authorErnst Sjöstrand <ernstp@gmail.com>2022-05-24 13:50:21 +0200
committerRichard Purdie <richard.purdie@linuxfoundation.org>2022-05-27 23:50:47 +0100
commitc4cabfa755288e6f8e9981146216523a43fda3ab (patch)
tree6c074bee8ed2e8647d395e0f8a1063375bb3bdc8
parentfd5a40c0132b14d28190fcbeab02469340636cde (diff)
cve-check: Only include installed packages for rootfs manifest
Before this, the rootfs manifest and the summary were identical. We should separate the summary and the rootfs manifest more clearly: now the summary covers all CVEs and the rootfs manifest covers only the packages in that image. This is even more useful if you build multiple images. (From OE-Core rev: 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1) Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com> Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/classes/cve-check.bbclass69
1 files changed, 54 insertions, 15 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 0ab7ec7ae6..3bb924ba34 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -176,6 +176,8 @@ python cve_check_write_rootfs_manifest () {
176 """ 176 """
177 177
178 import shutil 178 import shutil
179 import json
180 from oe.rootfs import image_list_installed_packages
179 from oe.cve_check import cve_check_merge_jsons 181 from oe.cve_check import cve_check_merge_jsons
180 182
181 if d.getVar("CVE_CHECK_COPY_FILES") == "1": 183 if d.getVar("CVE_CHECK_COPY_FILES") == "1":
@@ -186,26 +188,63 @@ python cve_check_write_rootfs_manifest () {
186 if os.path.exists(deploy_file_json): 188 if os.path.exists(deploy_file_json):
187 bb.utils.remove(deploy_file_json) 189 bb.utils.remove(deploy_file_json)
188 190
189 if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): 191 # Create a list of relevant recipies
190 bb.note("Writing rootfs CVE manifest") 192 recipies = set()
191 deploy_dir = d.getVar("DEPLOY_DIR_IMAGE") 193 for pkg in list(image_list_installed_packages(d)):
192 link_name = d.getVar("IMAGE_LINK_NAME") 194 pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
195 'runtime-reverse', pkg)
196 pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
197 recipies.add(pkg_data["PN"])
198
199 bb.note("Writing rootfs CVE manifest")
200 deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
201 link_name = d.getVar("IMAGE_LINK_NAME")
202
203 json_data = {"version":"1", "package": []}
204 text_data = ""
205 enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
206 enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
207
208 save_pn = d.getVar("PN")
209
210 for pkg in recipies:
211 # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
212 # it with the different PN names set each time.
213 d.setVar("PN", pkg)
214 if enable_text:
215 pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
216 if os.path.exists(pkgfilepath):
217 with open(pkgfilepath) as pfile:
218 text_data += pfile.read()
219
220 if enable_json:
221 pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
222 if os.path.exists(pkgfilepath):
223 with open(pkgfilepath) as j:
224 data = json.load(j)
225 cve_check_merge_jsons(json_data, data)
226
227 d.setVar("PN", save_pn)
228
229 if enable_text:
230 link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
193 manifest_name = d.getVar("CVE_CHECK_MANIFEST") 231 manifest_name = d.getVar("CVE_CHECK_MANIFEST")
194 cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
195 232
196 bb.utils.mkdirhier(os.path.dirname(manifest_name)) 233 with open(manifest_name, "w") as f:
197 shutil.copyfile(cve_tmp_file, manifest_name) 234 f.write(text_data)
198 235
199 manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name) 236 update_symlinks(manifest_name, link_path)
200 update_symlinks(manifest_name, manifest_link)
201 bb.plain("Image CVE report stored in: %s" % manifest_name) 237 bb.plain("Image CVE report stored in: %s" % manifest_name)
202 238
203 if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": 239 if enable_json:
204 link_path = os.path.join(deploy_dir, "%s.json" % link_name) 240 link_path = os.path.join(deploy_dir, "%s.json" % link_name)
205 manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON") 241 manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
206 bb.note("Generating JSON CVE manifest") 242
207 generate_json_report(d, manifest_path, link_path) 243 with open(manifest_name, "w") as f:
208 bb.plain("Image CVE JSON report stored in: %s" % link_path) 244 json.dump(json_data, f, indent=2)
245
246 update_symlinks(manifest_name, link_path)
247 bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
209} 248}
210 249
211ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" 250ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
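Review bot: A recipe that is installed in the image but has no per-recipe report is dropped from the manifest silently — the `if os.path.exists(pkgfilepath)` guards in the new loop simply skip it — so the rootfs manifest can understate the image's exposure with no signal to the user; I would add `else: bb.warn("No CVE report found for recipe %s, rootfs manifest may be incomplete" % pkg)` at least to the text branch. The loop also leaves `PN` rewritten if `json.load` or `read_pkgdatafile` raises, since `d.setVar("PN", save_pn)` is not in a `finally`. The new `open(manifest_name, "w")` calls drop the `bb.utils.mkdirhier(os.path.dirname(manifest_name))` the old code performed, so they fail if the deploy directory does not exist yet. `oe.packagedata` is used without an explicit import in this function (presumably it arrives via another class), and `import shutil` is now unused. cve_check_write_rootfs_manifest begins before this hunk.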