[oe] [meta-python] Python Flask recipes + cve-searching during package creation

Sven Ebenfeld sven.ebenfeld at gmail.com
Fri Feb 19 11:29:28 UTC 2016


First I would like to mention why I added these recipes.
Currently I'm working on my Master-Thesis for my studies in Applied IT
Security. The subject is to implement some security scans during image
creation.
This work shall help to prevent rolling out vulnerable firmware images.

One of the tasks I am trying to implement is scanning vulnerability databases
during image creation or building packages. To achieve this, I'm going to
use the cve-search project (https://github.com/cve-search/cve-search).
This is a quite large project with a lot of dependencies of
python3-packages. But it gives the opportunity to search through a lot of
databases with quite good performance.

The main work is done in my own layer currently.
(https://github.com/esven/meta-esven) But when it is working, I hope to
include it in meta-security layer or something like that.
Unfortunately I'm unable to get access to the meta-python-flask layer. As
stated in the commit message, I don't know if all dependencies for the
flask recipes are fulfilled when building these recipes into images.
If you have already done this work, I would really like to benefit from
your work and not do it again.

I'm trying to implement cve-searching like this:
1. build mongodb and redis as native
2. deploy cve-search including mongodb, redis and python3-dependencies in
native-sysroot
3. look for previously set up databases in sstate and use them in mongodb
and redis
4. start mongodb and redis with bitbake build (currently don't know how to
start it with shutting them down on bitbake shutdown) + give ability to use
external mongodb and redis server with configuration in local.conf
5. for every package creation, search for known vulnerabilities using PV
and PN variables.
5.1. if a CVE fix has been backported, this can be ignored by adding it to a
definable variable or by searching through local patch commit messages.
6. shutdown local mongodb and redis server on bitbake shutdown
7. save updated databases in sstate

I would really appreciate your feelings about this as I plan to finish this
task by the end of March 2016.

Cheers,
Sven
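
A minimal sketch of steps 5 and 5.1 above, added here as an illustration; it is not code from this post, from meta-esven or from cve-search. The record layout, the function names and the `ignore_var` parameter are assumptions, and the CVE ids, vendor and products are constructed placeholders.

```python
import re

CVE_ID = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed sample records (placeholder ids, hypothetical vendor/products).
# The dict layout is an assumption for this sketch, not a cve-search API.
RECORDS = [
    {"id": "CVE-0000-0001", "cpes": ["cpe:/a:examplevendor:libfoo:1.2.3"]},
    {"id": "CVE-0000-0002", "cpes": ["cpe:/a:examplevendor:libfoo:1.2.2",
                                     "cpe:/a:examplevendor:libfoo:1.2.3"]},
    {"id": "CVE-0000-0003", "cpes": ["cpe:/a:examplevendor:libfoo:1.2.3"]},
    {"id": "CVE-0000-0004", "cpes": ["cpe:/a:examplevendor:libfoo:1.2.4"]},
    {"id": "CVE-0000-0005", "cpes": ["cpe:/a:examplevendor:libbar:1.2.3"]},
]

def normalize(pn, pv):
    """Strip build-variant decoration so PN/PV compare against CPE fields."""
    pn = re.sub(r"^nativesdk-|-native$", "", pn)
    pv = pv.split("+", 1)[0]          # e.g. "1.2.3+gitAUTOINC" -> "1.2.3"
    return pn, pv

def cpe_matches(cpe, pn, pv):
    """True if a CPE 2.2 URI (cpe:/part:vendor:product:version) names pn at pv."""
    parts = cpe.split(":")
    return len(parts) >= 5 and parts[3] == pn and parts[4] == pv

def cves_in_patches(patch_texts):
    """Collect CVE ids mentioned in local patch headers / commit messages."""
    found = set()
    for text in patch_texts:
        found.update(CVE_ID.findall(text))
    return found

def check_package(pn, pv, records, ignore_var="", patch_texts=()):
    """Return (open_ids, ignored_ids) for one recipe's PN and PV."""
    pn, pv = normalize(pn, pv)
    ignored_ids = set(ignore_var.split()) | cves_in_patches(patch_texts)
    open_list, ignored = [], []
    for rec in records:
        if any(cpe_matches(c, pn, pv) for c in rec["cpes"]):
            (ignored if rec["id"] in ignored_ids else open_list).append(rec["id"])
    return sorted(open_list), sorted(ignored)

if __name__ == "__main__":
    patch = "libfoo: fix parser overflow\n\nBackport of the fix for CVE-0000-0003.\n"
    print(check_package("libfoo-native", "1.2.3", RECORDS, "CVE-0000-0002", [patch]))
```

Exact PN/PV string matching misses CVEs whose database product name differs from the recipe name, and a CVE id appearing in a patch message only shows that someone referenced it, so ignored entries are worth keeping in the build report for review.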

> -----Original Message-----
> From: openembedded-devel-bounces at lists.openembedded.org
> [mailto:openembedded-devel-bounces at lists.openembedded.org] On
> Behalf Of Tim Orling
> Sent: Friday, February 19, 2016 5:58 AM
> To: openembedded-devel at lists.openembedded.org
> Subject: Re: [oe] [meta-python] Python Flask recipes
> 
> I agree with Khem on all counts and would welcome the recipes to
> meta-python, if you so choose.
> 
> Regards,
> Tim
> 
> > On Feb 18, 2016, at 7:46 PM, Khem Raj <raj.khem at gmail.com> wrote:
> >
> >
> >> On Feb 18, 2016, at 10:33 AM, Fabio Berton <fabio.berton at ossystems.com.br> wrote:
> >>
> >> Hi all!
> >>
> >> I noticed that a few days ago were added some python-flask recipes.
> >>
> >> I've been maintaining a layer with python-flask recipes, hosted here
> >> http://code.ossystems.com.br/gitweb?p=meta-python-flask.git;a=summary
> >>
> >> There are recipes in meta-python-flask that were added to meta-python
> >> and I want to simplify maintenance and avoid duplicate recipes.
> >>
> >> So, do I send recipes from meta-python-flask to meta-python or we
> >> move all python-flask recipes from meta-python to meta-python-flask,
> >> using a layer only for Flask web framework?
> >
> > Here is a hierarchy one can envision
> >
> > 1. Core python runtime support - Oe-core
> > 2. python extended modules and infrastructure - meta-python
> >
> > now if you think this framework is quite commonly used and is kind of
> > core to python world, it's fine to have it in meta-python, if you think
> > it's too specific then move the common packages to meta-python and
> > maintain it as a separate layer
> > --
> > _______________________________________________
> > Openembedded-devel mailing list
> > Openembedded-devel at lists.openembedded.org
> > http://lists.openembedded.org/mailman/listinfo/openembedded-devel