CVE-check failing on world with meta-openembedded: diff.gz file

Marta Rybczynska

Dear all,
We're running cve-check on a world build containing oe-core, meta-oe and more. We have an issue with the lockdev recipe (meta-openembedded/meta-oe/recipes-support/lockdev/, which causes a fail like below:

$ bitbake world --runonly=do_cve_check
ERROR: lockdev-1_1.0.3-r0 do_cve_check: File Not found: <path>lockdev/1_1.0.3-r0/lockdev_1.0.3-1.6.diff
ERROR: lockdev-1_1.0.3-r0 do_cve_check: Failure in searching patches
ERROR: Logfile of failure stored in: <path>/lockdev/1_1.0.3-r0/temp/log.do_cve_check.8709
ERROR: Task (<path>/meta-openembedded/meta-oe/recipes-support/lockdev/ failed with exit code '1'

The issue is caused by the fact that lockdev_1.0.3-1.6.diff is missing. When we look into the recipe, it is downloading lockdev_1.0.3-1.6.diff.gz file Please note the additional extension.

Stripping the extension comes from oe-core/meta/oe/, from the patch_path function, which is figuring out if a file is a patch, and returning the local path if it is so. However, at the moment when we do_cve_check, the .gz file is not uncompressed.

I'm wondering how to solve it.
1. Add a dependency to make sure eventual patch files are decompressed first?
2. Do not consider this as a patch file in the scope of cve-check ? (this is more a part of the source then an actual patch that might be fixing a CVE)

This is the only case like that we have in the build. Please note that removing ".diff" from the extension list in patch_path() is solving the issue.

Any comments or suggestions?

Kind regards,

Join to automatically receive all group messages.