diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-11-25 17:41:34 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-11-25 17:41:44 +0300 |
| commit | 6dbb316ab9052d4dbf158377e1ffe36f205d5477 (patch) | |
| tree | 721c5dfa7946f5188240620aa7d138f8a688e9f7 /poky/meta/classes | |
| parent | 8410d61f39efb52ffab1dc89efb05ca3ae837907 (diff) | |
| download | openbmc-6dbb316ab9052d4dbf158377e1ffe36f205d5477.tar.xz | |
poky: subtree update:a616ffebdc..9052e5b32a
Adrian Bunk (1):
bind: Whitelist CVE-2019-6470
Alexander Kanavin (13):
python: update to 2.7.17
tiff: update to 4.1.0
librepo: upgrade 1.10.6 -> 1.11.0
btrfs-tools: upgrade 5.3 -> 5.3.1
psmisc: update to 23.3
libxslt: update to 1.1.34
Revert "devtool/standard.py: Not filtering devtool workspace for devtool finish"
mpg123: upgrade 1.25.12 -> 1.25.13
vala: upgrade 0.46.3 -> 0.46.4
sysstat: upstream version check is working again
cairo: the component is dual licensed
selftest: check that 'devtool upgrade' correctly drops backported patches
runqemu: add options that enable virgl with the SDL frontend
Alistair Francis (1):
mesa: Upgrade to 19.2.4
Anuj Mittal (7):
boost: fix build for x32
rng-tools: upgrade 6.7 -> 6.8
harfbuzz: upgrade 2.6.1 -> 2.6.4
libsolv: upgrade 0.7.6 -> 0.7.8
sqlite3: upgrade 3.30.0 -> 3.30.1
stress-ng: upgrade 0.10.08 -> 0.10.10
glib-2.0: upgrade 2.62.1 -> 2.62.2
Armin Kuster (9):
oeqa/manual/bsp-hw: remove rpm -ivh test
oeqa/runtime/boot: add reboot test
oeqa/manual/bsp-hw: remove reboot test
oeqa/manual/bsp-hw: move storage tests to runtime
oeqa/manual/bsp-hw: remove usb and SDmicro tests
manual/bsd-hw: remove bash tests
oeqa/manual/compliance-test: remove crashme tests
oeqa/manual/compliance-test: move crashme to runtime
/oeqa/manual/compliance-test: remove obsolete test
Chee Yang Lee (2):
wic: rm with -r flag support
selftest/wic: test wic rm with -r flag
Denys Dmytriyenko (1):
distro_features_check: expand with MACHINE_FEATURES and COMBINED_FEATURES, rename
Kai Kang (1):
systemd: remove ${PN}-xorg-xinitrc
Khem Raj (1):
webkitgtk: Remove clang specific option
Paul Barker (1):
cdrtools-native: Don't set uid/gid during install
Paul Eggleton (1):
devtool: fix devtool upgrade with reproducible_builds class
Richard Purdie (10):
oeqa/devtool: Avoid unbound variable errors
recipetool/create: Fix to work with reproducible_builds
opkg: Add upstream fixes for empty packages
opkg-utils: Fix silent empty/broken opkg package creation
core-image-full-cmdline: Add less
bitbake: fetch2/clearcase: Fix warnings from python 3.8
bitbake: runqueue: Fix hash equivalence duplicate tasks running
sanity: Add check for tar older than 1.28
oeqa/selftest/sstatetests: Ensure we don't use hashequiv for sstatesigs tests
package_ipk: Remove pointless comment to trigger rebuild
Ross Burton (8):
cve-update-db-native: don't hardcode the database name
cve-update-db-native: add an index on the CVE ID column
cve-update-db-native: clean up proxy handling
cve-check: rewrite look to fix false negatives
cve-check: neaten get_cve_info
cve-check: fetch CVE data once at a time instead of in a single call
bitbake: tests: add test for the hashing functions
bitbake: utils: also use mmap for SHA256 and SHA1, for performance
Yi Zhao (1):
bitbake: contrib/vim/indent/bitbake.vim: move it to correct directory
Change-Id: I526155f21145180c764252a2ae5bfba33def10ff
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/classes')
| -rw-r--r-- | poky/meta/classes/cve-check.bbclass | 95 | ||||
| -rw-r--r-- | poky/meta/classes/distro_features_check.bbclass | 35 | ||||
| -rw-r--r-- | poky/meta/classes/features_check.bbclass | 85 | ||||
| -rw-r--r-- | poky/meta/classes/package_ipk.bbclass | 1 | ||||
| -rw-r--r-- | poky/meta/classes/sanity.bbclass | 5 |
5 files changed, 140 insertions, 81 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 3326944d7..19ed5548b 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -165,7 +165,6 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - import ast, csv, tempfile, subprocess, io from distutils.version import LooseVersion cves_unpatched = [] @@ -187,68 +186,74 @@ def check_cves(d, patched_cves): cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() import sqlite3 - db_file = d.getVar("CVE_CHECK_DB_FILE") - conn = sqlite3.connect(db_file) + db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") + conn = sqlite3.connect(db_file, uri=True) + # For each of the known product names (e.g. curl has CPEs using curl and libcurl)... for product in products: - c = conn.cursor() if ":" in product: vendor, product = product.split(":", 1) - c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor)) else: - c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,)) + vendor = "%" - for row in c: - cve = row[0] - version_start = row[3] - operator_start = row[4] - version_end = row[5] - operator_end = row[6] + # Find all relevant CVE IDs. + for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)): + cve = cverow[0] if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) # TODO: this should be in the report as 'whitelisted' patched_cves.add(cve) + continue elif cve in patched_cves: bb.note("%s has been patched" % (cve)) - else: - to_append = False + continue + + vulnerable = False + for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): + (_, _, _, version_start, operator_start, version_end, operator_end) = row + #bb.debug(2, "Evaluating row " + str(row)) + if (operator_start == '=' and pv == version_start): - to_append = True + vulnerable = True else: if operator_start: try: - to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) - to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) + vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) - to_append_start = False + vulnerable_start = False else: - to_append_start = False + vulnerable_start = False if operator_end: try: - to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) - to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) + vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_end, version_end, cve)) - to_append_end = False + vulnerable_end = False else: - to_append_end = False + vulnerable_end = False if operator_start and operator_end: - to_append = to_append_start and to_append_end + vulnerable = vulnerable_start and vulnerable_end else: - to_append = to_append_start or to_append_end + vulnerable = vulnerable_start or vulnerable_end - if to_append: + if vulnerable: bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - else: - bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) - patched_cves.add(cve) + break + + if not vulnerable: + bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) + # TODO: not patched but not vulnerable + patched_cves.add(cve) + conn.close() return (list(patched_cves), cves_unpatched) @@ -256,31 +261,23 @@ def check_cves(d, patched_cves): def get_cve_info(d, cves): """ Get CVE information from the database. - - Unfortunately the only way to get CVE info is set the output to - html (hard to parse) or query directly the database. """ - try: - import sqlite3 - except ImportError: - from pysqlite2 import dbapi2 as sqlite3 + import sqlite3 cve_data = {} - db_file = d.getVar("CVE_CHECK_DB_FILE") - placeholder = ",".join("?" * len(cves)) - query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder - conn = sqlite3.connect(db_file) - cur = conn.cursor() - for row in cur.execute(query, tuple(cves)): - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["scorev2"] = row[2] - cve_data[row[0]]["scorev3"] = row[3] - cve_data[row[0]]["modified"] = row[4] - cve_data[row[0]]["vector"] = row[5] - conn.close() + conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) + for cve in cves: + for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)): + cve_data[row[0]] = {} + cve_data[row[0]]["summary"] = row[1] + cve_data[row[0]]["scorev2"] = row[2] + cve_data[row[0]]["scorev3"] = row[3] + cve_data[row[0]]["modified"] = row[4] + cve_data[row[0]]["vector"] = row[5] + + conn.close() return cve_data def cve_write_data(d, patched, unpatched, cve_data): diff --git a/poky/meta/classes/distro_features_check.bbclass b/poky/meta/classes/distro_features_check.bbclass index eeaa3b44c..8124a8ca2 100644 --- a/poky/meta/classes/distro_features_check.bbclass +++ b/poky/meta/classes/distro_features_check.bbclass @@ -1,32 +1,7 @@ -# Allow checking of required and conflicting DISTRO_FEATURES -# -# ANY_OF_DISTRO_FEATURES: ensure at least one item on this list is included -# in DISTRO_FEATURES. -# REQUIRED_DISTRO_FEATURES: ensure every item on this list is included -# in DISTRO_FEATURES. -# CONFLICT_DISTRO_FEATURES: ensure no item in this list is included in -# DISTRO_FEATURES. -# -# Copyright 2013 (C) O.S. Systems Software LTDA. +# Temporarily provide fallback to the old name of the class -python () { - # Assume at least one var is set. - distro_features = set((d.getVar('DISTRO_FEATURES') or '').split()) - - any_of_distro_features = set((d.getVar('ANY_OF_DISTRO_FEATURES') or '').split()) - if any_of_distro_features: - if set.isdisjoint(any_of_distro_features, distro_features): - raise bb.parse.SkipRecipe("one of '%s' needs to be in DISTRO_FEATURES" % ' '.join(any_of_distro_features)) - - required_distro_features = set((d.getVar('REQUIRED_DISTRO_FEATURES') or '').split()) - if required_distro_features: - missing = set.difference(required_distro_features, distro_features) - if missing: - raise bb.parse.SkipRecipe("missing required distro feature%s '%s' (not in DISTRO_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) - - conflict_distro_features = set((d.getVar('CONFLICT_DISTRO_FEATURES') or '').split()) - if conflict_distro_features: - conflicts = set.intersection(conflict_distro_features, distro_features) - if conflicts: - raise bb.parse.SkipRecipe("conflicting distro feature%s '%s' (in DISTRO_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) +python __anonymous() { + bb.warn("distro_features_check.bbclass is deprecated, please use features_check.bbclass instead") } + +inherit features_check diff --git a/poky/meta/classes/features_check.bbclass b/poky/meta/classes/features_check.bbclass new file mode 100644 index 000000000..391fbe1c9 --- /dev/null +++ b/poky/meta/classes/features_check.bbclass @@ -0,0 +1,85 @@ +# Allow checking of required and conflicting DISTRO_FEATURES +# +# ANY_OF_DISTRO_FEATURES: ensure at least one item on this list is included +# in DISTRO_FEATURES. +# REQUIRED_DISTRO_FEATURES: ensure every item on this list is included +# in DISTRO_FEATURES. +# CONFLICT_DISTRO_FEATURES: ensure no item in this list is included in +# DISTRO_FEATURES. +# ANY_OF_MACHINE_FEATURES: ensure at least one item on this list is included +# in MACHINE_FEATURES. +# REQUIRED_MACHINE_FEATURES: ensure every item on this list is included +# in MACHINE_FEATURES. +# CONFLICT_MACHINE_FEATURES: ensure no item in this list is included in +# MACHINE_FEATURES. +# ANY_OF_COMBINED_FEATURES: ensure at least one item on this list is included +# in COMBINED_FEATURES. +# REQUIRED_COMBINED_FEATURES: ensure every item on this list is included +# in COMBINED_FEATURES. +# CONFLICT_COMBINED_FEATURES: ensure no item in this list is included in +# COMBINED_FEATURES. +# +# Copyright 2019 (C) Texas Instruments Inc. +# Copyright 2013 (C) O.S. Systems Software LTDA. + +python () { + # Assume at least one var is set. + distro_features = set((d.getVar('DISTRO_FEATURES') or '').split()) + + any_of_distro_features = set((d.getVar('ANY_OF_DISTRO_FEATURES') or '').split()) + if any_of_distro_features: + if set.isdisjoint(any_of_distro_features, distro_features): + raise bb.parse.SkipRecipe("one of '%s' needs to be in DISTRO_FEATURES" % ' '.join(any_of_distro_features)) + + required_distro_features = set((d.getVar('REQUIRED_DISTRO_FEATURES') or '').split()) + if required_distro_features: + missing = set.difference(required_distro_features, distro_features) + if missing: + raise bb.parse.SkipRecipe("missing required distro feature%s '%s' (not in DISTRO_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) + + conflict_distro_features = set((d.getVar('CONFLICT_DISTRO_FEATURES') or '').split()) + if conflict_distro_features: + conflicts = set.intersection(conflict_distro_features, distro_features) + if conflicts: + raise bb.parse.SkipRecipe("conflicting distro feature%s '%s' (in DISTRO_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) + + # Assume at least one var is set. + machine_features = set((d.getVar('MACHINE_FEATURES') or '').split()) + + any_of_machine_features = set((d.getVar('ANY_OF_MACHINE_FEATURES') or '').split()) + if any_of_machine_features: + if set.isdisjoint(any_of_machine_features, machine_features): + raise bb.parse.SkipRecipe("one of '%s' needs to be in MACHINE_FEATURES" % ' '.join(any_of_machine_features)) + + required_machine_features = set((d.getVar('REQUIRED_MACHINE_FEATURES') or '').split()) + if required_machine_features: + missing = set.difference(required_machine_features, machine_features) + if missing: + raise bb.parse.SkipRecipe("missing required machine feature%s '%s' (not in MACHINE_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) + + conflict_machine_features = set((d.getVar('CONFLICT_MACHINE_FEATURES') or '').split()) + if conflict_machine_features: + conflicts = set.intersection(conflict_machine_features, machine_features) + if conflicts: + raise bb.parse.SkipRecipe("conflicting machine feature%s '%s' (in MACHINE_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) + + # Assume at least one var is set. + combined_features = set((d.getVar('COMBINED_FEATURES') or '').split()) + + any_of_combined_features = set((d.getVar('ANY_OF_COMBINED_FEATURES') or '').split()) + if any_of_combined_features: + if set.isdisjoint(any_of_combined_features, combined_features): + raise bb.parse.SkipRecipe("one of '%s' needs to be in COMBINED_FEATURES" % ' '.join(any_of_combined_features)) + + required_combined_features = set((d.getVar('REQUIRED_COMBINED_FEATURES') or '').split()) + if required_combined_features: + missing = set.difference(required_combined_features, combined_features) + if missing: + raise bb.parse.SkipRecipe("missing required machine feature%s '%s' (not in COMBINED_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) + + conflict_combined_features = set((d.getVar('CONFLICT_COMBINED_FEATURES') or '').split()) + if conflict_combined_features: + conflicts = set.intersection(conflict_combined_features, combined_features) + if conflicts: + raise bb.parse.SkipRecipe("conflicting machine feature%s '%s' (in COMBINED_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) +} diff --git a/poky/meta/classes/package_ipk.bbclass b/poky/meta/classes/package_ipk.bbclass index 9f9da2f91..4f2397703 100644 --- a/poky/meta/classes/package_ipk.bbclass +++ b/poky/meta/classes/package_ipk.bbclass @@ -154,7 +154,6 @@ def ipk_write_pkg(pkg, d): ctrlfile.write('%s\n' % textwrap.fill(description, width=74, initial_indent=' ', subsequent_indent=' ')) else: ctrlfile.write(c % tuple(pullData(fs, localdata))) - # more fields custom_fields_chunk = get_package_additional_metadata("ipk", localdata) if custom_fields_chunk is not None: diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass index a14bf5388..63ab6cf3d 100644 --- a/poky/meta/classes/sanity.bbclass +++ b/poky/meta/classes/sanity.bbclass @@ -523,6 +523,7 @@ def check_wsl(d): # Tar version 1.24 and onwards handle overwriting symlinks correctly # but earlier versions do not; this needs to work properly for sstate +# Version 1.28 is needed so opkg-build works correctly when reproducibile builds are enabled def check_tar_version(sanity_data): from distutils.version import LooseVersion import subprocess @@ -532,7 +533,9 @@ def check_tar_version(sanity_data): return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output) version = result.split()[3] if LooseVersion(version) < LooseVersion("1.24"): - return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar.\n" + return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar (1.28+).\n" + if LooseVersion(version) < LooseVersion("1.28"): + return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the projects buildtools-tarball from our last release).\n" return None # We use git parameters and functionality only found in 1.7.8 or later |