Message ID | 20190716124721.22289-1-ross.burton@intel.com
---|---
State | Accepted
Commit | 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17
Series | glibc: exclude child recipes from CVE scanning
Seems good to me.

On Tue, Jul 16, 2019 at 5:47 AM Ross Burton <ross.burton@intel.com> wrote:
> > As glibc will be scanned for CVEs, we don't need to scan glibc-locale, > glibc-mtrace, and glibc-scripts which are all separate recipes for technical > reasons. > > Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the > global whitelist. > > Signed-off-by: Ross Burton <ross.burton@intel.com> > --- > meta/classes/cve-check.bbclass | 4 +--- > meta/recipes-core/glibc/glibc-locale.inc | 3 +++ > meta/recipes-core/glibc/glibc-mtrace.inc | 3 +++ > meta/recipes-core/glibc/glibc-scripts.inc | 3 +++ > 4 files changed, 10 insertions(+), 3 deletions(-) > > diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass > index 5979edf3d17..19ac48cfd49 100644 > --- a/meta/classes/cve-check.bbclass > +++ b/meta/classes/cve-check.bbclass > @@ -37,9 +37,7 @@ CVE_CHECK_COPY_FILES ??= "1" > CVE_CHECK_CREATE_MANIFEST ??= "1" > > # Whitelist for packages (PN) > -CVE_CHECK_PN_WHITELIST = "\ > - glibc-locale \ > -" > +CVE_CHECK_PN_WHITELIST ?= "" > > # Whitelist for CVE and version of package. If a CVE is found then the PV is > # compared with the version list, and if found the CVE is considered > diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc > index bf5eaee9380..ef06389ff94 100644 > --- a/meta/recipes-core/glibc/glibc-locale.inc > +++ b/meta/recipes-core/glibc/glibc-locale.inc > @@ -98,3 +98,6 @@ do_install() { > inherit libc-package > > BBCLASSEXTEND = "nativesdk" > + > +# Don't scan for CVEs as glibc will be scanned > +CVE_PRODUCT = "" > diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc > index d703c14bdc1..ef9d60ec239 100644 > --- a/meta/recipes-core/glibc/glibc-mtrace.inc > +++ b/meta/recipes-core/glibc/glibc-mtrace.inc
> @@ -11,3 +11,6 @@ do_install() { > install -d -m 0755 ${D}${bindir} > install -m 0755 ${SRC}/mtrace ${D}${bindir}/ > } > + > +# Don't scan for CVEs as glibc will be scanned > +CVE_PRODUCT = "" > diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc > index 2a2b41507ed..14a14e45126 100644 > --- a/meta/recipes-core/glibc/glibc-scripts.inc > +++ b/meta/recipes-core/glibc/glibc-scripts.inc > @@ -18,3 +18,6 @@ do_install() { > # sotruss script requires sotruss-lib.so (given by libsotruss package), > # to produce trace of the library calls. > RDEPENDS_${PN} += "libsotruss" > + > +# Don't scan for CVEs as glibc will be scanned > +CVE_PRODUCT = "" > -- > 2.20.1 > > -- > _______________________________________________ > Openembedded-core mailing list > Openembedded-core@lists.openembedded.org > http://lists.openembedded.org/mailman/listinfo/openembedded-core
diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 5979edf3d17..19ac48cfd49 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -37,9 +37,7 @@ CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" # Whitelist for packages (PN) -CVE_CHECK_PN_WHITELIST = "\ - glibc-locale \ -" +CVE_CHECK_PN_WHITELIST ?= "" # Whitelist for CVE and version of package. If a CVE is found then the PV is # compared with the version list, and if found the CVE is considered diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc index bf5eaee9380..ef06389ff94 100644 --- a/meta/recipes-core/glibc/glibc-locale.inc +++ b/meta/recipes-core/glibc/glibc-locale.inc @@ -98,3 +98,6 @@ do_install() { inherit libc-package BBCLASSEXTEND = "nativesdk" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc index d703c14bdc1..ef9d60ec239 100644 --- a/meta/recipes-core/glibc/glibc-mtrace.inc +++ b/meta/recipes-core/glibc/glibc-mtrace.inc @@ -11,3 +11,6 @@ do_install() { install -d -m 0755 ${D}${bindir} install -m 0755 ${SRC}/mtrace ${D}${bindir}/ } + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc index 2a2b41507ed..14a14e45126 100644 --- a/meta/recipes-core/glibc/glibc-scripts.inc +++ b/meta/recipes-core/glibc/glibc-scripts.inc @@ -18,3 +18,6 @@ do_install() { # sotruss script requires sotruss-lib.so (given by libsotruss package), # to produce trace of the library calls. RDEPENDS_${PN} += "libsotruss" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = ""
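Review bot: the cve-check.bbclass hunk does more than drop glibc-locale from the list; it turns the hard assignment `CVE_CHECK_PN_WHITELIST = "\ ... "` into the weak default `CVE_CHECK_PN_WHITELIST ?= ""`, so a distro or local.conf assignment now takes precedence where the class value previously overwrote it. That is a reasonable change, but the commit message only talks about glibc, so either mention it there or keep a plain `CVE_CHECK_PN_WHITELIST = ""` if the intent is limited to this series. The `# Whitelist for packages (PN)` comment just above would also be the right place to say that a recipe which should not be scanned is now expected to set `CVE_PRODUCT = ""` itself, so nobody reaches for the whitelist again for the next glibc-style child recipe.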
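Review bot: in the glibc-locale.inc hunk the comment `# Don't scan for CVEs as glibc will be scanned` states the goal but not the mechanism; the exclusion only works because cve-check treats an empty CVE_PRODUCT as "skip this recipe", which is not obvious from the variable name and would turn this line into a silent no-op if that behaviour ever changed. Suggest wording it as `# An empty CVE_PRODUCT makes cve-check.bbclass skip this recipe; glibc's own scan covers it`. Also worth noting that `BBCLASSEXTEND = "nativesdk"` two lines above means nativesdk-glibc-locale inherits the exclusion, which is the desired outcome but deserves a word in the commit message.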
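Review bot: the glibc-scripts.inc hunk is the third verbatim copy of the same two-line block (glibc-locale.inc and glibc-mtrace.inc carry the other two), with nothing tying them together, so if one is later adjusted the others will drift. The commit message says these are separate recipes for technical reasons only, so if the three already share an include file that is the natural home for a single `CVE_PRODUCT = ""`; failing that, the comment in each should at least say why skipping is safe (the recipe ships files built from the glibc source that glibc's own scan already covers), because a reader of glibc-scripts.inc alone cannot see that reasoning.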
As glibc will be scanned for CVEs, we don't need to scan glibc-locale,
glibc-mtrace, and glibc-scripts which are all separate recipes for technical
reasons.

Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the
global whitelist.

Signed-off-by: Ross Burton <ross.burton@intel.com>
---
meta/classes/cve-check.bbclass | 4 +---
meta/recipes-core/glibc/glibc-locale.inc | 3 +++
meta/recipes-core/glibc/glibc-mtrace.inc | 3 +++
meta/recipes-core/glibc/glibc-scripts.inc | 3 +++
4 files changed, 10 insertions(+), 3 deletions(-)
--
2.20.1