From patchwork Mon Dec 16 15:59:57 2019
X-Patchwork-Submitter: Armin Kuster
X-Patchwork-Id: 181739
From: Armin Kuster
To: openembedded-core@lists.openembedded.org
Date: Mon, 16 Dec 2019 07:59:57 -0800
Message-Id: <9d01a64844998d98fcfcebbe8580422094cd2dde.1576511913.git.akuster808@gmail.com>
Subject: [OE-core] [thud 07/18] cve-check: ensure all known CVEs are in the report
List-Id: Patches and discussions about the oe-core layer
From: Ross Burton CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) Signed-off-by: Ross Burton Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster --- meta/classes/cve-check.bbclass | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) -- 2.7.4 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index c00d291..f87bcc9 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -208,12 +208,14 @@ def check_cves(d, patched_cves): if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) + # TODO: this should be in the report as 'whitelisted' + patched_cves.add(cve) elif cve in patched_cves: bb.note("%s has been patched" % (cve)) else: to_append = False if (operator_start == '=' and pv == version_start): - cves_unpatched.append(cve) + to_append = True else: if operator_start: try: @@ -243,8 +245,11 @@ def check_cves(d, patched_cves): to_append = to_append_start or to_append_end if to_append: + bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (product, pv, cve)) + else: + bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) + patched_cves.add(cve) conn.close() return (list(patched_cves), cves_unpatched)
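Review bot: In the first hunk (@@ -208,12 +208,14 @@), the whitelist branch now does `patched_cves.add(cve)`, so a whitelisted CVE is returned in the same list as CVEs that are actually fixed and a reader of the report cannot tell "ignored by policy" from "patched". The added TODO already says it should be reported as 'whitelisted'; until that exists, consider collecting these in a separate set and returning it alongside `patched_cves` and `cves_unpatched`, so that someone auditing the report does not take a whitelist entry as evidence that a fix is present. The `to_append = True` change in the `operator_start == '='` branch looks right, since the append now happens once at the bottom together with the new "is vulnerable" note.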
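Review bot: In the second hunk (@@ -243,8 +245,11 @@), the new `else:` branch calls `patched_cves.add(cve)` for a version range that did not match, and the first hunk shows `elif cve in patched_cves:` being tested before any version comparison. If the same `cve` is evaluated more than once (for example, several version ranges for one product), a non-matching range seen first marks it patched and every later range is skipped with "has been patched", which would hide a CVE that a later range does match. Either record "not vulnerable" only after all ranges for that CVE have been checked, or keep the not-vulnerable CVEs in their own set so they do not feed the `elif cve in patched_cves` short-circuit. Separately, the message changed from `bb.debug(2, ...)` to `bb.note(...)`, which puts one line per non-matching CVE into the normal log; the commit message should say whether that extra volume is intended.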