glibc: exclude child recipes from CVE scanning

Message ID 20190716124721.22289-1-ross.burton@intel.com
State Accepted
Commit 1f9a963b9ff7ebe052ba54b9fcbdf7d09478dd17
Series
  • glibc: exclude child recipes from CVE scanning

Commit Message

Ross Burton July 16, 2019, 12:47 p.m.
As glibc will be scanned for CVEs, we don't need to scan glibc-locale,
glibc-mtrace, and glibc-scripts which are all separate recipes for technical
reasons.

Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the
global whitelist.

Signed-off-by: Ross Burton <ross.burton@intel.com>

---
 meta/classes/cve-check.bbclass            | 4 +---
 meta/recipes-core/glibc/glibc-locale.inc  | 3 +++
 meta/recipes-core/glibc/glibc-mtrace.inc  | 3 +++
 meta/recipes-core/glibc/glibc-scripts.inc | 3 +++
 4 files changed, 10 insertions(+), 3 deletions(-)

-- 
2.20.1

-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Comments

Khem Raj July 16, 2019, 5:44 p.m. | #1
Seems good to me.

On Tue, Jul 16, 2019 at 5:47 AM Ross Burton <ross.burton@intel.com> wrote:
>
> As glibc will be scanned for CVEs, we don't need to scan glibc-locale,
> glibc-mtrace, and glibc-scripts which are all separate recipes for technical
> reasons.
>
> Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the
> global whitelist.
>
> Signed-off-by: Ross Burton <ross.burton@intel.com>
> ---
>  meta/classes/cve-check.bbclass            | 4 +---
>  meta/recipes-core/glibc/glibc-locale.inc  | 3 +++
>  meta/recipes-core/glibc/glibc-mtrace.inc  | 3 +++
>  meta/recipes-core/glibc/glibc-scripts.inc | 3 +++
>  4 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 5979edf3d17..19ac48cfd49 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -37,9 +37,7 @@ CVE_CHECK_COPY_FILES ??= "1"
>  CVE_CHECK_CREATE_MANIFEST ??= "1"
>
>  # Whitelist for packages (PN)
> -CVE_CHECK_PN_WHITELIST = "\
> -    glibc-locale \
> -"
> +CVE_CHECK_PN_WHITELIST ?= ""
>
>  # Whitelist for CVE and version of package. If a CVE is found then the PV is
>  # compared with the version list, and if found the CVE is considered
> diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
> index bf5eaee9380..ef06389ff94 100644
> --- a/meta/recipes-core/glibc/glibc-locale.inc
> +++ b/meta/recipes-core/glibc/glibc-locale.inc
> @@ -98,3 +98,6 @@ do_install() {
>  inherit libc-package
>
>  BBCLASSEXTEND = "nativesdk"
> +
> +# Don't scan for CVEs as glibc will be scanned
> +CVE_PRODUCT = ""
> diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc
> index d703c14bdc1..ef9d60ec239 100644
> --- a/meta/recipes-core/glibc/glibc-mtrace.inc
> +++ b/meta/recipes-core/glibc/glibc-mtrace.inc
> @@ -11,3 +11,6 @@ do_install() {
>         install -d -m 0755 ${D}${bindir}
>         install -m 0755 ${SRC}/mtrace ${D}${bindir}/
>  }
> +
> +# Don't scan for CVEs as glibc will be scanned
> +CVE_PRODUCT = ""
> diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc
> index 2a2b41507ed..14a14e45126 100644
> --- a/meta/recipes-core/glibc/glibc-scripts.inc
> +++ b/meta/recipes-core/glibc/glibc-scripts.inc
> @@ -18,3 +18,6 @@ do_install() {
>  # sotruss script requires sotruss-lib.so (given by libsotruss package),
>  # to produce trace of the library calls.
>  RDEPENDS_${PN} += "libsotruss"
> +
> +# Don't scan for CVEs as glibc will be scanned
> +CVE_PRODUCT = ""
> --
> 2.20.1
>


Patch

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 5979edf3d17..19ac48cfd49 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -37,9 +37,7 @@  CVE_CHECK_COPY_FILES ??= "1"
 CVE_CHECK_CREATE_MANIFEST ??= "1"
 
 # Whitelist for packages (PN)
-CVE_CHECK_PN_WHITELIST = "\
-    glibc-locale \
-"
+CVE_CHECK_PN_WHITELIST ?= ""
 
 # Whitelist for CVE and version of package. If a CVE is found then the PV is
 # compared with the version list, and if found the CVE is considered
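Review bot: the comment `# Whitelist for packages (PN)` above the changed line no longer describes how exclusions are meant to work now that the default list is empty and the assignment is `?=`; extend it to say that the class ships no entries, that a distro or local configuration may override the list, and that a recipe which should not be scanned is expected to set `CVE_PRODUCT = ""` itself, which is the convention this series moves glibc-locale to.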
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
index bf5eaee9380..ef06389ff94 100644
--- a/meta/recipes-core/glibc/glibc-locale.inc
+++ b/meta/recipes-core/glibc/glibc-locale.inc
@@ -98,3 +98,6 @@  do_install() {
 inherit libc-package
 
 BBCLASSEXTEND = "nativesdk"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc
index d703c14bdc1..ef9d60ec239 100644
--- a/meta/recipes-core/glibc/glibc-mtrace.inc
+++ b/meta/recipes-core/glibc/glibc-mtrace.inc
@@ -11,3 +11,6 @@  do_install() {
 	install -d -m 0755 ${D}${bindir}
 	install -m 0755 ${SRC}/mtrace ${D}${bindir}/
 }
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""
diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc
index 2a2b41507ed..14a14e45126 100644
--- a/meta/recipes-core/glibc/glibc-scripts.inc
+++ b/meta/recipes-core/glibc/glibc-scripts.inc
@@ -18,3 +18,6 @@  do_install() {
 # sotruss script requires sotruss-lib.so (given by libsotruss package), 
 # to produce trace of the library calls.
 RDEPENDS_${PN} += "libsotruss"
+
+# Don't scan for CVEs as glibc will be scanned
+CVE_PRODUCT = ""