diff options
Diffstat (limited to 'poky/meta/classes')
-rw-r--r-- | poky/meta/classes/cve-check.bbclass | 95 | ||||
-rw-r--r-- | poky/meta/classes/distro_features_check.bbclass | 35 | ||||
-rw-r--r-- | poky/meta/classes/features_check.bbclass | 85 | ||||
-rw-r--r-- | poky/meta/classes/package_ipk.bbclass | 1 | ||||
-rw-r--r-- | poky/meta/classes/sanity.bbclass | 5 |
5 files changed, 140 insertions, 81 deletions
diff --git a/poky/meta/classes/cve-check.bbclass b/poky/meta/classes/cve-check.bbclass index 3326944d7..19ed5548b 100644 --- a/poky/meta/classes/cve-check.bbclass +++ b/poky/meta/classes/cve-check.bbclass @@ -165,7 +165,6 @@ def check_cves(d, patched_cves): """ Connect to the NVD database and find unpatched cves. """ - import ast, csv, tempfile, subprocess, io from distutils.version import LooseVersion cves_unpatched = [] @@ -187,68 +186,74 @@ def check_cves(d, patched_cves): cve_whitelist = d.getVar("CVE_CHECK_WHITELIST").split() import sqlite3 - db_file = d.getVar("CVE_CHECK_DB_FILE") - conn = sqlite3.connect(db_file) + db_file = d.expand("file:${CVE_CHECK_DB_FILE}?mode=ro") + conn = sqlite3.connect(db_file, uri=True) + # For each of the known product names (e.g. curl has CPEs using curl and libcurl)... for product in products: - c = conn.cursor() if ":" in product: vendor, product = product.split(":", 1) - c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR IS ?", (product, vendor)) else: - c.execute("SELECT * FROM PRODUCTS WHERE PRODUCT IS ?", (product,)) + vendor = "%" - for row in c: - cve = row[0] - version_start = row[3] - operator_start = row[4] - version_end = row[5] - operator_end = row[6] + # Find all relevant CVE IDs. + for cverow in conn.execute("SELECT DISTINCT ID FROM PRODUCTS WHERE PRODUCT IS ? AND VENDOR LIKE ?", (product, vendor)): + cve = cverow[0] if cve in cve_whitelist: bb.note("%s-%s has been whitelisted for %s" % (product, pv, cve)) # TODO: this should be in the report as 'whitelisted' patched_cves.add(cve) + continue elif cve in patched_cves: bb.note("%s has been patched" % (cve)) - else: - to_append = False + continue + + vulnerable = False + for row in conn.execute("SELECT * FROM PRODUCTS WHERE ID IS ? AND PRODUCT IS ? AND VENDOR LIKE ?", (cve, product, vendor)): + (_, _, _, version_start, operator_start, version_end, operator_end) = row + #bb.debug(2, "Evaluating row " + str(row)) + if (operator_start == '=' and pv == version_start): - to_append = True + vulnerable = True else: if operator_start: try: - to_append_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) - to_append_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) + vulnerable_start = (operator_start == '>=' and LooseVersion(pv) >= LooseVersion(version_start)) + vulnerable_start |= (operator_start == '>' and LooseVersion(pv) > LooseVersion(version_start)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_start, version_start, cve)) - to_append_start = False + vulnerable_start = False else: - to_append_start = False + vulnerable_start = False if operator_end: try: - to_append_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) - to_append_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) + vulnerable_end = (operator_end == '<=' and LooseVersion(pv) <= LooseVersion(version_end)) + vulnerable_end |= (operator_end == '<' and LooseVersion(pv) < LooseVersion(version_end)) except: bb.warn("%s: Failed to compare %s %s %s for %s" % (product, pv, operator_end, version_end, cve)) - to_append_end = False + vulnerable_end = False else: - to_append_end = False + vulnerable_end = False if operator_start and operator_end: - to_append = to_append_start and to_append_end + vulnerable = vulnerable_start and vulnerable_end else: - to_append = to_append_start or to_append_end + vulnerable = vulnerable_start or vulnerable_end - if to_append: + if vulnerable: bb.note("%s-%s is vulnerable to %s" % (product, pv, cve)) cves_unpatched.append(cve) - else: - bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) - patched_cves.add(cve) + break + + if not vulnerable: + bb.note("%s-%s is not vulnerable to %s" % (product, pv, cve)) + # TODO: not patched but not vulnerable + patched_cves.add(cve) + conn.close() return (list(patched_cves), cves_unpatched) @@ -256,31 +261,23 @@ def check_cves(d, patched_cves): def get_cve_info(d, cves): """ Get CVE information from the database. - - Unfortunately the only way to get CVE info is set the output to - html (hard to parse) or query directly the database. """ - try: - import sqlite3 - except ImportError: - from pysqlite2 import dbapi2 as sqlite3 + import sqlite3 cve_data = {} - db_file = d.getVar("CVE_CHECK_DB_FILE") - placeholder = ",".join("?" * len(cves)) - query = "SELECT * FROM NVD WHERE id IN (%s)" % placeholder - conn = sqlite3.connect(db_file) - cur = conn.cursor() - for row in cur.execute(query, tuple(cves)): - cve_data[row[0]] = {} - cve_data[row[0]]["summary"] = row[1] - cve_data[row[0]]["scorev2"] = row[2] - cve_data[row[0]]["scorev3"] = row[3] - cve_data[row[0]]["modified"] = row[4] - cve_data[row[0]]["vector"] = row[5] - conn.close() + conn = sqlite3.connect(d.getVar("CVE_CHECK_DB_FILE")) + for cve in cves: + for row in conn.execute("SELECT * FROM NVD WHERE ID IS ?", (cve,)): + cve_data[row[0]] = {} + cve_data[row[0]]["summary"] = row[1] + cve_data[row[0]]["scorev2"] = row[2] + cve_data[row[0]]["scorev3"] = row[3] + cve_data[row[0]]["modified"] = row[4] + cve_data[row[0]]["vector"] = row[5] + + conn.close() return cve_data def cve_write_data(d, patched, unpatched, cve_data): diff --git a/poky/meta/classes/distro_features_check.bbclass b/poky/meta/classes/distro_features_check.bbclass index eeaa3b44c..8124a8ca2 100644 --- a/poky/meta/classes/distro_features_check.bbclass +++ b/poky/meta/classes/distro_features_check.bbclass @@ -1,32 +1,7 @@ -# Allow checking of required and conflicting DISTRO_FEATURES -# -# ANY_OF_DISTRO_FEATURES: ensure at least one item on this list is included -# in DISTRO_FEATURES. -# REQUIRED_DISTRO_FEATURES: ensure every item on this list is included -# in DISTRO_FEATURES. -# CONFLICT_DISTRO_FEATURES: ensure no item in this list is included in -# DISTRO_FEATURES. -# -# Copyright 2013 (C) O.S. Systems Software LTDA. +# Temporarily provide fallback to the old name of the class -python () { - # Assume at least one var is set. - distro_features = set((d.getVar('DISTRO_FEATURES') or '').split()) - - any_of_distro_features = set((d.getVar('ANY_OF_DISTRO_FEATURES') or '').split()) - if any_of_distro_features: - if set.isdisjoint(any_of_distro_features, distro_features): - raise bb.parse.SkipRecipe("one of '%s' needs to be in DISTRO_FEATURES" % ' '.join(any_of_distro_features)) - - required_distro_features = set((d.getVar('REQUIRED_DISTRO_FEATURES') or '').split()) - if required_distro_features: - missing = set.difference(required_distro_features, distro_features) - if missing: - raise bb.parse.SkipRecipe("missing required distro feature%s '%s' (not in DISTRO_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) - - conflict_distro_features = set((d.getVar('CONFLICT_DISTRO_FEATURES') or '').split()) - if conflict_distro_features: - conflicts = set.intersection(conflict_distro_features, distro_features) - if conflicts: - raise bb.parse.SkipRecipe("conflicting distro feature%s '%s' (in DISTRO_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) +python __anonymous() { + bb.warn("distro_features_check.bbclass is deprecated, please use features_check.bbclass instead") } + +inherit features_check diff --git a/poky/meta/classes/features_check.bbclass b/poky/meta/classes/features_check.bbclass new file mode 100644 index 000000000..391fbe1c9 --- /dev/null +++ b/poky/meta/classes/features_check.bbclass @@ -0,0 +1,85 @@ +# Allow checking of required and conflicting DISTRO_FEATURES +# +# ANY_OF_DISTRO_FEATURES: ensure at least one item on this list is included +# in DISTRO_FEATURES. +# REQUIRED_DISTRO_FEATURES: ensure every item on this list is included +# in DISTRO_FEATURES. +# CONFLICT_DISTRO_FEATURES: ensure no item in this list is included in +# DISTRO_FEATURES. +# ANY_OF_MACHINE_FEATURES: ensure at least one item on this list is included +# in MACHINE_FEATURES. +# REQUIRED_MACHINE_FEATURES: ensure every item on this list is included +# in MACHINE_FEATURES. +# CONFLICT_MACHINE_FEATURES: ensure no item in this list is included in +# MACHINE_FEATURES. +# ANY_OF_COMBINED_FEATURES: ensure at least one item on this list is included +# in COMBINED_FEATURES. +# REQUIRED_COMBINED_FEATURES: ensure every item on this list is included +# in COMBINED_FEATURES. +# CONFLICT_COMBINED_FEATURES: ensure no item in this list is included in +# COMBINED_FEATURES. +# +# Copyright 2019 (C) Texas Instruments Inc. +# Copyright 2013 (C) O.S. Systems Software LTDA. + +python () { + # Assume at least one var is set. + distro_features = set((d.getVar('DISTRO_FEATURES') or '').split()) + + any_of_distro_features = set((d.getVar('ANY_OF_DISTRO_FEATURES') or '').split()) + if any_of_distro_features: + if set.isdisjoint(any_of_distro_features, distro_features): + raise bb.parse.SkipRecipe("one of '%s' needs to be in DISTRO_FEATURES" % ' '.join(any_of_distro_features)) + + required_distro_features = set((d.getVar('REQUIRED_DISTRO_FEATURES') or '').split()) + if required_distro_features: + missing = set.difference(required_distro_features, distro_features) + if missing: + raise bb.parse.SkipRecipe("missing required distro feature%s '%s' (not in DISTRO_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) + + conflict_distro_features = set((d.getVar('CONFLICT_DISTRO_FEATURES') or '').split()) + if conflict_distro_features: + conflicts = set.intersection(conflict_distro_features, distro_features) + if conflicts: + raise bb.parse.SkipRecipe("conflicting distro feature%s '%s' (in DISTRO_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) + + # Assume at least one var is set. + machine_features = set((d.getVar('MACHINE_FEATURES') or '').split()) + + any_of_machine_features = set((d.getVar('ANY_OF_MACHINE_FEATURES') or '').split()) + if any_of_machine_features: + if set.isdisjoint(any_of_machine_features, machine_features): + raise bb.parse.SkipRecipe("one of '%s' needs to be in MACHINE_FEATURES" % ' '.join(any_of_machine_features)) + + required_machine_features = set((d.getVar('REQUIRED_MACHINE_FEATURES') or '').split()) + if required_machine_features: + missing = set.difference(required_machine_features, machine_features) + if missing: + raise bb.parse.SkipRecipe("missing required machine feature%s '%s' (not in MACHINE_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) + + conflict_machine_features = set((d.getVar('CONFLICT_MACHINE_FEATURES') or '').split()) + if conflict_machine_features: + conflicts = set.intersection(conflict_machine_features, machine_features) + if conflicts: + raise bb.parse.SkipRecipe("conflicting machine feature%s '%s' (in MACHINE_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) + + # Assume at least one var is set. + combined_features = set((d.getVar('COMBINED_FEATURES') or '').split()) + + any_of_combined_features = set((d.getVar('ANY_OF_COMBINED_FEATURES') or '').split()) + if any_of_combined_features: + if set.isdisjoint(any_of_combined_features, combined_features): + raise bb.parse.SkipRecipe("one of '%s' needs to be in COMBINED_FEATURES" % ' '.join(any_of_combined_features)) + + required_combined_features = set((d.getVar('REQUIRED_COMBINED_FEATURES') or '').split()) + if required_combined_features: + missing = set.difference(required_combined_features, combined_features) + if missing: + raise bb.parse.SkipRecipe("missing required machine feature%s '%s' (not in COMBINED_FEATURES)" % ('s' if len(missing) > 1 else '', ' '.join(missing))) + + conflict_combined_features = set((d.getVar('CONFLICT_COMBINED_FEATURES') or '').split()) + if conflict_combined_features: + conflicts = set.intersection(conflict_combined_features, combined_features) + if conflicts: + raise bb.parse.SkipRecipe("conflicting machine feature%s '%s' (in COMBINED_FEATURES)" % ('s' if len(conflicts) > 1 else '', ' '.join(conflicts))) +} diff --git a/poky/meta/classes/package_ipk.bbclass b/poky/meta/classes/package_ipk.bbclass index 9f9da2f91..4f2397703 100644 --- a/poky/meta/classes/package_ipk.bbclass +++ b/poky/meta/classes/package_ipk.bbclass @@ -154,7 +154,6 @@ def ipk_write_pkg(pkg, d): ctrlfile.write('%s\n' % textwrap.fill(description, width=74, initial_indent=' ', subsequent_indent=' ')) else: ctrlfile.write(c % tuple(pullData(fs, localdata))) - # more fields custom_fields_chunk = get_package_additional_metadata("ipk", localdata) if custom_fields_chunk is not None: diff --git a/poky/meta/classes/sanity.bbclass b/poky/meta/classes/sanity.bbclass index a14bf5388..63ab6cf3d 100644 --- a/poky/meta/classes/sanity.bbclass +++ b/poky/meta/classes/sanity.bbclass @@ -523,6 +523,7 @@ def check_wsl(d): # Tar version 1.24 and onwards handle overwriting symlinks correctly # but earlier versions do not; this needs to work properly for sstate +# Version 1.28 is needed so opkg-build works correctly when reproducibile builds are enabled def check_tar_version(sanity_data): from distutils.version import LooseVersion import subprocess @@ -532,7 +533,9 @@ def check_tar_version(sanity_data): return "Unable to execute tar --version, exit code %d\n%s\n" % (e.returncode, e.output) version = result.split()[3] if LooseVersion(version) < LooseVersion("1.24"): - return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar.\n" + return "Your version of tar is older than 1.24 and has bugs which will break builds. Please install a newer version of tar (1.28+).\n" + if LooseVersion(version) < LooseVersion("1.28"): + return "Your version of tar is older than 1.28 and does not have the support needed to enable reproducible builds. Please install a newer version of tar (you could use the projects buildtools-tarball from our last release).\n" return None # We use git parameters and functionality only found in 1.7.8 or later |