Message ID | 20220427114339.1174686-1-ross.burton@arm.com
---|---
State | Accepted, archived
Commit | cefc8741438c91f74264da6b59dece2e31f9e5a5
Series | cve_check: skip remote patches that haven't been fetched when searching for CVE tags
On Wed, Apr 27, 2022 at 1:43 PM Ross Burton <ross.burton@arm.com> wrote:
> If a remote patch is compressed we need to have run the unpack task for
> the file to exist locally. Currently cve_check only depends on fetch so
> instead of erroring out, emit a warning that this file won't be scanned
> for CVE references.
>
> Typically, remote compressed patches won't contain our custom tags, so
> this is unlikely to be an issue.
>
> Signed-off-by: Ross Burton <ross.burton@arm.com>
> ---
>  meta/lib/oe/cve_check.py | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
> index e445b7a6ae..dc7d2e2826 100644
> --- a/meta/lib/oe/cve_check.py
> +++ b/meta/lib/oe/cve_check.py
> @@ -89,9 +89,10 @@ def get_patched_cves(d):
>      for url in oe.patch.src_patches(d):
>          patch_file = bb.fetch.decodeurl(url)[2]
>
> +        # Remote compressed patches may not be unpacked, so silently
> ignore them
>          if not os.path.isfile(patch_file):
> -            bb.error("File Not found: %s" % patch_file)
> -            raise FileNotFoundError
> +            bb.warn("%s does not exist, cannot extract CVE list" %
> patch_file)
> +            continue
>
>          # Check patch file name for CVE ID
>          fname_match = cve_file_name_match.search(patch_file)
> --
> 2.25.1
>

Tested-by: Marta Rybczynska <marta.rybczynska@huawei.com>
```diff
diff --git a/meta/lib/oe/cve_check.py b/meta/lib/oe/cve_check.py
index e445b7a6ae..dc7d2e2826 100644
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@@ -89,9 +89,10 @@ def get_patched_cves(d):
     for url in oe.patch.src_patches(d):
         patch_file = bb.fetch.decodeurl(url)[2]
 
+        # Remote compressed patches may not be unpacked, so silently ignore them
         if not os.path.isfile(patch_file):
-            bb.error("File Not found: %s" % patch_file)
-            raise FileNotFoundError
+            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
+            continue
 
         # Check patch file name for CVE ID
         fname_match = cve_file_name_match.search(patch_file)
```
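Review bot: The comment added above the existence check says the file is "silently" ignored, but the bb.warn line right below it is not silent; suggest "# Remote compressed patches may not be unpacked yet, so warn and skip them". The warning text could also state the likely cause, since "%s does not exist" reads like a lost file to someone who does not know that a compressed remote patch only appears locally after do_unpack, on which cve_check does not depend. Worth noting the direction of the failure: a skipped file contributes nothing to the patched set, so any CVE it fixes is reported as unpatched rather than hidden, which is the conservative outcome for this task.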
If a remote patch is compressed we need to have run the unpack task for
the file to exist locally. Currently cve_check only depends on fetch so
instead of erroring out, emit a warning that this file won't be scanned
for CVE references.

Typically, remote compressed patches won't contain our custom tags, so
this is unlikely to be an issue.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 meta/lib/oe/cve_check.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
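As an added, stand-alone illustration (not OpenEmbedded's own code) of what get_patched_cves does with each patch file and why the skip matters: it applies the file-name and "CVE:" header-tag conventions that cve_check uses (assumed from the project; the page itself only shows the existence check), warns and skips a file that was never unpacked exactly as the accepted patch does, and additionally reads gzip-compressed patches directly, which is my own addition.

```python
import gzip
import os
import re
import tempfile

# Tag and file-name patterns as cve_check.py uses them (assumption; the page
# only references cve_file_name_match by name).
CVE_TAG_RE = re.compile(r"CVE:( CVE-\d{4}-\d+)+")
CVE_ID_RE = re.compile(r"CVE-\d{4}-\d+")
CVE_FILE_NAME_RE = re.compile(r"([Cc][Vv][Ee]-\d{4}-\d+)")


def patched_cves(patch_files, warn=print):
    """Return (set of CVE ids marked patched, list of files skipped)."""
    patched, skipped = set(), []
    for patch_file in patch_files:
        # A remote compressed patch exists locally only after do_unpack; like
        # the accepted patch, warn and skip instead of raising.
        if not os.path.isfile(patch_file):
            warn("%s does not exist, cannot extract CVE list" % patch_file)
            skipped.append(patch_file)
            continue
        # Check the patch file name for a CVE ID
        fname_match = CVE_FILE_NAME_RE.search(patch_file)
        if fname_match:
            patched.add(fname_match.group(1).upper())
        # Then collect "CVE:" tags from the patch text; .gz handling is my addition
        opener = gzip.open if patch_file.endswith(".gz") else open
        with opener(patch_file, "rt", encoding="utf-8", errors="ignore") as f:
            for tag in CVE_TAG_RE.finditer(f.read()):
                patched.update(CVE_ID_RE.findall(tag.group(0)))
    return patched, skipped


def demo():
    """Scan three constructed patches: plain, gzip, and one never unpacked."""
    d = tempfile.mkdtemp()
    plain = os.path.join(d, "fix-CVE-2021-1234.patch")
    with open(plain, "w") as f:
        f.write("Subject: fix overflow\n\nCVE: CVE-2021-5678 CVE-2021-9999\n---\n")
    gz = os.path.join(d, "backport.patch.gz")
    with gzip.open(gz, "wt") as f:
        f.write("Subject: backport\n\nCVE: CVE-2022-0001\n---\n")
    missing = os.path.join(d, "remote-CVE-2022-0002.patch.gz")  # never unpacked
    warnings = []
    cves, skipped = patched_cves([plain, gz, missing], warn=warnings.append)
    return sorted(cves), skipped, warnings


if __name__ == "__main__":
    print(demo())
```

The skipped file's own name carried CVE-2022-0002, so that CVE is absent from the result and would show up as unpatched in a cve_check report.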