[OE-core] [PATCH] glibc: exclude child recipes from CVE scanning

Khem Raj raj.khem at gmail.com
Tue Jul 16 17:44:48 UTC 2019


Seems good to me.

On Tue, Jul 16, 2019 at 5:47 AM Ross Burton <ross.burton at intel.com> wrote:
>
> As glibc will be scanned for CVEs, we don't need to scan glibc-locale,
> glibc-mtrace, and glibc-scripts which are all separate recipes for technical
> reasons.
>
> Exclude the recipes by setting CVE_PRODUCT in the recipe, instead of using the
> global whitelist.
>
> Signed-off-by: Ross Burton <ross.burton at intel.com>
> ---
>  meta/classes/cve-check.bbclass            | 4 +---
>  meta/recipes-core/glibc/glibc-locale.inc  | 3 +++
>  meta/recipes-core/glibc/glibc-mtrace.inc  | 3 +++
>  meta/recipes-core/glibc/glibc-scripts.inc | 3 +++
>  4 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
> index 5979edf3d17..19ac48cfd49 100644
> --- a/meta/classes/cve-check.bbclass
> +++ b/meta/classes/cve-check.bbclass
> @@ -37,9 +37,7 @@ CVE_CHECK_COPY_FILES ??= "1"
>  CVE_CHECK_CREATE_MANIFEST ??= "1"
>
>  # Whitelist for packages (PN)
> -CVE_CHECK_PN_WHITELIST = "\
> -    glibc-locale \
> -"
> +CVE_CHECK_PN_WHITELIST ?= ""
>
>  # Whitelist for CVE and version of package. If a CVE is found then the PV is
>  # compared with the version list, and if found the CVE is considered
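Review bot: the switch from `=` to `?=` on CVE_CHECK_PN_WHITELIST is a semantic change that the commit message does not mention: with `?=` a layer or local.conf can now set the default before the class is parsed, whereas the old hard assignment would have overwritten it. Either add a sentence to the message explaining why a weak default is wanted, or keep `= ""` if the only intent is to empty the list. Also worth noting in the message that, as the removed lines show, only glibc-locale was whitelisted before, so glibc-mtrace and glibc-scripts were being scanned up to now and this patch stops that rather than preserving an existing exclusion.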
> diff --git a/meta/recipes-core/glibc/glibc-locale.inc b/meta/recipes-core/glibc/glibc-locale.inc
> index bf5eaee9380..ef06389ff94 100644
> --- a/meta/recipes-core/glibc/glibc-locale.inc
> +++ b/meta/recipes-core/glibc/glibc-locale.inc
> @@ -98,3 +98,6 @@ do_install() {
>  inherit libc-package
>
>  BBCLASSEXTEND = "nativesdk"
> +
> +# Don't scan for CVEs as glibc will be scanned
> +CVE_PRODUCT = ""
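Review bot: this hunk relies on cve-check.bbclass treating an empty CVE_PRODUCT as "nothing to scan", but nothing in the diff shows that the class skips such recipes rather than querying the database with an empty product name; the comment or the commit message should state that behaviour so a later reader can verify it. The comment could also say where the scan actually happens and why the exclusion is safe, e.g. `# Don't scan for CVEs: this recipe is built from the glibc source tree, which the glibc recipe scans`.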
> diff --git a/meta/recipes-core/glibc/glibc-mtrace.inc b/meta/recipes-core/glibc/glibc-mtrace.inc
> index d703c14bdc1..ef9d60ec239 100644
> --- a/meta/recipes-core/glibc/glibc-mtrace.inc
> +++ b/meta/recipes-core/glibc/glibc-mtrace.inc
> @@ -11,3 +11,6 @@ do_install() {
>         install -d -m 0755 ${D}${bindir}
>         install -m 0755 ${SRC}/mtrace ${D}${bindir}/
>  }
> +
> +# Don't scan for CVEs as glibc will be scanned
> +CVE_PRODUCT = ""
> diff --git a/meta/recipes-core/glibc/glibc-scripts.inc b/meta/recipes-core/glibc/glibc-scripts.inc
> index 2a2b41507ed..14a14e45126 100644
> --- a/meta/recipes-core/glibc/glibc-scripts.inc
> +++ b/meta/recipes-core/glibc/glibc-scripts.inc
> @@ -18,3 +18,6 @@ do_install() {
>  # sotruss script requires sotruss-lib.so (given by libsotruss package),
>  # to produce trace of the library calls.
>  RDEPENDS_${PN} += "libsotruss"
> +
> +# Don't scan for CVEs as glibc will be scanned
> +CVE_PRODUCT = ""
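Review bot: the same comment and assignment are now repeated verbatim in glibc-locale.inc, glibc-mtrace.inc and glibc-scripts.inc, which is fine for a three-line change, but the comment "as glibc will be scanned" reads better if it names the recipe doing the scanning, e.g. `# Don't scan for CVEs: the glibc recipe scans this source tree`, so anyone grepping for CVE_PRODUCT exclusions later knows where the coverage comes from.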
> --
> 2.20.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core at lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core