Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / openbmc / 316dfdd917bec6a218f431211d28bf8df6b6fb0f^! / . / import-layers / yocto-poky / meta / classes / cve-check.bbclass
commit316dfdd917bec6a218f431211d28bf8df6b6fb0f[log] [tgz]
authorBrad Bishop <bradleyb@fuzziesquirrel.com>Mon Jun 25 12:45:53 2018 -0400
committerBrad Bishop <bradleyb@fuzziesquirrel.com>Wed Jun 27 14:38:15 2018 -0400
tree5541073f9851f44c2bd67b4959dc776ee3c3810f
parent36acd3e888044dea2ac0b2946f15616f968388c9 [diff] [blame]
Yocto 2.5

Move OpenBMC to Yocto 2.5(sumo)

Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Change-Id: I5c5ad6904a16e14c1c397f0baf10c9d465594a78

diff --git a/import-layers/yocto-poky/meta/classes/cve-check.bbclass b/import-layers/yocto-poky/meta/classes/cve-check.bbclass
index bc2f03f..537659d 100644
--- a/import-layers/yocto-poky/meta/classes/cve-check.bbclass
+++ b/import-layers/yocto-poky/meta/classes/cve-check.bbclass

@@ -23,12 +23,12 @@
 # The product name that the CVE database uses.  Defaults to BPN, but may need to
 # be overriden per recipe (for example tiff.bb sets CVE_PRODUCT=libtiff).
 CVE_PRODUCT ??= "${BPN}"
+CVE_VERSION ??= "${PV}"
 
 CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db"
 
-CVE_CHECK_LOCAL_DIR ?= "${WORKDIR}/cve"
-CVE_CHECK_LOCAL_FILE ?= "${CVE_CHECK_LOCAL_DIR}/cve.log"
+CVE_CHECK_LOG ?= "${T}/cve.log"
 CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check"
 
 CVE_CHECK_DIR ??= "${DEPLOY_DIR}/cve"
@@ -169,7 +169,10 @@
     cves_patched = []
     cves_unpatched = []
     bpn = d.getVar("CVE_PRODUCT")
-    pv = d.getVar("PV").split("+git")[0]
+    # If this has been unset then we're not scanning for CVEs here (for example, image recipes)
+    if not bpn:
+        return ([], [])
+    pv = d.getVar("CVE_VERSION").split("+git")[0]
     cves = " ".join(patched_cves)
     cve_db_dir = d.getVar("CVE_CHECK_DB_DIR")
     cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST"))
@@ -181,9 +184,6 @@
         bb.note("Recipe has been whitelisted, skipping check")
         return ([], [])
 
-    # It is needed to export the proxies to download the database using HTTP
-    bb.utils.export_proxies(d)
-
     try:
         # Write the faux CSV file to be used with cve-check-tool
         fd, faux = tempfile.mkstemp(prefix="cve-faux-")
@@ -251,11 +251,11 @@
     CVE manifest if enabled.
     """
 
-    cve_file = d.getVar("CVE_CHECK_LOCAL_FILE")
+    cve_file = d.getVar("CVE_CHECK_LOG")
     nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
     write_string = ""
     unpatched_cves = []
-    bb.utils.mkdirhier(d.getVar("CVE_CHECK_LOCAL_DIR"))
+    bb.utils.mkdirhier(os.path.dirname(cve_file))
 
     for cve in sorted(cve_data):
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")