Re: [OE-core] [PATCH] rng-tools: disable libjitterentropy due to cpu usage

2022-05-02 Thread Alexander Kanavin
Yes, I wonder why this needs to be disabled altogether at build time. Can’t
rng-tools figure out the right sources at run time?

Alex

On Mon 2. May 2022 at 23.33, William A. Kennington III via
lists.openembedded.org  wrote:

> Isn't this desirable if you don't have an hwrng? We want to generate
> entropy so we can perform cryptographic operations by default if we
> bring in rng-tools.
>
> On Mon, May 2, 2022 at 2:10 PM Wes Malone  wrote:
> >
> > After boot rngd maxes out the processor initializing JITTER entropy for
> > some minutes. Here we disable libjitterentropy in favor of only using
> > the hardware random source via config.
> >
> > Signed-off-by: Wes Malone 
> > ---
> >  meta/recipes-support/rng-tools/rng-tools_6.15.bb | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> b/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> > index 0696351903..4eed060960 100644
> > --- a/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> > +++ b/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> > @@ -21,7 +21,6 @@ inherit autotools update-rc.d systemd pkgconfig
> >
> >  EXTRA_OECONF = "--without-rtlsdr"
> >
> > -PACKAGECONFIG ??= "libjitterentropy"
> >  PACKAGECONFIG:libc-musl = "libargp libjitterentropy"
> >
> >  PACKAGECONFIG[libargp] =
> "--with-libargp,--without-libargp,argp-standalone,"
> > --
> > 2.36.0

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#165189): 
https://lists.openembedded.org/g/openembedded-core/message/165189
Mute This Topic: https://lists.openembedded.org/mt/90845997/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-



[OE-core][dunfell 9/9] uninative: Upgrade to 3.6 with gcc 12 support

2022-05-02 Thread Steve Sakoman
From: Richard Purdie 

There are reports of issues with the new libstdc++ from gcc 12. This upgrades
to a gcc 12 version of uninative to allow builds on those systems. Gcc 12 isn't
finalised so we may need to add a new version of this if/as appropriate when it
is.

Signed-off-by: Richard Purdie 
(cherry picked from commit e3da4da7e5da5bb9e1d360e2be2fdd5132e69320)
Signed-off-by: Steve Sakoman 
---
 meta/conf/distro/include/yocto-uninative.inc | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/yocto-uninative.inc 
b/meta/conf/distro/include/yocto-uninative.inc
index bfe05ce1eb..411fe45a24 100644
--- a/meta/conf/distro/include/yocto-uninative.inc
+++ b/meta/conf/distro/include/yocto-uninative.inc
@@ -7,9 +7,9 @@
 #
 
 UNINATIVE_MAXGLIBCVERSION = "2.35"
-UNINATIVE_VERSION = "3.5"
+UNINATIVE_VERSION = "3.6"
 
 UNINATIVE_URL ?= 
"http://downloads.yoctoproject.org/releases/uninative/${UNINATIVE_VERSION}/;
-UNINATIVE_CHECKSUM[aarch64] ?= 
"6de0771bd21e0fcb5e80388e5b561a8023b24083bcbf46e056a089982aff75d7"
-UNINATIVE_CHECKSUM[i686] ?= 
"8c8745becbfa1c341bae839c7eab56ddf17ce36c303bcd73d3b2f2f788b631c2"
-UNINATIVE_CHECKSUM[x86_64] ?= 
"e8047a5748e6f266165da141eb6d08b23674f30e477b0e5505b6403d50fbc4b2"
+UNINATIVE_CHECKSUM[aarch64] ?= 
"d64831cf2792c8e470c2e42230660e1a8e5de56a579cdd59978791f663c2f3ed"
+UNINATIVE_CHECKSUM[i686] ?= 
"2f0ee9b66b1bb2c85e2b592fb3c9c7f5d77399fa638d74961330cdb8de34ca3b"
+UNINATIVE_CHECKSUM[x86_64] ?= 
"9bfc4c970495b3716b2f9e52c4df9f968c02463a9a95000f6657fbc3fde1f098"
-- 
2.25.1
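Review bot: the unchanged UNINATIVE_URL line in this hunk fetches over plain http, so the three replaced UNINATIVE_CHECKSUM values are the only integrity check on the 3.6 tarballs, and nothing in the patch records where they came from. Say in the commit message how the new checksum values were obtained. Since the message also says gcc 12 is not finalised, a comment next to UNINATIVE_VERSION = "3.6" noting that this build may be superseded would help whoever does the next bump.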





[OE-core][dunfell 8/9] neard: Switch SRC_URI to git repo

2022-05-02 Thread Steve Sakoman
From: Rahul Kumar 

The tarball (neard-0.16.tar.xz) fetched by the recipe is incomplete.
A few plugins (e.g. tizen) and test scripts (e.g. Test-channel, test-see,
neard-ui.py, ndef-agent etc.) are missing.

Since neard did not release the latest tarballs, as per community
recommendation we are switching the recipe SRC_URI to the git repo.

Community Discussion:
https://lists.openembedded.org/g/openembedded-core/topic/90058043#163681

Signed-off-by: Rahul Kumar 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
 (cherry-picked from b563f40ebf4461d9c35df72bd7599ea11e97da9c)
Signed-off-by: Rahul Kumar 
Signed-off-by: Steve Sakoman 
---
 meta/recipes-connectivity/neard/neard_0.16.bb | 13 +++--
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/meta/recipes-connectivity/neard/neard_0.16.bb 
b/meta/recipes-connectivity/neard/neard_0.16.bb
index 7c124a3c0b..dd0742f792 100644
--- a/meta/recipes-connectivity/neard/neard_0.16.bb
+++ b/meta/recipes-connectivity/neard/neard_0.16.bb
@@ -2,21 +2,22 @@ SUMMARY = "Linux NFC daemon"
 DESCRIPTION = "A daemon for the Linux Near Field Communication stack"
 HOMEPAGE = "http://01.org/linux-nfc;
 LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
+
file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 \
+   "
 
 DEPENDS = "dbus glib-2.0 libnl"
 
-SRC_URI = "${KERNELORG_MIRROR}/linux/network/nfc/${BP}.tar.xz \
+SRC_URI = 
"git://git.kernel.org/pub/scm/network/nfc/neard.git;protocol=git;branch=master \
file://neard.in \
file://Makefile.am-fix-parallel-issue.patch \
file://Makefile.am-do-not-ship-version.h.patch \
file://0001-Add-header-dependency-to-nciattach.o.patch \
   "
-SRC_URI[md5sum] = "5c691fb7872856dc0d909c298bc8cb41"
-SRC_URI[sha256sum] = 
"eae3b11c541a988ec11ca94b7deab01080cd5b58cfef3ced6ceac9b6e6e65b36"
 
-LIC_FILES_CHKSUM = "file://COPYING;md5=12f884d2ae1ff87c09e5b7ccc2c4ca7e \
- file://src/near.h;beginline=1;endline=20;md5=358e4deefef251a4761e1ffacc965d13 
\
- "
+SRCREV = "949795024f7625420e93e288c56e194cb9a3e74a"
+
+S = "${WORKDIR}/git"
 
 inherit autotools pkgconfig systemd update-rc.d
 
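Review bot: the new SRC_URI entry uses git:// with protocol=git, the unauthenticated git transport, in place of a tarball entry that carried md5sum and sha256sum values. The pinned SRCREV still fixes the content that gets checked out, but protocol=https would also protect the transfer. The commit message should also say which upstream tag or release the new SRCREV corresponds to, since the recipe file is still named neard_0.16.bb.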
-- 
2.25.1





[OE-core][dunfell 7/9] bitbake.conf: mark all directories as safe for git to read

2022-05-02 Thread Steve Sakoman
From: Ross Burton 

Recent git releases containing [1] have an ownership check when opening
repositories, and refuse to open a repository if it is owned by a
different user.

This breaks any use of git in do_install, as that is executed by the
(fake) root user. Whilst not common, this does happen.

Setting the git configuration safe.directories=* disables this check, so
that git is usable in fakeroot tasks.  This can be set globally via the
internal environment variable GIT_CONFIG_PARAMETERS, we can't use
GIT_CONFIG_*_KEY/VALUE as that isn't present in all the releases which
have the ownership check.

We already set GIT_CEILING_DIRECTORIES to ensure that git doesn't
recurse up out of the work directory, so this isn't a security issue.

[1] https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9

Signed-off-by: Ross Burton 
Signed-off-by: Richard Purdie 
(cherry picked from commit 8bed8e6993e7297bdcd68940aa0d47ef47120117)
Signed-off-by: Steve Sakoman 
---
 meta/conf/bitbake.conf | 8 
 1 file changed, 8 insertions(+)

diff --git a/meta/conf/bitbake.conf b/meta/conf/bitbake.conf
index 91f003d6dd..2b94e37861 100644
--- a/meta/conf/bitbake.conf
+++ b/meta/conf/bitbake.conf
@@ -726,10 +726,18 @@ export PKG_CONFIG_DISABLE_UNINSTALLED = "yes"
 export PKG_CONFIG_SYSTEM_LIBRARY_PATH = "${base_libdir}:${libdir}"
 export PKG_CONFIG_SYSTEM_INCLUDE_PATH = "${includedir}"
 
+# Git configuration
+
 # Don't allow git to chdir up past WORKDIR so that it doesn't detect the OE
 # repository when building a recipe
 export GIT_CEILING_DIRECTORIES = "${WORKDIR}"
 
+# Treat all directories are safe, as during fakeroot tasks git will run as
+# root so recent git releases (eg 2.30.3) will refuse to work on repositories. 
See
+# https://github.com/git/git/commit/8959555cee7ec045958f9b6dd62e541affb7e7d9 
for
+# further details.
+export GIT_CONFIG_PARAMETERS="'safe.directory=*'"
+
 ###
 ### Config file processing
 ###
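Review bot: the export of GIT_CONFIG_PARAMETERS="'safe.directory=*'" is unconditional, so the ownership check is switched off for every git invocation in every task, while the comment above it justifies only fakeroot tasks. The comment should record why the wider scope is acceptable; the commit message relies on GIT_CEILING_DIRECTORIES = "${WORKDIR}" for that, and the file comment should say so. Two wording points: "Treat all directories are safe" should read "as safe", and the commit message spells the key "safe.directories" where the line sets safe.directory.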
-- 
2.25.1





[OE-core][dunfell 6/9] base: Drop git intercept

2022-05-02 Thread Steve Sakoman
From: Richard Purdie 

We're going to use the environment approach for solving this issue.

Signed-off-by: Richard Purdie 
(cherry picked from commit 0982977dc052ad4e65608f6853f930121d08837a)
Signed-off-by: Steve Sakoman 
---
 meta/classes/base.bbclass | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 398b098651..9ed736b0e1 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -335,7 +335,6 @@ addtask install after do_compile
 do_install[dirs] = "${B}"
 # Remove and re-create ${D} so that is it guaranteed to be empty
 do_install[cleandirs] = "${D}"
-PATH:prepend:task-install = "${COREBASE}/scripts/git-intercept:"
 
 base_do_install() {
:
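Review bot: the commit message does not say which issue "this issue" is or what "the environment approach" refers to, and the hunk removes only the PATH:prepend:task-install line. Name the replacement mechanism in the message, and say whether the matching PATH:prepend:task-devshell line in devshell.bbclass and the scripts/git-intercept/git script are meant to stay.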
-- 
2.25.1





[OE-core][dunfell 5/9] install/devshell: Introduce git intercept script due to fakeroot issues

2022-05-02 Thread Steve Sakoman
From: Paul Gortmaker 

In a devshell, recent versions of git will complain if the repo is owned
by someone other than the current UID - consider this example:

 --
  bitbake -c devshell linux-yocto

  [...]

  kernel-source#git branch
  fatal: unsafe repository ('/home/paul/poky/build-qemuarm64/tmp/work-shared/qemuarm64/kernel-source' is owned by someone else)
  To add an exception for this directory, call:

        git config --global --add safe.directory /home/paul/poky/build-qemuarm64/tmp/work-shared/qemuarm64/kernel-source
  kernel-source#
 --

Of course the devshell has UID zero and the "real" UID is for "paul" in
this case.  And so recent git versions complain.

As the whole purpose of the devshell is to invoke a shell where development
can take place, having a non-functional git is clearly unacceptable.

Richard suggested we could use PSEUDO_UNLOAD=1 to evade this issue, and I
suggested we probably will see other similar instances like this and should
make use of PATH to intercept via devshell wrappers - conveniently we already
have examples of this.

Here, we copy the existing "ar" example and tune it to the needs of git to
combine Richard's suggestion and mine.

As such we now also can store commit logs and use send-email with our user
specific settings, instead of "root", so in addition to fixing basic
commands like "git branch" it should also increase general usefulness.

RP: Tweaked the patch so the PATH change only applies to the devshell task
and is a generic git intercept rather than devshell specific.

RP: Also apply the PATH change to do_install tasks since that also runs under
fakeroot and several software projects inject "git describe" output into
their binaries (systemd, iputils, llvm, ipt-gpu-tools at least) causing
reproducibility issues from systems with different git versions.

Signed-off-by: Paul Gortmaker 
Signed-off-by: Richard Purdie 
(cherry picked from commit 3266c327dfa186791e0f1e2ad63c6f5d39714814)
Signed-off-by: Steve Sakoman 
---
 meta/classes/base.bbclass |  1 +
 meta/classes/devshell.bbclass |  2 ++
 scripts/git-intercept/git | 19 +++
 3 files changed, 22 insertions(+)
 create mode 100755 scripts/git-intercept/git

diff --git a/meta/classes/base.bbclass b/meta/classes/base.bbclass
index 9ed736b0e1..398b098651 100644
--- a/meta/classes/base.bbclass
+++ b/meta/classes/base.bbclass
@@ -335,6 +335,7 @@ addtask install after do_compile
 do_install[dirs] = "${B}"
 # Remove and re-create ${D} so that is it guaranteed to be empty
 do_install[cleandirs] = "${D}"
+PATH:prepend:task-install = "${COREBASE}/scripts/git-intercept:"
 
 base_do_install() {
:
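Review bot: the added PATH:prepend:task-install line has no comment, and its reason (projects embedding "git describe" output during do_install, which runs under fakeroot) lives only in the commit message. A one-line comment above it would stop the next reader from treating it as a devshell leftover. It should also mention that, with the wrapper setting PSEUDO_UNLOAD, every git command in do_install now runs outside the fakeroot emulation.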
diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass
index ad9f267848..114a50b20e 100644
--- a/meta/classes/devshell.bbclass
+++ b/meta/classes/devshell.bbclass
@@ -2,6 +2,8 @@ inherit terminal
 
 DEVSHELL = "${SHELL}"
 
+PATH:prepend:task-devshell = "${COREBASE}/scripts/git-intercept:"
+
 python do_devshell () {
 if d.getVarFlag("do_devshell", "manualfakeroot"):
d.prependVar("DEVSHELL", "pseudo ")
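Review bot: PATH:prepend:task-devshell covers do_devshell only; do_devpyshell, defined in the same class, starts without the wrapper on PATH. If git is expected to behave the same in both shells, add the matching task-devpyshell prepend, or say in the commit message why it is left out.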
diff --git a/scripts/git-intercept/git b/scripts/git-intercept/git
new file mode 100755
index 00..8adf5c9ecb
--- /dev/null
+++ b/scripts/git-intercept/git
@@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+#
+# Wrapper around 'git' that doesn't think we are root
+
+import os
+import shutil
+import sys
+
+os.environ['PSEUDO_UNLOAD'] = '1'
+
+# calculate path to the real 'git'
+path = os.environ['PATH']
+path = path.replace(os.path.dirname(sys.argv[0]), '')
+real_git = shutil.which('git', path=path)
+
+if len(sys.argv) == 1:
+os.execl(real_git, 'git')
+
+os.execv(real_git, sys.argv)
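Review bot: path.replace(os.path.dirname(sys.argv[0]), '') removes the wrapper directory as a substring, which leaves an empty PATH entry behind because the prepend has the form "<dir>:", and shutil.which treats an empty entry as the current directory, so an executable named git in the working tree is found before the real one. Split PATH on os.pathsep and drop the wrapper entry and any empty entries instead. Two related gaps: when sys.argv[0] has no directory part the replace is a no-op and the wrapper resolves to itself, and real_git can be None, which os.execv will not accept, so the script should exit with a clear error in that case.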
-- 
2.25.1
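
The PATH lookup that the wrapper described in this message depends on, as an added example (not part of the posted patch or of OE-core): it compares removing the wrapper directory from PATH by substring with removing it entry by entry. The directory layout, file names and function names are constructed for the illustration.

```python
import os
import shutil
import tempfile


def lookup_by_replace(path, wrapper_dir, tool="git"):
    """Lookup as in the posted wrapper: cut the wrapper directory out of
    PATH as a substring, then search whatever string is left."""
    return shutil.which(tool, path=path.replace(wrapper_dir, ""))


def lookup_by_filter(path, wrapper_dir, tool="git"):
    """Drop the wrapper directory entry by entry, drop empty entries as well
    (an empty PATH entry means the current directory), and fail loudly when
    no other copy of the tool is left to run."""
    skip = os.path.realpath(wrapper_dir)
    entries = [e for e in path.split(os.pathsep)
               if e and os.path.realpath(e) != skip]
    found = shutil.which(tool, path=os.pathsep.join(entries)) if entries else None
    if found is None:
        raise FileNotFoundError(f"no {tool} on PATH outside {wrapper_dir}")
    return found


def _make_tool(directory, name="git"):
    """Create a small executable stand-in for a tool (constructed sample)."""
    os.makedirs(directory, exist_ok=True)
    target = os.path.join(directory, name)
    with open(target, "w") as fh:
        fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(target, 0o755)
    return target


def demo():
    """Build a constructed layout and report what each lookup resolves to."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        wrapper_dir = os.path.join(root, "git-intercept")  # stands in for the wrapper dir
        real_dir = os.path.join(root, "usr-bin")           # stands in for the host tool dir
        work_dir = os.path.join(root, "source-tree")       # stands in for the shell's start dir
        wrapper_git = _make_tool(wrapper_dir)
        real_git = _make_tool(real_dir)
        _make_tool(work_dir)  # an executable named "git" inside the source tree
        path = wrapper_dir + os.pathsep + real_dir         # PATH after the prepend

        old_cwd = os.getcwd()
        os.chdir(work_dir)
        try:
            try:
                # Only the wrapper is on PATH: there is no real tool to find.
                lookup_by_filter(wrapper_dir, wrapper_dir)
                missing_raises = False
            except FileNotFoundError:
                missing_raises = True
            return {
                # ":<real_dir>" is searched; the empty entry is the cwd, so the
                # relative name "git" (the file in the source tree) comes back.
                "replace": lookup_by_replace(path, wrapper_dir),
                # argv[0] without a directory part: replace("", "") changes
                # nothing and the wrapper finds itself again.
                "replace_no_dirname": lookup_by_replace(path, "") == wrapper_git,
                "filter_is_real": lookup_by_filter(path, wrapper_dir) == real_git,
                "missing_raises": missing_raises,
            }
        finally:
            os.chdir(old_cwd)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```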





[OE-core][dunfell 4/9] cases/buildepoxy.py: fix typo

2022-05-02 Thread Steve Sakoman
From: Chen Qi 

Signed-off-by: Chen Qi 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit 3a9b6e71d1e7e8e2ebc0ed047841e36f09300387)
Signed-off-by: Steve Sakoman 
---
 meta/lib/oeqa/sdk/cases/buildepoxy.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/lib/oeqa/sdk/cases/buildepoxy.py 
b/meta/lib/oeqa/sdk/cases/buildepoxy.py
index 385f8ccca8..f69f720cd6 100644
--- a/meta/lib/oeqa/sdk/cases/buildepoxy.py
+++ b/meta/lib/oeqa/sdk/cases/buildepoxy.py
@@ -17,7 +17,7 @@ class EpoxyTest(OESDKTestCase):
 """
 def setUp(self):
 if not (self.tc.hasHostPackage("nativesdk-meson")):
-raise unittest.SkipTest("GalculatorTest class: SDK doesn't contain 
Meson")
+raise unittest.SkipTest("EpoxyTest class: SDK doesn't contain 
Meson")
 
 def test_epoxy(self):
 with tempfile.TemporaryDirectory(prefix="epoxy", dir=self.tc.sdk_dir) 
as testdir:
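Review bot: the skip message in setUp still hard-codes the class name, which is how "GalculatorTest" ended up inside EpoxyTest in the first place. Building the message from type(self).__name__ would keep it right if the class is copied again.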
-- 
2.25.1





[OE-core][dunfell 3/9] devshell.bbclass: Allow devshell & pydevshell to use the network

2022-05-02 Thread Steve Sakoman
From: Peter Kjellerstedt 

Otherwise it will fail if using OE_TERMINAL = "xterm" with the not so
helpful error:

  xterm: Xt error: Can't open display: localhost:0.0

Signed-off-by: Peter Kjellerstedt 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit ba53fc3bcecfe32401471dc1008c7ead96504150)
Signed-off-by: Steve Sakoman 
---
 meta/classes/devshell.bbclass | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/classes/devshell.bbclass b/meta/classes/devshell.bbclass
index 76dd0b42ee..ad9f267848 100644
--- a/meta/classes/devshell.bbclass
+++ b/meta/classes/devshell.bbclass
@@ -21,6 +21,7 @@ addtask devshell after do_patch do_prepare_recipe_sysroot
 DEVSHELL_STARTDIR ?= "${S}"
 do_devshell[dirs] = "${DEVSHELL_STARTDIR}"
 do_devshell[nostamp] = "1"
+do_devshell[network] = "1"
 
 # devshell and fakeroot/pseudo need careful handling since only the final
 # command should run under fakeroot emulation, any X connection should
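Review bot: do_devshell[network] = "1" is added without a comment, and the reason (xterm has to reach the X display at localhost:0.0) is only in the commit message. The flag opens network access for the whole interactive task, not just for the terminal's X connection, so a comment saying why it is needed belongs next to this line and next to the do_devpyshell one.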
@@ -154,3 +155,4 @@ python do_devpyshell() {
 addtask devpyshell after do_patch
 
 do_devpyshell[nostamp] = "1"
+do_devpyshell[network] = "1"
-- 
2.25.1





[OE-core][dunfell 1/9] python3: ignore CVE-2015-20107

2022-05-02 Thread Steve Sakoman
From: Ross Burton 

CVE-2015-20107 describes an arbitrary command execution in the mailcap
module, but this is by design in mailcap and needs to be worked around
by the calling application.

Upstream Python will be documenting this flaw in the library reference,
and it is likely that the mailcap module will be deprecated and removed
in the future.

Signed-off-by: Ross Burton 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit 85fac8408baf92d8b71946f5bfea92952b7eab01)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-devtools/python/python3_3.8.13.bb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/meta/recipes-devtools/python/python3_3.8.13.bb 
b/meta/recipes-devtools/python/python3_3.8.13.bb
index d7f6e9155d..040bacf97c 100644
--- a/meta/recipes-devtools/python/python3_3.8.13.bb
+++ b/meta/recipes-devtools/python/python3_3.8.13.bb
@@ -57,6 +57,9 @@ CVE_CHECK_WHITELIST += "CVE-2019-18348"
 
 # This is windows only issue.
 CVE_CHECK_WHITELIST += "CVE-2020-15523 CVE-2022-26488"
+# The mailcap module is insecure by design, so this can't be fixed in a 
meaningful way.
+# The module will be removed in the future and flaws documented.
+CVE_CHECK_WHITELIST += "CVE-2015-20107"
 
 PYTHON_MAJMIN = "3.8"
 
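Review bot: the new comment starts directly under the "windows only" CVE_CHECK_WHITELIST line with no blank line, so the two entries read as one group, while the entry before them is separated by a blank line. Add a blank line before the new comment. The comment could also carry the point from the commit message that applications calling mailcap have to work around the behaviour themselves, because the whitelist entry only silences the checker.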
-- 
2.25.1





[OE-core][dunfell 2/9] busybox: Use base_bindir instead of hardcoding /bin path

2022-05-02 Thread Steve Sakoman
From: Khem Raj 

This symlink is not valid when using usrmerge and ptest packaging would fail

Exception: FileExistsError: [Errno 17] File exists: '/usr/bin/busybox.suid' -> '/mnt/b/yoe/master/build/tmp/work/ppc64p9le-yoe-linux-musl/busybox/1.35.0-r0/package/usr/lib/busybox/ptest/bin/login'

Signed-off-by: Khem Raj 
Signed-off-by: Luca Ceresoli 
Signed-off-by: Richard Purdie 
(cherry picked from commit 238fd30689054c7b44176dce7180fb6dac4e1b6f)
Signed-off-by: Steve Sakoman 
---
 meta/recipes-core/busybox/busybox.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/busybox/busybox.inc 
b/meta/recipes-core/busybox/busybox.inc
index e0522be729..3553376582 100644
--- a/meta/recipes-core/busybox/busybox.inc
+++ b/meta/recipes-core/busybox/busybox.inc
@@ -348,7 +348,7 @@ do_install_ptest () {
 # These access the internet which is not guaranteed to work on 
machines running the tests
 rm -rf ${D}${PTEST_PATH}/testsuite/wget
sort ${B}/.config > ${D}${PTEST_PATH}/.config
-   ln -s /bin/busybox   ${D}${PTEST_PATH}/busybox
+   ln -s ${base_bindir}/busybox   ${D}${PTEST_PATH}/busybox
 }
 
 inherit update-alternatives
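Review bot: the FileExistsError quoted in the commit message is about '/usr/bin/busybox.suid' and a ptest/bin/login path, while the hunk changes the ${D}${PTEST_PATH}/busybox link, and the message does not connect the two. A sentence explaining how the hard-coded /bin/busybox target leads to that failure under usrmerge would make the fix reviewable.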
-- 
2.25.1





[OE-core][dunfell 0/9] Patch review

2022-05-02 Thread Steve Sakoman
Please review this set of patches for dunfell and have comments back by end
of day Wednesday.

Passed a-full on autobuilder:

https://autobuilder.yoctoproject.org/typhoon/#/builders/83/builds/3600

with the exception of the meta-virtualization test which was just added
to a-full:

https://autobuilder.yoctoproject.org/typhoon/#/builders/128/builds/19

Note that the test passed for qemuarm and qemuarm64, but failed for qemux86-64.

I tried to refrain from commenting that the test was added by someone with an
arm.com address, but I couldn't help myself ;-) (looking at you Ross!)

I'm not going to hold up the review process on this, since this is a newly 
added test.

Any help fixing this for qemux86-64 would be much appreciated.

Steve

The following changes since commit bb3fc61f0d7f7bcd77ef194b76f4fdd8a7ff6aa5:

  scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for 
phantomjs and optipng (2022-04-27 05:00:00 -1000)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-nut
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-nut

Chen Qi (1):
  cases/buildepoxy.py: fix typo

Khem Raj (1):
  busybox: Use base_bindir instead of hardcoding /bin path

Paul Gortmaker (1):
  install/devshell: Introduce git intercept script due to fakeroot
issues

Peter Kjellerstedt (1):
  devshell.bbclass: Allow devshell & pydevshell to use the network

Rahul Kumar (1):
  neard: Switch SRC_URI to git repo

Richard Purdie (2):
  base: Drop git intercept
  uninative: Upgrade to 3.6 with gcc 12 support

Ross Burton (2):
  python3: ignore CVE-2015-20107
  bitbake.conf: mark all directories as safe for git to read

 meta/classes/devshell.bbclass |  4 
 meta/conf/bitbake.conf|  8 
 meta/conf/distro/include/yocto-uninative.inc  |  8 
 meta/lib/oeqa/sdk/cases/buildepoxy.py |  2 +-
 meta/recipes-connectivity/neard/neard_0.16.bb | 13 +++--
 meta/recipes-core/busybox/busybox.inc |  2 +-
 .../recipes-devtools/python/python3_3.8.13.bb |  3 +++
 scripts/git-intercept/git | 19 +++
 8 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100755 scripts/git-intercept/git

-- 
2.25.1





[OE-core][dunfell 0/6] Pull request (cover letter only)

2022-05-02 Thread Steve Sakoman
The following changes since commit 8e81d38048c953d0823abf04d5b2506cd988f0bb:

  build-appliance-image: Update to dunfell head revision (2022-04-25 15:58:54 
+0100)

are available in the Git repository at:

  git://git.openembedded.org/openembedded-core-contrib stable/dunfell-next
  
http://cgit.openembedded.org/openembedded-core-contrib/log/?h=stable/dunfell-next

Dmitry Baryshkov (1):
  linux-firmware: correct license for ar3k firmware

Marta Rybczynska (1):
  cve-check: add json format

Richard Purdie (1):
  perf-build-test/report: Drop phantomjs and html email reports support

Ross Burton (1):
  boost: don't specify gcc version

Steve Sakoman (1):
  scripts/contrib/oe-build-perf-report-email.py: remove obsolete check
for phantomjs and optipng

sana kazi (1):
  tiff: Fix CVE-2022-0891

 meta/classes/cve-check.bbclass| 144 +++-
 meta/lib/oe/cve_check.py  |  16 ++
 .../linux-firmware/linux-firmware_20220411.bb |   4 +-
 .../libtiff/files/CVE-2022-0891.patch | 217 ++
 meta/recipes-multimedia/libtiff/tiff_4.1.0.bb |   1 +
 meta/recipes-support/boost/boost.inc  |   2 +-
 scripts/contrib/build-perf-test-wrapper.sh|  15 +-
 scripts/contrib/oe-build-perf-report-email.py | 167 +-
 8 files changed, 388 insertions(+), 178 deletions(-)
 create mode 100644 meta/recipes-multimedia/libtiff/files/CVE-2022-0891.patch

-- 
2.25.1





Re: [OE-core] [PATCH] rng-tools: disable libjitterentropy due to cpu usage

2022-05-02 Thread William A. Kennington III via lists.openembedded.org
Isn't this desirable if you don't have an hwrng? We want to generate
entropy so we can perform cryptographic operations by default if we
bring in rng-tools.

On Mon, May 2, 2022 at 2:10 PM Wes Malone  wrote:
>
> After boot rngd maxes out the processor initializing JITTER entropy for
> some minutes. Here we disable libjitterentropy in favor of only using
> the hardware random source via config.
>
> Signed-off-by: Wes Malone 
> ---
>  meta/recipes-support/rng-tools/rng-tools_6.15.bb | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/meta/recipes-support/rng-tools/rng-tools_6.15.bb 
> b/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> index 0696351903..4eed060960 100644
> --- a/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> +++ b/meta/recipes-support/rng-tools/rng-tools_6.15.bb
> @@ -21,7 +21,6 @@ inherit autotools update-rc.d systemd pkgconfig
>
>  EXTRA_OECONF = "--without-rtlsdr"
>
> -PACKAGECONFIG ??= "libjitterentropy"
>  PACKAGECONFIG:libc-musl = "libargp libjitterentropy"
>
>  PACKAGECONFIG[libargp] = "--with-libargp,--without-libargp,argp-standalone,"
> --
> 2.36.0
>
>
> 
>




[OE-core] [PATCH] rng-tools: disable libjitterentropy due to cpu usage

2022-05-02 Thread Wes Malone
After boot rngd maxes out the processor initializing JITTER entropy for
some minutes. Here we disable libjitterentropy in favor of only using
the hardware random source via config.

Signed-off-by: Wes Malone 
---
 meta/recipes-support/rng-tools/rng-tools_6.15.bb | 1 -
 1 file changed, 1 deletion(-)

diff --git a/meta/recipes-support/rng-tools/rng-tools_6.15.bb 
b/meta/recipes-support/rng-tools/rng-tools_6.15.bb
index 0696351903..4eed060960 100644
--- a/meta/recipes-support/rng-tools/rng-tools_6.15.bb
+++ b/meta/recipes-support/rng-tools/rng-tools_6.15.bb
@@ -21,7 +21,6 @@ inherit autotools update-rc.d systemd pkgconfig
 
 EXTRA_OECONF = "--without-rtlsdr"
 
-PACKAGECONFIG ??= "libjitterentropy"
 PACKAGECONFIG:libc-musl = "libargp libjitterentropy"
 
 PACKAGECONFIG[libargp] = "--with-libargp,--without-libargp,argp-standalone,"
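Review bot: removing PACKAGECONFIG ??= "libjitterentropy" leaves PACKAGECONFIG:libc-musl = "libargp libjitterentropy" on the next line, so musl builds still build in the jitter source and keep the CPU behaviour this patch is about. Decide whether the musl line should change too, and consider keeping an explicit PACKAGECONFIG ??= "" so the default is stated. The message says the hardware source is used "via config", but the hunk changes no runtime configuration, and targets without a hardware RNG lose the jitter source entirely; that trade-off should be spelled out in the message.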
-- 
2.36.0





[OE-core] [PATCH] rng-tools: disable libjitterentropy due to cpu usage

2022-05-02 Thread Wes Malone
Since updating to kirkstone from hardknott, after boot rngd maxes out my
rpi4's processor for minutes initializing JITTER. The sustained CPU
usage was triggering my resource monitoring alerts. Changing config to
disable jitter with -x jitter stops the initialization process and uses
just the pi's hardware rng source. Since that solved the problem I
disabled building rng-tools with libjitterentropy enabled.

I submitted the change to meta-raspberrypi (pull #1057) where kraj noted
that the CPU spike is seen even on qemu so the change should go in the
core layer.





Re: [OE-core] [PATCH] glibc: ptest: Add lib32-glibc-tests PROVIDES

2022-05-02 Thread Luca Ceresoli via lists.openembedded.org
Hi Pgowda,

On Mon, 2 May 2022 01:08:51 -0700 "Pgowda" wrote:

> While running lib32-glibc-tests, it fails with the following error
> as the recipe is not PROVIDED. BBCLASSEXTEND is cleaned in glibc-tests
> and is not able to recognize the multilibs.
> 
> ERROR: Nothing PROVIDES 'lib32-glibc-tests'
> 
> Signed-off-by: pgowda 

It seems like this patch is triggering some build error:

https://autobuilder.yoctoproject.org/typhoon/#/builders/73/builds/5100/steps/19/logs/stdio



-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com




Re: [OE-core] [PATCH 2/2] cve-update-db-native: allow an option to force the CVE database update

2022-05-02 Thread Khem Raj
On Mon, May 2, 2022 at 12:43 PM Ralph Siemsen  wrote:
>
> On Mon, May 2, 2022 at 9:23 AM Marta Rybczynska  wrote:
> >
> > On Fri, Apr 29, 2022 at 5:53 PM Ralph Siemsen  
> > wrote:
> >>
> >> # Interval between CVE database updates, in seconds.
> >> # Set to "0" to force an update of the database.
> >> CVE_DATABASE_UPDATE_INTERVAL ?= "24*60*60"
> >>
> >
> > This is a good idea, thank you Ralph, I like it. I'll be sending a v2
> > shortly.
>
> Thanks for this. I've tested it locally, on the first run, the CVE
> database was fetched (it took quite a while, for some reason). On
> subsequent runs, no fetch occurs, so this seems to be working.
>
> I then set CVE_DB_UPDATE_INTERVAL = "3600" in my local.conf, and ran
> the build again. As it had been over an hour since the first build,
> the database was downloaded again. The timestamp on nvdcve_1.1.db did
> not change (as noted in one of your commit descriptions).
>
> So, it seems to be working correctly. I will re-test tomorrow (eg.
> after 24 hours) with the interval set back to default.
>
> One minor point of confusion is that the log still shows "NOTE: recipe
> cve-update-db-native-1.0-r0: task do_fetch: Started" even when the
> download is skipped. This is of course understandable when looking at
> the python code, the check is within the do_fetch function. There is
> probably no simple way to avoid this from being displayed. And most
> users won't notice anyway. But it initially confused me about what was
> happening.


Yeah, you can avoid it unless another logic outside of this function is invoked.
Perhaps we can add a diagnostic inside the do_fetch to spill out the
state information, informing with something like "no fetch needed" or
"database up to date" or some such.
>
> Regards,
> Ralph
>
> 
>

View/Reply Online (#165173): https://lists.openembedded.org/g/openembedded-core/message/165173



Re: [OE-core] [PATCH 2/2] cve-update-db-native: allow an option to force the CVE database update

2022-05-02 Thread Ralph Siemsen
On Mon, May 2, 2022 at 9:23 AM Marta Rybczynska  wrote:
>
> On Fri, Apr 29, 2022 at 5:53 PM Ralph Siemsen  
> wrote:
>>
>> # Interval between CVE database updates, in seconds.
>> # Set to "0" to force an update of the database.
>> CVE_DATABASE_UPDATE_INTERVAL ?= "24*60*60"
>>
>
> This is a good idea, thank you Ralph, I like it. I'll be sending a v2
> shortly.

Thanks for this. I've tested it locally, on the first run, the CVE
database was fetched (it took quite a while, for some reason). On
subsequent runs, no fetch occurs, so this seems to be working.

I then set CVE_DB_UPDATE_INTERVAL = "3600" in my local.conf, and ran
the build again. As it had been over an hour since the first build,
the database was downloaded again. The timestamp on nvdcve_1.1.db did
not change (as noted in one of your commit descriptions).

So, it seems to be working correctly. I will re-test tomorrow (eg.
after 24 hours) with the interval set back to default.

One minor point of confusion is that the log still shows "NOTE: recipe
cve-update-db-native-1.0-r0: task do_fetch: Started" even when the
download is skipped. This is of course understandable when looking at
the python code, the check is within the do_fetch function. There is
probably no simple way to avoid this from being displayed. And most
users won't notice anyway. But it initially confused me about what was
happening.

Regards,
Ralph

View/Reply Online (#165172): https://lists.openembedded.org/g/openembedded-core/message/165172



Re: [OE-core] [PATCH v2] classes: rootfs-postcommands: add skip option to overlayfs_qa_check

2022-05-02 Thread Luca Ceresoli via lists.openembedded.org
Hi Claudius,

On Fri, 29 Apr 2022 10:17:33 +0200
"Claudius Heine" wrote:

> The overlayfs_qa_check checks if the current root file system has a
> mount configured for each overlayfs, when the overlayfs class is used.
> 
> However there are certain instances where this mount point is created
> at runtime and not static in a fstab entry or systemd mount unit.
> 
> One such case would be if overlayfs-etc is used, where the device is
> mounted in the preinit script and not via a mount unit or fstab entry.
> 
> However there are other possibilities for this as well, like startup
> scripts that support a dynamic partition layout. For instance when
> systemd-repart is used.
> 
> This adds the `OVERLAYFS_QA_SKIP` variable, which allows to define QA
> skips via its flags. In principle it supports multiple QA skip flags
> separated by whitespace, but only one (`mount-configured`) is
> implemented here. To skip this QA check simply add `mount-configured`
> to the flag of `OVERLAYFS_QA_SKIP` with the same name. For instance
> if a overlayfs is configured as:
> 
>   OVERLAYFS_MOUNT_POINT[data] = "/data"
> 
> Skipping this QA check can be done by setting:
> 
>   OVERLAYFS_QA_SKIP[data] = "mount-configured"
> 
> Signed-off-by: Claudius Heine 

Failures appeared on the autobuilders with your patch applied:

https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/3530/steps/15/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/87/builds/3530/steps/15/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/80/builds/3470/steps/14/logs/stdio
https://autobuilder.yoctoproject.org/typhoon/#/builders/79/builds/3521/steps/15/logs/stdio

Best regards,
-- 
Luca Ceresoli, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com

View/Reply Online (#165171): https://lists.openembedded.org/g/openembedded-core/message/165171



[OE-core][PATCH v2 2/2] cve-update-db-native: let the user to drive the update interval

2022-05-02 Thread Marta Rybczynska
Add a new variable CVE_DB_UPDATE_INTERVAL allowing the user to set
the database update interval.
 - a positive value sets an interval (in seconds)
 - a zero ("0") forces the database update

Signed-off-by: Marta Rybczynska 

---
Changes from v1:
- allow to set the interval, not only force the update
---
 meta/recipes-core/meta/cve-update-db-native.bb | 10 +-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index af39480dda..c8c1cbf115 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -13,6 +13,9 @@ deltask do_install
 deltask do_populate_sysroot
 
 NVDCVE_URL ?= "https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-;
+# CVE database update interval, in seconds. By default: once a day (24*60*60).
+# Use 0 to force the update
+CVE_DB_UPDATE_INTERVAL ?= "86400"
 
 python () {
 if not bb.data.inherits_class("cve-check", d):
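Review bot: The comment added above CVE_DB_UPDATE_INTERVAL documents only the positive and zero cases, while the do_fetch hunk of this same patch also accepts negative values and treats them as 0. Say so in the comment, and note next to the default that raising the interval means cve-check may report against a database that is up to that many seconds old, so users who set a large value do it knowingly.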
@@ -44,11 +47,16 @@ python do_fetch() {
 os.remove(db_file)
 
 # The NVD database changes once a day, so no need to update more frequently
+# Allow the user to force-update
 try:
 import time
-if time.time() - os.path.getmtime(db_file) < (24*60*60):
+update_interval = int(d.getVar("CVE_DB_UPDATE_INTERVAL"))
+if (update_interval < 0):
+update_interval = 0
+if time.time() - os.path.getmtime(db_file) < update_interval:
 bb.debug(2, "Recently updated, skipping")
 return
+
 except OSError:
 pass
 
-- 
2.33.0


View/Reply Online (#165170): https://lists.openembedded.org/g/openembedded-core/message/165170



[OE-core][PATCH v2 1/2] cve-update-db-native: update the CVE database once a day only

2022-05-02 Thread Marta Rybczynska
The update of the NVD database was expected to happen once per hour.
However, the database file date changes only if the content was actually
updated. In practice, the check worked for the first hour after the
new download.

As the NVD database changes usually only once a day, we can just
update it less frequently.

Signed-off-by: Marta Rybczynska 
---
 meta/recipes-core/meta/cve-update-db-native.bb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/meta/recipes-core/meta/cve-update-db-native.bb 
b/meta/recipes-core/meta/cve-update-db-native.bb
index e5822cee58..af39480dda 100644
--- a/meta/recipes-core/meta/cve-update-db-native.bb
+++ b/meta/recipes-core/meta/cve-update-db-native.bb
@@ -43,10 +43,10 @@ python do_fetch() {
 if os.path.exists(db_file):
 os.remove(db_file)
 
-# Don't refresh the database more than once an hour
+# The NVD database changes once a day, so no need to update more frequently
 try:
 import time
-if time.time() - os.path.getmtime(db_file) < (60*60):
+if time.time() - os.path.getmtime(db_file) < (24*60*60):
 bb.debug(2, "Recently updated, skipping")
 return
 except OSError:
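Review bot: Widening the window from (60*60) to (24*60*60) keeps the comparison against os.path.getmtime(db_file), and the commit message itself says that the file date only changes when the content was actually updated. Once the file is older than the window the test is false on every build until new content arrives, so the skip still only works during the first interval after a real download. Record the time of the last successful check separately (a stamp file next to the database, for example) and compare against that instead of the database mtime.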
-- 
2.33.0


View/Reply Online (#165169): https://lists.openembedded.org/g/openembedded-core/message/165169



Re: [OE-core] [master][kirkstone][PATCH] cve-check: add JSON format to summary output

2022-05-02 Thread Steve Sakoman
On Sun, May 1, 2022 at 11:08 PM Jose Quaresma  wrote:
>
> Hi Davide,
>
> This patch needs to be sent first for the master branch and backported for 
> kirkstone only after that.

He's tagged [master] in the subject in addition to [kirkstone], so
this is fine.  I appreciate the heads up that I should keep an eye out
for the master commit.

Steve

> Davide Gardenal wrote on Monday, 2/05/2022 at 08:43:
>>
>> Create generate_json_report including all the code used to generate the JSON
>> manifest file.
>> Add to cve_save_summary_handler the ability to create the summary in JSON 
>> format.
>>
>> Signed-off-by: Davide Gardenal 
>> ---
>>  meta/classes/cve-check.bbclass | 50 +---
>>  1 file changed, 32 insertions(+), 18 deletions(-)
>>
>> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
>> index 78516d0..64875d7 100644
>> --- a/meta/classes/cve-check.bbclass
>> +++ b/meta/classes/cve-check.bbclass
>> @@ -79,6 +79,29 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>>  # set to "alphabetical" for version using single alphabetical character as 
>> increment release
>>  CVE_VERSION_SUFFIX ??= ""
>>
>> +def generate_json_report(out_path, link_path):
>> +if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>> +import json
>> +from oe.cve_check import cve_check_merge_jsons
>> +
>> +bb.note("Generating JSON CVE summary")
>> +index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
>> +summary = {"version":"1", "package": []}
>> +with open(index_file) as f:
>> +filename = f.readline()
>> +while filename:
>> +with open(filename.rstrip()) as j:
>> +data = json.load(j)
>> +cve_check_merge_jsons(summary, data)
>> +filename = f.readline()
>> +
>> +with open(out_path, "w") as f:
>> +json.dump(summary, f, indent=2)
>> +
>> +if os.path.exists(os.path.realpath(link_path)):
>> +os.remove(link_path)
>> +os.symlink(os.path.basename(out_path), link_path)
>> +
>>  python cve_save_summary_handler () {
>>  import shutil
>>  import datetime
>> @@ -101,6 +124,11 @@ python cve_save_summary_handler () {
>>  if os.path.exists(os.path.realpath(cvefile_link)):
>>  os.remove(cvefile_link)
>>  os.symlink(os.path.basename(cve_summary_file), cvefile_link)
>> +
>> +json_summary_link_name = os.path.join(cvelogpath, 
>> d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
>> +json_summary_name = os.path.join(cvelogpath, "%s-%s.json" % 
>> (cve_summary_name, timestamp))
>> +generate_json_report(json_summary_name, json_summary_link_name)
>> +bb.plain("CVE report summary created at: %s" % 
>> json_summary_link_name)
>>  }
>>
>>  addhandler cve_save_summary_handler
>> @@ -175,25 +203,11 @@ python cve_check_write_rootfs_manifest () {
>>  os.symlink(os.path.basename(manifest_name), manifest_link)
>>  bb.plain("Image CVE report stored in: %s" % manifest_name)
>>
>> -if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
>> -import json
>> +link_path = os.path.join(deploy_dir, "%s.json" % link_name)
>> +manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
>>  bb.note("Generating JSON CVE manifest")
>> -deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
>> -link_name = d.getVar("IMAGE_LINK_NAME")
>> -manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
>> -index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
>> -manifest = {"version":"1", "package": []}
>> -with open(index_file) as f:
>> -filename = f.readline()
>> -while filename:
>> -with open(filename.rstrip()) as j:
>> -data = json.load(j)
>> -cve_check_merge_jsons(manifest, data)
>> -filename = f.readline()
>> -
>> -with open(manifest_name, "w") as f:
>> -json.dump(manifest, f, indent=2)
>> -bb.plain("Image CVE report stored in: %s" % manifest_name)
>> +generate_json_report(json_summary_name, json_summary_link_name)
>> +bb.plain("Image CVE JSON report stored in: %s" % link_path)
>>  }
>>
>>  ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; 
>> ' if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
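Review bot: In cve_check_write_rootfs_manifest the new call passes json_summary_name and json_summary_link_name, which are assigned in cve_save_summary_handler and nowhere in the visible lines of this function, while the manifest_path and link_path computed just above are never handed to the helper. As written this looks like a NameError when the rootfs manifest is generated, or at best the image manifest lands on the summary's path. Call the helper with manifest_path and link_path. The final message now prints link_path where the removed code printed manifest_name, so it should only be emitted once the symlink has actually been created.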
>> --
>> 2.32.0
>>
>>
>>
>>
>
>
> --
> Best regards,
>
> José Quaresma
>
> 
>

View/Reply Online (#165168): https://lists.openembedded.org/g/openembedded-core/message/165168



Re: [OE-core] [PATCH 2/2] cve-update-db-native: allow an option to force the CVE database update

2022-05-02 Thread Marta Rybczynska
On Fri, Apr 29, 2022 at 5:53 PM Ralph Siemsen 
wrote:

> Hi Marta,
>
> This explains why the CVE database update seemed to happen far more
> frequently than it should. Thanks for digging into it.
>
> On Fri, Apr 29, 2022 at 2:32 AM Marta Rybczynska 
> wrote:
> >
> > Add a new variable FORCE_CVE_DB_UPDATE allowing the user to force
> > the database update, if the default update frequency is too low.
>
> Just an idea, maybe instead of a boolean, the variable could specify
> the interval, eg:
>
> # Interval between CVE database updates, in seconds.
> # Set to "0" to force an update of the database.
> CVE_DATABASE_UPDATE_INTERVAL ?= "24*60*60"
>
>
This is a good idea, thank you Ralph, I like it. I'll be sending a v2
shortly.

Regards,
Marta

View/Reply Online (#165167): https://lists.openembedded.org/g/openembedded-core/message/165167



[OE-core] [PATCH 2/2] vim: Security Fix For CVE-2022-1420

2022-05-02 Thread Rahul Chauhan
CVE: CVE-2022-1420

Signed-off-by: Rahul Chauhan 
---
 .../vim/files/CVE-2022-1420.patch | 93 +++
 meta/recipes-support/vim/vim.inc  |  1 +
 2 files changed, 94 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2022-1420.patch

diff --git a/meta/recipes-support/vim/files/CVE-2022-1420.patch 
b/meta/recipes-support/vim/files/CVE-2022-1420.patch
new file mode 100644
index 00..2c2e09a9d2
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2022-1420.patch
@@ -0,0 +1,93 @@
+From 6258e29cbdc55c9496baa23462ef77d79a4e08cf Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar 
+Date: Sun, 17 Apr 2022 15:06:35 +0100
+Subject: [PATCH] patch 8.2.4774: crash when using a number for lambda name
+
+Problem:Crash when using a number for lambda name.
+Solution:   Check the type of the lambda reference.
+
+Upstream-Status: Backport 
[https://github.com/vim/vim/commit/8b91e71441069b1dde9ac9ff9d9a829b1b4aecca]
+CVE-2022-1420
+
+Signed-off-by: Rahul Chauhan 
+---
+ src/errors.h|  4 
+ src/eval.c  | 16 ++--
+ src/testdir/test_lambda.vim |  4 
+ src/version.c   |  2 ++
+ 4 files changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/src/errors.h b/src/errors.h
+index 951acabb2..96bba755b 100644
+--- a/src/errors.h
 b/src/errors.h
+@@ -3256,3 +3256,7 @@ EXTERN char e_compiling_closure_without_context_str[]
+ EXTERN char e_using_type_not_in_script_context_str[]
+   INIT(= N_("E1272: Using type not in a script context: %s"));
+ #endif
++#ifdef FEAT_EVAL
++EXTERN char e_string_or_function_required_for_arrow_parens_expr[]
++   INIT(= N_("E1275: String or function required for ->(expr)"));
++#endif
+diff --git a/src/eval.c b/src/eval.c
+index 2cde64216..5d208a378 100644
+--- a/src/eval.c
 b/src/eval.c
+@@ -4094,19 +4094,23 @@ eval_lambda(
+   ++*arg;
+   ret = eval1(arg, rettv, evalarg);
+   *arg = skipwhite_and_linebreak(*arg, evalarg);
+-  if (**arg == ')')
++  if (**arg != ')')
+   {
+-  ++*arg;
++  emsg(_(e_missing_closing_paren));
++  return FAIL;
+   }
+-  else
++  if (rettv->v_type != VAR_STRING && rettv->v_type != VAR_FUNC
++ && rettv->v_type != VAR_PARTIAL)
+   {
+-  emsg(_(e_missing_closing_paren));
+-  ret = FAIL;
++  emsg(_(e_string_or_function_required_for_arrow_parens_expr));
++  return FAIL;
+   }
++  ++*arg;
+ }
+ if (ret != OK)
+   return FAIL;
+-else if (**arg != '(')
++
++if (**arg != '(')
+ {
+   if (verbose)
+   {
+diff --git a/src/testdir/test_lambda.vim b/src/testdir/test_lambda.vim
+index e6dcb6774..8d06e5973 100644
+--- a/src/testdir/test_lambda.vim
 b/src/testdir/test_lambda.vim
+@@ -66,6 +66,10 @@ function Test_lambda_fails()
+   echo assert_fails('echo 10->{a -> a + 2}', 'E107:')
+ 
+   call assert_fails('eval 0->(', "E110: Missing ')'")
++  call assert_fails('eval 0->(3)()', "E1275:")
++  call assert_fails('eval 0->([3])()', "E1275:")
++  call assert_fails('eval 0->({"a": 3})()', "E1275:")
++  call assert_fails('eval 0->(xxx)()', "E121:")
+ endfunc
+ 
+ func Test_not_lamda()
+diff --git a/src/version.c b/src/version.c
+index 38c3e69b6..c7516e3a5 100644
+--- a/src/version.c
 b/src/version.c
+@@ -750,6 +750,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++4774,
+ /**/
+ 4763,
+ /**/
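Review bot: The src/version.c hunk carried in this backport uses "4763," as context, and that entry only exists once CVE-2022-1381.patch from 1/2 has been applied, so this patch applies only on top of that one and the SRC_URI order becomes load-bearing. State the dependency in the patch header, or drop the version.c hunk so the backport applies on its own. The tag line after Upstream-Status reads "CVE-2022-1420" with no "CVE: " prefix; write it as "CVE: CVE-2022-1420", the form the commit message already uses.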
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index c78e53007e..05891b07df 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -20,6 +20,7 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://no-path-adjust.patch \
file://racefix.patch \
file://CVE-2022-1381.patch \
+   file://CVE-2022-1420.patch \
"
 
 PV .= ".4681"
-- 
2.17.1


View/Reply Online (#165166): https://lists.openembedded.org/g/openembedded-core/message/165166



[OE-core] [PATCH 1/2] vim: Security Fix For CVE-2022-1381

2022-05-02 Thread Rahul Chauhan
CVE: CVE-2022-1381

Signed-off-by: Rahul Chauhan 
---
 .../vim/files/CVE-2022-1381.patch | 111 ++
 meta/recipes-support/vim/vim.inc  |   1 +
 2 files changed, 112 insertions(+)
 create mode 100644 meta/recipes-support/vim/files/CVE-2022-1381.patch

diff --git a/meta/recipes-support/vim/files/CVE-2022-1381.patch 
b/meta/recipes-support/vim/files/CVE-2022-1381.patch
new file mode 100644
index 00..1b0e129746
--- /dev/null
+++ b/meta/recipes-support/vim/files/CVE-2022-1381.patch
@@ -0,0 +1,111 @@
+From 6a6cb529c7a8bda2c45964137d7c8df9c2623d51 Mon Sep 17 00:00:00 2001
+From: Bram Moolenaar 
+Date: Sat, 16 Apr 2022 18:52:17 +0100
+Subject: [PATCH] patch 8.2.4763: using invalid pointer with "V:" in Ex mode
+
+Problem:Using invalid pointer with "V:" in Ex mode.
+Solution:   Correctly handle the command being changed to "+".
+
+Upstream-Status: Backport 
[https://github.com/vim/vim/commit/f50808ed135ab973296bca515ae4029b321afe47]
+CVE-2022-1381
+
+Signed-off-by: Rahul Chauhan 
+---
+ src/ex_docmd.c   | 29 -
+ src/testdir/test_ex_mode.vim | 13 +
+ src/version.c|  2 ++
+ 3 files changed, 39 insertions(+), 5 deletions(-)
+
+diff --git a/src/ex_docmd.c b/src/ex_docmd.c
+index c12f151c3..9d3f1b420 100644
+--- a/src/ex_docmd.c
 b/src/ex_docmd.c
+@@ -2782,7 +2782,9 @@ parse_command_modifiers(
+   cmdmod_T*cmod,
+   int skip_only)
+ {
++char_u  *orig_cmd = eap->cmd;
+ char_u  *cmd_start = NULL;
++int   did_plus_cmd = FALSE;
+ char_u  *p;
+ int   starts_with_colon = FALSE;
+ int   vim9script = in_vim9script();
+@@ -2818,6 +2820,7 @@ parse_command_modifiers(
+   && curwin->w_cursor.lnum < curbuf->b_ml.ml_line_count)
+   {
+   eap->cmd = (char_u *)"+";
++  did_plus_cmd = TRUE;
+   if (!skip_only)
+   ex_pressedreturn = TRUE;
+   }
+@@ -3100,13 +3103,29 @@ parse_command_modifiers(
+   // Since the modifiers have been parsed put the colon on top of the
+   // space: "'<,'>mod cmd" -> "mod:'<,'>cmd
+   // Put eap->cmd after the colon.
+-  mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
+-  eap->cmd -= 5;
+-  mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++  if (did_plus_cmd)
++  {
++  size_t len = STRLEN(cmd_start);
++
++  // Special case: empty command may have been changed to "+":
++  //  "'<,'>mod" -> "mod'<,'>+
++  mch_memmove(orig_cmd, cmd_start, len);
++  STRCPY(orig_cmd + len, "'<,'>+");
++  }
++  else
++  {
++  mch_memmove(cmd_start - 5, cmd_start, eap->cmd - cmd_start);
++  eap->cmd -= 5;
++  mch_memmove(eap->cmd - 1, ":'<,'>", 6);
++  }
+   }
+   else
+-  // no modifiers, move the pointer back
+-  eap->cmd -= 5;
++  // No modifiers, move the pointer back.
++  // Special case: empty command may have been changed to "+".
++  if (did_plus_cmd)
++  eap->cmd = (char_u *)"'<,'>+";
++  else
++  eap->cmd = orig_cmd;
+ }
+ 
+ return OK;
+diff --git a/src/testdir/test_ex_mode.vim b/src/testdir/test_ex_mode.vim
+index 2642a16d2..d981ced6b 100644
+--- a/src/testdir/test_ex_mode.vim
 b/src/testdir/test_ex_mode.vim
+@@ -250,5 +250,18 @@ func Test_ex_mode_large_indent()
+   bwipe!
+ endfunc
+ 
++" This was accessing illegal memory when using "+" for eap->cmd.
++func Test_empty_command_visual_mode()
++  let lines =<< trim END
++  r
++  0norm0V:
++  :qall!
++  END
++  call writefile(lines, 'Xexmodescript')
++  call assert_equal(1, RunVim([], [], '-u NONE -e -s -S Xexmodescript'))
++
++  call delete('Xexmodescript')
++endfunc
++
+ 
+ " vim: shiftwidth=2 sts=2 expandtab
+diff --git a/src/version.c b/src/version.c
+index 79a3bad67..38c3e69b6 100644
+--- a/src/version.c
 b/src/version.c
+@@ -750,6 +750,8 @@ static char *(features[]) =
+ 
+ static int included_patches[] =
+ {   /* Add new patch number below this line */
++/**/
++4763,
+ /**/
+ 4681,
+ /**/
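Review bot: The header tag on the line after Upstream-Status is a bare "CVE-2022-1381"; the patch-header form is "CVE: CVE-2022-1381", as in the commit message, and that prefixed form is what a scan of patch contents for fixed CVEs matches on. The commit message itself carries only the CVE tag and sign-off; add a sentence saying which upstream patch (8.2.4763) is being backported and onto which recipe version, so the change can be audited without opening the patch file.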
diff --git a/meta/recipes-support/vim/vim.inc b/meta/recipes-support/vim/vim.inc
index 21ff036cf4..c78e53007e 100644
--- a/meta/recipes-support/vim/vim.inc
+++ b/meta/recipes-support/vim/vim.inc
@@ -19,6 +19,7 @@ SRC_URI = 
"git://github.com/vim/vim.git;branch=master;protocol=https \
file://0001-src-Makefile-improve-reproducibility.patch \
file://no-path-adjust.patch \
file://racefix.patch \
+   file://CVE-2022-1381.patch \
"
 
 PV .= ".4681"
-- 
2.17.1


View/Reply Online (#165165): https://lists.openembedded.org/g/openembedded-core/message/165165

Re: [OE-core] CVE-2022-24765 Git Errors with Bitbake

2022-05-02 Thread dev-faha
Ok thanks. I found the commit id:
https://git.yoctoproject.org/poky/commit/?id=21559199516a31c7635c5f2d874eaa4a92fff0e5

Unfortunately, it will probably take some time until the solution is included 
on all our build machines.

Until then, we fixed our setup by using PSEUDO_UNLOAD=1 before any git command.

View/Reply Online (#165164): https://lists.openembedded.org/g/openembedded-core/message/165164



Re: [OE-core] [PATCH] glibc: ptest: Add lib32-glibc-tests PROVIDES

2022-05-02 Thread Jose Quaresma
Hi Pgowda,

Pgowda wrote on Monday, 2/05/2022 at 09:09:

> While running lib32-glibc-tests, it fails with the following error
> as the recipe is not PROVIDED. BBCLASSEXTEND is cleaned in glibc-tests
> and is not able to recognize the multilibs.
>
> ERROR: Nothing PROVIDES 'lib32-glibc-tests'
>
> Signed-off-by: pgowda 
> ---
>  meta/recipes-core/glibc/glibc-tests_2.35.bb | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/recipes-core/glibc/glibc-tests_2.35.bb
> b/meta/recipes-core/glibc/glibc-tests_2.35.bb
> index 414f8660de..2515e98bb3 100644
> --- a/meta/recipes-core/glibc/glibc-tests_2.35.bb
> +++ b/meta/recipes-core/glibc/glibc-tests_2.35.bb
> @@ -18,7 +18,7 @@ python __anonymous() {
> d.setVar("PROVIDES", "${PN} ${PN}-ptest")
> d.setVar("RPROVIDES", "${PN} ${PN}-ptest")
>
> -   d.setVar("BBCLASSEXTEND", "")
> +#   d.setVar("BBCLASSEXTEND", "")
>

Why comment it out? This line can be removed, and git will take care of
storing the change for future reference.

Jose


> d.setVar("RRECOMMENDS", "")
> d.setVar("SYSTEMD_SERVICE:nscd", "")
> d.setVar("SYSTEMD_PACKAGES", "")
> --
> 2.35.1
>
>
> 
>
>

-- 
Best regards,

José Quaresma

View/Reply Online (#165163): https://lists.openembedded.org/g/openembedded-core/message/165163



Re: [OE-core] [master][kirkstone][PATCH] cve-check: add JSON format to summary output

2022-05-02 Thread Jose Quaresma
Hi Davide,

This patch needs to be sent first for the master branch and backported
for kirkstone only after that.

Jose

Davide Gardenal wrote on Monday, 2/05/2022 at 08:43:

> Create generate_json_report including all the code used to generate the
> JSON
> manifest file.
> Add to cve_save_summary_handler the ability to create the summary in JSON
> format.
>
> Signed-off-by: Davide Gardenal 
> ---
>  meta/classes/cve-check.bbclass | 50 +---
>  1 file changed, 32 insertions(+), 18 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass
> b/meta/classes/cve-check.bbclass
> index 78516d0..64875d7 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -79,6 +79,29 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
>  # set to "alphabetical" for version using single alphabetical character
> as increment release
>  CVE_VERSION_SUFFIX ??= ""
>
> +def generate_json_report(out_path, link_path):
> +if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
> +import json
> +from oe.cve_check import cve_check_merge_jsons
> +
> +bb.note("Generating JSON CVE summary")
> +index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
> +summary = {"version":"1", "package": []}
> +with open(index_file) as f:
> +filename = f.readline()
> +while filename:
> +with open(filename.rstrip()) as j:
> +data = json.load(j)
> +cve_check_merge_jsons(summary, data)
> +filename = f.readline()
> +
> +with open(out_path, "w") as f:
> +json.dump(summary, f, indent=2)
> +
> +if os.path.exists(os.path.realpath(link_path)):
> +os.remove(link_path)
> +os.symlink(os.path.basename(out_path), link_path)
> +
>  python cve_save_summary_handler () {
>  import shutil
>  import datetime
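Review bot: The symlink refresh at the end of generate_json_report tests os.path.exists(os.path.realpath(link_path)), which is false when link_path is a dangling symlink (its previous target was deleted), so os.remove is skipped and os.symlink then fails with FileExistsError. Test os.path.lexists(link_path) instead. In the loop above it, a blank or stale line in the index file makes open(filename.rstrip()) raise and aborts the whole summary; skipping unreadable fragments with a warning would keep one bad entry from suppressing the report for every other package.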
> @@ -101,6 +124,11 @@ python cve_save_summary_handler () {
>  if os.path.exists(os.path.realpath(cvefile_link)):
>  os.remove(cvefile_link)
>  os.symlink(os.path.basename(cve_summary_file), cvefile_link)
> +
> +json_summary_link_name = os.path.join(cvelogpath,
> d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
> +json_summary_name = os.path.join(cvelogpath, "%s-%s.json" %
> (cve_summary_name, timestamp))
> +generate_json_report(json_summary_name, json_summary_link_name)
> +bb.plain("CVE report summary created at: %s" %
> json_summary_link_name)
>  }
>
>  addhandler cve_save_summary_handler
> @@ -175,25 +203,11 @@ python cve_check_write_rootfs_manifest () {
>  os.symlink(os.path.basename(manifest_name), manifest_link)
>  bb.plain("Image CVE report stored in: %s" % manifest_name)
>
> -if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
> -import json
> +link_path = os.path.join(deploy_dir, "%s.json" % link_name)
> +manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
>  bb.note("Generating JSON CVE manifest")
> -deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
> -link_name = d.getVar("IMAGE_LINK_NAME")
> -manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
> -index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
> -manifest = {"version":"1", "package": []}
> -with open(index_file) as f:
> -filename = f.readline()
> -while filename:
> -with open(filename.rstrip()) as j:
> -data = json.load(j)
> -cve_check_merge_jsons(manifest, data)
> -filename = f.readline()
> -
> -with open(manifest_name, "w") as f:
> -json.dump(manifest, f, indent=2)
> -bb.plain("Image CVE report stored in: %s" % manifest_name)
> +generate_json_report(json_summary_name, json_summary_link_name)
> +bb.plain("Image CVE JSON report stored in: %s" % link_path)
>  }
>
>  ROOTFS_POSTPROCESS_COMMAND:prepend =
> "${@'cve_check_write_rootfs_manifest; ' if
> d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
> --
> 2.32.0
>
>
> 
>
>

-- 
Best regards,

José Quaresma

View/Reply Online (#165162): https://lists.openembedded.org/g/openembedded-core/message/165162



[OE-core] [PATCH] glibc: ptest: Add lib32-glibc-tests PROVIDES

2022-05-02 Thread Pgowda
While running lib32-glibc-tests, it fails with the following error
as the recipe is not PROVIDED. BBCLASSEXTEND is cleaned in glibc-tests
and is not able to recognize the multilibs.

ERROR: Nothing PROVIDES 'lib32-glibc-tests'

Signed-off-by: pgowda 
---
 meta/recipes-core/glibc/glibc-tests_2.35.bb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/recipes-core/glibc/glibc-tests_2.35.bb 
b/meta/recipes-core/glibc/glibc-tests_2.35.bb
index 414f8660de..2515e98bb3 100644
--- a/meta/recipes-core/glibc/glibc-tests_2.35.bb
+++ b/meta/recipes-core/glibc/glibc-tests_2.35.bb
@@ -18,7 +18,7 @@ python __anonymous() {
d.setVar("PROVIDES", "${PN} ${PN}-ptest")
d.setVar("RPROVIDES", "${PN} ${PN}-ptest")
 
-   d.setVar("BBCLASSEXTEND", "")
+#   d.setVar("BBCLASSEXTEND", "")
d.setVar("RRECOMMENDS", "")
d.setVar("SYSTEMD_SERVICE:nscd", "")
d.setVar("SYSTEMD_PACKAGES", "")
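Review bot: The subject says a PROVIDES entry is added, but the only change is commenting out d.setVar("BBCLASSEXTEND", ""), which re-enables whatever class extensions the recipe inherits rather than adding a lib32 provider specifically. Delete the line instead of leaving it commented, and explain in the commit message why the clearing was there and why it is safe to drop, given that the same anonymous function still resets PROVIDES, RPROVIDES and the variables that follow.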
-- 
2.35.1


View/Reply Online (#165161): https://lists.openembedded.org/g/openembedded-core/message/165161



[OE-core] [master][kirkstone][PATCH] cve-check: add JSON format to summary output

2022-05-02 Thread Davide Gardenal
Create generate_json_report including all the code used to generate the JSON
manifest file.
Add to cve_save_summary_handler the ability to create the summary in JSON 
format.

Signed-off-by: Davide Gardenal 
---
 meta/classes/cve-check.bbclass | 50 +---
 1 file changed, 32 insertions(+), 18 deletions(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 78516d0..64875d7 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -79,6 +79,29 @@ CVE_CHECK_LAYER_INCLUDELIST ??= ""
 # set to "alphabetical" for version using single alphabetical character as 
increment release
 CVE_VERSION_SUFFIX ??= ""
 
+def generate_json_report(out_path, link_path):
+if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
+import json
+from oe.cve_check import cve_check_merge_jsons
+
+bb.note("Generating JSON CVE summary")
+index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
+summary = {"version":"1", "package": []}
+with open(index_file) as f:
+filename = f.readline()
+while filename:
+with open(filename.rstrip()) as j:
+data = json.load(j)
+cve_check_merge_jsons(summary, data)
+filename = f.readline()
+
+with open(out_path, "w") as f:
+json.dump(summary, f, indent=2)
+
+if os.path.exists(os.path.realpath(link_path)):
+os.remove(link_path)
+os.symlink(os.path.basename(out_path), link_path)
+
 python cve_save_summary_handler () {
 import shutil
 import datetime
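Review bot: `generate_json_report(out_path, link_path)` calls `d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")`, but it is a plain `def` and `d` is not among its parameters, so the datastore is not available inside it. Pass it in explicitly, e.g. `def generate_json_report(d, out_path, link_path):`, and update both call sites. Separately, `os.path.exists(os.path.realpath(link_path))` is false for a dangling symlink, in which case `os.remove` is skipped and `os.symlink` raises FileExistsError; `os.path.lexists(link_path)` covers that case. A short comment above the function describing the two path arguments would also help, since one caller passes summary paths and the other manifest paths.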
@@ -101,6 +124,11 @@ python cve_save_summary_handler () {
 if os.path.exists(os.path.realpath(cvefile_link)):
 os.remove(cvefile_link)
 os.symlink(os.path.basename(cve_summary_file), cvefile_link)
+
+json_summary_link_name = os.path.join(cvelogpath, 
d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON"))
+json_summary_name = os.path.join(cvelogpath, "%s-%s.json" % 
(cve_summary_name, timestamp))
+generate_json_report(json_summary_name, json_summary_link_name)
+bb.plain("CVE report summary created at: %s" % json_summary_link_name)
 }
 
 addhandler cve_save_summary_handler
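Review bot: `d.getVar("CVE_CHECK_SUMMARY_FILE_NAME_JSON")` is read here, but no hunk in this patch adds a default for that variable; if it is not already defined elsewhere in the class, `d.getVar` returns None and `os.path.join(cvelogpath, None)` raises TypeError. Please add a `??=` default next to the other summary variables and document it. Also, the `bb.plain("CVE report summary created at: ...")` message is printed regardless of whether `generate_json_report` wrote anything, since the helper only does its work when `CVE_CHECK_SUMMARY_INDEX_PATH` exists; the message should be tied to the file actually being created.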
@@ -175,25 +203,11 @@ python cve_check_write_rootfs_manifest () {
 os.symlink(os.path.basename(manifest_name), manifest_link)
 bb.plain("Image CVE report stored in: %s" % manifest_name)
 
-if os.path.exists(d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")):
-import json
+link_path = os.path.join(deploy_dir, "%s.json" % link_name)
+manifest_path = d.getVar("CVE_CHECK_MANIFEST_JSON")
 bb.note("Generating JSON CVE manifest")
-deploy_dir = d.getVar("DEPLOY_DIR_IMAGE")
-link_name = d.getVar("IMAGE_LINK_NAME")
-manifest_name = d.getVar("CVE_CHECK_MANIFEST_JSON")
-index_file = d.getVar("CVE_CHECK_SUMMARY_INDEX_PATH")
-manifest = {"version":"1", "package": []}
-with open(index_file) as f:
-filename = f.readline()
-while filename:
-with open(filename.rstrip()) as j:
-data = json.load(j)
-cve_check_merge_jsons(manifest, data)
-filename = f.readline()
-
-with open(manifest_name, "w") as f:
-json.dump(manifest, f, indent=2)
-bb.plain("Image CVE report stored in: %s" % manifest_name)
+generate_json_report(json_summary_name, json_summary_link_name)
+bb.plain("Image CVE JSON report stored in: %s" % link_path)
 }
 
 ROOTFS_POSTPROCESS_COMMAND:prepend = "${@'cve_check_write_rootfs_manifest; ' 
if d.getVar('CVE_CHECK_CREATE_MANIFEST') == '1' else ''}"
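Review bot: The new call in `cve_check_write_rootfs_manifest` is `generate_json_report(json_summary_name, json_summary_link_name)`, but those two names are locals of `cve_save_summary_handler` and are not defined in this function, so this raises NameError; the freshly computed `manifest_path` and `link_path` are never used. It looks like the call should be `generate_json_report(manifest_path, link_path)`. Note too that the `deploy_dir` and `link_name` assignments are removed in this hunk while `link_path` still depends on them, so please confirm both are set earlier in the function. Finally, `bb.note("Generating JSON CVE manifest")` and the closing `bb.plain` are now outside the `CVE_CHECK_SUMMARY_INDEX_PATH` existence check and will be printed even when no JSON file is produced.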
-- 
2.32.0


View/Reply Online (#165160): https://lists.openembedded.org/g/openembedded-core/message/165160