Re: [OE-core] [PATCH 1/3] cve-check-tool: Add recipe

2016-02-24 Thread Burton, Ross
On 24 February 2016 at 15:27,  wrote:

> +python () {
> +# If the cve-check class is inherited it is needed to populate the
> +# CVE database before checking the CVEs for all recipes.
> +pn = d.getVar("PN", True)
> +if pn.endswith("-native") and bb.data.inherits_class('cve-check', d):
> +bb.build.addtask("do_populate_cve_db", "do_build",
> "do_populate_sysroot", d)
> +}
>
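
Review bot: the bb.build.addtask() call at the end of this anonymous function orders do_populate_cve_db only within this recipe (after do_populate_sysroot, before do_build), while the comment above it says the database must be populated before the CVEs of all recipes are checked. Nothing in these lines makes another recipe's check wait for this task, so the ordering the comment asks for is not expressed here. Consider declaring the dependency on this recipe's do_populate_cve_db from the check task in the cve-check class, so the requirement is stated where it is consumed and the PN.endswith("-native") test is no longer needed.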

Wouldn't this be better done as an explicit dependency of the class task?

Ross
-- 
___
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core


[OE-core] [PATCH 1/3] cve-check-tool: Add recipe

2016-02-24 Thread mariano . lopez
From: Mariano Lopez 

cve-check-tool is a program for checking public CVEs.
This tool also seeks to determine if a vulnerability has
been addressed by a patch.

The recipe also includes the do_populate_cve_db task
that will populate the database used by the tool. This
task is added when the cve-check class has been inherited.

[YOCTO #7515]

Co-authored by Elena Reshetova & Mariano Lopez

Signed-off-by: Mariano Lopez 
---
 .../cve-check-tool/cve-check-tool_5.6.bb   | 61 ++
 1 file changed, 61 insertions(+)
 create mode 100644 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb 
b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb
new file mode 100644
index 000..b173eab
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb
@@ -0,0 +1,61 @@
+SUMMARY = "cve-check-tool"
+DESCRIPTION = "cve-check-tool is a tool for checking known (public) CVEs.\
+The tool will identify potentially vunlnerable software packages within Linux 
distributions through version matching."
+HOMEPAGE = "https://github.com/ikeydoherty/cve-check-tool";
+SECTION = "Development/Tools"
+LICENSE = "GPL-2.0"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
+
+SRC_URI = 
"https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
+file://change_logic_cve_get_file_parent.patch"
+
+SRC_URI[md5sum] = "30f32e6254580162eacfcc437a144463"
+SRC_URI[sha256sum] = 
"d35af2bfa014b9d7cdc9c59ec0bd7df40c22dfcd57244c9099c0aa9bdc9c0cb4"
+
+DEPENDS = "libcheck glib-2.0 json-glib curl libxml2 sqlite3 openssl"
+
+inherit pkgconfig autotools
+
+EXTRA_OECONF = "--disable-static"
+
+python () {
+# If the cve-check class is inherited it is needed to populate the
+# CVE database before checking the CVEs for all recipes.
+pn = d.getVar("PN", True)
+if pn.endswith("-native") and bb.data.inherits_class('cve-check', d):
+bb.build.addtask("do_populate_cve_db", "do_build", 
"do_populate_sysroot", d)
+}
+
+python do_populate_cve_db () {
+import subprocess
+import time
+from bb.utils import export_proxies
+
+export_proxies(d)
+fail_text = "Failed to update database"
+error_str = fail_text
+cve_dir = d.getVar("CVE_CHECK_DB_DIR", True)
+cmd = "cve-check-update -d %s" % cve_dir
+bb.debug(1, "Updating cve-check-tool database located in %s" % cve_dir)
+try:
+popen = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, 
stderr=subprocess.PIPE)
+output, error = popen.communicate()
+bb.debug(2, "Command %s returned:\n%s" % (cmd, output.decode()))
+error_str = error.decode()
+bb.debug(2, "Command %s errors:\n%s" % (cmd, error_str))
+except:
+bb.warn("Error in executing cve-check-update: %s" % 
str(sys.exc_info()))
+
+if fail_text in error_str:
+bb.warn("Failed to update cve-check-tool database, CVEs won't be 
checked")
+else:
+utc_time = time.gmtime(time.time())
+format_time = "%Y-%m-%d %H:%M:%S"
+with open(d.getVar("CVE_CHECK_TMP_FILE", True), "w") as f:
+f.write("CVE database was updated on %s UTC\n\n"
+% time.strftime(format_time, utc_time))
+}
+
+do_populate_cve_db[nostamp] = "1"
+
+BBCLASSEXTEND = "native"
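
Review bot: in do_populate_cve_db, failure is detected only by searching stderr for the string "Failed to update database"; the exit status of cve-check-update is never read, so a run that fails with any other message falls into the else branch and writes "CVE database was updated on ..." to CVE_CHECK_TMP_FILE. Check popen.returncode after communicate() and treat a non-zero value as failure as well. In the same function, the bare "except:" calls sys.exc_info() although the function's import lines list only subprocess, time and export_proxies, and it also swallows every exception type; "except Exception as e:" with str(e) in the warning avoids both. The command is built with "%" and run with shell=True; passing ["cve-check-update", "-d", cve_dir] without the shell keeps a CVE_CHECK_DB_DIR value that contains spaces or shell metacharacters from being interpreted by the shell.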
-- 
2.6.2
