mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-26 00:32:12 +02:00
Code Issues Packages Projects Releases Wiki Activity

cve-check: Only include installed packages for rootfs manifest

Browse Source 
Before this the rootfs manifest and the summary were identical.
We should separate the summary and rootfs manifest more clearly,
now the summary is for all CVEs and the rootfs manifest is only for
things in that image. This is even more useful if you build multiple
images.

(From OE-Core rev: 3b8cc6fc45f0ea5677729ee2b1819bdc7a441ab1)

Signed-off-by: Ernst Sjöstrand <ernstp@gmail.com>
Signed-off-by: Luca Ceresoli <luca.ceresoli@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Ernst Sjöstrand
2022-05-24 13:50:21 +02:00
committed by Richard Purdie
parent fd5a40c013
commit c4cabfa755
1 changed files with 54 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

69
meta/classes/cve-check.bbclass
View File

@@ -176,6 +176,8 @@ python cve_check_write_rootfs_manifest () {
"""
import shutil
import json
from oe.rootfs import image_list_installed_packages
from oe.cve_check import cve_check_merge_jsons
if d.getVar("CVE_CHECK_COPY_FILES") == "1":
@@ -186,26 +188,63 @@ python cve_check_write_rootfs_manifest () {
if os.path.exists(deploy_file_json):
bb.utils.remove(deploy_file_json)
if os.path.exists(d.getVar("CVE_CHECK_TMP_FILE")):
bb.note("Writing rootfs CVE manifest")
deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
link_name = d.getVar("IMAGE_LINK_NAME")
# Create a list of relevant recipies
recipies = set()
for pkg in list(image_list_installed_packages(d)):
pkg_info = os.path.join(d.getVar('PKGDATA_DIR'),
'runtime-reverse', pkg)
pkg_data = oe.packagedata.read_pkgdatafile(pkg_info)
recipies.add(pkg_data["PN"])
bb.note("Writing rootfs CVE manifest")
deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
link_name = d.getVar("IMAGE_LINK_NAME")
json_data = {"version":"1", "package": []}
text_data = ""
enable_json = d.getVar("CVE_CHECK_FORMAT_JSON") == "1"
enable_text = d.getVar("CVE_CHECK_FORMAT_TEXT") == "1"
save_pn = d.getVar("PN")
for pkg in recipies:
# To be able to use the CVE_CHECK_RECIPE_FILE variable we have to evaluate
# it with the different PN names set each time.
d.setVar("PN", pkg)
if enable_text:
pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE")
if os.path.exists(pkgfilepath):
with open(pkgfilepath) as pfile:
text_data += pfile.read()
if enable_json:
pkgfilepath = d.getVar("CVE_CHECK_RECIPE_FILE_JSON")
if os.path.exists(pkgfilepath):
with open(pkgfilepath) as j:
data = json.load(j)
cve_check_merge_jsons(json_data, data)
d.setVar("PN", save_pn)
if enable_text:
link_path = os.path.join(deploy_dir, "%s.cve" % link_name)
manifest_name = d.getVar("CVE_CHECK_MANIFEST")
cve_tmp_file = d.getVar("CVE_CHECK_TMP_FILE")
bb.utils.mkdirhier(os.path.dirname(manifest_name))
shutil.copyfile(cve_tmp_file, manifest_name)
with open(manifest_name, "w") as f:
f.write(text_data)
manifest_link = os.path.join(deploy_dir, "%s.cve" % link_name)
update_symlinks(manifest_name, manifest_link)
update_symlinks(manifest_name, link_path)
bb.plain("Image CVE report stored in: %s" % manifest_name)
if d.getVar("CVE_CHECK_FORMAT_JSON") == "1":
link_path = os.path.join(deploy_dir, "%s.json" % link_name)
manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
bb.note("Generating JSON CVE manifest")
generate_json_report(d, manifest_path, link_path)
bb.plain("Image CVE JSON report stored in: %s" % link_path)
if enable_json:
link_path = os.path.join(deploy_dir, "%s.json" % link_name)
manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
with open(manifest_name, "w") as f:
json.dump(json_data, f, indent=2)
update_symlinks(manifest_name, link_path)
bb.plain("Image CVE JSON report stored in: %s" % manifest_name)
}
ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"