[kirkstone,6/7] cve-check: don't warn if a patch is remote

Message ID	b4e5e02ab5dcc6b32810aa88c371799777dd8821.1699483825.git.steve@sakoman.com
State	Accepted, archived
Commit	b4e5e02ab5dcc6b32810aa88c371799777dd8821
Headers	show Return-Path: <steve@sakoman.com> ip: 209.85.210.180, mailfrom: steve@sakoman.com) From: Steve Sakoman <steve@sakoman.com> To: openembedded-core@lists.openembedded.org Subject: [OE-core][kirkstone 6/7] cve-check: don't warn if a patch is remote Date: Wed, 8 Nov 2023 12:53:05 -1000 Message-Id: <b4e5e02ab5dcc6b32810aa88c371799777dd8821.1699483825.git.steve@sakoman.com> In-Reply-To: <cover.1699483825.git.steve@sakoman.com> References: <cover.1699483825.git.steve@sakoman.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	[kirkstone,1/7] binutils: Fix CVE-2022-47010 \| expand [kirkstone,1/7] binutils: Fix CVE-2022-47010 [kirkstone,2/7] libwebp: Fix CVE-2023-4863 [kirkstone,3/7] xserver-xorg: Fix for CVE-2023-5367 and CVE-2023-5380 [kirkstone,4/7] cve-check: sort the package list in the JSON report [kirkstone,5/7] cve-check: slightly more verbose warning when adding the same package twice [kirkstone,6/7] cve-check: don't warn if a patch is remote [kirkstone,7/7] python3-jinja2: Fixed ptest result output as per the standard

Message ID

b4e5e02ab5dcc6b32810aa88c371799777dd8821.1699483825.git.steve@sakoman.com

State

Accepted, archived

Commit

b4e5e02ab5dcc6b32810aa88c371799777dd8821

Headers

From: Steve Sakoman <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][kirkstone 6/7] cve-check: don't warn if a patch is remote
Date: Wed,  8 Nov 2023 12:53:05 -1000
Message-Id: 
 <b4e5e02ab5dcc6b32810aa88c371799777dd8821.1699483825.git.steve@sakoman.com>
In-Reply-To: <cover.1699483825.git.steve@sakoman.com>
References: <cover.1699483825.git.steve@sakoman.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

[kirkstone,1/7] binutils: Fix CVE-2022-47010 | expand

Commit Message

Steve Sakoman Nov. 8, 2023, 10:53 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

We don't make do_cve_check depend on do_unpack because that would be a
waste of time 99% of the time.  The compromise here is that we can't
scan remote patches for issues, but this isn't a problem so downgrade
the warning to a note.

Also move the check for CVEs in the filename before the local file check
so that even with remote patches, we still check for CVE references in
the name.

Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
(cherry picked from commit 0251cad677579f5b4dcc25fa2f8552c6040ac2cf)
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 meta/lib/oe/cve_check.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index 2efc4290af..65b1358ffc 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -89,11 +89,6 @@  def get_patched_cves(d):
     for url in oe.patch.src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
-        # Remote compressed patches may not be unpacked, so silently ignore them
-        if not os.path.isfile(patch_file):
-            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
-            continue
-
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
         if fname_match:
@@ -101,6 +96,12 @@  def get_patched_cves(d):
             patched_cves.add(cve)
             bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
 
+        # Remote patches won't be present and compressed patches won't be
+        # unpacked, so say we're not scanning them
+        if not os.path.isfile(patch_file):
+            bb.note("%s is remote or compressed, not scanning content" % patch_file)
+            continue
+
         with open(patch_file, "r", encoding="utf-8") as f:
             try:
                 patch_text = f.read()

[kirkstone,6/7] cve-check: don't warn if a patch is remote

Commit Message

Patch