openembedded-core.git/meta/classes/cve-check.bbclass, branch pyro Mirror of openembedded-core cve-check.bbclass: Fix dependencies 2017-02-15T17:29:42+00:00 Jussi Kukkonen jussi.kukkonen@intel.com 2017-02-09T19:38:31+00:00 bd60b1018bc0304bc928701e6d1090c8b1223616 With recipe-specific sysroots the cve_check task must depend on cve-check-tool-native:do_populate_sysroot to get the cve-check-tool binary into the recipe sysroot. A normal DEPENDS isn't used to avoid cyclic dependencies. Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
With recipe-specific sysroots the cve_check task must depend on
cve-check-tool-native:do_populate_sysroot to get the cve-check-tool
binary into the recipe sysroot.

A normal DEPENDS isn't used to avoid cyclic dependencies.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
meta: remove True option to getVar calls 2016-12-16T08:30:03+00:00 Joshua Lock joshua.g.lock@intel.com 2016-12-14T21:13:04+00:00 7c552996597faaee2fbee185b250c0ee30ea3b5f getVar() now defaults to expanding by default, thus remove the True option from getVar() calls with a regex search and replace. Search made with the following regex: getVar ?\(( ?[^,()]*), True\) Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.

Search made with the following regex: getVar ?\(( ?[^,()]*), True\)

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
cve-check: allow recipes to override the product name 2016-12-13T22:47:25+00:00 Ross Burton ross.burton@intel.com 2016-12-07T11:25:53+00:00 ba330051570a4c991885ee726cb187e0c911bd4f Add a new variable CVE_PRODUCT for the product name to look up in the NVD database. Default this to BPN, but allow recipes such as tiff (which is libtiff in NVD) to override it. Signed-off-by: Ross Burton <ross.burton@intel.com> 
Add a new variable CVE_PRODUCT for the product name to look up in the NVD
database.  Default this to BPN, but allow recipes such as tiff (which is libtiff
in NVD) to override it.

Signed-off-by: Ross Burton <ross.burton@intel.com>
cve-check.bbclass: CVE-2014-2524 / readline v5.2 2016-11-15T15:18:48+00:00 André Draszik adraszik@tycoint.com 2016-11-04T11:06:31+00:00 b881a288eec598002685f68da80a24e0478fa496 Contrary to the CVE report, the vulnerable trace functions don't exist in readline v5.2 (which we keep for GPLv2+ purposes), they were added in readline v6.0 only - let's whitelist that CVE in order to avoid false positives. See also the discussion in https://patchwork.openembedded.org/patch/81765/ Signed-off-by: André Draszik <adraszik@tycoint.com> Reviewed-by: Lukasz Nowak <lnowak@tycoint.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Contrary to the CVE report, the vulnerable trace functions
don't exist in readline v5.2 (which we keep for GPLv2+
purposes), they were added in readline v6.0 only - let's
whitelist that CVE in order to avoid false positives.

See also the discussion in
 https://patchwork.openembedded.org/patch/81765/

Signed-off-by: André Draszik <adraszik@tycoint.com>
Reviewed-by: Lukasz Nowak <lnowak@tycoint.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Remove RM_OLD_IMAGE, it's no longer useful 2016-10-15T08:48:28+00:00 Joshua Lock joshua.g.lock@intel.com 2016-10-12T20:46:41+00:00 93631befe8b962bf99524746b49f4ebca336175c Since the move to put image deployment under sstate control in d54339d4b1a7e884de636f6325ca60409ebd95ff old images are automatically removed before a new image is deployed (the default behaviour of the sstate logic). RM_OLD_IMAGE is therefore no longer required to provide this behaviour, remove the variable and its users. Signed-off-by: Joshua Lock <joshua.g.lock@intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
Since the move to put image deployment under sstate control in
d54339d4b1a7e884de636f6325ca60409ebd95ff old images are automatically
removed before a new image is deployed (the default behaviour of the
sstate logic).

RM_OLD_IMAGE is therefore no longer required to provide this
behaviour, remove the variable and its users.

Signed-off-by: Joshua Lock <joshua.g.lock@intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
cve-check.bbclass: Add class 2016-09-16T14:15:32+00:00 Mariano Lopez mariano.lopez@linux.intel.com 2016-08-24T18:58:35+00:00 d98338075ec3a66acb8828e74711550d53b4d91b This class adds a new task for all the recipes to use cve-check-tool in order to look for public CVEs affecting the packages generated. It is possible to use this class when building an image, building a recipe, or using the "world" or "universe" cases. In order to use this class it must be inherited and it will add the task automatically to every recipe. [YOCTO #7515] Co-authored by Ross Burton & Mariano Lopez Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com> Signed-off-by: Ross Burton <ross.burton@intel.com> 
This class adds a new task for all the recipes to use
cve-check-tool in order to look for public CVEs affecting
the packages generated.

It is possible to use this class when building an image,
building a recipe, or using the "world" or "universe" cases.

In order to use this class it must be inherited and it will
add the task automatically to every recipe.

[YOCTO #7515]

Co-authored by Ross Burton & Mariano Lopez

Signed-off-by: Mariano Lopez <mariano.lopez@linux.intel.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>