Mirror of git.yoctoproject.org/poky https://git.enea.com/cgit/linux/poky.git/atom?h=warrior-21.0.3 2020-01-28T11:15:02+00:00 2020-01-28T11:15:02+00:00 Peter Kjellerstedt peter.kjellerstedt@axis.com 2020-01-07T22:10:42+00:00 urn:sha1:4fc93977e9ab8d5cf63f383a77610515bd3f032e Since this file is written during recipe parsing, having it in the ${BUILDDIR}/conf directory, which is covered by an inotify watcher, will trigger a re-parse the next time bitbake is run and the resident bitbake server is enabled. This causes the sanity_info file to be updated again, which triggers a new parse the next time bitbake is run ad infinitum. Moving it to ${BUILDDIR}/cache should avoid this. (From OE-Core rev: a63d59f64a2d1f450a7639426cae8e0373a2d764) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit f98103b548aa7dba6b1be6c8e02ef41858a8e85c) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-28T11:15:02+00:00 Peter Kjellerstedt peter.kjellerstedt@axis.com 2020-01-07T22:10:43+00:00 urn:sha1:deb84639381ad6d90893beeb6c5d03f547c07ad9 Since the sanity_info file has moved from the conf directory to the cache directory, there is no longer any need to clean it away explicitly in clean_esdk_builddir() since the whole cache directory is already cleaned away anyway. (From OE-Core rev: 9b92d5fbfdcf48a17efdd8c1edda4ad26def017f) Signed-off-by: Peter Kjellerstedt <peter.kjellerstedt@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit 40c30990e1be72130819c040fe471e2bdc0c6e7d) Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-28T11:15:01+00:00 Mattias Hansson mattias.hansson@axis.com 2020-01-17T17:14:33+00:00 urn:sha1:ee756983714fd0657ceaac77ddae05578db2c36a do_prepare_recipe_sysroot may perform groupadd, which requires pseudo. However, do_prepare_recipe_sysroot does not depend on pseudo explicitly, which sometimes causes a build error when building a recipe that adds groups. This issue only occurs when executing do_prepare_recipe_sysroot for a recipe that adds groups before finishing a task that depends on pseudo for a recipe that doesn't add groups. (From OE-Core rev: 86f196dc077de7f3f6664e69703a96245b42ddc0) Signed-off-by: Mattias Hansson <mattihn@axis.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Adrian Bunk <bunk@stusta.de> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:53+00:00 Niko Mauno niko.mauno@iki.fi 2019-12-14T06:15:05+00:00 urn:sha1:8c7e02c9d1e1694d4dd690f91a90220b58cb912a Switch to recently released version 1.1 of NVD CVE JSON feed, as in https://nvd.nist.gov/General/News/JSON-1-1-Vulnerability-Feed-Release it is mentioned that Due to changes required to support CVSS v3.1 scoring, the JSON vulnerability feeds must be modified. This will require the consumers of this data to update their internal processes. We will be providing the JSON 1.1 schema on the data feeds page and the information below to prepare for this transition. ... The JSON 1.1 data feeds will be available on September 9th, 2019. At that time the current JSON 1.0 data feeds will no longer available. This change was tested briefly by issuing 'bitbake core-image-minimal' with 'cve-check.bbclass' inherited via local.conf, and then comparing the content between the resulting two 'DEPLOY_DIR_IMAGE/core-image-minimal-qemux86.cve' files, which did not seem to contain any other change, except total of 167 entries like CVSS v3 BASE SCORE: 0.0 were replaced with similar 'CVSS v3 BASE SCORE:' entries which had scores that were greater than '0.0' (up to '9.8'). (From OE-Core rev: cc20e4d8ff2f3aa52a2658404af9a0ff358cc323) (From OE-Core rev: 72c22b8791707480c380f49305c6d394578b2a4b) Signed-off-by: Niko Mauno <niko.mauno@iki.fi> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> (cherry picked from commit c92b8804d6e59b2707332859957f0e6a46db0a73) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:53+00:00 Ross Burton ross.burton@intel.com 2019-12-08T18:35:57+00:00 urn:sha1:c12415cc7ceee43653a70cbc4a8b5a6509f31fce This code used to construct a single SQL statement that fetched the NVD data for every CVE requested. For recipes such as the kernel where there are over 2000 CVEs to report this can hit the variable count limit and the query fails with "sqlite3.OperationalError: too many SQL variables". The default limit is 999 variables, but some distributions such as Debian set the default to 250000. As the NVD table has an index on the ID column, whilst requesting the data CVE-by-CVE is five times slower when working with 2000 CVEs the absolute time different is insignificant: 0.05s verses 0.01s on my machine. (From OE-Core rev: 53d0cc1e9b7190fa66d7ff1c59518f91b0128d99) (From OE-Core rev: 0f5b748a5b7fec41bac16bbc1346230e86bb99e3) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:52+00:00 Ross Burton ross.burton@intel.com 2019-12-08T18:35:56+00:00 urn:sha1:1ab16a1b7aae7ee9afc6d3e88b13a91c9a656475 Remove obsolete Python 2 code, and use convenience methods for neatness. (From OE-Core rev: f19253cc9e70c974a8e21a142086c13d7cde04ff) (From OE-Core rev: 0ec6843bec3e817c3bc62d04adea5fd385307b32) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:52+00:00 Ross Burton ross.burton@intel.com 2019-12-08T18:35:55+00:00 urn:sha1:2ea29b7c24349907db64c92d5cea687765044474 A previous optimisation was premature and resulted in false-negatives in the report. Rewrite the checking algorithm to first get the list of potential CVEs by vendor:product, then iterate through every matching CPE for that CVE to determine if the bounds match or not. By doing this in two stages we can know if we've checked every CPE, instead of accidentally breaking out of the scan too early. (From OE-Core rev: d61aff9e22704ad69df1f7ab0f8784f4e7cc0c69) (From OE-Core rev: 9948dd86d100bec56e22e6c0bbf4759925a4b306) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:52+00:00 Ross Burton ross.burton@intel.com 2019-12-08T18:35:50+00:00 urn:sha1:df244d25f05eaf43929016eec9c2de1d6dbe72b6 The patch scanner works with patch files in the layer, not in the workdir, so it doesn't need to unpack. (From OE-Core rev: 2cba6ada970deb5156e1ba0182f4f372851e3c17) (From OE-Core rev: 8bfe83d53c39e4a88f808af617db7db091694841) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:52+00:00 Ross Burton ross.burton@intel.com 2019-12-08T18:35:49+00:00 urn:sha1:50b6a611eafa7a0e3ca1971b4dcb485187928d68 (From OE-Core rev: d1a16e6f0edda5d9f03191d187788fc8b666bd7f) Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> 2020-01-16T22:38:52+00:00 Ross Burton ross.burton@intel.com 2019-12-08T18:35:48+00:00 urn:sha1:0be3c68cf444ea746aaeda6a071791949d7e9970 CVEs that are whitelisted or were not vulnerable when there are version comparisons were not included in the report, so alter the logic to ensure that all relevant CVEs are in the report for completeness. (From OE-Core rev: 98256ff05fcfe9d5ccad360582c36eafb577c264) (From OE-Core rev: 430e95cd819577d4d71fe6d579a175b8776aa467) Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>