diff options
| author | Ross Burton <ross.burton@intel.com> | 2019-11-06 17:37:30 +0200 |
|---|---|---|
| committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2019-11-07 19:47:26 +0000 |
| commit | 7297cbd01ffe31a024b13a3ff2450f70df6aa7d1 (patch) | |
| tree | 1f2b921076e20a7fb6e434f93a42d77f7ee34d15 | |
| parent | 054d2fb421bc894ea7d96316087b91b579374531 (diff) | |
| download | poky-7297cbd01ffe31a024b13a3ff2450f70df6aa7d1.tar.gz | |
glibc: exclude child recipes from CVE scanning
As glibc will be scanned for CVEs, we don't need to scan glibc-locale,
glibc-mtrace, and glibc-scripts which are all separate recipes for technical
reasons.
Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the
global whitelist.
(From OE-Core rev: 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17)
(From OE-Core rev: 2b9f1b654c726e7c7b2fe8710d60ca10212295f5)
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
| -rw-r--r-- | meta/classes/cve-check.bbclass | 4 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc-locale.inc | 3 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc-mtrace.inc | 3 | ||||
| -rw-r--r-- | meta/recipes-core/glibc/glibc-scripts.inc | 3 |
4 files changed, 10 insertions, 3 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 5979edf3d1..19ac48cfd4 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
| @@ -37,9 +37,7 @@ CVE_CHECK_COPY_FILES ??= "1" | |||
| 37 | CVE_CHECK_CREATE_MANIFEST ??= "1" | 37 | CVE_CHECK_CREATE_MANIFEST ??= "1" |
| 38 | 38 | ||
| 39 | # Whitelist for packages (PN) | 39 | # Whitelist for packages (PN) |
| 40 | CVE_CHECK_PN_WHITELIST = "\ | 40 | CVE_CHECK_PN_WHITELIST ?= "" |
| 41 | glibc-locale \ | ||
| 42 | " | ||
| 43 | 41 | ||
| 44 | # Whitelist for CVE and version of package. If a CVE is found then the PV is | 42 | # Whitelist for CVE and version of package. If a CVE is found then the PV is |
| 45 | # compared with the version list, and if found the CVE is considered | 43 | # compared with the version list, and if found the CVE is considered |
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc index e50e5cf5e3..06edcfeaee 100644 --- a/meta/recipes-core/glibc/glibc-locale.inc +++ b/meta/recipes-core/glibc/glibc-locale.inc | |||
| @@ -95,3 +95,6 @@ do_install () { | |||
| 95 | inherit libc-package | 95 | inherit libc-package |
| 96 | 96 | ||
| 97 | BBCLASSEXTEND = "nativesdk" | 97 | BBCLASSEXTEND = "nativesdk" |
| 98 | |||
| 99 | # Don't scan for CVEs as glibc will be scanned | ||
| 100 | CVE_PRODUCT = "" | ||
diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc index d703c14bdc..ef9d60ec23 100644 --- a/meta/recipes-core/glibc/glibc-mtrace.inc +++ b/meta/recipes-core/glibc/glibc-mtrace.inc | |||
| @@ -11,3 +11,6 @@ do_install() { | |||
| 11 | install -d -m 0755 ${D}${bindir} | 11 | install -d -m 0755 ${D}${bindir} |
| 12 | install -m 0755 ${SRC}/mtrace ${D}${bindir}/ | 12 | install -m 0755 ${SRC}/mtrace ${D}${bindir}/ |
| 13 | } | 13 | } |
| 14 | |||
| 15 | # Don't scan for CVEs as glibc will be scanned | ||
| 16 | CVE_PRODUCT = "" | ||
diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc index 2a2b41507e..14a14e4512 100644 --- a/meta/recipes-core/glibc/glibc-scripts.inc +++ b/meta/recipes-core/glibc/glibc-scripts.inc | |||
| @@ -18,3 +18,6 @@ do_install() { | |||
| 18 | # sotruss script requires sotruss-lib.so (given by libsotruss package), | 18 | # sotruss script requires sotruss-lib.so (given by libsotruss package), |
| 19 | # to produce trace of the library calls. | 19 | # to produce trace of the library calls. |
| 20 | RDEPENDS_${PN} += "libsotruss" | 20 | RDEPENDS_${PN} += "libsotruss" |
| 21 | |||
| 22 | # Don't scan for CVEs as glibc will be scanned | ||
| 23 | CVE_PRODUCT = "" | ||