cve-update-db: Catch request.urlopen errors.

If the NVD url is not accessible, print a warning on top of the CVE report, and continue. The database will not be fully updated, but cve_check can still run on the previous database. (From OE-Core rev: 0325dd72714f0b447558084f481b77f0ec850eed) Signed-off-by: Pierre Le Magourou <pierre.lemagourou@softbankrobotics.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2026-04-05 08:02:25 +02:00 · 2019-07-03 11:35:06 +02:00
parent a61354e965
commit 4a68a44f56
2 changed files with 24 additions and 11 deletions
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -51,14 +51,15 @@ python do_cve_check () {
    Check recipe for patched and unpatched CVEs
    """

-    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
+    if os.path.exists(d.getVar("CVE_CHECK_DB_FILE")):
        patched_cves = get_patches_cves(d)
        patched, unpatched = check_cves(d, patched_cves)
        if patched or unpatched:
            cve_data = get_cve_info(d, patched + unpatched)
            cve_write_data(d, patched, unpatched, cve_data)
    else:
-        bb.note("Failed to update CVE database, skipping CVE check")
+        bb.note("No CVE database found, skipping CVE check")
+
 }

 addtask cve_check after do_unpack before do_build
--- a/meta/recipes-core/meta/cve-update-db.bb
+++ b/meta/recipes-core/meta/cve-update-db.bb
@@ -28,6 +28,7 @@ python do_populate_cve_db() {
    db_file = db_dir + '/nvd-json.db'
    json_tmpfile = db_dir + '/nvd.json.gz'
    proxy = d.getVar("https_proxy")
+    cve_f = open(d.getVar("TMPDIR") + '/cve_check', 'a')

    if not os.path.isdir(db_dir):
        os.mkdir(db_dir)
@@ -47,9 +48,13 @@ python do_populate_cve_db() {
        req = urllib.request.Request(meta_url)
        if proxy:
            req.set_proxy(proxy, 'https')
-        with urllib.request.urlopen(req) as r:
-            date_line = str(r.read().splitlines()[0])
-            last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
+        try:
+            with urllib.request.urlopen(req, timeout=1) as r:
+                date_line = str(r.read().splitlines()[0])
+                last_modified = re.search('lastModifiedDate:(.*)', date_line).group(1)
+        except:
+            cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+            break

        # Compare with current db last modified date
        c.execute("select DATE from META where YEAR = '%d'" % year)
@@ -59,19 +64,26 @@ python do_populate_cve_db() {
            req = urllib.request.Request(json_url)
            if proxy:
                req.set_proxy(proxy, 'https')
-            with urllib.request.urlopen(req) as r, open(json_tmpfile, 'wb') as tmpfile:
-                shutil.copyfileobj(r, tmpfile)
+            try:
+                with urllib.request.urlopen(req, timeout=1) as r, \
+                     open(json_tmpfile, 'wb') as tmpfile:
+                    shutil.copyfileobj(r, tmpfile)
+            except:
+                cve_f.write('Warning: CVE db update error, CVE data is outdated.\n\n')
+                break
+
            with gzip.open(json_tmpfile, 'rt') as jsonfile:
                update_db(c, jsonfile)
            c.execute("insert or replace into META values (?, ?)",
                    [year, last_modified])

+        # Update success, set the date to cve_check file.
+        if year == date.today().year:
+            cve_f.write('CVE database update : %s\n\n' % date.today())
+
+    cve_f.close()
    conn.commit()
    conn.close()
-
-    cve_check_tmp_file =  d.getVar("TMPDIR") + '/cve_check'
-    with open(cve_check_tmp_file, 'a'):
-        os.utime(cve_check_tmp_file, None)
 }

 # DJB2 hash algorithm