[2/5] cve_check: cleanup logging

Message ID	20240122140406.3837333-2-ross.burton@arm.com
State	Accepted, archived
Commit	10acc75b7f3387b968bacd51aade6a8dc11a463f
Headers	show Return-Path: <ross.burton@arm.com> ip: 217.140.110.172, mailfrom: ross.burton@arm.com) From: ross.burton@arm.com To: openembedded-core@lists.openembedded.org Subject: [PATCH 2/5] cve_check: cleanup logging Date: Mon, 22 Jan 2024 14:04:03 +0000 Message-Id: <20240122140406.3837333-2-ross.burton@arm.com> In-Reply-To: <20240122140406.3837333-1-ross.burton@arm.com> References: <20240122140406.3837333-1-ross.burton@arm.com> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable
Series	[1/5] cve_check: handle CVE_STATUS being set to the empty string \| expand [1/5] cve_check: handle CVE_STATUS being set to the empty string [2/5] cve_check: cleanup logging [3/5] zlib: ignore CVE-2023-6992 [4/5] xserver-xorg: add PACKAGECONFIG for xvfb [5/5] xserver-xorg: disable xvfb by default

Message ID

20240122140406.3837333-2-ross.burton@arm.com

State

Accepted, archived

Commit

10acc75b7f3387b968bacd51aade6a8dc11a463f

Headers

From: ross.burton@arm.com
To: openembedded-core@lists.openembedded.org
Subject: [PATCH 2/5] cve_check: cleanup logging
Date: Mon, 22 Jan 2024 14:04:03 +0000
Message-Id: <20240122140406.3837333-2-ross.burton@arm.com>
In-Reply-To: <20240122140406.3837333-1-ross.burton@arm.com>
References: <20240122140406.3837333-1-ross.burton@arm.com>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Series

[1/5] cve_check: handle CVE_STATUS being set to the empty string | expand

Commit Message

Ross Burton Jan. 22, 2024, 2:04 p.m. UTC

From: Ross Burton <ross.burton@arm.com>

Primarily list the number of patches found, useful when debugging.

Also clean up some bad escaping that caused warnings and use
re.IGNORECASE instead of manually doing case-insenstive rang matches.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/lib/oe/cve_check.py | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index b5fc5364dc8..ed5c714cb8b 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -79,20 +79,19 @@  def get_patched_cves(d):
     import re
     import oe.patch
 
-    pn = d.getVar("PN")
-    cve_match = re.compile("CVE:( CVE\-\d{4}\-\d+)+")
+    cve_match = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
 
     # Matches the last "CVE-YYYY-ID" in the file name, also if written
     # in lowercase. Possible to have multiple CVE IDs in a single
     # file name, but only the last one will be detected from the file name.
     # However, patch files contents addressing multiple CVE IDs are supported
     # (cve_match regular expression)
-
-    cve_file_name_match = re.compile(".*([Cc][Vv][Ee]\-\d{4}\-\d+)")
+    cve_file_name_match = re.compile(r".*(CVE-\d{4}-\d+)", re.IGNORECASE)
 
     patched_cves = set()
-    bb.debug(2, "Looking for patches that solves CVEs for %s" % pn)
-    for url in oe.patch.src_patches(d):
+    patches = oe.patch.src_patches(d)
+    bb.debug(2, "Scanning %d patches for CVEs" % len(patches))
+    for url in patches:
         patch_file = bb.fetch.decodeurl(url)[2]
 
         # Check patch file name for CVE ID
@@ -100,7 +99,7 @@  def get_patched_cves(d):
         if fname_match:
             cve = fname_match.group(1).upper()
             patched_cves.add(cve)
-            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))
+            bb.debug(2, "Found %s from patch file name %s" % (cve, patch_file))
 
         # Remote patches won't be present and compressed patches won't be
         # unpacked, so say we're not scanning them

[2/5] cve_check: cleanup logging

Commit Message

Patch