diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-06-21 15:06:37 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2019-06-21 15:13:00 +0300 |
| commit | f3fd288e7961708569de104ef3335274f35bd1b8 (patch) | |
| tree | 5ccea465996907645ade20da50df6321b9756920 /poky/meta/classes | |
| parent | 231c99c6cf5e879dee20fc8f8c025f1b924c23eb (diff) | |
| download | openbmc-f3fd288e7961708569de104ef3335274f35bd1b8.tar.xz | |
subtree updates
meta-raspberrypi: 40283f583b..ca11a291ee:
Martin Schuessler (1):
omxplayer: remove hardcoded tune and arch from Makefile
poky: 111b7173fe..50d272863d:
Adrian Bunk (3):
wireless-regdb: Add recipe
go: Upgrade 1.12.5 -> 1.12.6
libxslt: Fix CVE-2019-11068
Alexander Kanavin (7):
vala: upgrade 0.44.3 -> 0.44.5
libnewt: merge libnewt-python recipe into the main recipe
epiphany: update to 3.32.3
btrfs-tools: update to 5.1.1
createrepo-c: upgrade 0.14.0 -> 0.14.2
librepo: upgrade 1.10.2 -> 1.10.3
libmodulemd: upgrade 2.4.0 -> 2.5.0
Alistair Francis (6):
libffi: Add RISC-V support
opensbi: Initial commit of OpenSBI
qemuriscv64: Add the QEMU RISC-V 64-bit machine
linux-yocto: Mark qemuriscv64 as compatible
qemuriscv: Build uImage for RISC-V machines
qemuriscv64: Fix QB_OPT_APPEND overwrite
Anuj Mittal (1):
runtime/cases/logrotate: make test more reliable
Ayoub Zaki (1):
kernel-fitimage: introduce FIT_HASH_ALG
Changqing Li (1):
gcc-runtime: fix C++ header mapping for n32/x32 tune
Chee Yang Lee (1):
wic/bootimg-efi: allow multiple initrd
Chen Qi (2):
manifest.py: fix test_SDK_manifest_entries
target-sdk-provides-dummy: add libperl.so.5 to DUMMY_PROVIDES
Chris PeBenito (1):
volatile-binds: Change cp to use -a instead of -p.
Denys Dmytriyenko (2):
mtd-utils: upgrade 2.0.2 -> 2.1.0+
mtd-utils: add "jffs" and "ubifs" PACKAGECONFIG options
He Zhe (1):
kernel: qemuarmv5: Update machine overrides of KERNEL_DEVICETREE
Joe Slater (1):
parted: change device manager check in ptest
Joshua Watt (1):
python3: Disable PGO for reproducible builds
Kai Kang (3):
systemd-conf: not configure network for nfs root
rng-tools: 6.6 -> 6.7
qemu: disable capstone for 32-bit mips with multilib
Lei Maohui (1):
openssl: Fix a build bug on aarch64BE.
Martin Jansa (4):
buildhistory: show time spent writting buildhistory
base.bbclass: define PACKAGECONFIG_CONFARGS before only sometimes appending to it
serf: stop scons trying to create directories in hosts rootfs
bitbake: tests/utils.py: add one more test cases for bb.utils.vercmp_string
Matt Madison (1):
apt: fix permissions on apt-daily script for systemd
Mingli Yu (1):
bitbake: add iconv to HOSTTOOLS
Pierre Le Magourou (4):
cve-update-db: New recipe to update CVE database
cve-check: Remove dependency to cve-check-tool-native
cve-check: Manage CVE_PRODUCT with more than one name
cve-check: Consider CVE that affects versions with less than operator
Ricardo Ribalda Delgado (4):
dpkg: Use less as pager
meson: Fix native patch to python3
rootfs: Fix dependency for every dpkg run
python3: python3: Fix build error x86->x86
Richard Purdie (7):
libxcrypt: Switch to disable obsolete APIs
libxcrypt-compat: Add recipe to build the obsolete APIs
uninative-tarball: Add libxcrypt-compat
openssh: Add missing DEPENDS on virtual/crypt
lttng-tools: Filter ptest output to remove random tmp directories
cmake: Clarify comment in cmake toolchain file
uninative: Update to 2.6 release
Robert Yang (2):
linux-dummy: Add do_compile_kernelmodules
make-mod-scripts: Depends on bison-native
Ross Burton (7):
insane: improve buildpath warning messages
insane: remove empty test that does nothing
binconfig: don't try to fix up .la files
libsdl2: use binconfig-disabled
glib-2.0: fix host path appearing in gsocketclient-slow test script
oeqa/logparser: ignore test failure commentary
python: make 'python' install everything instead of just the interpretter
Stefano Babic (1):
systat: systemd never enables the service
Tim Orling (4):
perl-rdepends.txt: more ptest dependencies fixes
libxml-sax-perl: upgrade 1.00 -> 1.02
libmodule-build-perl: move from meta-perl
libmodule-build-perl: upgrade 0.4224 -> 0.4229; enable ptest
Yi Zhao (2):
shadow: fix configure error with dash
less: upgrade 550 -> 551
Zang Ruochen (9):
lighttpd: Upgrade 1.4.53 -> 1.4.54
libevent:upgrade 2.1.8 -> 2.1.10
libevdev:upgrade 1.6.0 -> 1.7.0
gnutls:upgrade 3.6.7 -> 3.6.8
gnupg:upgrade 2.2.15 -> 2.2.16
curl:upgrade 7.64.1 -> 7.65.1
lttng-ust:upgrade 2.10.3 -> 2.10.4
xkeyboard:upgrade 2.26 -> 2.27
gobject-introspection:upgrade 1.60.1 -> 1.60.2
Change-Id: I3df401c6822e1c5c2ee9cff57c7264fe31c6d22d
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'poky/meta/classes')
| -rw-r--r-- | poky/meta/classes/base.bbclass | 2 | ||||
| -rw-r--r-- | poky/meta/classes/binconfig.bbclass | 9 | ||||
| -rw-r--r-- | poky/meta/classes/buildhistory.bbclass | 4 | ||||
| -rw-r--r-- | poky/meta/classes/cmake.bbclass | 2 | ||||
| -rw-r--r-- | poky/meta/classes/cve-check.bbclass | 90 | ||||
| -rw-r--r-- | poky/meta/classes/insane.bbclass | 10 | ||||
| -rw-r--r-- | poky/meta/classes/kernel-fitimage.bbclass | 13 |
7 files changed, 60 insertions, 70 deletions
diff --git a/poky/meta/classes/base.bbclass b/poky/meta/classes/base.bbclass index 90af8ba72..0c8a4b286 100644 --- a/poky/meta/classes/base.bbclass +++ b/poky/meta/classes/base.bbclass @@ -15,6 +15,8 @@ OE_EXTRA_IMPORTS ?= "" OE_IMPORTS += "os sys time oe.path oe.utils oe.types oe.package oe.packagegroup oe.sstatesig oe.lsb oe.cachedpath oe.license ${OE_EXTRA_IMPORTS}" OE_IMPORTS[type] = "list" +PACKAGECONFIG_CONFARGS ??= "" + def oe_import(d): import sys diff --git a/poky/meta/classes/binconfig.bbclass b/poky/meta/classes/binconfig.bbclass index 133b9537c..9112ed460 100644 --- a/poky/meta/classes/binconfig.bbclass +++ b/poky/meta/classes/binconfig.bbclass @@ -40,15 +40,6 @@ binconfig_package_preprocess () { -e 's:${STAGING_DIR_HOST}${prefix}:${prefix}:' \ $config done - for lafile in `find ${PKGD} -type f -name "*.la"` ; do - sed -i \ - -e 's:${STAGING_BASELIBDIR}:${base_libdir}:g;' \ - -e 's:${STAGING_LIBDIR}:${libdir}:g;' \ - -e 's:${STAGING_INCDIR}:${includedir}:g;' \ - -e 's:${STAGING_DATADIR}:${datadir}:' \ - -e 's:${STAGING_DIR_HOST}${prefix}:${prefix}:' \ - $lafile - done } SYSROOT_PREPROCESS_FUNCS += "binconfig_sysroot_preprocess" diff --git a/poky/meta/classes/buildhistory.bbclass b/poky/meta/classes/buildhistory.bbclass index 796f68cf8..2e501df24 100644 --- a/poky/meta/classes/buildhistory.bbclass +++ b/poky/meta/classes/buildhistory.bbclass @@ -839,11 +839,15 @@ python buildhistory_eventhandler() { if e.data.getVar("BUILDHISTORY_COMMIT") == "1": bb.note("Writing buildhistory") bb.build.exec_func("buildhistory_write_sigs", d) + import time + start=time.time() localdata = bb.data.createCopy(e.data) localdata.setVar('BUILDHISTORY_BUILD_FAILURES', str(e._failures)) interrupted = getattr(e, '_interrupted', 0) localdata.setVar('BUILDHISTORY_BUILD_INTERRUPTED', str(interrupted)) bb.build.exec_func("buildhistory_commit", localdata) + stop=time.time() + bb.note("Writing buildhistory took: %s seconds" % round(stop-start)) else: bb.note("No commit since BUILDHISTORY_COMMIT != '1'") } diff --git a/poky/meta/classes/cmake.bbclass b/poky/meta/classes/cmake.bbclass index f80a7e2f1..2b317c832 100644 --- a/poky/meta/classes/cmake.bbclass +++ b/poky/meta/classes/cmake.bbclass @@ -119,7 +119,7 @@ set( ENV{QT_CONF_PATH} ${WORKDIR}/qt.conf ) # directory as rpath by default set( CMAKE_INSTALL_RPATH ${OECMAKE_RPATH} ) -# Use native cmake modules +# Use our cmake modules list(APPEND CMAKE_MODULE_PATH "${STAGING_DATADIR}/cmake/Modules/") # add for non /usr/lib libdir, e.g. /usr/lib64 diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 743bc08a4..379f7121c 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -26,7 +26,7 @@ CVE_PRODUCT ??= "${BPN}" CVE_VERSION ??= "${PV}" CVE_CHECK_DB_DIR ?= "${DL_DIR}/CVE_CHECK" -CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd.db" +CVE_CHECK_DB_FILE ?= "${CVE_CHECK_DB_DIR}/nvd-json.db" CVE_CHECK_LOG ?= "${T}/cve.log" CVE_CHECK_TMP_FILE ?= "${TMPDIR}/cve_check" @@ -62,7 +62,7 @@ python do_cve_check () { } addtask cve_check after do_unpack before do_build -do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db" +do_cve_check[depends] = "cve-update-db:do_populate_cve_db" do_cve_check[nostamp] = "1" python cve_check_cleanup () { @@ -163,61 +163,55 @@ def get_patches_cves(d): def check_cves(d, patched_cves): """ - Run cve-check-tool looking for patched and unpatched CVEs. + Connect to the NVD database and find unpatched cves. """ - import ast, csv, tempfile, subprocess, io + from distutils.version import LooseVersion - cves_patched = [] cves_unpatched = [] - bpn = d.getVar("CVE_PRODUCT") + # CVE_PRODUCT can contain more than one product (eg. curl/libcurl) + bpn = d.getVar("CVE_PRODUCT").split() # If this has been unset then we're not scanning for CVEs here (for example, image recipes) - if not bpn: + if len(bpn) == 0: return ([], []) pv = d.getVar("CVE_VERSION").split("+git")[0] - cves = " ".join(patched_cves) - cve_db_dir = d.getVar("CVE_CHECK_DB_DIR") cve_whitelist = ast.literal_eval(d.getVar("CVE_CHECK_CVE_WHITELIST")) - cve_cmd = "cve-check-tool" - cmd = [cve_cmd, "--no-html", "--skip-update", "--csv", "--not-affected", "-t", "faux", "-d", cve_db_dir] # If the recipe has been whitlisted we return empty lists if d.getVar("PN") in d.getVar("CVE_CHECK_PN_WHITELIST").split(): bb.note("Recipe has been whitelisted, skipping check") return ([], []) - try: - # Write the faux CSV file to be used with cve-check-tool - fd, faux = tempfile.mkstemp(prefix="cve-faux-") - with os.fdopen(fd, "w") as f: - for pn in bpn.split(): - f.write("%s,%s,%s,\n" % (pn, pv, cves)) - cmd.append(faux) - - output = subprocess.check_output(cmd).decode("utf-8") - bb.debug(2, "Output of command %s:\n%s" % ("\n".join(cmd), output)) - except subprocess.CalledProcessError as e: - bb.warn("Couldn't check for CVEs: %s (output %s)" % (e, e.output)) - finally: - os.remove(faux) - - for row in csv.reader(io.StringIO(output)): - # Third row has the unpatched CVEs - if row[2]: - for cve in row[2].split(): - # Skip if the CVE has been whitlisted for the current version - if pv in cve_whitelist.get(cve,[]): - bb.note("%s-%s has been whitelisted for %s" % (bpn, pv, cve)) - else: - cves_unpatched.append(cve) - bb.debug(2, "%s-%s is not patched for %s" % (bpn, pv, cve)) - # Fourth row has patched CVEs - if row[3]: - for cve in row[3].split(): - cves_patched.append(cve) - bb.debug(2, "%s-%s is patched for %s" % (bpn, pv, cve)) - - return (cves_patched, cves_unpatched) + import sqlite3 + db_file = d.getVar("CVE_CHECK_DB_FILE") + conn = sqlite3.connect(db_file) + c = conn.cursor() + + query = """SELECT * FROM PRODUCTS WHERE + (PRODUCT IS '{0}' AND VERSION = '{1}' AND OPERATOR IS '=') OR + (PRODUCT IS '{0}' AND OPERATOR IS '<=');""" + for idx in range(len(bpn)): + for row in c.execute(query.format(bpn[idx],pv)): + cve = row[1] + version = row[4] + + try: + discardVersion = LooseVersion(version) < LooseVersion(pv) + except: + discardVersion = True + + if pv in cve_whitelist.get(cve,[]): + bb.note("%s-%s has been whitelisted for %s" % (bpn[idx], pv, cve)) + elif cve in patched_cves: + bb.note("%s has been patched" % (cve)) + elif discardVersion: + bb.debug(2, "Do not consider version %s " % (version)) + else: + cves_unpatched.append(cve) + bb.debug(2, "%s-%s is not patched for %s" % (bpn[idx], pv, cve)) + conn.close() + + return (list(patched_cves), cves_unpatched) def get_cve_info(d, cves): """ @@ -241,9 +235,10 @@ def get_cve_info(d, cves): for row in cur.execute(query, tuple(cves)): cve_data[row[0]] = {} cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["score"] = row[2] - cve_data[row[0]]["modified"] = row[3] - cve_data[row[0]]["vector"] = row[4] + cve_data[row[0]]["scorev2"] = row[2] + cve_data[row[0]]["scorev3"] = row[3] + cve_data[row[0]]["modified"] = row[4] + cve_data[row[0]]["vector"] = row[5] conn.close() return cve_data @@ -270,7 +265,8 @@ def cve_write_data(d, patched, unpatched, cve_data): unpatched_cves.append(cve) write_string += "CVE STATUS: Unpatched\n" write_string += "CVE SUMMARY: %s\n" % cve_data[cve]["summary"] - write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["score"] + write_string += "CVSS v2 BASE SCORE: %s\n" % cve_data[cve]["scorev2"] + write_string += "CVSS v3 BASE SCORE: %s\n" % cve_data[cve]["scorev3"] write_string += "VECTOR: %s\n" % cve_data[cve]["vector"] write_string += "MORE INFORMATION: %s%s\n\n" % (nvd_link, cve) diff --git a/poky/meta/classes/insane.bbclass b/poky/meta/classes/insane.bbclass index fdc20c41a..0695a0443 100644 --- a/poky/meta/classes/insane.bbclass +++ b/poky/meta/classes/insane.bbclass @@ -259,13 +259,6 @@ def package_qa_check_dbg(path, name, d, elf, messages): package_qa_add_message(messages, "debug-files", "non debug package contains .debug directory: %s path %s" % \ (name, package_qa_clean_path(path,d))) -QAPATHTEST[perms] = "package_qa_check_perm" -def package_qa_check_perm(path,name,d, elf, messages): - """ - Check the permission of files - """ - return - QAPATHTEST[arch] = "package_qa_check_arch" def package_qa_check_arch(path,name,d, elf, messages): """ @@ -408,7 +401,8 @@ def package_qa_check_buildpaths(path, name, d, elf, messages): with open(path, 'rb') as f: file_content = f.read() if tmpdir in file_content: - package_qa_add_message(messages, "buildpaths", "File %s in package contained reference to tmpdir" % package_qa_clean_path(path,d)) + trimmed = path.replace(os.path.join (d.getVar("PKGDEST"), name), "") + package_qa_add_message(messages, "buildpaths", "File %s in package %s contains reference to TMPDIR" % (trimmed, name)) QAPATHTEST[xorg-driver-abi] = "package_qa_check_xorg_driver_abi" diff --git a/poky/meta/classes/kernel-fitimage.bbclass b/poky/meta/classes/kernel-fitimage.bbclass index 9e224daf0..b51882dce 100644 --- a/poky/meta/classes/kernel-fitimage.bbclass +++ b/poky/meta/classes/kernel-fitimage.bbclass @@ -50,6 +50,9 @@ python __anonymous () { # Options for the device tree compiler passed to mkimage '-D' feature: UBOOT_MKIMAGE_DTCOPTS ??= "" +# fitImage Hash Algo +FIT_HASH_ALG ?= "sha256" + # # Emit the fitImage ITS header # @@ -109,7 +112,7 @@ EOF # $4 ... Compression type fitimage_emit_section_kernel() { - kernel_csum="sha1" + kernel_csum="${FIT_HASH_ALG}" ENTRYPOINT="${UBOOT_ENTRYPOINT}" if [ -n "${UBOOT_ENTRYSYMBOL}" ]; then @@ -142,7 +145,7 @@ EOF # $3 ... Path to DTB image fitimage_emit_section_dtb() { - dtb_csum="sha1" + dtb_csum="${FIT_HASH_ALG}" dtb_loadline="" dtb_ext=${DTB##*.} @@ -176,7 +179,7 @@ EOF # $3 ... Path to setup image fitimage_emit_section_setup() { - setup_csum="sha1" + setup_csum="${FIT_HASH_ALG}" cat << EOF >> ${1} setup@${2} { @@ -203,7 +206,7 @@ EOF # $3 ... Path to ramdisk image fitimage_emit_section_ramdisk() { - ramdisk_csum="sha1" + ramdisk_csum="${FIT_HASH_ALG}" ramdisk_ctype="none" ramdisk_loadline="" ramdisk_entryline="" @@ -261,7 +264,7 @@ EOF # $6 ... default flag fitimage_emit_section_config() { - conf_csum="sha1" + conf_csum="${FIT_HASH_ALG}" if [ -n "${UBOOT_SIGN_ENABLE}" ] ; then conf_sign_keyname="${UBOOT_SIGN_KEYNAME}" fi |