On Fri, 23 Feb 2024 at 22:09, Simone Weiß <simone.p.we...@posteo.com>
wrote:

> From: Simone Weiß <simone.p.we...@posteo.com>
>
> Log if the CVE_STATUS is set for a CVE, but the CVE is not reported for a
> component. This should hopefully help to clean up unneeded CVE_STATUS
> settings.
>

Thank you for taking the time to do this :-)


> Signed-off-by: Simone Weiß <simone.p.we...@posteo.com>
> ---
>  meta/classes/cve-check.bbclass | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/meta/classes/cve-check.bbclass
> b/meta/classes/cve-check.bbclass
> index 5191d04303..b82a9e89ec 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -418,6 +418,9 @@ def check_cves(d, patched_cves):
>              cves_status.append([product, False])
>
>      conn.close()
> +    diff_ignore = list(set(cve_ignore) - set(cves_ignored))
> +    if diff_ignore:
> +        bb.warn("Found CVE (%s) with CVE_STATUS set that is not found in
> database for this component" % " ".join(diff_ignore))
>

A non-optional warning might be a bit harsh (especially one that can come
up after an independent NVD database update).

How about a new element in the output of cve_check (the
build/tmp/log/cve/*.{txt,json} files)?
That way, someone looking for this info may find it, everyone else can
(safely) ignore this.

Another way I see would be to make the warning optional by using QA_WARN&co
but I'm not 100% sure it can be done...

Regards,

     if not cves_in_recipe:
>          bb.note("No CVE records for products in recipe %s" % (pn))
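
Review bot: On the added `diff_ignore` lines, the IDs are joined in the order produced by `list(set(cve_ignore) - set(cves_ignored))`, which is arbitrary for a set, so the same configuration can yield differently ordered warning text from one build to the next; `sorted(set(cve_ignore) - set(cves_ignored))` would keep the message stable and easy to compare across logs. The check also runs ahead of the `if not cves_in_recipe:` test in the trailing context, so it is worth stating whether the warning is still wanted when the recipe has no CVE records at all. The message reads "Found CVE (%s)" even when several IDs are joined, and a one-line comment above the set difference saying what `cve_ignore` and `cves_ignored` hold would help the next reader.
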
> --
> 2.39.2
>
>
> 
>
>

-- 
Yoann Congal
Smile ECS - Tech expert