[0/3] Add initial capability to check CVEs for recipes

Submitted by Mikko Rapeli on Feb. 25, 2016, 12:14 p.m. | Patch ID: 116445

Details

Message ID 20160225121421.GB6210@loska
State New
Headers show

Commit Message

Mikko Rapeli Feb. 25, 2016, 12:14 p.m.
On Wed, Feb 24, 2016 at 03:27:05PM +0000, mariano.lopez@linux.intel.com wrote:
> From: Mariano Lopez <mariano.lopez@linux.intel.com>
> 
> This series add the cve-check-tool recipe, a tool used to identify
> potentially vulnerable software through version matching. It will
> check if a vulnerability has been addressed by a patch.
> 
> Also add the new cve-check class that will add a task for all recipes
> to check for CVEs using cve-check-tool. This tool can be used by recipe,
> image (will generate an image report in deploy dir), and with "world"
> and "universe"
> 
> To run it just inherit the class and enter:
> 
> bitbake -c cve_check <recipe>

I tried these on yocto/dizzy but:

ERROR: Task do_cve_check in /home/builder/src/base/poky/meta/recipes-core/busybox/busybox_1.22.1.bb depends upon non-existent task do_populate_cve_db in virtual:native:/home/builder/src/base/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb

Is there some simple way to make this work there too?

For testing purposes I tried this only with busybox:

$ cat busybox_%.bbappend 
inherit cve-check

The cve-check-tool itself needed a few native backports/fixes:


-Mikko

Patch hide | download patch | download mbox

diff --git a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
index 9df81cb..b98d991 100644
--- a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
+++ b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
@@ -21,3 +21,5 @@  FILES_${PN} += "${datadir}/icons"
 do_install_append () {
 	install -m 0644 ${WORKDIR}/index.theme ${D}/${datadir}/icons/hicolor
 }
+
+BBCLASSEXTEND = "native"
diff --git a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
index ce00709..26f8f7f 100644
--- a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
+++ b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
@@ -18,3 +18,5 @@  SRC_URI[archive.sha256sum] = "dbf558d2da989ab84a27e4e13daa51ceaa97eb959c2c2f8097
 inherit gnome gettext lib_package
 
 EXTRA_OECONF = "--disable-introspection"
+
+BBCLASSEXTEND = "native"

Comments

Mikko Rapeli Feb. 25, 2016, 12:29 p.m.
On Thu, Feb 25, 2016 at 01:14:21PM +0100, Mikko Rapeli wrote:
> On Wed, Feb 24, 2016 at 03:27:05PM +0000, mariano.lopez@linux.intel.com wrote:
> > From: Mariano Lopez <mariano.lopez@linux.intel.com>
> > 
> > This series add the cve-check-tool recipe, a tool used to identify
> > potentially vulnerable software through version matching. It will
> > check if a vulnerability has been addressed by a patch.
> > 
> > Also add the new cve-check class that will add a task for all recipes
> > to check for CVEs using cve-check-tool. This tool can be used by recipe,
> > image (will generate an image report in deploy dir), and with "world"
> > and "universe"
> > 
> > To run it just inherit the class and enter:
> > 
> > bitbake -c cve_check <recipe>
> 
> I tried these on yocto/dizzy but:
> 
> ERROR: Task do_cve_check in /home/builder/src/base/poky/meta/recipes-core/busybox/busybox_1.22.1.bb depends upon non-existent task do_populate_cve_db in virtual:native:/home/builder/src/base/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb
> 
> Is there some simple way to make this work there too?
> 
> For testing purposes I tried this only with busybox:
> 
> $ cat busybox_%.bbappend 
> inherit cve-check
> 
> The cve-check-tool itself needed a few native backports/fixes:
> 
> diff --git a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
> index 9df81cb..b98d991 100644
> --- a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
> +++ b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
> @@ -21,3 +21,5 @@ FILES_${PN} += "${datadir}/icons"
>  do_install_append () {
>  	install -m 0644 ${WORKDIR}/index.theme ${D}/${datadir}/icons/hicolor
>  }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
> index ce00709..26f8f7f 100644
> --- a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
> +++ b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
> @@ -18,3 +18,5 @@ SRC_URI[archive.sha256sum] = "dbf558d2da989ab84a27e4e13daa51ceaa97eb959c2c2f8097
>  inherit gnome gettext lib_package
>  
>  EXTRA_OECONF = "--disable-introspection"
> +
> +BBCLASSEXTEND = "native"

Sorry, I guess this is needed to enable the class properly:

$ grep cve-check conf/local.conf
INHERIT += "cve-check"

but there are some other backports needed in python modules...

-Mikko