool/files/check-for-malloc_trim-before-using-it.patch