Age | Commit message (Collapse) | Author |
|
The JSON report generated by the cve-check class is basically a huge
list of packages. This list of packages is, however, unsorted.
To make things easier for people comparing the JSON, or more
specifically for git when archiving the JSON over time in a git
repository, we can sort the list by package name.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This allows building detailed vulnerability analysis tools without
relying on external resources.
Signed-off-by: Antoine Lubineau <antoine.lubineau@easymile.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Originally these were shell functions but they have long since been processed by
bb.build.exec_func(). Since we no longer need shell syntax, we can drop the ';'
delimiters and just use a space separated string.
This cleans up the variable and quietly removes any stray ';' that do happen to
still make it in.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
- Replace CVE_CHECK_IGNORE with CVE_STATUS to be more flexible.
The CVE_STATUS should contain an information about status wich
is decoded in 3 items:
- generic status: "Ignored", "Patched" or "Unpatched"
- more detailed status enum
- description: free text describing reason for status
Examples of usage:
CVE_STATUS[CVE-1234-0001] = "not-applicable-platform: Issue only applies on Windows"
CVE_STATUS[CVE-1234-0002] = "fixed-version: Fixed externally"
CVE_CHECK_STATUSMAP[not-applicable-platform] = "Ignored"
CVE_CHECK_STATUSMAP[fixed-version] = "Patched"
Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
Signed-off-by: Peter Marko <peter.marko@siemens.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
${IMAGE_NAME} and ${IMAGE_LINK_NAME}
* ${IMAGE_NAME}${IMAGE_NAME_SUFFIX} is almost always used together already
and when they aren't it's usually because of hardcoded '.rootfs' suffix
* it's a bit strange, because ${IMAGE_NAME_SUFFIX} is applied after the
version from ${IMAGE_VERSION_SUFFIX}, if we move it to ${IMAGE_LINK_NAME}
then it will be applied before the version and ${IMAGE_LINK_NAME}
will be just the version-less symlink to latest built version.
* it's not added to INITRAMFS_IMAGE_NAME as it assumes that all
images used as initramfs will set IMAGE_NAME_SUFFIX to empty.
Many already do as shown bellow, but you might need to extend
this list in your layer.
* this also allows to drop support for imgsuffix varflag, recipes which
don't want to have .rootfs suffix can just set IMAGE_NAME_SUFFIX to
empty and it will be consistently respected by both IMAGE_NAME and IMAGE_LINK_NAME
* imgsuffix = d.getVarFlag("do_" + taskname, 'imgsuffix') or d.expand("${IMAGE_NAME_SUFFIX}.")
is kind of terrible, notice trailing '.' after ${IMAGE_NAME_SUFFIX}
while this dot was in imgsuffix in:
do_bootimg[imgsuffix] = "."
but in both cases it's not really part of the imgsuffix, but the
"extension" type separator as in dst variable:
dst = os.path.join(deploy_dir, link_name + "." + type)
- src = img_name + imgsuffix + type
+ src = img_name + "." + type
* for ubifs volumes move vname after IMAGE_NAME_SUFFIX
* to better document these changes here is an example with default poky
configuration with just:
IMAGE_FSTYPES:append:pn-core-image-minimal = " live wic wic.vmdk ubi"
MKUBIFS_ARGS = "-m 2048 -e 129024 -c 968 -x zlib"
UBINIZE_ARGS = "-m 2048 -p 131072 -s 512"
added in local.conf, so that deploy_dir has also some initramfs and more
IMAGE_FSTYPES
* "ls -lahi tmp/deploy/images/qemux86-64/"
output after "bitbake core-image-minimal"
And deploy-dir is cleaned between runs with:
bitbake -c clean core-image-minimal core-image-minimal-initramfs virtual/kernel grub-efi systemd-boot
The output confirms that the only change is ".rootfs" added not only
in ext4 and manifest files, but also for hddimg, iso, qemuboot.conf
testdata.json for both the actual artifacts as well as the symlinks
while core-image-minimal-initramfs doesn't have them as IMAGE_NAME_SUFFIX
was already set to empty there:
meta/classes-recipe/baremetal-image.bbclass:IMAGE_NAME_SUFFIX ?= ""
meta/recipes-core/images/core-image-minimal-initramfs.bb:IMAGE_NAME_SUFFIX ?= ""
meta/recipes-core/images/core-image-tiny-initramfs.bb:IMAGE_NAME_SUFFIX ?= ""
meta/recipes-extended/baremetal-example/baremetal-helloworld_git.bb:IMAGE_NAME_SUFFIX ?= ""
meta/recipes-extended/images/core-image-testcontroller-initramfs.bb:IMAGE_NAME_SUFFIX ?= ""
before these changes:
total 297M
31269162 drwxr-xr-x 2 martin martin 4.0K Mar 7 19:19 .
31263942 drwxr-xr-x 3 martin martin 4.0K Mar 7 12:53 ..
35845703 lrwxrwxrwx 2 martin martin 77 Mar 7 12:27 bzImage -> bzImage--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.bin
35845704 -rw-r--r-- 2 martin martin 11M Mar 7 12:27 bzImage--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.bin
35845702 lrwxrwxrwx 2 martin martin 77 Mar 7 12:27 bzImage-qemux86-64.bin -> bzImage--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.bin
40236967 -rw-r--r-- 2 martin martin 13M Mar 7 19:19 core-image-minimal-initramfs-qemux86-64-20230307181808.cpio.gz
40203232 -rw-r--r-- 2 martin martin 1.1K Mar 7 19:19 core-image-minimal-initramfs-qemux86-64-20230307181808.manifest
40212700 -rw-r--r-- 2 martin martin 1.6K Mar 7 19:19 core-image-minimal-initramfs-qemux86-64-20230307181808.qemuboot.conf
40211556 -rw-r--r-- 2 martin martin 211K Mar 7 19:19 core-image-minimal-initramfs-qemux86-64-20230307181808.testdata.json
40236964 lrwxrwxrwx 2 martin martin 62 Mar 7 19:19 core-image-minimal-initramfs-qemux86-64.cpio.gz -> core-image-minimal-initramfs-qemux86-64-20230307181808.cpio.gz
40203235 lrwxrwxrwx 2 martin martin 63 Mar 7 19:19 core-image-minimal-initramfs-qemux86-64.manifest -> core-image-minimal-initramfs-qemux86-64-20230307181808.manifest
40212690 lrwxrwxrwx 2 martin martin 68 Mar 7 19:19 core-image-minimal-initramfs-qemux86-64.qemuboot.conf -> core-image-minimal-initramfs-qemux86-64-20230307181808.qemuboot.conf
40211560 lrwxrwxrwx 2 martin martin 68 Mar 7 19:19 core-image-minimal-initramfs-qemux86-64.testdata.json -> core-image-minimal-initramfs-qemux86-64-20230307181808.testdata.json
40237307 -rw-r--r-- 2 martin martin 57M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.hddimg
40237329 -rw-r--r-- 2 martin martin 56M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.iso
40220347 -rw-r--r-- 2 martin martin 1.6K Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.qemuboot.conf
40236942 -rw-r--r-- 2 martin martin 34M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.ext4
40211563 -rw-r--r-- 2 martin martin 1.2K Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.manifest
40237206 -rw-r--r-- 2 martin martin 16M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.tar.bz2
40237216 -rw-r--r-- 2 martin martin 20M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.ubi
40224358 -rw-r--r-- 2 martin martin 19M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.ubifs
40360386 -rw-r--r-- 2 martin martin 73M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.wic
40237285 -rw-r--r-- 2 martin martin 35M Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.rootfs.wic.vmdk
40209866 -rw-r--r-- 2 martin martin 206K Mar 7 19:19 core-image-minimal-qemux86-64-20230307181808.testdata.json
40236946 lrwxrwxrwx 2 martin martin 56 Mar 7 19:19 core-image-minimal-qemux86-64.ext4 -> core-image-minimal-qemux86-64-20230307181808.rootfs.ext4
40237336 lrwxrwxrwx 2 martin martin 51 Mar 7 19:19 core-image-minimal-qemux86-64.hddimg -> core-image-minimal-qemux86-64-20230307181808.hddimg
40237337 lrwxrwxrwx 2 martin martin 48 Mar 7 19:19 core-image-minimal-qemux86-64.iso -> core-image-minimal-qemux86-64-20230307181808.iso
40211564 lrwxrwxrwx 2 martin martin 60 Mar 7 19:19 core-image-minimal-qemux86-64.manifest -> core-image-minimal-qemux86-64-20230307181808.rootfs.manifest
40220348 lrwxrwxrwx 2 martin martin 58 Mar 7 19:19 core-image-minimal-qemux86-64.qemuboot.conf -> core-image-minimal-qemux86-64-20230307181808.qemuboot.conf
40237205 lrwxrwxrwx 2 martin martin 59 Mar 7 19:19 core-image-minimal-qemux86-64.tar.bz2 -> core-image-minimal-qemux86-64-20230307181808.rootfs.tar.bz2
40209873 lrwxrwxrwx 2 martin martin 58 Mar 7 19:19 core-image-minimal-qemux86-64.testdata.json -> core-image-minimal-qemux86-64-20230307181808.testdata.json
40237217 lrwxrwxrwx 2 martin martin 55 Mar 7 19:19 core-image-minimal-qemux86-64.ubi -> core-image-minimal-qemux86-64-20230307181808.rootfs.ubi
40236771 lrwxrwxrwx 2 martin martin 57 Mar 7 19:19 core-image-minimal-qemux86-64.ubifs -> core-image-minimal-qemux86-64-20230307181808.rootfs.ubifs
40237287 lrwxrwxrwx 2 martin martin 55 Mar 7 19:19 core-image-minimal-qemux86-64.wic -> core-image-minimal-qemux86-64-20230307181808.rootfs.wic
40237286 lrwxrwxrwx 2 martin martin 60 Mar 7 19:19 core-image-minimal-qemux86-64.wic.vmdk -> core-image-minimal-qemux86-64-20230307181808.rootfs.wic.vmdk
40237192 -rw-r--r-- 2 martin martin 3.8K Mar 7 19:19 core-image-minimal.env
34458377 -rw-r--r-- 2 martin martin 616K Mar 7 17:55 grub-efi-bootx64.efi
34963606 -rwxr-xr-x 2 martin martin 103K Mar 6 22:02 linuxx64.efi.stub
35845662 -rw-r--r-- 2 martin martin 8.2M Mar 7 12:27 modules--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.tgz
35845701 lrwxrwxrwx 2 martin martin 77 Mar 7 12:27 modules-qemux86-64.tgz -> modules--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.tgz
34963605 -rwxr-xr-x 2 martin martin 140K Mar 6 22:02 systemd-bootx64.efi
27651415 -rw-r--r-- 2 martin martin 274 Mar 7 19:19 ubinize-core-image-minimal-qemux86-64-20230307181808.cfg
after these changes:
total 297M
31269162 drwxr-xr-x 2 martin martin 4.0K Mar 7 19:16 .
31263942 drwxr-xr-x 3 martin martin 4.0K Mar 7 12:53 ..
39479266 lrwxrwxrwx 2 martin martin 77 Mar 7 12:27 bzImage -> bzImage--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.bin
39479267 -rw-r--r-- 2 martin martin 11M Mar 7 12:27 bzImage--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.bin
39479264 lrwxrwxrwx 2 martin martin 77 Mar 7 12:27 bzImage-qemux86-64.bin -> bzImage--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.bin
39648810 -rw-r--r-- 2 martin martin 13M Mar 7 19:15 core-image-minimal-initramfs-qemux86-64-20230307181456.cpio.gz
39638400 -rw-r--r-- 2 martin martin 1.1K Mar 7 19:15 core-image-minimal-initramfs-qemux86-64-20230307181456.manifest
39644650 -rw-r--r-- 2 martin martin 1.6K Mar 7 19:15 core-image-minimal-initramfs-qemux86-64-20230307181456.qemuboot.conf
39637657 -rw-r--r-- 2 martin martin 211K Mar 7 19:15 core-image-minimal-initramfs-qemux86-64-20230307181456.testdata.json
39648091 lrwxrwxrwx 2 martin martin 62 Mar 7 19:15 core-image-minimal-initramfs-qemux86-64.cpio.gz -> core-image-minimal-initramfs-qemux86-64-20230307181456.cpio.gz
39638401 lrwxrwxrwx 2 martin martin 63 Mar 7 19:15 core-image-minimal-initramfs-qemux86-64.manifest -> core-image-minimal-initramfs-qemux86-64-20230307181456.manifest
39644651 lrwxrwxrwx 2 martin martin 68 Mar 7 19:15 core-image-minimal-initramfs-qemux86-64.qemuboot.conf -> core-image-minimal-initramfs-qemux86-64-20230307181456.qemuboot.conf
39637662 lrwxrwxrwx 2 martin martin 68 Mar 7 19:15 core-image-minimal-initramfs-qemux86-64.testdata.json -> core-image-minimal-initramfs-qemux86-64-20230307181456.testdata.json
39654281 -rw-r--r-- 2 martin martin 34M Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.ext4
39656710 -rw-r--r-- 2 martin martin 57M Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.hddimg
39657112 -rw-r--r-- 2 martin martin 56M Mar 7 19:16 core-image-minimal-qemux86-64.rootfs-20230307181456.iso
39645313 -rw-r--r-- 2 martin martin 1.2K Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.manifest
39646013 -rw-r--r-- 2 martin martin 1.6K Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.qemuboot.conf
39656336 -rw-r--r-- 2 martin martin 16M Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.tar.bz2
39644408 -rw-r--r-- 2 martin martin 206K Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.testdata.json
39656583 -rw-r--r-- 2 martin martin 20M Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.ubi
39654124 -rw-r--r-- 2 martin martin 19M Mar 7 19:15 core-image-minimal-qemux86-64.rootfs-20230307181456.ubifs
39802371 -rw-r--r-- 2 martin martin 73M Mar 7 19:16 core-image-minimal-qemux86-64.rootfs-20230307181456.wic
39657113 -rw-r--r-- 2 martin martin 35M Mar 7 19:16 core-image-minimal-qemux86-64.rootfs-20230307181456.wic.vmdk
39654412 lrwxrwxrwx 2 martin martin 56 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.ext4 -> core-image-minimal-qemux86-64.rootfs-20230307181456.ext4
39657167 lrwxrwxrwx 2 martin martin 58 Mar 7 19:16 core-image-minimal-qemux86-64.rootfs.hddimg -> core-image-minimal-qemux86-64.rootfs-20230307181456.hddimg
39657168 lrwxrwxrwx 2 martin martin 55 Mar 7 19:16 core-image-minimal-qemux86-64.rootfs.iso -> core-image-minimal-qemux86-64.rootfs-20230307181456.iso
39645316 lrwxrwxrwx 2 martin martin 60 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.manifest -> core-image-minimal-qemux86-64.rootfs-20230307181456.manifest
39646014 lrwxrwxrwx 2 martin martin 65 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.qemuboot.conf -> core-image-minimal-qemux86-64.rootfs-20230307181456.qemuboot.conf
39656315 lrwxrwxrwx 2 martin martin 59 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.tar.bz2 -> core-image-minimal-qemux86-64.rootfs-20230307181456.tar.bz2
39644406 lrwxrwxrwx 2 martin martin 65 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.testdata.json -> core-image-minimal-qemux86-64.rootfs-20230307181456.testdata.json
39656584 lrwxrwxrwx 2 martin martin 55 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.ubi -> core-image-minimal-qemux86-64.rootfs-20230307181456.ubi
39654775 lrwxrwxrwx 2 martin martin 57 Mar 7 19:15 core-image-minimal-qemux86-64.rootfs.ubifs -> core-image-minimal-qemux86-64.rootfs-20230307181456.ubifs
39657126 lrwxrwxrwx 2 martin martin 55 Mar 7 19:16 core-image-minimal-qemux86-64.rootfs.wic -> core-image-minimal-qemux86-64.rootfs-20230307181456.wic
39657088 lrwxrwxrwx 2 martin martin 60 Mar 7 19:16 core-image-minimal-qemux86-64.rootfs.wic.vmdk -> core-image-minimal-qemux86-64.rootfs-20230307181456.wic.vmdk
39654418 -rw-r--r-- 2 martin martin 3.8K Mar 7 19:15 core-image-minimal.env
39475732 -rw-r--r-- 2 martin martin 616K Mar 7 17:55 grub-efi-bootx64.efi
31507074 -rwxr-xr-x 2 martin martin 103K Mar 6 22:02 linuxx64.efi.stub
39479261 -rw-r--r-- 2 martin martin 8.2M Mar 7 12:27 modules--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.tgz
39479263 lrwxrwxrwx 2 martin martin 77 Mar 7 12:27 modules-qemux86-64.tgz -> modules--6.1.14+git0+e8d08fc4c0_b05ca3429c-r0.0-qemux86-64-20230307112110.tgz
31507058 -rwxr-xr-x 2 martin martin 140K Mar 6 22:02 systemd-bootx64.efi
27651415 -rw-r--r-- 2 martin martin 274 Mar 7 19:15 ubinize-core-image-minimal-qemux86-64.rootfs-20230307181456.cfg
[YOCTO #12937]
Signed-off-by: Martin Jansa <Martin.Jansa@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Add new fetcher for the NVD database using the 2.0 API [1].
The implementation changes as little as possible, keeping the current
database format (but using a different database file for the transition
period), with a notable exception of not using the META table.
Minor changes that could be visible:
- the database starts in 1999 instead of 2002
- the complete fetch is longer (30 minutes typically)
[1] https://nvd.nist.gov/developers/vulnerabilities
Signed-off-by: Marta Rybczynska <marta.rybczynska@syslinbit.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
NVD DB store version and update in the same value, separated by '_'.
The proposed patch check if the version from NVD DB contains a "_",
ie 9.2.0_p1 is convert to 9.2.0p1 before version comparison.
[YOCTO #14127]
Reviewed-by: Yoann CONGAL <yoann.congal@smile.fr>
Signed-off-by: Geoffrey GIRY <geoffrey.giry@smile.fr>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
When building an image cve_check_write_rootfs_manifest() would sometimes fail
with a FileNotFoundError when writing the manifest.cve due to the parent
directory (DEPLOY_DIR_IMAGE) not (yet) existing.
The image task will provide the manifest in the deploy directory afterwards,
so other recipes depending on the manifest being in DEPLOY_DIR_IMAGE should
continue to function properly.
Signed-off-by: Jermain Horsman <jermain.horsman@nedap.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
We can have multiple processes reading the database at the same time, and
cursors only release their locks when they're garbage collected.
This might be the cause of random sqlite errors on the autobuilder, so
explicitly close the cursors when we're done with them.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
The CVE check database needs to have a shared lock acquired on it before
it is accessed. This to prevent cve-update-db-native from deleting the
database file out from underneath it.
[YOCTO #14899]
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
As stated in our top level license files, the license is MIT unless
otherwise stated. Add SPDX identifers accordingly. Replace older
license statementa with the standardised syntax. Also drop "All
Rights Reserved" expression as it isn't used now, doesn't mean anything
and is confusing.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Where there isn't a copyright statement, add one to make it explicit.
Also drop editor config lines where they were present.
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The cve-check class writes temporary files to preserve state across the
build, and cleans them up in a CookerExit handler.
However, in memory-resident builds the cooker won't exit in between
builds, so the state isn't cleared and the CVE report generation fails:
NOTE: Generating JSON CVE summary
ERROR: Error adding the same package twice
Easily solved by hooking to BuildCompleted, instead of CookerExit.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Ignored CVEs aren't patched, but do not apply in our configuration
for some reason. Up till now they were only partially supported
and reported as "Patched".
This patch adds separate reporting of Ignored CVEs. The variable
CVE_CHECK_REPORT_PATCHED now manages reporting of both patched
and ignored CVEs.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Make empty return types in check_cvs the same for all code paths.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
In the cve-check text mode output, we didn't write fragment
files if there are no CVEs (if CVE_CHECK_REPORT_PATCHED is 1),
or no unpached CVEs otherwise.
However, in a system after multiple builds,
cve_check_write_rootfs_manifest might find older files and use
them as current, what leads to incorrect reporting.
Fix it by always writing a fragment file, even if empty.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Move the function to a library, it could be useful in other places.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
When running CVE checks in CI we're usually not interested in warnings on the
console for any CVEs present. Add a configuration option CVE_CHECK_SHOW_WARNINGS
to allow this to be disabled (it is left enabled by default).
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
As product, sdk should do cve check as well as rootfs.
Signed-off-by: Lei Maohui <leimaohui@fujitsu.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
The addition of summary output caused two issues: error when building
an image and the fact that JSON output was generated even when
CVE_CHECK_FORMAT_JSON.
When generating an image it caused an error like:
ERROR: core-image-minimal-1.0-r0 do_rootfs: Error executing a python function in exec_func_python() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_func_python() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:cve_check_write_rootfs_manifest(d)
0003:
File: '/home/alexk/poky/meta/classes/cve-check.bbclass', lineno: 213, function: cve_check_write_rootfs_manifest
0209:
0210: link_path = os.path.join(deploy_dir, "%s.json" % link_name)
0211: manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
0212: bb.note("Generating JSON CVE manifest")
*** 0213: generate_json_report(json_summary_name, json_summary_link_name)
0214: bb.plain("Image CVE JSON report stored in: %s" % link_path)
0215:}
0216:
0217:ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
Exception: NameError: name 'json_summary_name' is not defined
The fix is to pass the d variable to the pure python function generate_json_report
to get correct values of variables and add conditions for the JSON
output where needed.
In addition clarify the message presenting the summary JSON file,
which isn't related to an image.
Uses partial fixes from Alex Kiernan, Ernst Sjöstrand (ernstp),
and Davide Gardenal.
Fixes: f2987891d315 ("cve-check: add JSON format to summary output")
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
An if statement now checks if the link and output path are
the same, if they are then the link is not created,
otherwise it is.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
Create generate_json_report including all the code used to generate the JSON
manifest file.
Add to cve_save_summary_handler the ability to create the summary in JSON format.
Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
|
|
The only part of the cve-check task which needs files is the patch
examination, and typically these patches are local so fetch isn't needed.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Until now the CVE checker was giving information about CVEs found for
a product (or more products) contained in a recipe. However, there was
no easy way to find out which products or recipes have no CVEs. Having
no reported CVEs might mean there are simply none, but can also mean
a product name (CPE) mismatch.
This patch adds CVE_CHECK_COVERAGE option enabling a new type of
statistics. Then we use the new JSON format to report the information.
The legacy text mode report does not contain it.
This option is expected to help with an identification of recipes with
mismatched CPEs, issues in the database and more.
This work is based on [1], but adding the JSON format makes it easier
to implement, without additional result files.
[1] https://lists.openembedded.org/g/openembedded-core/message/159873
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Add an option to output the CVE check in a JSON-based format.
This format is easier to parse in software than the original
text-based one and allows post-processing by other tools.
Output formats are now handed by CVE_CHECK_FORMAT_TEXT and
CVE_CHECK_FORMAT_JSON. Both of them are enabled by default.
The JSON output format gets generated in a similar way to the
text format with the exception of the manifest: appending to
JSON arrays requires parsing the file. Because of that we
first write JSON fragments and then assemble them in one pass
at the end.
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
|
|
Update internal variable names to improve the terms used.
Signed-off-by: Saul Wold <saul.wold@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Now that all of the functions in cve-check open the database read-only,
we can remove this lockfile.
This means cve-check can run in parallal again, improving runtimes
massively.
This reverts commit d55fbf4779483d2cfd71df78d0f733b599fef739.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
All of the function in cve-check should open the database read-only, as
the only writer is the fetch task in cve-update-db. However,
get_cve_info() was failing to do this, which might be causing locking
issues with sqlite.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Create directory of the CVE_CHECK_MANIFEST variable before copy to it,
so that the variable can use an arbitrary directory name.
Signed-off-by: Stefan Herbrechtsmeier <stefan.herbrechtsmeier@weidmueller.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
this should prevent running into the very rare error
sqlite3.OperationalError: attempt to write a readonly database
As highlighted by https://www.sqlite.org/faq.html#q5
it is likely that the adapter won't allow use multiple exec calls
at the same time.
So it's best to prevent multiple accesses at a time, by reusing
the already in place CVE_CHECK_DB_FILE_LOCK
YOCTO #14110
Signed-off-by: Konrad Weihmann <kweihmann@outlook.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Moving the function will allow other classes to capture which CVEs have
been patched, in particular SBoM generation.
Also add a function to capture the CPE ID from the CVE Product and
Version
Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This variable has been deprecated since Yocto Project version 3.0.
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The old URL schema
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-ID
now redirects to
https://nvd.nist.gov/vuln/detail/CVE-ID
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This implements various fixes in comments in cve-check.bbclass
In particular, the "whitlisted" typo is important as the "whitelisted"
word is going to be replaced in a near future.
Signed-off-by: Michael Opdenacker <michael.opdenacker@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
This is the result of automated script conversion:
scripts/contrib/convert-overrides.py <oe-core directory>
converting the metadata to use ":" as the override character instead of "_".
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
There are times when exluding or including a layer
may be desired. This provide the framwork for that via
two variables. The default is all layers in bblayers.
CVE_CHECK_LAYER_INCLUDELIST
CVE_CHECK_LAYER_EXCLUDELIST
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Lets include whcih layer a package belongs to and
add it to the cve logs
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
add CVE_VERSION_SUFFIX to indicate the version suffix type, currently
works in two value, "alphabetical" if the version string uses single
alphabetical character suffix as incremental release, blank to not
consider the unidentified suffixes. This can be expand when more suffix
pattern identified.
refactor cve_check.Version class to use functools and add parameter to
handle suffix condition.
Also update testcases to cover new changes.
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The way distutils.version.LooseVersion compare version are tricky, it treat
all these ( "1.0-beta2", "1.0-rc1", "1.0A", "1.0p2" and "1.0pre1") as greater
version than "1.0". This might be right for "1.0A" and "1.0p1" but not for
the rest, also these version could be confusing, the "p" in "1.0p1" can be
"pre" or "patched" version or even other meaning.
Replace Looseversion with custom class, it uses regex to capture common
version format like "1.1.1" or tag format using date like "2020-12-12" as
release section, check for following known string/tags ( beta, rc, pre, dev,
alpha, preview) as pre-release section, any other trailing characters
are difficult to understand/define so ignore them. Compare release
section and pre-release section saperately.
included selftest for the version class.
[YOCTO#14127]
Signed-off-by: Lee Chee Yang <chee.yang.lee@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The output currently shows the remapped product and version fields,
which may not be the actual recipe name/version. As this report is about
recipes, use the real values.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
patched CVEs
Default behavior is not changed. To suppress patched CVEs, set:
CVE_CHECK_REPORT_PATCHED = ""
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
per-recipe check file
The addition of this variable also makes it possible to change the
output suffix of the check files, e.g. in local.conf:
CVE_CHECK_MANIFEST_append = ".txt"
CVE_CHECK_RECIPE_FILE_append = ".txt"
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Instead of inventing a new task to fetch the CVE data, use the existing
fetch task.
Signed-off-by: Ross Burton <ross.burton@arm.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
For example, if you just run 'bitbake cve-update-db-native' in a clean
build system, |cve_tmp_file| won't exist yet.
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
Previously CVE_CHECK_DB_FILE / CVE_CHECK_DB_DIR was the same across
multiconfigs which led to a race condition wherein multiple
cve-update-db-native:do_populate_cve_db tasks could attempt to write to
the same sqlite database. This led to the following task failure:
Error executing a python function in exec_python_func() autogenerated:
The stack trace of python calls that resulted in this exception/failure was:
File: 'exec_python_func() autogenerated', lineno: 2, function: <module>
0001:
*** 0002:do_populate_cve_db(d)
0003:
File: '/mnt/data/agent/work/74f119cccb44f133/yocto/sources/poky/meta/recipes-core/meta/cve-update-db-native.bb', lineno: 103, function: do_populate_cve_db
0099: if year == date.today().year:
0100: cve_f.write('CVE database update : %s\n\n' % date.today())
0101:
0102: cve_f.close()
*** 0103: conn.commit()
0104: conn.close()
0105:}
0106:
0107:def initialize_db(c):
Exception: sqlite3.OperationalError: disk I/O error
Use a lockfile to ensure multiple tasks don't step over each other.
Signed-off-by: Chris Laplante <chris.laplante@agilent.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|
|
The cve-check file should be saved always, it has good info.
Put a copy in the log dir as cve-summary with symlinks to latest run.
[Yocto #13974]
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
|