From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:01 +0800
Message-Id: <934828320beb9f4414da09e5a9f10cdcb0faff91.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 02/15] libsoup: set CVE_PRODUCT

From: Ross Burton

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Adrian Bunk
Signed-off-by: Anuj Mittal
---
 meta/recipes-support/libsoup/libsoup-2.4_2.66.2.bb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/recipes-support/libsoup/libsoup-2.4_2.66.2.bb b/meta/recipes-support/libsoup/libsoup-2.4_2.66.2.bb index 357f2fd3db..3a735cf27a 100644 --- a/meta/recipes-support/libsoup/libsoup-2.4_2.66.2.bb +++ b/meta/recipes-support/libsoup/libsoup-2.4_2.66.2.bb
@@ -15,6 +15,8 @@ SRC_URI = "${GNOME_MIRROR}/libsoup/${SHRT_VER}/libsoup-${PV}.tar.xz \ SRC_URI[md5sum] = "66c2ae89d6031b01337d78a2c57c75d5" SRC_URI[sha256sum] = "bd2ea602eba642509672812f3c99b77cbec2f3de02ba1cc8cb7206bf7de0ae2a" +CVE_PRODUCT = "libsoup" + S = "${WORKDIR}/libsoup-${PV}" inherit meson gettext pkgconfig upstream-version-is-even gobject-introspection gtk-doc
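Review bot: the commit carries no body explaining why the `CVE_PRODUCT = "libsoup"` line added after SRC_URI[sha256sum] is needed. One sentence noting that the recipe file is named libsoup-2.4 while the product name to match in the CVE data is libsoup would make the reason visible to whoever later reads a CVE report for this recipe or backports the change.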

From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:02 +0800
Message-Id: <639dfde9437ac937a6996d4b6aa241d5184f4f74.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 03/15] cve-check: we don't actually need to unpack to check

From: Ross Burton

The patch scanner works with patch files in the layer, not in the workdir, so it doesn't need to unpack.

(From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/classes/cve-check.bbclass | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 1c8b2223a2..3326944d79 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -62,7 +62,7 @@ python do_cve_check () { } -addtask cve_check after do_unpack before do_build +addtask cve_check before do_build do_cve_check[depends] = "cve-update-db-native:do_populate_cve_db" do_cve_check[nostamp] = "1"
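Review bot: on the new `addtask cve_check before do_build` line, the reason there is no `after` dependency lives only in the commit message. A short comment above it saying that the patch scanner reads patch files from the layer rather than the workdir would stop someone from re-adding `after do_unpack` later.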
@@ -70,7 +70,6 @@ python cve_check_cleanup () { """ Delete the file used to gather all the CVE information. """ - bb.utils.remove(e.data.getVar("CVE_CHECK_TMP_FILE")) }
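Review bot: the one-line deletion in cve_check_cleanup() is not mentioned in the commit message, which only covers dropping the do_unpack dependency. If it is whitespace cleanup after the docstring, say so in the message or send it separately so the backport stays limited to the task-ordering change.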

From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:03 +0800
Message-Id: <3654b6cc301576805c6eae76603b132d8b8fb5b9.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 04/15] cve-update-db-native: don't refresh more than once an hour

From: Ross Burton

We already fetch the yearly CVE metadata and check that for updates before downloading the full data, but we can speed up CVE checking further by only checking the CVE metadata once an hour.

(From OE-Core rev: 50d898fd360c58fe85460517d965f62b7654771a)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/recipes-core/meta/cve-update-db-native.bb | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 2c427a5884..19875a49b1 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -31,8 +31,16 @@ python do_populate_cve_db() { db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK') db_file = os.path.join(db_dir, 'nvdcve_1.0.db') json_tmpfile = os.path.join(db_dir, 'nvd.json.gz') - proxy = d.getVar("https_proxy") + # Don't refresh the database more than once an hour + try: + import time + if time.time() - os.path.getmtime(db_file) < (60*60): + return + except OSError: + pass + + proxy = d.getVar("https_proxy") if proxy: # instantiate an opener but do not install it as the global # opener unless if we're really sure it's applicable for all
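Review bot: in the added freshness check, `time.time() - os.path.getmtime(db_file) < (60*60)` is also true when the file's mtime lies in the future (a clock change, or a DL_DIR copied from another machine), so the CVE database would silently stop refreshing until the clock catches up; test that the age is between 0 and 3600 seconds instead. `import time` belongs with the other imports at the top of the function rather than inside the `try`, and a `bb.debug` message on the early `return` would make it visible in the log that the check ran against cached data.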

From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:04 +0800
Message-Id: <668f8d0302fa8870f9c38e20d8de2a9e5991bf5f.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 05/15] cve-update-db-native: don't hardcode the database name

From: Ross Burton

Don't hardcode the database filename, there's a variable for this in cve-check.bbclass.

(From OE-Core rev: 0d188a9dc4ae64c64cd661e9d9c3841e86f226ab)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/recipes-core/meta/cve-update-db-native.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 19875a49b1..c15534de08 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -28,8 +28,8 @@ python do_populate_cve_db() { BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" YEAR_START = 2002 - db_dir = os.path.join(d.getVar("DL_DIR"), 'CVE_CHECK') - db_file = os.path.join(db_dir, 'nvdcve_1.0.db') + db_file = d.getVar("CVE_CHECK_DB_FILE") + db_dir = os.path.dirname(db_file) json_tmpfile = os.path.join(db_dir, 'nvd.json.gz') # Don't refresh the database more than once an hour
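Review bot: `d.getVar("CVE_CHECK_DB_FILE")` returns None when the variable is not defined, and the next added line, `os.path.dirname(db_file)`, would then fail with a TypeError that says nothing about the cause. Since the commit message states the variable comes from cve-check.bbclass, either check for None and stop with a clear `bb.fatal` message, or note in the message that the class is always in scope when this recipe runs.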

From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:05 +0800
Message-Id: <9092fb0fc978e0d1123195d8f18b28b5bcf6dce2.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 06/15] cve-update-db-native: add an index on the CVE ID column

From: Ross Burton

Create an index on the PRODUCTS table which contains a row for each CPE, drastically increasing the performance of lookups for a specific CVE.

(From OE-Core rev: b4048b05b3a00d85c40d09961f846eadcebd812e)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/recipes-core/meta/cve-update-db-native.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index c15534de08..08b18f064f 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -120,11 +120,14 @@ python do_populate_cve_db() { def initialize_db(c): c.execute("CREATE TABLE IF NOT EXISTS META (YEAR INTEGER UNIQUE, DATE TEXT)") + c.execute("CREATE TABLE IF NOT EXISTS NVD (ID TEXT UNIQUE, SUMMARY TEXT, \ SCOREV2 TEXT, SCOREV3 TEXT, MODIFIED INTEGER, VECTOR TEXT)") + c.execute("CREATE TABLE IF NOT EXISTS PRODUCTS (ID TEXT, \ VENDOR TEXT, PRODUCT TEXT, VERSION_START TEXT, OPERATOR_START TEXT, \ VERSION_END TEXT, OPERATOR_END TEXT)") + c.execute("CREATE INDEX IF NOT EXISTS PRODUCT_ID_IDX on PRODUCTS(ID);")
def parse_node_and_insert(c, node, cveId): # Parse children node if needed
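Review bot: the index name `PRODUCT_ID_IDX` in the added `CREATE INDEX` statement reads as if it covered the PRODUCT column, while it indexes `PRODUCTS(ID)`, the CVE ID; a name such as PRODUCTS_ID_IDX, or a one-line comment, would avoid that misreading. The statement also uses lowercase `on` and a trailing semicolon, unlike the CREATE TABLE statements around it, and two of the three insertions are blank lines that are not part of the index change.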

From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:06 +0800
Subject: [OE-core] [zeus][PATCH 07/15] cve-update-db-native: clean up proxy handling

From: Ross Burton

urllib handles adding proxy handlers if the proxies are set in the environment, so call bb.utils.export_proxies() to do that and remove the manual setup.

(From OE-Core rev: 6b73004668b3b71c9c38814b79fbb58c893ed434)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 .../recipes-core/meta/cve-update-db-native.bb | 31 +++----------------
 1 file changed, 5 insertions(+), 26 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb b/meta/recipes-core/meta/cve-update-db-native.bb index 08b18f064f..db1d69a28e 100644 --- a/meta/recipes-core/meta/cve-update-db-native.bb +++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -21,10 +21,12 @@ python do_populate_cve_db() { """ Update NVD database with json data feed """ - + import bb.utils import sqlite3, urllib, urllib.parse, shutil, gzip from datetime import date + bb.utils.export_proxies(d) + BASE_URL = "https://nvd.nist.gov/feeds/json/cve/1.0/nvdcve-1.0-" YEAR_START = 2002 @@ -40,16 +42,6 @@ python do_populate_cve_db() { except OSError: pass - proxy = d.getVar("https_proxy") - if proxy: - # instantiate an opener but do not install it as the global - # opener unless if we're really sure it's applicable for all - # urllib requests - proxy_handler = urllib.request.ProxyHandler({'https': proxy}) - proxy_opener = urllib.request.build_opener(proxy_handler) - else: - proxy_opener = None - cve_f = open(os.path.join(d.getVar("TMPDIR"), 'cve_check'), 'a') if not os.path.isdir(db_dir): @@ -67,15 +59,7 @@ python do_populate_cve_db() { json_url = year_url + ".json.gz" # Retrieve meta last modified date - - response = None - - if proxy_opener: - response = proxy_opener.open(meta_url) - else: - req = urllib.request.Request(meta_url) - response = urllib.request.urlopen(req) - + response = urllib.request.urlopen(meta_url) if response: for l in response.read().decode("utf-8").splitlines(): key, value = l.split(":", 1) 
@@ -95,12 +79,7 @@ python do_populate_cve_db() { # Update db with current year json file try: - if proxy_opener: - response = proxy_opener.open(json_url) - else: - req = urllib.request.Request(json_url) - response = urllib.request.urlopen(req) - + response = urllib.request.urlopen(json_url) if response: update_db(c, gzip.decompress(response.read()).decode('utf-8')) c.execute("insert or replace into META values (?, ?)", [year, last_modified])
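Review bot: In the first hunk of cve-update-db-native.bb, the added bb.utils.export_proxies(d) call replaces an opener that the removed comment says was deliberately not installed as the global opener, and the new code does not record that the scope changed. Per the commit message the proxies are now picked up from the environment, so every urllib request made in this process after the call follows them, not only the two NVD fetches. Add a comment at the call stating that this is intended. The import line in the same hunk also lists only urllib and urllib.parse while the function calls urllib.request.urlopen; import urllib.request explicitly so the task does not depend on another module having loaded it.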
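Review bot: In the "Retrieve meta last modified date" hunk of cve-update-db-native.bb, the "if response:" test kept after urllib.request.urlopen(meta_url) cannot take its false branch with the default opener, because urlopen raises on failure instead of returning None, and no try is visible around this call in the hunk. The call also passes no timeout, so a stalled proxy or feed server blocks the task. Drop the dead check, pass an explicit timeout, and catch urllib.error.URLError so a proxy misconfiguration produces a clear warning. The same applies to the json_url fetch in the last hunk.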
From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:07 +0800
Subject: [OE-core] [zeus][PATCH 08/15] cve-check: rewrite look to fix false negatives

From: Ross Burton

A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early.

(From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/classes/cve-check.bbclass | 63 ++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 29 deletions(-)

--
2.21.0

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 3326944d79..c1cbdbde7b 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -165,7 +165,6 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - import ast, csv, tempfile, subprocess, io from distutils.version import LooseVersion cves_unpatched = [] 
@@ -187,68 +186,74 @@ def check_cves(d, patched_cves): cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() import sqlite3 - db_file = d.getVar("CVE_CHECK_DB_FILE") - conn = sqlite3.connect(db_file) + db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") + conn = sqlite3.connect(db_file, uri=True) + # For each of the known product names (e.g. curl has CPEs using curl and libcurl)... for product in products: - c = conn.cursor() if ":" in product: vendor, product = product.split(":", 1) - c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor)) else: - c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,)) + vendor = "%" - for row in c: - cve = row[0] - version_start = row[3] - operator_start = row[4] - version_end = row[5] - operator_end = row[6] + # Find all relevant CVE IDs. + for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)): + cve = cverow[0] if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) # TODO: this should be in the report as 'whitelisted' patched_cves.add(cve) + continue elif cve in patched_cves: bb.note("%s has been patched" % (cve)) - else: - to_append = False + continue + + vulnerable = False + for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? 
AND VENDOR LIKE ?", (cve, product, vendor)): + (_, _, _, version_start, operator_start, version_end, operator_end) = row + #bb.debug(2, "Evaluating row " + str(row)) + if (operator_start == '=' and pv == version_start): - to_append = True + vulnerable = True else: if operator_start: try: - to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) - to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) + vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) - to_append_start = False + vulnerable_start = False else: - to_append_start = False + vulnerable_start = False if operator_end: try: - to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) - to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) + vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_end, version_end, cve)) - to_append_end = False + vulnerable_end = False else: - to_append_end = False + vulnerable_end = False if operator_start and operator_end: - to_append = to_append_start and to_append_end + vulnerable = vulnerable_start and vulnerable_end else: - to_append = to_append_start or to_append_end + vulnerable = vulnerable_start or vulnerable_end - if to_append: + if vulnerable: bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - else: - bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) - patched_cves.add(cve) + break + + if not vulnerable: + bb.note("%s-%s is not 
vulnerable to %s" % (product, pv, cve)) + # TODO: not patched but not vulnerable + patched_cves.add(cve) + conn.close() return (list(patched_cves), cves_unpatched)
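Review bot: In the rewritten loop in check_cves, the two bare "except:" blocks still set vulnerable_start or vulnerable_end to False when LooseVersion cannot compare the versions, so a CVE whose rows all fail to compare reaches "if not vulnerable:" and is added to patched_cves. That is the same kind of false negative this patch removes; record such CVEs separately, or as unpatched, and catch only the comparison error instead of everything. In the same hunk, vendor is passed to "VENDOR LIKE ?" unescaped, so an underscore or percent sign in a vendor name from the products list acts as a wildcard; use IS when a vendor was given and keep LIKE for the "%" default only.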
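The false negative described in the PATCH 08/15 commit message above, reproduced on constructed data as an added example (not code from the patch or from OE-Core). The seven-column row layout follows the tuple unpack visible in the diff; the VERSION_*/OPERATOR_* column names, the vkey helper standing in for LooseVersion, the product name and the CVE IDs are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample rows: one CVE with two affected version ranges, one with a
# single range. Column names after PRODUCT are assumed, not taken from the page.
ROWS = [
    ("CVE-0000-0001", "examplevendor", "examplelib", "1.0", ">=", "1.2", "<"),
    ("CVE-0000-0001", "examplevendor", "examplelib", "2.0", ">=", "2.3", "<"),
    ("CVE-0000-0002", "examplevendor", "examplelib", "3.0", ">=", "3.1", "<"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PRODUCTS (ID TEXT, VENDOR TEXT, PRODUCT TEXT, "
                 "VERSION_START TEXT, OPERATOR_START TEXT, "
                 "VERSION_END TEXT, OPERATOR_END TEXT)")
    conn.executemany("INSERT INTO PRODUCTS VALUES (?, ?, ?, ?, ?, ?, ?)", ROWS)
    return conn


def vkey(version):
    # Stand-in for LooseVersion: handles dotted numeric versions only.
    return tuple(int(part) for part in version.split("."))


def row_matches(pv, version_start, operator_start, version_end, operator_end):
    """Bounds test for one CPE row, mirroring the logic kept by the patch."""
    if operator_start == "=" and pv == version_start:
        return True
    start = ((operator_start == ">=" and vkey(pv) >= vkey(version_start)) or
             (operator_start == ">" and vkey(pv) > vkey(version_start)))
    end = ((operator_end == "<=" and vkey(pv) <= vkey(version_end)) or
           (operator_end == "<" and vkey(pv) < vkey(version_end)))
    if operator_start and operator_end:
        return start and end
    return start or end


def one_pass(conn, product, pv):
    """Pre-patch shape: decide per row, skip CVEs already marked patched."""
    patched, unpatched = set(), []
    query = "SELECT * FROM PRODUCTS WHERE PRODUCT IS ? ORDER BY rowid"
    for row in conn.execute(query, (product,)):
        cve = row[0]
        if cve in patched:
            continue  # later CPE rows for this CVE are never evaluated
        if row_matches(pv, *row[3:7]):
            unpatched.append(cve)
        else:
            patched.add(cve)  # first non-matching row settles the verdict
    return patched, unpatched


def two_stage(conn, product, pv, vendor="%"):
    """Post-patch shape: list candidate CVE IDs, then test every row of each."""
    patched, unpatched = set(), []
    ids = conn.execute("SELECT DISTINCT ID FROM PRODUCTS "
                       "WHERE PRODUCT IS ? AND VENDOR LIKE ?",
                       (product, vendor)).fetchall()
    for (cve,) in ids:
        rows = conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? "
                            "AND PRODUCT IS ? AND VENDOR LIKE ?",
                            (cve, product, vendor))
        if any(row_matches(pv, *row[3:7]) for row in rows):
            unpatched.append(cve)
        else:
            patched.add(cve)
    return patched, unpatched


if __name__ == "__main__":
    db = make_db()
    print("one pass :", one_pass(db, "examplelib", "2.1"))
    print("two stage:", two_stage(db, "examplelib", "2.1"))
```

With version 2.1 the one-pass scan reports nothing as unpatched, because the 1.0 to 1.2 row is seen first; the two-stage scan reports CVE-0000-0001.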
From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:08 +0800
Message-Id: <3413cd334f70f67eb6befae818b30a82d113c6c3.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 09/15] cve-check: neaten get_cve_info

From: Ross Burton

Remove obsolete Python 2 code, and use convenience methods for neatness.

(From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/classes/cve-check.bbclass | 18 +++++-------------
 1 file changed, 5 insertions(+), 13 deletions(-)

--
2.21.0

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c1cbdbde7b..e95716d9de 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -261,23 +261,15 @@ def check_cves(d, patched_cves): def get_cve_info(d, cves): """ Get CVE information from the database. - - Unfortunately the only way to get CVE info is set the output to - html (hard to parse) or query directly the database. """ - try: - import sqlite3 - except ImportError: - from pysqlite2 import dbapi2 as sqlite3 + import sqlite3 cve_data = {} - db_file = d.getVar("CVE_CHECK_DB_FILE") - placeholder = ",".join("?" * len(cves)) - query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder - conn = sqlite3.connect(db_file) - cur = conn.cursor() - for row in cur.execute(query, tuple(cves)): + conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) + placeholders = ",".join("?" * len(cves)) + query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders + for row in conn.execute(query, tuple(cves)): cve_data[row[0]] = {} cve_data[row[0]]["summary"] = row[1] cve_data[row[0]]["scorev2"] = row[2]
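Review bot: get_cve_info still opens the database with sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")), a read-write open that creates the file if it is missing, while the previous patch in this series moved check_cves to "file:${CVE_CHECK_DB_FILE}?mode=ro" with uri=True. This function only runs a SELECT, so it should use the same read-only URI; a wrong path then fails with an error instead of leaving an empty database behind.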
From: Anuj Mittal
To: openembedded-core@lists.openembedded.org
Date: Fri, 22 Nov 2019 19:39:09 +0800
Message-Id: <4f4d883798f8c07038c24e7d184af57e2087b5a4.1574422359.git.anuj.mittal@intel.com>
Subject: [OE-core] [zeus][PATCH 10/15] cve-check: fetch CVE data once at a time instead of in a single call

From: Ross Burton

This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time difference is insignificant: 0.05s versus 0.01s on my machine.

(From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99)

Signed-off-by: Ross Burton
Signed-off-by: Richard Purdie
Signed-off-by: Anuj Mittal
---
 meta/classes/cve-check.bbclass | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--
2.21.0

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index e95716d9de..19ed5548b3 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass
@@ -267,17 +267,17 @@ def get_cve_info(d, cves): cve_data = {} conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) - placeholders = ",".join("?" * len(cves)) - query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholders - for row in conn.execute(query, tuple(cves)): - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["scorev2"] = row[2] - cve_data[row[0]]["scorev3"] = row[3] - cve_data[row[0]]["modified"] = row[4] - cve_data[row[0]]["vector"] = row[5] - conn.close() + for cve in cves: + for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)): + cve_data[row[0]] = {} + cve_data[row[0]]["summary"] = row[1] + cve_data[row[0]]["scorev2"] = row[2] + cve_data[row[0]]["scorev3"] = row[3] + cve_data[row[0]]["modified"] = row[4] + cve_data[row[0]]["vector"] = row[5] + + conn.close() return cve_data def cve_write_data(d, patched, unpatched, cve_data):
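Review bot: The new inner loop in get_cve_info keeps "SELECT *" and fills cve_data from row[1] to row[5] by position, so which value lands under "summary", "scorev2", "scorev3", "modified" and "vector" depends on the column order of the NVD table, which this function does not control. Name the columns in the SELECT so that a schema change fails loudly instead of mislabelling fields in the report. conn.close() is also reached only when every execute succeeds; a try/finally around the loop would release the connection on error.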