cve-check: don't warn if a patch is remote

We don't make do_cve_check depend on do_unpack because that would be a waste of time 99% of the time. The compromise here is that we can't scan remote patches for issues, but this isn't a problem so downgrade the warning to a note. Also move the check for CVEs in the filename before the local file check so that even with remote patches, we still check for CVE references in the name. (From OE-Core rev: 0251cad677579f5b4dcc25fa2f8552c6040ac2cf) Signed-off-by: Ross Burton <ross.burton@arm.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2025-07-19 21:09:03 +02:00 · 2023-11-03 13:28:11 +00:00 · 2023-11-03 13:28:11 +00:00 · 7ffa4d4044
commit 7ffa4d4044
parent e575f59b82
1 changed files with 6 additions and 5 deletions
--- a/meta/lib/oe/cve_check.py
+++ b/meta/lib/oe/cve_check.py
@ -95,11 +95,6 @@ def get_patched_cves(d):
    for url in oe.patch.src_patches(d):
        patch_file = bb.fetch.decodeurl(url)[2]

-        # Remote compressed patches may not be unpacked, so silently ignore them
-        if not os.path.isfile(patch_file):
-            bb.warn("%s does not exist, cannot extract CVE list" % patch_file)
-            continue
-
        # Check patch file name for CVE ID
        fname_match = cve_file_name_match.search(patch_file)
        if fname_match:
@ -107,6 +102,12 @@ def get_patched_cves(d):
            patched_cves.add(cve)
            bb.debug(2, "Found CVE %s from patch file name %s" % (cve, patch_file))

+        # Remote patches won't be present and compressed patches won't be
+        # unpacked, so say we're not scanning them
+        if not os.path.isfile(patch_file):
+            bb.note("%s is remote or compressed, not scanning content" % patch_file)
+            continue
+
        with open(patch_file, "r", encoding="utf-8") as f:
            try:
                patch_text = f.read()