[0/3] Add initial capability to check CVEs for recipes

Submitted by Mikko Rapeli on Feb. 25, 2016, 1:27 p.m. | Patch ID: 116449

Details

Message ID 20160225132748.GD6210@loska
State New

Commit Message

Mikko Rapeli Feb. 25, 2016, 1:27 p.m.
On Thu, Feb 25, 2016 at 01:29:13PM +0100, Mikko Rapeli wrote:
> On Thu, Feb 25, 2016 at 01:14:21PM +0100, Mikko Rapeli wrote:
> > On Wed, Feb 24, 2016 at 03:27:05PM +0000, mariano.lopez@linux.intel.com wrote:
> > > From: Mariano Lopez <mariano.lopez@linux.intel.com>
> > > 
> > > This series adds the cve-check-tool recipe, a tool used to identify
> > > potentially vulnerable software through version matching. It will
> > > check if a vulnerability has been addressed by a patch.
> > > 
> > > Also add the new cve-check class that will add a task for all recipes
> > > to check for CVEs using cve-check-tool. This tool can be used by recipe,
> > > image (will generate an image report in deploy dir), and with "world"
> > > and "universe"
> > > 
> > > To run it just inherit the class and enter:
> > > 
> > > bitbake -c cve_check <recipe>
> > 
> > I tried these on yocto/dizzy but:

Full changes needed in dizzy are:


And with this I get nice reports with "bitbake -c cve_check openssl" to
tmp/deploy/cve/openssl.

I'll try with a full image build next, but I really, really like this stuff.

Thanks!

-Mikko

Patch

diff --git a/bitbake/lib/bb/utils.py b/bitbake/lib/bb/utils.py
index 670e592..f24a584 100644
--- a/bitbake/lib/bb/utils.py
+++ b/bitbake/lib/bb/utils.py
@@ -893,3 +893,21 @@  def multiprocessingpool(*args, **kwargs):
 
     return multiprocessing.Pool(*args, **kwargs)
 
+# export common proxies variables from datastore to environment
+def export_proxies(d):
+    import os
+
+    variables = ['http_proxy', 'HTTP_PROXY', 'https_proxy', 'HTTPS_PROXY',
+                    'ftp_proxy', 'FTP_PROXY', 'no_proxy', 'NO_PROXY']
+    exported = False
+
+    for v in variables:
+        if v in os.environ.keys():
+            exported = True
+        else:
+            v_proxy = d.getVar(v, True)
+            if v_proxy is not None:
+                os.environ[v] = v_proxy
+                exported = True
+
+    return exported
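Review bot: In export_proxies the test "if v_proxy is not None" lets an empty string from the datastore through, so "os.environ[v] = v_proxy" can export a blank http_proxy or no_proxy and the function still returns True; "if v_proxy:" would skip unset and empty values alike. The assignment changes os.environ for the whole process, so every child process inherits the proxy URL, including any credentials embedded in it, and the return value is also True when a variable was merely present already. Turn the leading comment into a docstring that states both behaviours. "if v in os.environ" is enough without ".keys()".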
diff --git a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
index 9df81cb..b98d991 100644
--- a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
+++ b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
@@ -21,3 +21,5 @@  FILES_${PN} += "${datadir}/icons"
 do_install_append () {
 	install -m 0644 ${WORKDIR}/index.theme ${D}/${datadir}/icons/hicolor
 }
+
+BBCLASSEXTEND = "native"
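Review bot: BBCLASSEXTEND = "native" is appended to hicolor-icon-theme with no comment, and the message above only says "Full changes needed in dizzy", so nothing records which recipe needs hicolor-icon-theme-native. Name the consumer in the commit message so the line can be dropped or kept knowingly when the backport is revisited.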
diff --git a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
index ce00709..26f8f7f 100644
--- a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
+++ b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
@@ -18,3 +18,5 @@  SRC_URI[archive.sha256sum] = "dbf558d2da989ab84a27e4e13daa51ceaa97eb959c2c2f8097
 inherit gnome gettext lib_package
 
 EXTRA_OECONF = "--disable-introspection"
+
+BBCLASSEXTEND = "native"
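Review bot: This json-glib recipe change, like the hicolor-icon-theme one before it, shares a patch with a library change in bitbake/lib/bb/utils.py. Split the recipe changes from the bb.utils change so each can be reviewed, applied and reverted on its own. The native variant also picks up the EXTRA_OECONF = "--disable-introspection" shown in the context lines, which is worth confirming as intended for the native build.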

Comments

Mikko Rapeli Feb. 25, 2016, 2:09 p.m.
For openssh there must be some bugs or tunings needed to match the version
numbers used in CVE to ones in yocto. openssh-6.6p1 has zero matches
with the check but I think there are several:

downloads/CVE_CHECK$ grep openssh *xml| grep 6\.6\:p1
nvdcve-2.0-2016.xml:        <cpe-lang:fact-ref name="cpe:/a:openbsd:openssh:6.6:p1"/>
nvdcve-2.0-2016.xml:      <vuln:product>cpe:/a:openbsd:openssh:6.6:p1</vuln:product>
nvdcve-2.0-2016.xml:        <cpe-lang:fact-ref name="cpe:/a:openbsd:openssh:6.6:p1"/>
nvdcve-2.0-2016.xml:      <vuln:product>cpe:/a:openbsd:openssh:6.6:p1</vuln:product>

How should these tunings be made?

-Mikko
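
Added example (editor's illustration, not part of the thread and not code from cve-check-tool): the CPE entries quoted above carry the version as two fields, "6.6" and "p1", while the recipe version is the single string "6.6p1". The sketch below shows how a verbatim comparison misses those entries and how splitting the recipe version finds them. The splitting rule, the function names and the sample list are assumptions made for the illustration.

```python
import re

# Constructed sample: CPE 2.2 URIs in the form quoted from nvdcve-2.0-2016.xml,
# plus extra entries that must not match.
SAMPLE_CPES = [
    "cpe:/a:openbsd:openssh:6.6:p1",
    "cpe:/a:openbsd:openssh:6.6",
    "cpe:/a:openbsd:openssh:7.1:p1",
    "cpe:/a:openssl:openssl:1.0.1g",
]


def parse_cpe22(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, version, update)."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (5 - len(fields))      # missing trailing fields are empty
    return tuple(fields[:5])


# Assumed rule: a dotted numeric version followed by "p<digits>" is an
# upstream version plus a portable/patch-level update, e.g. 6.6p1.
_PV_WITH_UPDATE = re.compile(r"^(\d+(?:\.\d+)*)(p\d+)$")


def pv_to_cpe_version(pv):
    """Map a recipe version to the (version, update) pair used in a CPE."""
    m = _PV_WITH_UPDATE.match(pv)
    if m:
        return m.group(1), m.group(2)
    return pv, ""


def naive_matches(product, pv, cpes):
    """Compare the recipe version verbatim with the CPE version field."""
    hits = []
    for uri in cpes:
        _, _, prod, ver, _ = parse_cpe22(uri)
        if prod == product and ver == pv:
            hits.append(uri)
    return hits


def normalized_matches(product, pv, cpes):
    """Compare after splitting the recipe version into version and update."""
    version, update = pv_to_cpe_version(pv)
    hits = []
    for uri in cpes:
        _, _, prod, ver, upd = parse_cpe22(uri)
        if prod == product and ver == version and upd == update:
            hits.append(uri)
    return hits


if __name__ == "__main__":
    print("verbatim:  ", naive_matches("openssh", "6.6p1", SAMPLE_CPES))
    print("normalized:", normalized_matches("openssh", "6.6p1", SAMPLE_CPES))
```
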
Mikko Rapeli Feb. 26, 2016, 8:14 a.m.
Hi,

On my developer machine the cve-check ran ok for dizzy but on build server
with sstate-cache and rmwork enabled it failed with what looks like a race
condition when scanning the patch files:

17:45:36 ERROR: Error executing a python function in /home/builder/src/base/poky/meta/recipes-extended/mailx/mailx_12.5.bb:
17:45:36 
17:45:36 The stack trace of python calls that resulted in this exception/failure was:
17:45:36 File: 'do_cve_check', lineno: 17, function: <module>
17:45:36      0013:    else:
17:45:36      0014:        bb.note("Failed to update CVE database, skipping CVE check")
17:45:36      0015:
17:45:36      0016:
17:45:36  *** 0017:do_cve_check(d)
17:45:36      0018:
17:45:37 File: 'do_cve_check', lineno: 8, function: do_cve_check
17:45:37      0004:    Check recipe for patched and unpatched CVEs
17:45:37      0005:    """
17:45:37      0006:
17:45:37      0007:    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE", True)):
17:45:37  *** 0008:        patched_cves = get_patches_cves(d)
17:45:37      0009:        patched, unpatched = check_cves(d, patched_cves)
17:45:37      0010:        if patched or unpatched:
17:45:37      0011:            cve_data = get_cve_info(d, patched + unpatched)
17:45:37      0012:            cve_write_data(d, patched, unpatched, cve_data)
17:45:37 File: 'cve-check.bbclass', lineno: 13, function: get_patches_cves
17:45:37      0009:    cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
17:45:37      0010:    patched_cves = set()
17:45:37      0011:    for url in src_patches(d):
17:45:37      0012:        patch_file = bb.fetch.decodeurl(url)[2]
17:45:37  *** 0013:        with open(patch_file, "r") as f:
17:45:37      0014:            patch_text = f.read()
17:45:37      0015:
17:45:37      0016:        # Search for the "CVE: " line
17:45:37      0017:        match = cve_match.search(patch_text)
17:45:37 Exception: IOError: [Errno 2] No such file or directory: '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
17:45:37 
17:45:37 ERROR: Function failed: do_cve_check

So could this be caused by cve-check changes or is this just a side effect
of some other recipe problems?

I could not see that kind of fixes in master.

-Mikko
Mariano Lopez Feb. 26, 2016, 2:48 p.m.
On 02/26/2016 02:14 AM, Mikko.Rapeli@bmw.de wrote:
> Hi,
>
> On my developer machine the cve-check ran ok for dizzy but on build server
> with sstate-cache and rmwork enabled it failed with what looks like a race
> condition when scanning the patch files:
>
> 17:45:36 ERROR: Error executing a python function in /home/builder/src/base/poky/meta/recipes-extended/mailx/mailx_12.5.bb:
> 17:45:36
> 17:45:36 The stack trace of python calls that resulted in this exception/failure was:
> 17:45:36 File: 'do_cve_check', lineno: 17, function: <module>
> 17:45:36      0013:    else:
> 17:45:36      0014:        bb.note("Failed to update CVE database, skipping CVE check")
> 17:45:36      0015:
> 17:45:36      0016:
> 17:45:36  *** 0017:do_cve_check(d)
> 17:45:36      0018:
> 17:45:37 File: 'do_cve_check', lineno: 8, function: do_cve_check
> 17:45:37      0004:    Check recipe for patched and unpatched CVEs
> 17:45:37      0005:    """
> 17:45:37      0006:
> 17:45:37      0007:    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE", True)):
> 17:45:37  *** 0008:        patched_cves = get_patches_cves(d)
> 17:45:37      0009:        patched, unpatched = check_cves(d, patched_cves)
> 17:45:37      0010:        if patched or unpatched:
> 17:45:37      0011:            cve_data = get_cve_info(d, patched + unpatched)
> 17:45:37      0012:            cve_write_data(d, patched, unpatched, cve_data)
> 17:45:37 File: 'cve-check.bbclass', lineno: 13, function: get_patches_cves
> 17:45:37      0009:    cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
> 17:45:37      0010:    patched_cves = set()
> 17:45:37      0011:    for url in src_patches(d):
> 17:45:37      0012:        patch_file = bb.fetch.decodeurl(url)[2]
> 17:45:37  *** 0013:        with open(patch_file, "r") as f:
> 17:45:37      0014:            patch_text = f.read()
> 17:45:37      0015:
> 17:45:37      0016:        # Search for the "CVE: " line
> 17:45:37      0017:        match = cve_match.search(patch_text)
> 17:45:37 Exception: IOError: [Errno 2] No such file or directory: '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
> 17:45:37
> 17:45:37 ERROR: Function failed: do_cve_check
>
> So could this be caused by cve-check changes or is this just a side effect
> of some other recipe problems?
>
> I could not see that kind of fixes in master.
>
> -Mikko

The changes in the patch series were minimal and actually this part of the
code wasn't touched at all. That part of the code will look for all the
files in the SRC_URI variable and will look for the "CVE:" tag in order
to find patches that solve CVEs.

It seems the problem is with the bitbake fetcher, or the recipe;
unfortunately the fetcher is one of the components that change most
between releases. Another thing to check is whether there actually is a
heirloom-mailx_12.5-1.diff file in the paths that the fetcher looks in.
You can check this in the cve_check or patch log in the work directory
of the recipe.

Mariano
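
Added example (editor's illustration, not part of the thread and not the code of cve-check.bbclass): a stand-alone version of the "CVE:" tag scan described above. It collects every id on a tag line and reports patch files that have disappeared instead of raising or silently skipping them, so an incomplete scan is visible in the result. The function names, the sample patch header and the placeholder CVE ids are constructed.

```python
import os
import re
import tempfile

# A "CVE:" tag line followed by one or more ids, as in the traceback's pattern.
CVE_LINE = re.compile(r"^CVE:((?: CVE-\d+-\d+)+)[ \t]*$", re.MULTILINE)
CVE_ID = re.compile(r"CVE-\d+-\d+")

# Constructed patch header; the CVE ids are placeholders, not real entries.
SAMPLE_PATCH = """\
Fix two parser issues (constructed patch header)

Upstream-Status: Backport
CVE: CVE-0000-0001 CVE-0000-0002
Signed-off-by: Example Developer <dev@example.invalid>

--- a/parser.c
+++ b/parser.c
"""


def last_repetition_only(text):
    """Pattern text from the traceback: a repeated group keeps its last match."""
    m = re.search(r"CVE:( CVE\-\d+\-\d+)+", text)
    return m.group(1).strip() if m else None


def cves_in_patch_text(text):
    """Return every CVE id named on any 'CVE:' tag line."""
    ids = set()
    for line in CVE_LINE.finditer(text):
        ids.update(CVE_ID.findall(line.group(1)))
    return ids


def scan_patches(paths):
    """Return (patched_cves, missing_files) for a list of local patch paths."""
    patched, missing = set(), []
    for path in paths:
        try:
            with open(path, "r", errors="replace") as f:
                text = f.read()
        except FileNotFoundError:
            # The work directory may already have been cleaned up; record the
            # gap so the caller can flag the report as incomplete.
            missing.append(path)
            continue
        patched |= cves_in_patch_text(text)
    return patched, missing


def demo():
    """Scan one present and one absent patch file in a scratch directory."""
    with tempfile.TemporaryDirectory() as workdir:
        present = os.path.join(workdir, "fix-two-issues.patch")
        with open(present, "w") as f:
            f.write(SAMPLE_PATCH)
        absent = os.path.join(workdir, "removed-by-cleanup.diff")
        patched, missing = scan_patches([present, absent])
        return patched, missing, absent


if __name__ == "__main__":
    patched, missing, _ = demo()
    print("patched CVEs:", sorted(patched))
    print("missing patch files:", missing)
```
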
Mikko Rapeli Feb. 26, 2016, 2:56 p.m.
On Fri, Feb 26, 2016 at 08:48:47AM -0600, Mariano Lopez wrote:
> On 02/26/2016 02:14 AM, Mikko.Rapeli@bmw.de wrote:
> >Hi,
> >
> >On my developer machine the cve-check ran ok for dizzy but on build server
> >with sstate-cache and rmwork enabled it failed with what looks like a race
> >condition when scanning the patch files:
> >
> >17:45:36 ERROR: Error executing a python function in /home/builder/src/base/poky/meta/recipes-extended/mailx/mailx_12.5.bb:
> >17:45:36
> >17:45:36 The stack trace of python calls that resulted in this exception/failure was:
> >17:45:36 File: 'do_cve_check', lineno: 17, function: <module>
> >17:45:36      0013:    else:
> >17:45:36      0014:        bb.note("Failed to update CVE database, skipping CVE check")
> >17:45:36      0015:
> >17:45:36      0016:
> >17:45:36  *** 0017:do_cve_check(d)
> >17:45:36      0018:
> >17:45:37 File: 'do_cve_check', lineno: 8, function: do_cve_check
> >17:45:37      0004:    Check recipe for patched and unpatched CVEs
> >17:45:37      0005:    """
> >17:45:37      0006:
> >17:45:37      0007:    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE", True)):
> >17:45:37  *** 0008:        patched_cves = get_patches_cves(d)
> >17:45:37      0009:        patched, unpatched = check_cves(d, patched_cves)
> >17:45:37      0010:        if patched or unpatched:
> >17:45:37      0011:            cve_data = get_cve_info(d, patched + unpatched)
> >17:45:37      0012:            cve_write_data(d, patched, unpatched, cve_data)
> >17:45:37 File: 'cve-check.bbclass', lineno: 13, function: get_patches_cves
> >17:45:37      0009:    cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
> >17:45:37      0010:    patched_cves = set()
> >17:45:37      0011:    for url in src_patches(d):
> >17:45:37      0012:        patch_file = bb.fetch.decodeurl(url)[2]
> >17:45:37  *** 0013:        with open(patch_file, "r") as f:
> >17:45:37      0014:            patch_text = f.read()
> >17:45:37      0015:
> >17:45:37      0016:        # Search for the "CVE: " line
> >17:45:37      0017:        match = cve_match.search(patch_text)
> >17:45:37 Exception: IOError: [Errno 2] No such file or directory: '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
> >17:45:37
> >17:45:37 ERROR: Function failed: do_cve_check
> >
> >So could this be caused by cve-check changes or is this just a side effect
> >of some other recipe problems?
> >
> >I could not see that kind of fixes in master.
> >
> >-Mikko
> 
> The changes in patch series were minimal and actually this part of the code
> wasn't touched at all. That part of the code will look for all the files in
> the SRC_URI variable and will look for the "CVE:" tag in order to find
> patches that solve CVEs.

Yep, the code seems straightforward.

> It seems the problem is with the bitbake fetcher, or the recipe;
> unfortunately the fetcher is one of the components that change most between
> releases. Another thing to check is whether there actually is a
> heirloom-mailx_12.5-1.diff file in the paths that the fetcher looks in. You
> can check this in the cve_check or patch log in the work directory of the
> recipe.

Unfortunately the file is there if I check with devshell but I have now
four different CI runs with this failure. Only difference to my developer
machine is sstate cache. Build machines maintain their own sstate cache.

-Mikko
Mikko Rapeli Feb. 26, 2016, 2:57 p.m.
On Fri, Feb 26, 2016 at 03:56:24PM +0100, Mikko Rapeli wrote:
> On Fri, Feb 26, 2016 at 08:48:47AM -0600, Mariano Lopez wrote:
> > On 02/26/2016 02:14 AM, Mikko.Rapeli@bmw.de wrote:
> > >Hi,
> > >
> > >On my developer machine the cve-check ran ok for dizzy but on build server
> > >with sstate-cache and rmwork enabled it failed with what looks like a race
> > >condition when scanning the patch files:
> > >
> > >17:45:36 ERROR: Error executing a python function in /home/builder/src/base/poky/meta/recipes-extended/mailx/mailx_12.5.bb:
> > >17:45:36
> > >17:45:36 The stack trace of python calls that resulted in this exception/failure was:
> > >17:45:36 File: 'do_cve_check', lineno: 17, function: <module>
> > >17:45:36      0013:    else:
> > >17:45:36      0014:        bb.note("Failed to update CVE database, skipping CVE check")
> > >17:45:36      0015:
> > >17:45:36      0016:
> > >17:45:36  *** 0017:do_cve_check(d)
> > >17:45:36      0018:
> > >17:45:37 File: 'do_cve_check', lineno: 8, function: do_cve_check
> > >17:45:37      0004:    Check recipe for patched and unpatched CVEs
> > >17:45:37      0005:    """
> > >17:45:37      0006:
> > >17:45:37      0007:    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE", True)):
> > >17:45:37  *** 0008:        patched_cves = get_patches_cves(d)
> > >17:45:37      0009:        patched, unpatched = check_cves(d, patched_cves)
> > >17:45:37      0010:        if patched or unpatched:
> > >17:45:37      0011:            cve_data = get_cve_info(d, patched + unpatched)
> > >17:45:37      0012:            cve_write_data(d, patched, unpatched, cve_data)
> > >17:45:37 File: 'cve-check.bbclass', lineno: 13, function: get_patches_cves
> > >17:45:37      0009:    cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
> > >17:45:37      0010:    patched_cves = set()
> > >17:45:37      0011:    for url in src_patches(d):
> > >17:45:37      0012:        patch_file = bb.fetch.decodeurl(url)[2]
> > >17:45:37  *** 0013:        with open(patch_file, "r") as f:
> > >17:45:37      0014:            patch_text = f.read()
> > >17:45:37      0015:
> > >17:45:37      0016:        # Search for the "CVE: " line
> > >17:45:37      0017:        match = cve_match.search(patch_text)
> > >17:45:37 Exception: IOError: [Errno 2] No such file or directory: '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
> > >17:45:37
> > >17:45:37 ERROR: Function failed: do_cve_check
> > >
> > >So could this be caused by cve-check changes or is this just a side effect
> > >of some other recipe problems?
> > >
> > >I could not see that kind of fixes in master.
> > >
> > >-Mikko
> > 
> > The changes in patch series were minimal and actually this part of the code
> > wasn't touched at all. That part of the code will look for all the files in
> > the SRC_URI variable and will look for the "CVE:" tag in order to find
> > patches that solve CVEs.
> 
> Yep, the code seems straightforward.
> 
> > It seems the problem is with the bitbake fetcher, or the recipe;
> > unfortunately the fetcher is one of the components that change most between
> > releases. Another thing to check is whether there actually is a
> > heirloom-mailx_12.5-1.diff file in the paths that the fetcher looks in. You
> > can check this in the cve_check or patch log in the work directory of the
> > recipe.
> 
> Unfortunately the file is there if I check with devshell but I have now
> four different CI runs with this failure. Only difference to my developer
> machine is sstate cache. Build machines maintain their own sstate cache.

Last two runs were with v2 patches.

-Mikko
Mariano Lopez Feb. 26, 2016, 3:38 p.m.
On 02/26/2016 08:57 AM, Mikko.Rapeli@bmw.de wrote:
> On Fri, Feb 26, 2016 at 03:56:24PM +0100, Mikko Rapeli wrote:
>> On Fri, Feb 26, 2016 at 08:48:47AM -0600, Mariano Lopez wrote:
>>> On 02/26/2016 02:14 AM, Mikko.Rapeli@bmw.de wrote:
>>>> Hi,
>>>>
>>>> On my developer machine the cve-check ran ok for dizzy but on build server
>>>> with sstate-cache and rmwork enabled it failed with what looks like a race
>>>> condition when scanning the patch files:
>>>>
>>>> 17:45:36 ERROR: Error executing a python function in /home/builder/src/base/poky/meta/recipes-extended/mailx/mailx_12.5.bb:
>>>> 17:45:36
>>>> 17:45:36 The stack trace of python calls that resulted in this exception/failure was:
>>>> 17:45:36 File: 'do_cve_check', lineno: 17, function: <module>
>>>> 17:45:36      0013:    else:
>>>> 17:45:36      0014:        bb.note("Failed to update CVE database, skipping CVE check")
>>>> 17:45:36      0015:
>>>> 17:45:36      0016:
>>>> 17:45:36  *** 0017:do_cve_check(d)
>>>> 17:45:36      0018:
>>>> 17:45:37 File: 'do_cve_check', lineno: 8, function: do_cve_check
>>>> 17:45:37      0004:    Check recipe for patched and unpatched CVEs
>>>> 17:45:37      0005:    """
>>>> 17:45:37      0006:
>>>> 17:45:37      0007:    if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE", True)):
>>>> 17:45:37  *** 0008:        patched_cves = get_patches_cves(d)
>>>> 17:45:37      0009:        patched, unpatched = check_cves(d, patched_cves)
>>>> 17:45:37      0010:        if patched or unpatched:
>>>> 17:45:37      0011:            cve_data = get_cve_info(d, patched + unpatched)
>>>> 17:45:37      0012:            cve_write_data(d, patched, unpatched, cve_data)
>>>> 17:45:37 File: 'cve-check.bbclass', lineno: 13, function: get_patches_cves
>>>> 17:45:37      0009:    cve_match = re.compile("CVE:( CVE\-\d+\-\d+)+")
>>>> 17:45:37      0010:    patched_cves = set()
>>>> 17:45:37      0011:    for url in src_patches(d):
>>>> 17:45:37      0012:        patch_file = bb.fetch.decodeurl(url)[2]
>>>> 17:45:37  *** 0013:        with open(patch_file, "r") as f:
>>>> 17:45:37      0014:            patch_text = f.read()
>>>> 17:45:37      0015:
>>>> 17:45:37      0016:        # Search for the "CVE: " line
>>>> 17:45:37      0017:        match = cve_match.search(patch_text)
>>>> 17:45:37 Exception: IOError: [Errno 2] No such file or directory: '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
>>>> 17:45:37
>>>> 17:45:37 ERROR: Function failed: do_cve_check
>>>>
>>>> So could this be caused by cve-check changes or is this just a side effect
>>>> of some other recipe problems?
>>>>
>>>> I could not see that kind of fixes in master.
>>>>
>>>> -Mikko
>>> The changes in patch series were minimal and actually this part of the code
>>> wasn't touched at all. That part of the code will look for all the files in
>>> the SRC_URI variable and will look for the "CVE:" tag in order to find
>>> patches that solve CVEs.
>> Yep, the code seems straightforward.
>>
>>> It seems the problem is with the bitbake fetcher, or the recipe;
>>> unfortunately the fetcher is one of the components that change most between
>>> releases. Another thing to check is whether there actually is a
>>> heirloom-mailx_12.5-1.diff file in the paths that the fetcher looks in. You
>>> can check this in the cve_check or patch log in the work directory of the
>>> recipe.
>> Unfortunately the file is there if I check with devshell but I have now
>> four different CI runs with this failure. Only difference to my developer
>> machine is sstate cache. Build machines maintain their own sstate cache.
> Last two runs were with v2 patches.

Would it be possible to run these CI runs with master to check if you see
the error too?
Also, what you can do is to put try: except:, but this won't solve the
problem, it will just hide it so the build can finish.

>
> -Mikko

Mariano Lopez
Ross Burton Feb. 29, 2016, 2:17 p.m.
On 26 February 2016 at 08:14, <Mikko.Rapeli@bmw.de> wrote:

> 17:45:37  *** 0013:        with open(patch_file, "r") as f:
> 17:45:37      0014:            patch_text = f.read()
> 17:45:37      0015:
> 17:45:37      0016:        # Search for the "CVE: " line
> 17:45:37      0017:        match = cve_match.search(patch_text)
> 17:45:37 Exception: IOError: [Errno 2] No such file or directory:
> '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
> 17:45:37
> 17:45:37 ERROR: Function failed: do_cve_check
>
> So could this be caused by cve-check changes or is this just a side effect
> of some other recipe problems?
>

Do you have rm_work enabled?

Ross
Mikko Rapeli Feb. 29, 2016, 2:19 p.m.
On Mon, Feb 29, 2016 at 02:17:26PM +0000, Burton, Ross wrote:
> On 26 February 2016 at 08:14, <Mikko.Rapeli@bmw.de> wrote:
> 
> > 17:45:37  *** 0013:        with open(patch_file, "r") as f:
> > 17:45:37      0014:            patch_text = f.read()
> > 17:45:37      0015:
> > 17:45:37      0016:        # Search for the "CVE: " line
> > 17:45:37      0017:        match = cve_match.search(patch_text)
> > 17:45:37 Exception: IOError: [Errno 2] No such file or directory:
> > '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
> > 17:45:37
> > 17:45:37 ERROR: Function failed: do_cve_check
> >
> > So could this be caused by cve-check changes or is this just a side effect
> > of some other recipe problems?
> >
> 
> Do you have rm_work enabled?

Yes.

-Mikko
Mariano Lopez March 1, 2016, 3:15 p.m.
On 02/29/2016 08:19 AM, Mikko.Rapeli@bmw.de wrote:
> On Mon, Feb 29, 2016 at 02:17:26PM +0000, Burton, Ross wrote:
>> On 26 February 2016 at 08:14, <Mikko.Rapeli@bmw.de> wrote:
>>
>>> 17:45:37  *** 0013:        with open(patch_file, "r") as f:
>>> 17:45:37      0014:            patch_text = f.read()
>>> 17:45:37      0015:
>>> 17:45:37      0016:        # Search for the "CVE: " line
>>> 17:45:37      0017:        match = cve_match.search(patch_text)
>>> 17:45:37 Exception: IOError: [Errno 2] No such file or directory:
>>> '/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
>>> 17:45:37
>>> 17:45:37 ERROR: Function failed: do_cve_check
>>>
>>> So could this be caused by cve-check changes or is this just a side effect
>>> of some other recipe problems?
>>>
>> Do you have rm_work enabled?
> Yes.
>
> -Mikko

I think I have found the problem: when you do devshell it will execute
do_unpack, and the cve_check task must run after that for some recipes.
Try this:

addtask cve_check after do_unpack before do_build

Sorry for not including a diff; the diff is way bigger than just this line
at the moment.

Mariano
Mikko Rapeli March 2, 2016, 6:32 a.m.
On Tue, Mar 01, 2016 at 09:15:37AM -0600, Mariano Lopez wrote:
> 
> 
> On 02/29/2016 08:19 AM, Mikko.Rapeli@bmw.de wrote:
> >On Mon, Feb 29, 2016 at 02:17:26PM +0000, Burton, Ross wrote:
> >>On 26 February 2016 at 08:14, <Mikko.Rapeli@bmw.de> wrote:
> >>
> >>>17:45:37  *** 0013:        with open(patch_file, "r") as f:
> >>>17:45:37      0014:            patch_text = f.read()
> >>>17:45:37      0015:
> >>>17:45:37      0016:        # Search for the "CVE: " line
> >>>17:45:37      0017:        match = cve_match.search(patch_text)
> >>>17:45:37 Exception: IOError: [Errno 2] No such file or directory:
> >>>'/home/builder/src/base/build/tmp/work/corei7-64-linux/mailx/12.5-r2/heirloom-mailx_12.5-1.diff'
> >>>17:45:37
> >>>17:45:37 ERROR: Function failed: do_cve_check
> >>>
> >>>So could this be caused by cve-check changes or is this just a side effect
> >>>of some other recipe problems?
> >>>
> >>Do you have rm_work enabled?
> >Yes.
> >
> >-Mikko
> 
> I think I have found the problem, when you do devshell it will execute
> do_unpack and the cve_check task must run after that for some recipes. Try
> this:
> 
> addtask cve_check after do_unpack before do_build

Thanks, with this change the scan builds pass on dizzy.

-Mikko