summaryrefslogtreecommitdiffstats
path: root/meta/classes/cve-check.bbclass
Commit message (Collapse)AuthorAgeFilesLines
* cve-check.bbclass: use "+git" as separator in PV instead of "git+"Mikko Rapeli2017-07-241-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | PV is the recipe major version number. cve-check tries to map that to NVD database release versions of the component. If the recipe sources are taken from git, the PV can be automatically modified to include git details, but the syntax is like 233+gitAUTOINC+a1e2ef7ec9. In CVE checks we want to remove the git details and just use the major version information, in this example 233. Thus use "+git" as the separator and use the first part before the separator as SW product version number in CVE check. Fixes version number for e.g. systemd recipe. If systemd PV is 233+gitAUTOINC+a1e2ef7ec9 there will be no matches from CVE database where latest release mentioned is plain 233. If the filter is set to +git, then CVE PV is 233 and issues like this are detected by do_cve_check: https://nvd.nist.gov/vuln/detail/CVE-2017-1000082 (From OE-Core rev: db8815abe3db60b0510fb378bf6d82172c2f2768) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: use weak assignment for default CVE_PRODUCTMikko Rapeli2017-07-241-1/+1
| | | | | | | | | | | | This way also bbclasses can override it. For example kernel.bbclass could set CVE_PRODUCT to linux_kernel for all users of the class which compile Linux kernels. (From OE-Core rev: 74672a7de5ada45ab8e25b89cbdea3ec33b63b7f) Signed-off-by: Mikko Rapeli <mikko.rapeli@bmw.de> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: add do_rootfs dependency on cve-checkPeter Marko2017-06-121-0/+1
| | | | | | | | | | | Since do_rootfs depends on cve-check results of all recipes, we need to recursively depend on recipe do_cve_check. (From OE-Core rev: a1af526e43cb476472a6203882c12deef297f542) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: do not parse error outputPeter Marko2017-06-121-1/+1
| | | | | | | | | | | | | Sometimes there are control messages in cve-check-tool printed to stderr. These lead to parsing error and thus failed build. This can happen for instance when cve database needs to be refreshed during build. (From OE-Core rev: 6d8a17f4c50be292990e37de65630a6b84466ee6) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: clean cve-check recipe result before re-buildingPeter Marko2017-06-121-0/+5
| | | | | | | | | | | | If there is cve report for a recipe in previous build and there is no result for current one, old cves are kept in CVE_CHECK_DIR. This happens on version upgrade or when cve/recipe is whitelisted. (From OE-Core rev: 85b4941c71a0e3c08a8c48d52a94dfe2897d2c92) Signed-off-by: Peter Marko <peter.marko@siemens.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: make warning contain CVE IDsChen Qi2017-05-181-4/+5
| | | | | | | | | | | | | | | | | When warning users about unpatched CVE, we'd better put CVE IDs into the warning message, so that it would be more straight forward for the user to know which CVEs are not patched. So instead of: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE, for more information check /path/to/workdir/cve/cve.log. We should have: WARNING: gnutls-3.5.9-r0 do_cve_check: Found unpatched CVE (CVE-2017-7869), for more information check /path/to/workdir/cve/cve.log. (From OE-Core rev: ad46069e7b58f2fba373131716f28407816fa1a6) Signed-off-by: Chen Qi <Qi.Chen@windriver.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Fix dependenciesJussi Kukkonen2017-02-151-1/+1
| | | | | | | | | | | | | | With recipe-specific sysroots the cve_check task must depend on cve-check-tool-native:do_populate_sysroot to get the cve-check-tool binary into the recipe sysroot. A normal DEPENDS isn't used to avoid cyclic dependencies. (From OE-Core rev: bd60b1018bc0304bc928701e6d1090c8b1223616) Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* meta: remove True option to getVar callsJoshua Lock2016-12-161-23/+23
| | | | | | | | | | | | | getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) (From OE-Core rev: 7c552996597faaee2fbee185b250c0ee30ea3b5f) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check: allow recipes to override the product nameRoss Burton2016-12-131-1/+5
| | | | | | | | | | | Add a new variable CVE_PRODUCT for the product name to look up in the NVD database. Default this to BPN, but allow recipes such as tiff (which is libtiff in NVD) to override it. (From OE-Core rev: ba330051570a4c991885ee726cb187e0c911bd4f) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: CVE-2014-2524 / readline v5.2André Draszik2016-11-151-1/+1
| | | | | | | | | | | | | | | | | Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives. See also the discussion in https://patchwork.openembedded.org/patch/81765/ (From OE-Core rev: b881a288eec598002685f68da80a24e0478fa496) Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Lukasz Nowak <lnowak@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* Remove RM_OLD_IMAGE, it's no longer usefulJoshua Lock2016-10-151-2/+0
| | | | | | | | | | | | | | | | Since the move to put image deployment under sstate control in d54339d4b1a7e884de636f6325ca60409ebd95ff old images are automatically removed before a new image is deployed (the default behaviour of the sstate logic). RM_OLD_IMAGE is therefore no longer required to provide this behaviour, remove the variable and its users. (From OE-Core rev: 93631befe8b962bf99524746b49f4ebca336175c) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
* cve-check.bbclass: Add classMariano Lopez2016-09-161-0/+267
This class adds a new task for all the recipes to use cve-check-tool in order to look for public CVEs affecting the packages generated. It is possible to use this class when building an image, building a recipe, or using the "world" or "universe" cases. In order to use this class it must be inherited and it will add the task automatically to every recipe. [YOCTO #7515] Co-authored by Ross Burton & Mariano Lopez (From OE-Core rev: d98338075ec3a66acb8828e74711550d53b4d91b) Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-11-17 19:23:28 +0000