meta/classes/cve-check.bbclass

8 # CVE found and generate a file in the recipe WORKDIR/cve
32 CVE_CHECK_LOG ?= "${T}/cve.log"
34 CVE_CHECK_SUMMARY_DIR ?= "${LOG_DIR}/cve"
35 CVE_CHECK_SUMMARY_FILE_NAME ?= "cve-summary"
37 CVE_CHECK_SUMMARY_FILE_NAME_JSON = "cve-summary.json"
38 CVE_CHECK_SUMMARY_INDEX_PATH = "${CVE_CHECK_SUMMARY_DIR}/cve-summary-index.txt"
40 CVE_CHECK_LOG_JSON ?= "${T}/cve.json"
42 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
45 CVE_CHECK_MANIFEST ?= "${IMGDEPLOYDIR}/${IMAGE_NAME}${IMAGE_NAME_SUFFIX}.cve"
158 do_cve_check[depends] = "cve-update-db-native:do_fetch"
229         link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
276         bb.note("Recipe has been skipped by cve-check")
296             cve = cverow[0]
298             if cve in cve_ignore:
299                 bb.note("%s-%s ignores %s" % (product, pv, cve))
300                 cves_ignored.append(cve)
302             elif cve in patched_cves:
303                 bb.note("%s has been patched" % (cve))
314 …("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor))
318                 if cve in cve_ignore:
333                                     (product, pv, operator_start, version_start, cve))
344                                     (product, pv, operator_end, version_end, cve))
356                         bb.note("%s is ignored in %s-%s" % (cve, pn, real_pv))
357                         cves_ignored.append(cve)
359                         bb.note("%s-%s is vulnerable to %s" % (pn, real_pv, cve))
360                         cves_unpatched.append(cve)
365                 bb.note("%s-%s is not vulnerable to %s" % (pn, real_pv, cve))
366                 patched_cves.add(cve)
391     for cve in cves:
392         cursor = conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,))
434     for cve in sorted(cve_data):
435         is_patched = cve in patched
436         is_ignored = cve in ignored
444         write_string += "CVE: %s\n" % cve
450             unpatched_cves.append(cve)
452         write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"]
453         write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"]
454         write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"]
455         write_string += "VECTOR: %s\n" % cve_data[cve]["vector"]
456         write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve)
548     for cve in sorted(cve_data):
549         is_patched = cve in patched
550         is_ignored = cve in ignored
560             unpatched_cves.append(cve)
562         issue_link = "%s%s" % (nvd_link, cve)
565             "id" : cve,
566             "summary" : cve_data[cve]["summary"],
567             "scorev2" : cve_data[cve]["scorev2"],
568             "scorev3" : cve_data[cve]["scorev3"],
569             "vector" : cve_data[cve]["vector"],