[OE-core] [openembedded-core] [scarthgap] [PATCH v1 16/34] cve-check: allow feed choice

[Het Patel via lists.openembedded.org]

From: Marta Rybczynska <rybczyn...@gmail.com>

Allow choice of one of three feeds and update task dependencies
accordingly. All feeds contain data from NVD and are stored in
different files.

Set the NVD_DB_VERSION variable to choose feed:
NVD2 (default) - the NVD feed with API version 2
NVD1 - the NVD JSON feed (deprecated)
FKIE - the FKIE-CAD feed reconstruction

In case of malformed database feed name, we default to NVD2 and show
an error.

Signed-off-by: Marta Rybczynska <marta.rybczyn...@ygreky.com>
Signed-off-by: Richard Purdie <richard.pur...@linuxfoundation.org>
(cherry picked from commit f265812bfb6797aee10e7be42865736c9ff3478f)
Signed-off-by: Het Patel <het...@cisco.com>
---
 meta/classes/cve-check.bbclass | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 8aa7293368..234eeae7d4 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -31,7 +31,12 @@
 CVE_PRODUCT ??= "${BPN}"
 CVE_VERSION ??= "${PV}"
 
-CVE_CHECK_DB_FILENAME ?= "nvdcve_2-2.db"
+# Possible database sources: NVD1, NVD2, FKIE
+NVD_DB_VERSION ?= "NVD2"
+
+# Use different file names for each database source, as they synchronize at 
different moments, so may be slightly different
+CVE_CHECK_DB_FILENAME ?= "${@'nvdcve_2-2.db' if d.getVar('NVD_DB_VERSION') == 
'NVD2' else 'nvdcve_1-3.db' if d.getVar('NVD_DB_VERSION') == 'NVD1' else 
'nvdfkie_1-1.db'}"
+CVE_CHECK_DB_FETCHER ?= "${@'cve-update-nvd2-native' if 
d.getVar('NVD_DB_VERSION') == 'NVD2' else 'cve-update-db-native'}"
 CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
 CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
 CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"
@@ -101,6 +106,11 @@ CVE_VERSION_SUFFIX ??= ""
 python () {
     from oe.cve_check import extend_cve_status
     extend_cve_status(d)
+
+    nvd_database_type = d.getVar("NVD_DB_VERSION")
+    if nvd_database_type not in ("NVD1", "NVD2", "FKIE"):
+        bb.erroronce("Malformed NVD_DB_VERSION, must be one of: NVD1, NVD2, 
FKIE. Defaulting to NVD2")
+        d.setVar("NVD_DB_VERSION", "NVD2")
 }
 
 def generate_json_report(d, out_path, link_path):
@@ -171,7 +181,7 @@ python do_cve_check () {
 
 addtask cve_check before do_build
 do_cve_check[vardeps] += "CVE_STATUS CVE_CHECK_STATUSMAP"
-do_cve_check[depends] = "cve-update-nvd2-native:do_unpack"
+do_cve_check[depends] = "${CVE_CHECK_DB_FETCHER}:do_unpack"
 do_cve_check[nostamp] = "1"
 
 python cve_check_cleanup () {

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#231469): 
https://lists.openembedded.org/g/openembedded-core/message/231469
Mute This Topic: https://lists.openembedded.org/mt/117905854/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-