cve_check: Use a local copy of the database during builds
Rather than trying to use a sqlite database over NFS from DL_DIR, work from
a local copy in STAGING_DIR after fetching.

(From OE-Core rev: 468a9077d9b3466d60ee8c5b6144529ea5e5c849)

Signed-off-by: Richard Purdie <[email protected]>
(cherry picked from commit 03596904392d257572a905a182b92c780d636744)
Signed-off-by: Steve Sakoman <[email protected]>
rpurdie authored and sakoman committed Aug 12, 2024
1 parent 3650a16 commit fb198e0
Showing 2 changed files with 17 additions and 8 deletions.
7 changes: 4 additions & 3 deletions meta/classes/cve-check.bbclass
Expand Up @@ -31,8 +31,9 @@
CVE_PRODUCT ??= "${BPN}"
CVE_VERSION ??= "${PV}"

CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK"
CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvdcve_2-1.db"
CVE_CHECK_DB_FILENAME ?= "nvdcve_2-1.db"
CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"
CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/${CVE_CHECK_DB_FILENAME}"
CVE_CHECK_DB_FILE_LOCK ?= "${CVE_CHECK_DB_FILE}.lock"

CVE_CHECK_LOG ?= "${T}/cve.log"
Expand Down Expand Up @@ -198,7 +199,7 @@ python do_cve_check () {
}

addtask cve_check before do_build
do_cve_check[depends] = "cve-update-nvd2-native:do_fetch"
do_cve_check[depends] = "cve-update-nvd2-native:do_unpack"
do_cve_check[nostamp] = "1"

python cve_check_cleanup () {
Expand Down
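Review bot: The new `CVE_CHECK_DB_DIR ?= "${STAGING_DIR}/CVE_CHECK"` keeps an existing user-facing variable name while changing what it controls: the download location is now fixed by the recipe as `${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}`, so a local.conf that overrode CVE_CHECK_DB_DIR or CVE_CHECK_DB_FILE to relocate the NVD download will from now on only move the build-local copy, and nothing in this hunk says so. A two-line comment above the three assignments would avoid that surprise, e.g. `# Build-local working copy of the NVD database; the download itself lives under ${DL_DIR}/CVE_CHECK and is managed by cve-update-nvd2-native, so override CVE_CHECK_DB_FILENAME (not this directory) to change which file is fetched.` The same comment should note that `CVE_CHECK_DB_FILE_LOCK` now follows the copy into STAGING_DIR and therefore no longer serialises anything across builds sharing DL_DIR; that looks intended, since the recipe introduces its own DLDIR lock, but it is a change in what the lock protects. The variable block continues above the first hunk and the body of do_cve_check lies outside the second one.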
18 changes: 13 additions & 5 deletions meta/recipes-core/meta/cve-update-nvd2-native.bb
Expand Up @@ -8,7 +8,6 @@ INHIBIT_DEFAULT_DEPS = "1"

inherit native

deltask do_unpack
deltask do_patch
deltask do_configure
deltask do_compile
Expand All @@ -35,7 +34,9 @@ CVE_DB_INCR_UPDATE_AGE_THRES ?= "10368000"
# Number of attempts for each http query to nvd server before giving up
CVE_DB_UPDATE_ATTEMPTS ?= "5"

CVE_DB_TEMP_FILE ?= "${CVE_CHECK_DB_DIR}/temp_nvdcve_2.db"
CVE_CHECK_DB_DLDIR_FILE ?= "${DL_DIR}/CVE_CHECK/${CVE_CHECK_DB_FILENAME}"
CVE_CHECK_DB_DLDIR_LOCK ?= "${CVE_CHECK_DB_DLDIR_FILE}.lock"
CVE_CHECK_DB_TEMP_FILE ?= "${CVE_CHECK_DB_FILE}.tmp"

python () {
if not bb.data.inherits_class("cve-check", d):
Expand All @@ -52,9 +53,9 @@ python do_fetch() {

bb.utils.export_proxies(d)

db_file = d.getVar("CVE_CHECK_DB_FILE")
db_file = d.getVar("CVE_CHECK_DB_DLDIR_FILE")
db_dir = os.path.dirname(db_file)
db_tmp_file = d.getVar("CVE_DB_TEMP_FILE")
db_tmp_file = d.getVar("CVE_CHECK_DB_TEMP_FILE")

cleanup_db_download(db_file, db_tmp_file)
# By default let's update the whole database (since time 0)
Expand All @@ -77,6 +78,7 @@ python do_fetch() {
pass

bb.utils.mkdirhier(db_dir)
bb.utils.mkdirhier(os.path.dirname(db_tmp_file))
if os.path.exists(db_file):
shutil.copy2(db_file, db_tmp_file)

Expand All @@ -89,10 +91,16 @@ python do_fetch() {
os.remove(db_tmp_file)
}

do_fetch[lockfiles] += "${CVE_CHECK_DB_FILE_LOCK}"
do_fetch[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK}"
do_fetch[file-checksums] = ""
do_fetch[vardeps] = ""

python do_unpack() {
import shutil
shutil.copyfile(d.getVar("CVE_CHECK_DB_DLDIR_FILE"), d.getVar("CVE_CHECK_DB_FILE"))
}
do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}"

def cleanup_db_download(db_file, db_tmp_file):
"""
Cleanup the download space from possible failed downloads
Expand Down
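Review bot: The new `do_unpack` copies with `shutil.copyfile` straight onto the final `CVE_CHECK_DB_FILE`, so a build killed mid-copy leaves a truncated sqlite file at the exact path every `do_cve_check` task opens, and it also silently relies on `do_fetch` having created the STAGING_DIR/CVE_CHECK directory through the `mkdirhier` on the tmp file's parent. Copying to a sibling temp name under the same locks and `os.replace()`-ing it into place, with its own `mkdirhier`, keeps the local copy either the previous complete database or the new one. Separately, whether a database refreshed in DL_DIR by a later run is re-copied depends on do_unpack being re-executed whenever do_fetch runs (do_fetch's stamp flags are not in the visible section); if it is not, cve_check silently runs against a stale database and under-reports CVEs, so this is worth confirming or settling with `do_unpack[nostamp] = "1"`. The remainder of do_fetch, including whatever moves the tmp file from STAGING_DIR into DL_DIR, is outside the visible hunks; if that step is an `os.rename` it will now cross filesystems when DL_DIR is on NFS and should be a `shutil.move`.
```bitbake
python do_unpack() {
    import os
    import shutil
    src = d.getVar("CVE_CHECK_DB_DLDIR_FILE")
    dst = d.getVar("CVE_CHECK_DB_FILE")
    bb.utils.mkdirhier(os.path.dirname(dst))
    # Stage the copy next to its destination so the final rename is atomic and
    # do_cve_check never opens a half-written database.
    tmp = dst + ".unpack"
    shutil.copyfile(src, tmp)
    os.replace(tmp, dst)
}
do_unpack[lockfiles] += "${CVE_CHECK_DB_DLDIR_LOCK} ${CVE_CHECK_DB_FILE_LOCK}"
```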
