From patchwork Sun Dec 8 18:35:48 2019
X-Patchwork-Submitter: Niko Mauno
X-Patchwork-Id: 180963
From: Niko Mauno
To: openembedded-core@lists.openembedded.org
Date: Sun, 8 Dec 2019 20:35:48 +0200
Message-Id: <20191208183557.32589-2-niko.mauno@iki.fi>
In-Reply-To: <20191208183557.32589-1-niko.mauno@iki.fi>
References: <20191208183557.32589-1-niko.mauno@iki.fi>
Subject: [OE-core] [thud-next][PATCH 02/11] cve-check: ensure all known CVEs are in the report

From: Ross Burton

CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness.

(From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
---
 meta/classes/cve-check.bbclass | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c00d2910be..f87bcc9dc6 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -208,12 +208,14 @@ def check_cves(d, patched_cves): if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) + # TODO: this should be in the report as 'whitelisted' + patched_cves.add(cve) elif cve in patched_cves: bb.note("%s has been patched" % (cve)) else: to_append = False if (operator_start == '=' and pv == version_start): - cves_unpatched.append(cve) + to_append = True else: if operator_start: try: @@ -243,8 +245,11 @@ def check_cves(d, patched_cves): to_append = to_append_start or to_append_end if to_append: + bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) + else: + bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) + patched_cves.add(cve) conn.close() return (list(patched_cves), cves_unpatched)
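Review bot: in the first hunk (@@ -208,12 +208,14 @@), the whitelist branch now does patched_cves.add(cve), so a CVE that was only ignored by policy is returned in the same list as one that was actually fixed, and a reader of the report cannot tell the two apart. The added TODO acknowledges this; I would rather see whitelisted CVEs collected in their own set and returned alongside the patched and unpatched lists than have the distinction dropped. Note also that patched_cves is the function's argument and is now modified in place, so a caller that reuses the set after check_cves() will see the extra entries; copying it at the top of the function would avoid that.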
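Review bot: in the second hunk (@@ -243,8 +245,11 @@), the new else branch calls patched_cves.add(cve) when the version comparison did not match, which reports "not affected" as "patched" and also feeds back into the earlier test "elif cve in patched_cves". If the enclosing loop (not visible in these hunks) can reach the same CVE a second time with a different version range, that second range would be skipped with "has been patched" and a vulnerable version could go unreported. Suggest tracking not-vulnerable CVEs in a separate collection and only deciding the final status once every range for the CVE has been evaluated. The per-CVE messages also move from bb.debug(2, ...) to bb.note, so it is worth confirming the extra log volume on large images is intended.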