@@ -207,18 +207,28 @@ CVE_CHECK_REPORT_PATCHED = "1"
self.assertEqual(len(report["package"]), 1)
package = report["package"][0]
self.assertEqual(package["name"], "logrotate")
- found_cves = { issue["id"]: issue["status"] for issue in package["issue"]}
+ found_cves = {}
+ for issue in package["issue"]:
+ found_cves[issue["id"]] = {
+ "status" : issue["status"],
+ "reason" : issue["reason"] if "reason" in issue else ""
+ }
# m4 CVE should not be in logrotate
self.assertNotIn("CVE-2008-1687", found_cves)
# logrotate has both Patched and Ignored CVEs
self.assertIn("CVE-2011-1098", found_cves)
- self.assertEqual(found_cves["CVE-2011-1098"], "Patched")
+ self.assertEqual(found_cves["CVE-2011-1098"]["status"], "Patched")
+ self.assertEqual(len(found_cves["CVE-2011-1098"]["reason"]), 0)
+ reason = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
self.assertIn("CVE-2011-1548", found_cves)
- self.assertEqual(found_cves["CVE-2011-1548"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1548"]["reason"], reason)
self.assertIn("CVE-2011-1549", found_cves)
- self.assertEqual(found_cves["CVE-2011-1549"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1549"]["reason"], reason)
self.assertIn("CVE-2011-1550", found_cves)
- self.assertEqual(found_cves["CVE-2011-1550"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["status"], "Ignored")
+ self.assertEqual(found_cves["CVE-2011-1550"]["reason"], reason)
self.assertExists(summary_json)
check_m4_json(summary_json)
@@ -16,8 +16,10 @@ SRC_URI = "${GITHUB_BASE_URI}/download/${PV}/${BP}.tar.xz \
SRC_URI[sha256sum] = "8fa12015e3b8415c121fc9c0ca53aa872f7b0702f543afda7e32b6c4900f6516"
-# These CVEs are debian, gentoo or SUSE specific on the way logrotate was installed/used
-CVE_CHECK_IGNORE += "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_GROUPS = "CVE_STATUS_RECIPE"
+CVE_STATUS_RECIPE = "CVE-2011-1548 CVE-2011-1549 CVE-2011-1550"
+CVE_STATUS_RECIPE[status] = "Ignored"
+CVE_STATUS_RECIPE[reason] = "CVE is debian, gentoo or SUSE specific on the way logrotate was installed/used"
PACKAGECONFIG ?= "${@bb.utils.filter('DISTRO_FEATURES', 'acl selinux', d)}"
- After introducing the CVE_STATUS_REASONING flag variable, CVEs could contain a reason for assigned statuses. - Add an example conversion in logrotate recipe. Signed-off-by: Andrej Valek <andrej.valek@siemens.com> --- meta/lib/oeqa/selftest/cases/cve_check.py | 20 ++++++++++++++----- .../logrotate/logrotate_3.21.0.bb | 6 ++++-- 2 files changed, 19 insertions(+), 7 deletions(-)