@@ -82,6 +82,9 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
# set to "alphabetical" for version using single alphabetical character as increment release
CVE_VERSION_SUFFIX ??= ""
+# set to "1" for avoiding full scan for unpatched CVEs
+CVE_CHECK_WITH_DB ??= "0"
+
# Patched CVEs from recipe will be assigned to this variable
CVE_PATCHED ??= ""
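Review bot: The comment on the new variable reads inverted against its name — setting `CVE_CHECK_WITH_DB` to "1" is what turns the database scan off, and the two consumers added further down compare the raw string against "0", so any value other than exactly "0" (including an empty string) disables the scan, not only "1". Someone copying the name into a layer config will reasonably assume "1" means "use the DB". I would reword it to state the actual semantics: `# Any value other than "0" skips the NVD database scan for unpatched CVEs; the class then only exports the recipe-supplied patched-CVE data (default "0" = full scan)`. It may also be worth settling on a name that matches the behaviour (e.g. a SKIP/NO_DB spelling) before this lands, since renaming after layers depend on it is costly.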
@@ -147,7 +150,7 @@ python do_cve_check () {
"""
from oe.cve_check import get_patched_cves
- if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")) and d.getVar("CVE_CHECK_WITH_DB") == "0":
try:
patched_cves = get_patched_cves(d)
except FileNotFoundError:
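Review bot: When the new `and d.getVar("CVE_CHECK_WITH_DB") == "0"` clause is false the unpatched-CVE scan is skipped silently, so a report produced in export-only mode is indistinguishable from a full scan that found nothing unpatched — a downstream consumer could read "no unpatched CVEs" from a build that never consulted the NVD data. I would add an explicit `else:` branch with `bb.note("CVE_CHECK_WITH_DB is set; skipping NVD scan for unpatched CVEs")` (or `bb.warn` if the report feeds a release gate) so the build log records that the scan was not performed. The string comparison also treats an unset or empty value as "skip", which contradicts the commit message's "non zero value"; normalising with `(d.getVar("CVE_CHECK_WITH_DB") or "0").strip() == "0"` would make the default robust. do_cve_check's body starts and ends outside this hunk, so I cannot see whether the existing missing-DB path already emits a warning that this change now bypasses.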
@@ -162,7 +165,7 @@ python do_cve_check () {
}
addtask cve_check before do_build
-do_cve_check[depends] = "cve-update-db-native:do_fetch"
+do_cve_check[depends] = "${@'cve-update-db-native:do_fetch' if d.getVar('CVE_CHECK_WITH_DB') == '0' else ''}"
do_cve_check[nostamp] = "1"
python cve_check_cleanup () {
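Review bot: The same raw-string comparison against '0' is now duplicated in the inline Python of the `do_cve_check[depends]` expression and inside do_cve_check itself; if either site is edited alone the two drift, giving a build that fetches the DB but never scans, or one that scans without a fetch and then quietly skips on the `os.path.exists(CVE_CHECK_DB_FILE)` guard (or runs against a stale copy left from an earlier build). I would evaluate the switch once, e.g. `CVE_CHECK_USE_DB = "${@'1' if (d.getVar('CVE_CHECK_WITH_DB') or '0').strip() == '0' else '0'}"`, and have both the depends expression and the task test that single derived value. Whether oe.cve_check already offers a helper for this I cannot tell from the hunk.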
Introduce a new variable 'CVE_CHECK_WITH_DB', defaulting to '0'. When it is set to a non-zero value, the CVE scan for unpatched CVEs against the NVD DB is skipped; this provides a second operational mode for cve-check.bbclass that only exports the data. Signed-off-by: Akash Hadke <akash.hadke@kpit.com> --- meta/classes/cve-check.bbclass | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)