From patchwork Tue Jul 16 12:47:21 2019
X-Patchwork-Submitter: Ross Burton
X-Patchwork-Id: 169059
From: Ross Burton
To: openembedded-core@lists.openembedded.org
Date: Tue, 16 Jul 2019 13:47:21 +0100
Message-Id: <20190716124721.22289-1-ross.burton@intel.com>
X-Mailer: git-send-email 2.20.1
Subject: [OE-core] [PATCH] glibc: exclude child recipes from CVE scanning

As glibc will be scanned for CVEs, we don't need to scan glibc-locale,
glibc-mtrace, and glibc-scripts which are all separate recipes for
technical reasons. Exclude the recipes by setting CVE_PRODUCT in the
recipe, instead of using the global whitelist.

Signed-off-by: Ross Burton
---
 meta/classes/cve-check.bbclass            | 4 +---
 meta/recipes-core/glibc/glibc-locale.inc  | 3 +++
 meta/recipes-core/glibc/glibc-mtrace.inc  | 3 +++
 meta/recipes-core/glibc/glibc-scripts.inc | 3 +++
 4 files changed, 10 insertions(+), 3 deletions(-)

--
2.20.1

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass index 5979edf3d17..19ac48cfd49 100644 --- a/meta/classes/cve-check.bbclass +++ b/meta/classes/cve-check.bbclass @@ -37,9 +37,7 @@ CVE_CHECK_COPY_FILES ??= "1" CVE_CHECK_CREATE_MANIFEST ??= "1" # Whitelist for packages (PN) -CVE_CHECK_PN_WHITELIST = "\ - glibc-locale \ -" +CVE_CHECK_PN_WHITELIST ?= "" # Whitelist for CVE and version of package. If a CVE is found then the PV is # compared with the version list, and if found the CVE is considered
diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc index bf5eaee9380..ef06389ff94 100644 --- a/meta/recipes-core/glibc/glibc-locale.inc +++ b/meta/recipes-core/glibc/glibc-locale.inc @@ -98,3 +98,6 @@ do_install() { inherit libc-package BBCLASSEXTEND = "nativesdk" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc index d703c14bdc1..ef9d60ec239 100644 --- a/meta/recipes-core/glibc/glibc-mtrace.inc +++ b/meta/recipes-core/glibc/glibc-mtrace.inc @@ -11,3 +11,6 @@ do_install() { install -d -m 0755 ${D}${bindir} install -m 0755 ${SRC}/mtrace ${D}${bindir}/ } + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = "" diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc index 2a2b41507ed..14a14e45126 100644 --- a/meta/recipes-core/glibc/glibc-scripts.inc +++ b/meta/recipes-core/glibc/glibc-scripts.inc @@ -18,3 +18,6 @@ do_install() { # sotruss script requires sotruss-lib.so (given by libsotruss package), # to produce trace of the library calls. RDEPENDS_${PN} += "libsotruss" + +# Don't scan for CVEs as glibc will be scanned +CVE_PRODUCT = ""
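Review bot: the meta/classes/cve-check.bbclass hunk does two things, and the commit message only describes one of them. Replacing `CVE_CHECK_PN_WHITELIST = "\ glibc-locale \ "` with `CVE_CHECK_PN_WHITELIST ?= ""` drops the glibc-locale entry as intended, but it also changes a hard assignment into a weak default, so a value set in a distro or local.conf now survives where the class previously overrode it. That is a sensible property for a whitelist, but it widens what the scan can silently skip, so it deserves a sentence in the commit message (or keep `=` and limit this patch to removing the glibc-locale entry).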
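Review bot: the three identical `CVE_PRODUCT = ""` additions in glibc-locale.inc, glibc-mtrace.inc and glibc-scripts.inc only exclude those recipes if the class treats an empty CVE_PRODUCT as "do not scan", and nothing in the cve-check.bbclass hunk of this patch shows that path, so a reader of the diff alone cannot tell whether an empty product skips the check or just runs it with an empty product name. Suggest naming the class logic that short-circuits on an empty CVE_PRODUCT in the commit message, and making the new comment say so, e.g. `# Don't scan for CVEs: glibc itself is scanned, and an empty CVE_PRODUCT disables the check`, so the next person touching these .inc files sees the dependency. The quick check after applying the patch is that these three recipes disappear from the cve-check report entirely rather than appearing with zero findings.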