Mariano,
On 07/11/2016 05:52 AM, mariano.lo...@linux.intel.com wrote: > From: Mariano Lopez <mariano.lo...@linux.intel.com> > > cve-check-tool is a program for public CVEs checking. > This tool also seek to determine if a vulnerability has > been addressed by a patch. By tool do you mean the "cve-check-tool"? All the Nvd DB can tell you if an CVE has been assigned, anything more than that is not guaranteed. Look at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5320 > > The recipe also includes the do_populate_cve_db task > that will populate the database used by the tool. This DB is big. May want to add a note to that affect. Maybe a note about how to share the DB across builds like with the AB. time for me to play with this. Thanks for driving this. regards, Armin > > [YOCTO #7515] > > Signed-off-by: Mariano Lopez <mariano.lo...@linux.intel.com> > --- > .../cve-check-tool/cve-check-tool_5.6.4.bb | 55 > ++++++++++++++++++++++ > 1 file changed, 55 insertions(+) > create mode 100644 > meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > > diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb > new file mode 100644 > index 0000000..0cf64e4 > --- /dev/null > +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb 
> @@ -0,0 +1,55 @@ > +SUMMARY = "cve-check-tool" > +DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\ > +The tool will identify potentially vunlnerable software packages within > Linux distributions through version matching." > +HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool" > +SECTION = "Development/Tools" > +LICENSE = "GPL-2.0" > +LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6" > + > +SRC_URI = > "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz" > + > +SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155" > +SRC_URI[sha256sum] = > "b8f283be718af8d31232ac1bfc10a0378fb958aaaa49af39168f8acf501e6a5b" > + > +DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl" > + > +inherit pkgconfig autotools > + > +EXTRA_OECONF = "--disable-static" > + > +python do_populate_cve_db () { > + import subprocess > + import time > + > + if d.getVar("BB_NO_NETWORK", True) == "1": > + bb.error("BB_NO_NETWORK is set; Can't update cve-check-tool > database, " > + "CVEs won't be checked") > + return > + > + bb.utils.export_proxies(d) > + # In case we don't inherit cve-check class, use default values defined > in the class. 
> + cve_dir = d.getVar("CVE_CHECK_DB_DIR", True) or > d.expand("${DL_DIR}/CVE_CHECK") > + cve_file = d.getVar("CVE_CHECK_TMP_FILE", True) or > d.expand("${TMPDIR}/cve_check") > + cve_cmd = "cve-check-update" > + cmd = [cve_cmd, "-d", cve_dir] > + bb.debug(1, "Updating cve-check-tool database located in %s" % cve_dir) > + try: > + output = subprocess.check_output(cmd, stderr=subprocess.STDOUT) > + bb.debug(2, "Command '%s' returned:\n%s" % ("\n".join(cmd), output)) > + if bb.data.inherits_class('cve-check', d): > + time_utc = time.gmtime(time.time()) > + time_format = "%Y-%m-%d %H:%M:%S" > + with open(cve_file, "w") as f: > + f.write("CVE database was updated on %s UTC\n\n" > + % time.strftime(time_format, time_utc)) > + > + except subprocess.CalledProcessError as e: > + bb.warn("Error in executing cve-check-update: %s (output %s)" % (e, > e.output)) > + if bb.data.inherits_class('cve-check', d): > + bb.warn("Failed to update cve-check-tool database, CVEs won't be > checked") > +} > + > +addtask populate_cve_db after do_populate_sysroot > +do_populate_cve_db[nostamp] = "1" > + > +BBCLASSEXTEND = "native" > -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
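Review bot: The `except subprocess.CalledProcessError` branch of `do_populate_cve_db` only warns, so a failed `cve-check-update` leaves whatever database was already on disk in use while `cve_file` is never written, and a reader of the resulting cve-check report cannot tell that its results may rest on stale data. Since the task is `[nostamp]` and re-runs with network access on every build, a transient download failure is a realistic case; consider recording it in the report header the same way the success path does, e.g. `with open(cve_file, "w") as f: f.write("CVE database update failed; results may be based on a stale database\n\n")` inside the existing `bb.data.inherits_class('cve-check', d)` check of that branch. Two smaller points in the success path: `"\n".join(cmd)` in the debug message splits the command across lines where `" ".join(cmd)` was presumably intended, and `output` from `check_output` is `bytes` on Python 3, so the `%s` formatting will log a `b'...'` repr unless it is decoded first. The severity is also inconsistent with the `BB_NO_NETWORK` branch, which reports the same outcome (database not updated) with `bb.error` rather than `bb.warn`. The `DESCRIPTION` string additionally misspells "vulnerable" as "vunlnerable".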