]> code.ossystems Code Review - openembedded-core.git/commitdiff
Code Review / openembedded-core.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | review | tree
raw | patch | inline | side by side (parent: e0f0a72)
cve-check.bbclass: make warning contain CVE IDs
authorChen Qi <Qi.Chen@windriver.com>
Tue, 9 May 2017 09:31:36 +0000 (17:31 +0800)
committerRichard Purdie <richard.purdie@linuxfoundation.org>
Mon, 5 Jun 2017 22:28:04 +0000 (23:28 +0100)
When warning users about unpatched CVE, we'd better put CVE IDs into
the warning message, so that it would be more straight forward for the
user to know which CVEs are not patched.

So instead of:
  WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log.
We should have:
  WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log.

(From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
meta/classes/cve-check.bbclass patch | blob | history

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0e4294fdc4d0c7ddd0ddb3b7c93a146856824645..3a9e22728888208bd6cb7db873d34d33fb447b86 100644 (file)
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -234,7 +234,7 @@ def cve_write_data(d, patched, unpatched, cve_data):
     cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
     nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
     write_string = ""
-    first_alert = True
+    unpatched_cves = []
     bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
 
     for cve in sorted(cve_data):
@@ -244,15 +244,16 @@ def cve_write_data(d, patched, unpatched, cve_data):
         if cve in patched:
             write_string += "CVE STATUS: Patched\n"
         else:
+            unpatched_cves.append(cve)
             write_string += "CVE STATUS: Unpatched\n"
-            if first_alert:
-                bb.warn("Found unpatched CVE, for more information check %s" % cve_file)
-                first_alert = False
         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"]
         write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
         write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
 
+    if unpatched_cves:
+        bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
+
     with open(cve_file, "w") as f:
         bb.note("Writing file %s with CVE information" % cve_file)
         f.write(write_string)
Mirror of the official openembedded-core repository