cve-check: write empty fragment files in the text mode

Message ID 20220603121710.2443242-1-rybczynska@gmail.com
State Accepted, archived
Commit f1b7877acd0f6e3626faa57d9f89809cfcdfd0f1

Commit Message

Marta Rybczynska June 3, 2022, 12:17 p.m. UTC
In the cve-check text mode output, we didn't write fragment
files if there are no CVEs (when CVE_CHECK_REPORT_PATCHED is 1),
or no unpatched CVEs otherwise.

However, on a system that has gone through multiple builds,
cve_check_write_rootfs_manifest might find older fragment files and
treat them as current, which leads to incorrect reporting.

Fix it by always writing a fragment file, even if empty.

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
 meta/classes/cve-check.bbclass | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

Comments

Ernst Persson June 4, 2022, 6:18 a.m. UTC | #1
Den fre 3 juni 2022 kl 14:17 skrev Marta Rybczynska <rybczynska@gmail.com>:

> In the cve-check text mode output, we didn't write fragment
> files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
> or no unpached CVEs otherwise.
>
> However, in a system after multiple builds,
> cve_check_write_rootfs_manifest might find older files and use
> them as current, what leads to incorrect reporting.
>
> Fix it by always writing a fragment file, even if empty.
>
> Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
> ---
>  meta/classes/cve-check.bbclass | 27 +++++++++++++--------------
>  1 file changed, 13 insertions(+), 14 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass
> b/meta/classes/cve-check.bbclass
> index c80a365819..0579d882db 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -440,23 +440,22 @@ def cve_write_data_text(d, patched, unpatched,
> ignored, cve_data):
>      if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
>          bb.warn("Found unpatched CVE (%s), for more information check %s"
> % (" ".join(unpatched_cves),cve_file))
>
> -    if write_string:
> -        with open(cve_file, "w") as f:
> -            bb.note("Writing file %s with CVE information" % cve_file)
> -            f.write(write_string)
> +    with open(cve_file, "w") as f:
> +        bb.note("Writing file %s with CVE information" % cve_file)
>

This note feels quite redundant now.


> +        f.write(write_string)
>
> -        if d.getVar("CVE_CHECK_COPY_FILES") == "1":
> -            deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
> -            bb.utils.mkdirhier(os.path.dirname(deploy_file))
> -            with open(deploy_file, "w") as f:
> -                f.write(write_string)
> +    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
> +        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
> +        bb.utils.mkdirhier(os.path.dirname(deploy_file))
> +        with open(deploy_file, "w") as f:
> +            f.write(write_string)
>
> -        if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
> -            cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
> -            bb.utils.mkdirhier(cvelogpath)
> +    if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
> +        cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
> +        bb.utils.mkdirhier(cvelogpath)
>
> -            with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
> -                f.write("%s" % write_string)
> +        with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
> +            f.write("%s" % write_string)
>
>  def cve_check_write_json_output(d, output, direct_file, deploy_file,
> manifest_file):
>      """
> --
> 2.33.0
>
>

Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index c80a365819..0579d882db 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -440,23 +440,22 @@  def cve_write_data_text(d, patched, unpatched, ignored, cve_data):
     if unpatched_cves and d.getVar("CVE_CHECK_SHOW_WARNINGS") == "1":
         bb.warn("Found unpatched CVE (%s), for more information check %s" % (" ".join(unpatched_cves),cve_file))
 
-    if write_string:
-        with open(cve_file, "w") as f:
-            bb.note("Writing file %s with CVE information" % cve_file)
-            f.write(write_string)
+    with open(cve_file, "w") as f:
+        bb.note("Writing file %s with CVE information" % cve_file)
+        f.write(write_string)
 
-        if d.getVar("CVE_CHECK_COPY_FILES") == "1":
-            deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
-            bb.utils.mkdirhier(os.path.dirname(deploy_file))
-            with open(deploy_file, "w") as f:
-                f.write(write_string)
+    if d.getVar("CVE_CHECK_COPY_FILES") == "1":
+        deploy_file = d.getVar("CVE_CHECK_RECIPE_FILE")
+        bb.utils.mkdirhier(os.path.dirname(deploy_file))
+        with open(deploy_file, "w") as f:
+            f.write(write_string)
 
-        if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
-            cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
-            bb.utils.mkdirhier(cvelogpath)
+    if d.getVar("CVE_CHECK_CREATE_MANIFEST") == "1":
+        cvelogpath = d.getVar("CVE_CHECK_SUMMARY_DIR")
+        bb.utils.mkdirhier(cvelogpath)
 
-            with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
-                f.write("%s" % write_string)
+        with open(d.getVar("CVE_CHECK_TMP_FILE"), "a") as f:
+            f.write("%s" % write_string)
 
 def cve_check_write_json_output(d, output, direct_file, deploy_file, manifest_file):
     """