diff options
author | Ernst Sjöstrand <ernstp@gmail.com> | 2022-05-24 13:50:21 +0200 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2022-05-27 23:50:47 +0100 |
commit | c4cabfa755288e6f8e9981146216523a43fda3ab (patch) | |
tree | 6c074bee8ed2e8647d395e0f8a1063375bb3bdc8 /meta/classes | |
parent | fd5a40c0132b14d28190fcbeab02469340636cde (diff) | |
download | poky-c4cabfa755288e6f8e9981146216523a43fda3ab.tar.gz |
cve-check: Only include installed packages for rootfs manifest
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.
(From OE-Core rev: 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1)
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/classes')
-rw-r--r-- | meta/classes/cve-check.bbclass | 69 |
1 files changed, 54 insertions, 15 deletions
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 0ab7ec7ae6..3bb924ba34 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass | |||
@@ -176,6 +176,8 @@ python cve_check_write_rootfs_manifest () { | |||
176 | """ | 176 | """ |
177 | 177 | ||
178 | import shutil | 178 | import shutil |
179 | import json | ||
180 | from oe.rootfs import image_list_installed_packages | ||
179 | from oe.cve_check import cve_check_merge_jsons | 181 | from oe.cve_check import cve_check_merge_jsons |
180 | 182 | ||
181 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": | 183 | if d.getVar("CVE_CHECK_COPY_FILES") == "1": |
@@ -186,26 +188,63 @@ python cve_check_write_rootfs_manifest () { | |||
186 | if os.path.exists(deploy_file_json): | 188 | if os.path.exists(deploy_file_json): |
187 | bb.utils.remove(deploy_file_json) | 189 | bb.utils.remove(deploy_file_json) |
188 | 190 | ||
189 | if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")): | 191 | # Create a list of relevant recipies |
190 | bb.note("Writing rootfs CVE manifest") | 192 | recipies = set() |
191 | deploy_dir = d.getVar("DEPLOY_DIR_IMAGE") | 193 | for pkg in list(image_list_installed_packages(d)): |
192 | link_name = d.getVar("IMAGE_LINK_NAME") | 194 | pkg_info = os.path.join(d.getVar('PKGDATA_DIR'), |
195 | 'runtime-reverse', pkg) | ||
196 | pkg_data = oe.packagedata.read_pkgdatafile(pkg_info) | ||
197 | recipies.add(pkg_data["PN"]) | ||
198 | |||
199 | bb.note("Writing rootfs CVE manifest") | ||
200 | deploy_dir = d.getVar("DEPLOY_DIR_IMAGE") | ||
201 | link_name = d.getVar("IMAGE_LINK_NAME") | ||
202 | |||
203 | json_data = {"version":"1", "package": []} | ||
204 | text_data = "" | ||
205 | enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1" | ||
206 | enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1" | ||
207 | |||
208 | save_pn = d.getVar("PN") | ||
209 | |||
210 | for pkg in recipies: | ||
211 | # To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate | ||
212 | # it with the different PN names set each time. | ||
213 | d.setVar("PN", pkg) | ||
214 | if enable_text: | ||
215 | pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE") | ||
216 | if os.path.exists(pkgfilepath): | ||
217 | with open(pkgfilepath) as pfile: | ||
218 | text_data += pfile.read() | ||
219 | |||
220 | if enable_json: | ||
221 | pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON") | ||
222 | if os.path.exists(pkgfilepath): | ||
223 | with open(pkgfilepath) as j: | ||
224 | data = json.load(j) | ||
225 | cve_check_merge_jsons(json_data, data) | ||
226 | |||
227 | d.setVar("PN", save_pn) | ||
228 | |||
229 | if enable_text: | ||
230 | link_path = os.path.join(deploy_dir, "%s.cve" % link_name) | ||
193 | manifest_name = d.getVar("CVE_CHECK_MANIFEST") | 231 | manifest_name = d.getVar("CVE_CHECK_MANIFEST") |
194 | cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE") | ||
195 | 232 | ||
196 | bb.utils.mkdirhier(os.path.dirname(manifest_name)) | 233 | with open(manifest_name, "w") as f: |
197 | shutil.copyfile(cve_tmp_file, manifest_name) | 234 | f.write(text_data) |
198 | 235 | ||
199 | manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name) | 236 | update_symlinks(manifest_name, link_path) |
200 | update_symlinks(manifest_name, manifest_link) | ||
201 | bb.plain("Image CVE report stored in: %s" % manifest_name) | 237 | bb.plain("Image CVE report stored in: %s" % manifest_name) |
202 | 238 | ||
203 | if d.getVar("CVE_CHECK_FORMAT_JSON") == "1": | 239 | if enable_json: |
204 | link_path = os.path.join(deploy_dir, "%s.json" % link_name) | 240 | link_path = os.path.join(deploy_dir, "%s.json" % link_name) |
205 | manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON") | 241 | manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON") |
206 | bb.note("Generating JSON CVE manifest") | 242 | |
207 | generate_json_report(d, manifest_path, link_path) | 243 | with open(manifest_name, "w") as f: |
208 | bb.plain("Image CVE JSON report stored in: %s" % link_path) | 244 | json.dump(json_data, f, indent=2) |
245 | |||
246 | update_symlinks(manifest_name, link_path) | ||
247 | bb.plain("Image CVE JSON report stored in: %s" % manifest_name) | ||
209 | } | 248 | } |
210 | 249 | ||
211 | ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" | 250 | ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}" |