[OE-core] [meta-oe][PATCH] cve-update-db: Catch request.urlopen errors.
Pierre Le Magourou
lemagoup at gmail.com
Wed Jul 3 09:35:06 UTC 2019
From: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
If the NVD url is not accessible, print a warning on top of the CVE
report, and continue. The database will not be fully updated, but
cve_check can still run on the previous database.
Signed-off-by: Pierre Le Magourou <pierre.lemagourou at softbankrobotics.com>
---
meta/classes/cve-check.bbclass | 5 +++--
meta/recipes-core/meta/cve-update-db.bb | 30 +++++++++++++++++++++---------
2 files changed, 24 insertions(+), 11 deletions(-)
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 1e7e8dd441..81071e3f19 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -51,14 +51,15 @@ python do_cve_check () {
Check recipe for patched and unpatched CVEs
"""
- if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+ if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
patched_cves = get_patches_cves(d)
patched, unpatched = check_cves(d, patched_cves)
if patched or unpatched:
cve_data = get_cve_info(d, patched + unpatched)
cve_write_data(d, patched, unpatched, cve_data)
else:
- bb.note("Failed to update CVE database, skipping CVE check")
+ bb.note("No CVE database found, skipping CVE check")
+
}
addtask cve_check after do_unpack before do_build
diff --git a/meta/recipes-core/meta/cve-update-db.bb b/meta/recipes-core/meta/cve-update-db.bb
index 3e5bae8b1d..ae8f1a958b 100644
--- a/meta/recipes-core/meta/cve-update-db.bb
+++ b/meta/recipes-core/meta/cve-update-db.bb
@@ -28,6 +28,7 @@ python do_populate_cve_db() {
db_file = db_dir + '/nvd-json.db'
json_tmpfile = db_dir + '/nvd.json.gz'
proxy = d.getVar("https_proxy")
+ cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a')
if not os.path.isdir(db_dir):
os.mkdir(db_dir)
@@ -47,9 +48,13 @@ python do_populate_cve_db() {
req = urllib.request.Request(meta_url)
if proxy:
req.set_proxy(proxy, 'https')
- with urllib.request.urlopen(req) as r:
- date_line = str(r.read().splitlines()[0])
- last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
+ try:
+ with urllib.request.urlopen(req, timeout=1) as r:
+ date_line = str(r.read().splitlines()[0])
+ last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
+ except:
+ cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+ break
# Compare with current db last modified date
c.execute("select DATE from META where YEAR = '%d'" % year)
@@ -59,19 +64,26 @@ python do_populate_cve_db() {
req = urllib.request.Request(json_url)
if proxy:
req.set_proxy(proxy, 'https')
- with urllib.request.urlopen(req) as r, open(json_tmpfile, 'wb') as tmpfile:
- shutil.copyfileobj(r, tmpfile)
+ try:
+ with urllib.request.urlopen(req, timeout=1) as r, \
+ open(json_tmpfile, 'wb') as tmpfile:
+ shutil.copyfileobj(r, tmpfile)
+ except:
+ cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+ break
+
with gzip.open(json_tmpfile, 'rt') as jsonfile:
update_db(c, jsonfile)
c.execute("insert or replace into META values (?, ?)",
[year, last_modified])
+ # Update success, set the date to cve_check file.
+ if year == date.today().year:
+ cve_f.write('CVE database update : %s\n\n' % date.today())
+
+ cve_f.close()
conn.commit()
conn.close()
-
- cve_check_tmp_file = d.getVar("TMPDIR") + '/cve_check'
- with open(cve_check_tmp_file, 'a'):
- os.utime(cve_check_tmp_file, None)
}
# DJB2 hash algorithm
--
2.11.0
More information about the Openembedded-core
mailing list