cve-check-tool: backport a patch to make CVE checking work
CVE checking in OE didn't work as do_populate_cve_db failed with the following error message.

[snip]/downloads/CVE_CHECK/nvdcve-2.0-2002.xml is not consistent

Backport a patch to fix this error.

(From OE-Core rev: ee55b5685aaa4be92d6d51f8641a559d4e34ce64)
(From OE-Core rev: e0f0a7283c597e783b69aac2c8e8a7663b70262d)

Signed-off-by: Chen Qi <Qi.Chen@windriver.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
parent f375c30a17
commit bc45d3a86b
@ -10,6 +10,7 @@ SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.
file://check-for-malloc_trim-before-using-it.patch \
file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
file://0001-update-Compare-computed-vs-expected-sha256-digit-str.patch \
"
SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
@ -0,0 +1,52 @@
From b0426e63c9ac61657e029f689bcb8dd051e752c6 Mon Sep 17 00:00:00 2001
From: Sergey Popovich <popovich_sergei@mail.ua>
Date: Fri, 21 Apr 2017 07:32:23 -0700
Subject: [PATCH] update: Compare computed vs expected sha256 digit string
ignoring case
We produce sha256 digest string using %x snprintf()
qualifier for each byte of digest which uses alphabetic
characters from "a" to "f" in lower case to represent
integer values from 10 to 15.
Previously all of the NVD META files supply sha256
digest string for corresponding XML file in lower case.
However due to some reason this changed recently to
provide digest digits in upper case causing fetched
data consistency checks to fail. This prevents database
from being updated periodically.
While commit c4f6e94 (update: Do not treat sha256 failure
as fatal if requested) adds useful option to skip
digest validation at all and thus provides workaround for
this situation, it might be unacceptable for some
deployments where we need to ensure that downloaded
data is consistent before start parsing it and update
SQLite database.
Use strcasecmp() to compare two digest strings case
insensitively and addressing this case.
Upstream-Status: Backport
Signed-off-by: Sergey Popovich <popovich_sergei@mail.ua>
---
src/update.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/update.c b/src/update.c
index 8588f38..3cc6b67 100644
--- a/src/update.c
+++ b/src/update.c
@@ -187,7 +187,7 @@ static bool nvdcve_data_ok(const char *meta, const char *data)
snprintf(&csum_data[idx], len, "%02hhx", digest[i]);
}
- ret = streq(csum_meta, csum_data);
+ ret = !strcasecmp(csum_meta, csum_data);
err_unmap:
munmap(buffer, length);
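Review bot: strcasecmp() is declared in <strings.h> (POSIX), not <string.h>, and this one-line hunk adds no include; the stat above says 1 insertion and 1 deletion in src/update.c only, so unless update.c already includes <strings.h> the new call compiles with an implicit-declaration warning and fails under -Werror. Either add `#include <strings.h>` to update.c, or keep the original `ret = streq(csum_meta, csum_data);` and lower-case csum_meta with tolower() beforehand: csum_data is already lower case because it is built with `snprintf(&csum_data[idx], len, "%02hhx", digest[i]);` a few lines up, so only the META side needs folding, and that also avoids strcasecmp()'s dependence on the current locale.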
--
2.11.0
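The consistency check the patch above fixes, as an added example that is neither the commit's nor cve-check-tool's own code: it computes the SHA-256 of a data buffer, formats it with the same "%02hhx" conversion update.c uses, and accepts a META digest written in either case. The META layout assumed here ("key:value" lines, one of them "sha256:<hex>"), the constructed META text, and the function names nvdcve_data_ok_buf(), meta_sha256(), hex_digest_equal() and sha256_hex() are this example's own, not the project's.

```c
/* Added example, not cve-check-tool's code: an offline model of the
 * nvdcve_data_ok() check. Embeds a small SHA-256, formats the digest with
 * "%02hhx" as update.c does, and compares it to the META digest ignoring
 * hex case. The "sha256:<hex>" META line layout is an assumption. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};
#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static void sha256_block(uint32_t st[8], const uint8_t b[64])
{
    uint32_t w[64], v[8];                       /* v[] = a,b,c,d,e,f,g,h */
    for (int i = 0; i < 16; i++)
        w[i] = (uint32_t)b[4*i] << 24 | (uint32_t)b[4*i+1] << 16 | (uint32_t)b[4*i+2] << 8 | b[4*i+3];
    for (int i = 16; i < 64; i++)
        w[i] = w[i-16] + (ROTR(w[i-15], 7) ^ ROTR(w[i-15], 18) ^ (w[i-15] >> 3))
             + w[i-7] + (ROTR(w[i-2], 17) ^ ROTR(w[i-2], 19) ^ (w[i-2] >> 10));
    memcpy(v, st, sizeof v);
    for (int i = 0; i < 64; i++) {
        uint32_t t1 = v[7] + (ROTR(v[4], 6) ^ ROTR(v[4], 11) ^ ROTR(v[4], 25)) + ((v[4] & v[5]) ^ (~v[4] & v[6])) + K[i] + w[i];
        uint32_t t2 = (ROTR(v[0], 2) ^ ROTR(v[0], 13) ^ ROTR(v[0], 22)) + ((v[0] & v[1]) ^ (v[0] & v[2]) ^ (v[1] & v[2]));
        memmove(v + 1, v, 7 * sizeof v[0]);     /* b=a, c=b, ..., h=g */
        v[4] += t1;                             /* e = d + t1 */
        v[0] = t1 + t2;                         /* a = t1 + t2 */
    }
    for (int i = 0; i < 8; i++) st[i] += v[i];
}

static void sha256(const uint8_t *m, size_t len, uint8_t out[32])
{
    uint32_t st[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    uint8_t blk[64];
    size_t i = 0, rem;
    for (; i + 64 <= len; i += 64) sha256_block(st, m + i);
    rem = len - i;
    memcpy(blk, m + i, rem);
    blk[rem++] = 0x80;                          /* pad: 1 bit, zeros, 64-bit big-endian length */
    if (rem > 56) { memset(blk + rem, 0, 64 - rem); sha256_block(st, blk); rem = 0; }
    memset(blk + rem, 0, 56 - rem);
    for (int j = 0; j < 8; j++) blk[56 + j] = (uint8_t)(((uint64_t)len * 8) >> (56 - 8 * j));
    sha256_block(st, blk);
    for (int j = 0; j < 8; j++)
        for (int k = 0; k < 4; k++) out[4 * j + k] = (uint8_t)(st[j] >> (24 - 8 * k));
}

/* Lower-case hex, produced with the same "%02hhx" conversion update.c uses. */
void sha256_hex(const uint8_t *m, size_t len, char out[65])
{
    uint8_t d[32];
    sha256(m, len, d);
    for (int i = 0; i < 32; i++) snprintf(&out[2 * i], 3, "%02hhx", d[i]);
}

/* Case-insensitive hex compare. Only A-F are folded: that is all a hex digest can
 * contain, and unlike strcasecmp() it does not depend on the current locale.
 * Not constant-time, which is fine here: the expected digest is public. */
bool hex_digest_equal(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        char ca = (*a >= 'A' && *a <= 'F') ? (char)(*a + 32) : *a;
        char cb = (*b >= 'A' && *b <= 'F') ? (char)(*b + 32) : *b;
        if (ca != cb) return false;
    }
    return *a == *b;                            /* both strings ended together */
}

/* Extract the digest from an (assumed) "sha256:<64 hex digits>" META line. */
bool meta_sha256(const char *meta, char out[65])
{
    for (const char *p = meta; p && *p; p = strchr(p, '\n') ? strchr(p, '\n') + 1 : NULL) {
        if (strncmp(p, "sha256:", 7) != 0) continue;
        p += 7;
        if (strspn(p, "0123456789abcdefABCDEF") != 64 || (p[64] && p[64] != '\r' && p[64] != '\n'))
            return false;                       /* malformed digest line */
        memcpy(out, p, 64); out[64] = '\0';
        return true;
    }
    return false;                               /* no sha256: line at all */
}

/* Model of nvdcve_data_ok(): true iff data hashes to the META digest, any hex case. */
bool nvdcve_data_ok_buf(const char *meta, const uint8_t *data, size_t len)
{
    char expected[65], computed[65];
    if (!meta_sha256(meta, expected)) return false;
    sha256_hex(data, len, computed);
    return hex_digest_equal(expected, computed);
}

/* Constructed META text for a 3-byte data file "abc", digest in upper case. */
const char META_UPPER[] = "lastModifiedDate:2017-04-21T07:32:23-07:00\r\nsize:3\r\n"
    "sha256:BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD\r\n";

int main(void)
{
    printf("%s\n", nvdcve_data_ok_buf(META_UPPER, (const uint8_t *)"abc", 3) ? "consistent" : "not consistent");
    return 0;
}
```

With the original streq() in place of hex_digest_equal(), META_UPPER would be reported "not consistent" even though the data is intact, which is the failure the backport addresses; the malformed-line and missing-line cases still fail closed.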