python3-checksec-py, python3-pylddwrap, python3-icontract: add recipes

they were sent for meta-security long time ago in 2021: https://lists.yoctoproject.org/g/yocto/message/54470 but never merged there, now there are lief, docopt, rich, asttokens already in meta-python and checksec-py depends on lief version, e.g. https://github.com/Wenzel/checksec.py/commit/976d530867756d1393189708aa98308b07b1f3b2 is needed to fixcompatibility with newer lief currently in meta-python Signed-off-by: Martin Jansa <martin.jansa@gmail.com> Signed-off-by: Khem Raj <raj.khem@gmail.com>
author: Martin Jansa <martin.jansa@gmail.com> 2025-11-14 13:58:04 +0100
committer: Khem Raj <raj.khem@gmail.com> 2025-11-14 07:39:48 -0800
commit: a78e6d21094eacf338ca8038c05fea24f19b2ddf (patch)
tree: 4c62444552a8ff1b47150c8c41136ef21f8242f4
parent: 38ea8a4617ad395b2addd24bd1f6b57a8242fa0b (diff)
download: meta-openembedded-a78e6d21094eacf338ca8038c05fea24f19b2ddf.tar.gz
4 files changed, 148 insertions, 0 deletions
diff --git a/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch
new file mode 100644
index 0000000000..3a99ba33e3
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch
@@ -0,0 +1,81 @@
+From b540967b87394d855c26375ac5a9a7265f265053 Mon Sep 17 00:00:00 2001
+From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
+Date: Fri, 2 Jul 2021 14:42:25 +0200
+Subject: [PATCH] main: Add option to ignore symlinks
+When analyzing a complete rootfs (which might not be the rootfs of the
+analyzing system) symlinks within that rootfs might be broken. In
+particular absolute symlinks. However, if by chance such a symlink
+currently points to a valid binary in your system, this binary pointed
+to is analyzed. This commit adds the possibility to ignore symlinks to
+files (symlinks to dirs are already ignored by default). This allows to
+solve the issue described above, and if the whole rootfs is analyzed
+there shouldn't be a loss of information (because all the binaries will
+be analyzed anyway). Additionally, this also saves some time when
+performing the analysis.
+Upstream-Status: Submitted [https://github.com/Wenzel/checksec.py/pull/106]
+---
+ checksec/__main__.py | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+diff --git a/checksec/__main__.py b/checksec/__main__.py
+index a14862f..931d850 100644
+--- a/checksec/__main__.py
+++ b/checksec/__main__.py
+@@ -8,6 +8,7 @@ Options:
+     -w WORKERS --workers=WORKERS    Specify the number of process pool workers [default: 4]
+     -j --json                       Display results as JSON
+     -s LIBC --set-libc=LIBC         Specify LIBC library to use to check for fortify scores (ELF)
+    -i --ignore-symlinks            Ignore symlinks to files
+     -d --debug                      Enable debug output
+     -h --help                       Display this message
+ """
+@@ -27,18 +28,18 @@ from .pe import PEChecksecData, PESecurity, is_pe
+ from .utils import lief_set_logging
+ 
+ 
+-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]:
+def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]:
+     for path in filepath_list:
+         if path.is_dir() and not path.is_symlink():
+             try:
+                 if recursive:
+                     for f in os.scandir(path):
+-                        yield from walk_filepath_list([Path(f)], recursive)
+                        yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks)
+                 else:
+                     yield from (Path(f) for f in os.scandir(path))
+             except OSError:
+                 continue
+-        elif path.is_file():
+        elif path.is_file() and (not ignore_symlinks or not path.is_symlink()):
+             yield path
+ 
+ 
+@@ -75,6 +76,7 @@ def main(args):
+     json = args["--json"]
+     recursive = args["--recursive"]
+     libc_path = args["--set-libc"]
+    ignore_symlinks = args["--ignore-symlinks"]
+ 
+     # logging
+     formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s"
+@@ -110,7 +112,7 @@ def main(args):
+             # we need to consume the iterator once to get the total
+             # for the progress bar
+             check_output.enumerating_tasks_start()
+-            count = sum(1 for i in walk_filepath_list(filepath_list, recursive))
+            count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks))
+             check_output.enumerating_tasks_stop(count)
+             with ProcessPoolExecutor(
+                 max_workers=workers, initializer=worker_initializer, initargs=(libc_path,)
+@@ -119,7 +121,7 @@ def main(args):
+                     check_output.processing_tasks_start()
+                     future_to_checksec = {
+                         pool.submit(checksec_file, filepath): filepath
+-                        for filepath in walk_filepath_list(filepath_list, recursive)
+                        for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks)
+                     }
+                     for future in as_completed(future_to_checksec):
+                         filepath = future_to_checksec[future]
diff --git a/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb
new file mode 100644
index 0000000000..8d8e54e227
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb
@@ -0,0 +1,27 @@
+SUMMARY = "Recipe to embedded the Python PiP Package checksec_py"
+HOMEPAGE = "https://pypi.org/project/checksec_py"
+LICENSE = "GPL-3.0-only"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464"
+PR = "r0"
+inherit pypi python_poetry_core
+PYPI_PACKAGE = "checksec_py"
+SRC_URI[sha256sum] = "892854f95d17a76d8f45a5c0cc597b9f1bebced3fffb9c7205d0baaf5eace886"
+SRC_URI += " \
+    file://0001-main-Add-option-to-ignore-symlinks.patch \
+"
+RDEPENDS:${PN} += " \
+    python3-docopt \
+    python3-lief \
+    python3-pylddwrap \
+    python3-rich \
+"
+# python3-lief is not available for x86:
+# https://github.com/lief-project/LIEF/commit/3def579f75965aa19c021d840a759bce2afc0a31#r152197203
+COMPATIBLE_HOST:x86 = "null"
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb
new file mode 100644
index 0000000000..5075a1a6a1
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb
@@ -0,0 +1,14 @@
+SUMMARY = "Recipe to embedded the Python PiP Package icontract"
+HOMEPAGE = "https://pypi.org/project/icontract"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57"
+PR = "r0"
+inherit pypi setuptools3
+PYPI_PACKAGE = "icontract"
+SRC_URI[sha256sum] = "c1fd55c7709ef18a2ee64313fe863be2668b53060828fcca3525051160c92691"
+RDEPENDS:${PN} += "python3-asttokens"
+BBCLASSEXTEND = "native"
diff --git a/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb
new file mode 100644
index 0000000000..045ccb9f1e
--- /dev/null
+++ b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb
@@ -0,0 +1,26 @@
+SUMMARY = "Recipe to embedded the Python PiP Package pylddwrap"
+HOMEPAGE = "https://pypi.org/project/pylddwrap"
+LICENSE = "MIT"
+LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa"
+inherit pypi setuptools3
+PYPI_PACKAGE = "pylddwrap"
+SRC_URI[sha256sum] = "a70437fea7bca647c0e98161e1006ef49970267999c571b499760f1c43c6ba10"
+PR = "r0"
+RDEPENDS:${PN} += "python3-icontract"
+BBCLASSEXTEND = "native"
+do_install:append() {
+    # similarly to https://gitlab.com/akuster/meta-security/-/commit/0fd8e0f8cae612010bafecbff77ed9bb6f647a2d#4e154e295e639fd6c298ca644c75291eb99e0a57_0_16
+    # but delete it from prefix and delete requirements.txt as well.
+    # ERROR: QA Issue: python3-pylddwrap: Files/directories were installed but not shipped in any package:
+    # /usr/README.rst
+    # /usr/requirements.txt
+    # /usr/LICENSE
+    # Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
+    # python3-pylddwrap: 3 installed and not shipped files. [installed-vs-shipped]
+    rm -f ${D}${prefix}/README.rst ${D}${prefix}/requirements.txt ${D}${prefix}/LICENSE
+}
author	Martin Jansa <martin.jansa@gmail.com>	2025-11-14 13:58:04 +0100
committer	Khem Raj <raj.khem@gmail.com>	2025-11-14 07:39:48 -0800
commit	a78e6d21094eacf338ca8038c05fea24f19b2ddf (patch)
tree	4c62444552a8ff1b47150c8c41136ef21f8242f4
parent	38ea8a4617ad395b2addd24bd1f6b57a8242fa0b (diff)
download	meta-openembedded-a78e6d21094eacf338ca8038c05fea24f19b2ddf.tar.gz

diff --git a/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch new file mode 100644 index 0000000000..3a99ba33e3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch
@@ -0,0 +1,81 @@
	1	From b540967b87394d855c26375ac5a9a7265f265053 Mon Sep 17 00:00:00 2001
	2	From: Maximilian Blenk <Maximilian.Blenk@bmw.de>
	3	Date: Fri, 2 Jul 2021 14:42:25 +0200
	4	Subject: [PATCH] main: Add option to ignore symlinks
	5
	6	When analyzing a complete rootfs (which might not be the rootfs of the
	7	analyzing system) symlinks within that rootfs might be broken. In
	8	particular absolute symlinks. However, if by chance such a symlink
	9	currently points to a valid binary in your system, this binary pointed
	10	to is analyzed. This commit adds the possibility to ignore symlinks to
	11	files (symlinks to dirs are already ignored by default). This allows to
	12	solve the issue described above, and if the whole rootfs is analyzed
	13	there shouldn't be a loss of information (because all the binaries will
	14	be analyzed anyway). Additionally, this also saves some time when
	15	performing the analysis.
	16
	17	Upstream-Status: Submitted [https://github.com/Wenzel/checksec.py/pull/106]
	18	---
	19	checksec/__main__.py \| 12 +++++++-----
	20	1 file changed, 7 insertions(+), 5 deletions(-)
	21
	22	diff --git a/checksec/__main__.py b/checksec/__main__.py
	23	index a14862f..931d850 100644
	24	--- a/checksec/__main__.py
	25	+++ b/checksec/__main__.py
	26	@@ -8,6 +8,7 @@ Options:
	27	-w WORKERS --workers=WORKERS Specify the number of process pool workers [default: 4]
	28	-j --json Display results as JSON
	29	-s LIBC --set-libc=LIBC Specify LIBC library to use to check for fortify scores (ELF)
	30	+ -i --ignore-symlinks Ignore symlinks to files
	31	-d --debug Enable debug output
	32	-h --help Display this message
	33	"""
	34	@@ -27,18 +28,18 @@ from .pe import PEChecksecData, PESecurity, is_pe
	35	from .utils import lief_set_logging
	36
	37
	38	-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]:
	39	+def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]:
	40	for path in filepath_list:
	41	if path.is_dir() and not path.is_symlink():
	42	try:
	43	if recursive:
	44	for f in os.scandir(path):
	45	- yield from walk_filepath_list([Path(f)], recursive)
	46	+ yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks)
	47	else:
	48	yield from (Path(f) for f in os.scandir(path))
	49	except OSError:
	50	continue
	51	- elif path.is_file():
	52	+ elif path.is_file() and (not ignore_symlinks or not path.is_symlink()):
	53	yield path
	54
	55
	56	@@ -75,6 +76,7 @@ def main(args):
	57	json = args["--json"]
	58	recursive = args["--recursive"]
	59	libc_path = args["--set-libc"]
	60	+ ignore_symlinks = args["--ignore-symlinks"]
	61
	62	# logging
	63	formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s"
	64	@@ -110,7 +112,7 @@ def main(args):
	65	# we need to consume the iterator once to get the total
	66	# for the progress bar
	67	check_output.enumerating_tasks_start()
	68	- count = sum(1 for i in walk_filepath_list(filepath_list, recursive))
	69	+ count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks))
	70	check_output.enumerating_tasks_stop(count)
	71	with ProcessPoolExecutor(
	72	max_workers=workers, initializer=worker_initializer, initargs=(libc_path,)
	73	@@ -119,7 +121,7 @@ def main(args):
	74	check_output.processing_tasks_start()
	75	future_to_checksec = {
	76	pool.submit(checksec_file, filepath): filepath
	77	- for filepath in walk_filepath_list(filepath_list, recursive)
	78	+ for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks)
	79	}
	80	for future in as_completed(future_to_checksec):
	81	filepath = future_to_checksec[future]


diff --git a/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb new file mode 100644 index 0000000000..8d8e54e227 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb
@@ -0,0 +1,27 @@
	1	SUMMARY = "Recipe to embedded the Python PiP Package checksec_py"
	2	HOMEPAGE = "https://pypi.org/project/checksec_py"
	3	LICENSE = "GPL-3.0-only"
	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464"
	5
	6	PR = "r0"
	7
	8	inherit pypi python_poetry_core
	9	PYPI_PACKAGE = "checksec_py"
	10	SRC_URI[sha256sum] = "892854f95d17a76d8f45a5c0cc597b9f1bebced3fffb9c7205d0baaf5eace886"
	11
	12	SRC_URI += " \
	13	file://0001-main-Add-option-to-ignore-symlinks.patch \
	14	"
	15
	16	RDEPENDS:${PN} += " \
	17	python3-docopt \
	18	python3-lief \
	19	python3-pylddwrap \
	20	python3-rich \
	21	"
	22
	23	# python3-lief is not available for x86:
	24	# https://github.com/lief-project/LIEF/commit/3def579f75965aa19c021d840a759bce2afc0a31#r152197203
	25	COMPATIBLE_HOST:x86 = "null"
	26
	27	BBCLASSEXTEND = "native nativesdk"


diff --git a/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb new file mode 100644 index 0000000000..5075a1a6a1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb
@@ -0,0 +1,14 @@
	1	SUMMARY = "Recipe to embedded the Python PiP Package icontract"
	2	HOMEPAGE = "https://pypi.org/project/icontract"
	3	LICENSE = "MIT"
	4	LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57"
	5
	6	PR = "r0"
	7
	8	inherit pypi setuptools3
	9	PYPI_PACKAGE = "icontract"
	10	SRC_URI[sha256sum] = "c1fd55c7709ef18a2ee64313fe863be2668b53060828fcca3525051160c92691"
	11
	12	RDEPENDS:${PN} += "python3-asttokens"
	13
	14	BBCLASSEXTEND = "native"


diff --git a/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb new file mode 100644 index 0000000000..045ccb9f1e --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb
@@ -0,0 +1,26 @@
	1	SUMMARY = "Recipe to embedded the Python PiP Package pylddwrap"
	2	HOMEPAGE = "https://pypi.org/project/pylddwrap"
	3	LICENSE = "MIT"
	4	LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa"
	5
	6	inherit pypi setuptools3
	7	PYPI_PACKAGE = "pylddwrap"
	8	SRC_URI[sha256sum] = "a70437fea7bca647c0e98161e1006ef49970267999c571b499760f1c43c6ba10"
	9
	10	PR = "r0"
	11
	12	RDEPENDS:${PN} += "python3-icontract"
	13
	14	BBCLASSEXTEND = "native"
	15
	16	do_install:append() {
	17	# similarly to https://gitlab.com/akuster/meta-security/-/commit/0fd8e0f8cae612010bafecbff77ed9bb6f647a2d#4e154e295e639fd6c298ca644c75291eb99e0a57_0_16
	18	# but delete it from prefix and delete requirements.txt as well.
	19	# ERROR: QA Issue: python3-pylddwrap: Files/directories were installed but not shipped in any package:
	20	# /usr/README.rst
	21	# /usr/requirements.txt
	22	# /usr/LICENSE
	23	# Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install.
	24	# python3-pylddwrap: 3 installed and not shipped files. [installed-vs-shipped]
	25	rm -f ${D}${prefix}/README.rst ${D}${prefix}/requirements.txt ${D}${prefix}/LICENSE
	26	}