| author | Patrick Williams <patrick@stwcx.xyz> | 2022-08-22 23:51:32 +0300 |
|---|---|---|
| committer | Patrick Williams <patrick@stwcx.xyz> | 2022-08-22 23:52:39 +0300 |
| commit | cddccf4ad5f8479a7a864e65444b5cebfeb5859e (patch) | |
| tree | 027ba7ed151ee64b4083cb894704637aefab8958 /poky/meta/lib/oeqa/selftest/cases | |
| parent | ab475af3890f35980cd224ec8da7143c68834989 (diff) | |
| download | openbmc-cddccf4ad5f8479a7a864e65444b5cebfeb5859e.tar.xz | |
subtree updates
poky: b6ce93d565..4aad5914ef:
Ahmed Hossam (1):
insane.bbclass: host-user-contaminated: Correct per package home path
Alex Kiernan (1):
openssh: Add openssh-sftp-server to openssh RDEPENDS
Alexander Kanavin (3):
mobile-broadband-provider-info: upgrade 20220315 -> 20220511
wireless-regdb: upgrade 2022.04.08 -> 2022.06.06
linux-firmware: update 20220610 -> 20220708
Alexandre Belloni (1):
pseudo: Fix handling of absolute links
Anuj Mittal (1):
efivar: change branch name to main
Bruce Ashfield (13):
linux-yocto/5.4: update to v5.4.182
linux-yocto/5.4: update to v5.4.183
linux-yocto/5.4: update to v5.4.186
linux-yocto/5.4: update to v5.4.188
linux-yocto/5.4: update to v5.4.190
linux-yocto/5.4: update to v5.4.192
linux-yocto/5.4: update to v5.4.196
linux-yocto/5.4: update to v5.4.199
linux-yocto/5.4: update to v5.4.203
linux-yocto/5.4: update to v5.4.205
linux-yocto-rt/5.4: fixup -rt build breakage
linux-yocto/5.4: update to v5.4.208
linux-yocto/5.4: update to v5.4.209
Chee Yang Lee (1):
dpkg: update to 1.19.8
Chen Qi (1):
cases/buildepoxy.py: fix typo
Christophe Priouzeau (1):
bitbake: fetch2/wget: Update user-agent
Dan Tran (1):
ncurses: Fix CVE-2022-29458
Davide Gardenal (3):
cve-check: add JSON format to summary output
cve-check: fix symlinks where link and output path are equal
rootfs-postcommands: fix symlinks where link and output path are equal
Dmitry Baryshkov (5):
linux-firmware: correct license for ar3k firmware
linux-firmware: upgrade 20220411 -> 20220509
linux-firmware: add support for building snapshots
linux-firmware: upgrade 20220509 -> 20220610
linux-firmware: restore WHENCE_CHKSUM variable
Ernst Sjöstrand (2):
cve-check: Add helper for symlink handling
cve-check: Only include installed packages for rootfs manifest
Hitendra Prajapati (18):
pcre2: CVE-2022-1586 Out-of-bounds read
e2fsprogs: CVE-2022-1304 out-of-bounds read/write via crafted filesystem
pcre2: CVE-2022-1587 Out-of-bounds read
python-pip: CVE-2021-3572 Incorrect handling of unicode separators in git references
golang: CVE-2021-44717 syscall: don't close fd 0 on ForkExec error
golang: CVE-2022-24675 encoding/pem: fix stack overflow in Decode
golang: CVE-2021-31525 net/http: panic in ReadRequest and ReadResponse when reading a very large header
grub2: CVE-2021-3981 Incorrect permission in grub.cfg allow unprivileged user to read the file content
gnupg: CVE-2022-34903 possible signature forgery via injection into the status line
grub2: Fix buffer underflow write in the heap
qemu: CVE-2022-35414 can perform an uninitialized read on the translate_fail path, leading to an io_readx or io_writex crash
libTiff: CVE-2022-2056 CVE-2022-2057 CVE-2022-2058 DoS from Divide By Zero Error
libtirpc: CVE-2021-46828 DoS vulnerability with lots of connections
grub2: Fix several security issues of integer underflow
gdk-pixbuf: CVE-2021-46829 a heap-based buffer overflow
qemu: CVE-2020-27821 heap buffer overflow in msix_table_mmio_write
gnutls: CVE-2022-2509 Double free during gnutls_pkcs7_verify
zlib: CVE-2022-37434 a heap-based buffer over-read
Jate Sujjavanich (1):
IMAGE_LOCALES_ARCHIVE: add option to prevent locale archive creation
Joe Slater (1):
unzip: fix CVE-2021-4217
Joey Degges (1):
bitbake: fetch/git: Fix usehead for non-default names
Jose Quaresma (3):
archiver: use bb.note instead of echo
archiver: don't use machine variables in shared recipes
gstreamer1.0: use the correct meson option for the capabilities
Joshua Watt (1):
classes/cve-check: Move get_patches_cves to library
Khem Raj (2):
busybox: Use base_bindir instead of hardcoding /bin path
libmodule-build-perl: Use env utility to find perl interpreter
Konrad Weihmann (1):
linux-firmware: replace mkdir by install
LUIS ENRIQUEZ (1):
kernel-fitimage.bbclass: add padding algorithm property in config nodes
Marcel Ziswiler (1):
alsa-plugins: fix libavtp vs. avtp packageconfig
Marek Vasut (1):
lttng-modules: Backport Linux 5.18+, 5.15.44+, 5.10.119+ fixes
Marta Rybczynska (10):
cve-check: add json format
cve-update-db-native: update the CVE database once a day only
cve-update-db-native: let the user drive the update interval
cve-check: Fix report generation
cve-check: move update_symlinks to a library
cve-check: write empty fragment files in the text mode
cve-check: add coverage statistics on recipes with/without CVEs
cve-update-db-native: make it possible to disable database updates
cve-check: add support for Ignored CVEs
oeqa/selftest/cve_check: add tests for Ignored and partial reports
Martin Jansa (4):
license_image.bbclass: close package.manifest file
rootfs.py: close kernel_abi_ver_file
wic: fix WicError message
libxml2: Port gentest.py to Python-3
Michael Opdenacker (3):
manuals: add missing space in appends
manuals: switch to the sstate mirror shared between all versions
ref-manual: variables: remove sphinx directive from literal block
Ming Liu (1):
rootfs-postcommands.bbclass: move host-user-contaminated.txt to ${S}
Mingli Yu (1):
oescripts: change compare logic in OEListPackageconfigTests
Muhammad Hamza (1):
initramfs-framework: move storage mounts to actual rootfs
Nick Potenski (1):
systemd: systemd-systemctl: Support instance conf files during enable
Pascal Bach (1):
bin_package: install into base_prefix
Paul Gortmaker (1):
install/devshell: Introduce git intercept script due to fakeroot issues
Pawan Badganchi (3):
fribidi: Add fix for CVE-2022-25308, CVE-2022-25309 and CVE-2022-25310
libinput: Add fix for CVE-2022-1215
openssh: Whitelist CVE-2021-36368
Peter Kjellerstedt (3):
metadata_scm.bbclass: Use immediate expansion for the METADATA_* variables
u-boot: Correct the SRC_URI
license.bbclass: Bound beginline and endline in copy_license_files()
Portia (1):
volatile-binds: Change DefaultDependencies from false to no
Rahul Kumar (1):
neard: Switch SRC_URI to git repo
Ralph Siemsen (3):
gzip: fix CVE-2022-1271
xz: fix CVE-2022-1271
apt: add -fno-strict-aliasing to CXXFLAGS to fix SHA256 bug
Randy MacLeod (1):
vim: update from 9.0.0063 to 9.0.0115
Ranjitsinh Rathod (9):
tiff: Add patches to fix multiple CVEs
freetype: Fix CVEs for freetype
git: Use CVE_CHECK_WHITELIST instead of CVE_CHECK_IGNORE
openssl: Minor security upgrade 1.1.1n to 1.1.1o
ruby: Upgrade ruby to 2.7.6 for security fix
ruby: Whitelist CVE-2021-28966 as this affects Windows OS only
libsdl2: Add fix for CVE-2021-33657
openssl: Minor security upgrade 1.1.1o to 1.1.1p
cve-extra-exclusions.inc: Use CVE_CHECK_WHITELIST
Rasmus Villemoes (1):
e2fsprogs: add alternatives handling of lsattr as well
Richard Purdie (34):
vim: Upgrade 8.2.4524 -> 8.2.4681
git: Ignore CVE-2022-24975
pseudo: Add patch to workaround paths with crazy lengths
libxshmfence: Correct LICENSE to HPND
build-appliance-image: Update to dunfell head revision
perf-build-test/report: Drop phantomjs and html email reports support
base: Drop git intercept
uninative: Upgrade to 3.6 with gcc 12 support
base: Avoid circular references to our own scripts
scripts: Make git intercept global
scripts/git: Ensure we don't have circular references
vim: Upgrade 8.2.4681 -> 8.2.4912
vim: Upgrade 8.2.4912 -> 8.2.5034 to fix 9 CVEs
cve-check: Allow warnings to be disabled
openssl: Backport fix for ptest cert expiry
libxslt: Mark CVE-2022-29824 as not applying
local.conf.sample: Update sstate url to new 'all' path
vim: Upgrade 8.2.5034 -> 8.2.5083
gcc-source: Fix incorrect task dependencies from ${B}
bitbake: tinfoil/data_smart: Allow variable history emit() to function remotely
bitbake: bin/bitbake-getvar: Add a new command to query a variable value (with history)
unzip: Port debian fixes for two CVEs
cve-extra-exclusions: Clean up and ignore three CVEs (2xqemu and nasm)
vim: 8.2.5083 -> 9.0.0005
oeqa/runtime/scp: Disable scp test for dropbear
packagegroup-core-ssh-dropbear: Add openssh-sftp-server recommendation
oe-selftest-image: Ensure the image has sftp as well as dropbear
bitbake: fetch/wget: Move files into place atomically
ref-manual: Add XZ_THREADS and XZ_MEMLIMIT
build-appliance-image: Update to dunfell head revision
insane: Fix buildpaths test to work with special devices
vim: Upgrade 9.0.0021 -> 9.0.0063
kernel-arch: Fix buildpaths leaking into external module compiles
build-appliance-image: Update to dunfell head revision
Riyaz (1):
libxml2: Fix CVE-2022-29824 for libxml2
Robert Joslyn (3):
curl: Backport CVE fixes
curl: Fix CVE_CHECK_WHITELIST typo
curl: Fix CVE-2022-32206, CVE-2022-32207, and CVE-2022-32208
Ross Burton (10):
zlib: backport the fix for CVE-2018-25032
boost: don't specify gcc version
python3: ignore CVE-2015-20107
cve-check: no need to depend on the fetch task
oeqa/selftest/cve_check: add tests for recipe and image reports
bitbake: knotty: display active tasks when printing keepAlive() message
bitbake: knotty: reduce keep-alive timeout from 5000s (83 minutes) to 10 minutes
cve-check: hook cleanup to the BuildCompleted event, not CookerExit
vim: upgrade to 9.0.0021
cve_check: skip remote patches that haven't been fetched when searching for CVE tags
Sana Kazi (1):
curl: Fix CVEs for curl
Sana.Kazi (1):
libjpeg-turbo: Fix CVE-2021-46822
Shruthi Ravichandran (1):
initscripts: run umountnfs as a KILL script
Stefan Wiehler (1):
kernel-yocto.bbclass: Reset to exiting on non-zero return code at end of task
Steve Sakoman (21):
documentation: update for 3.1.16 release
poky.conf: Bump version for 3.1.16 release
git update from 2.24.3 to 2.24.4
scripts/contrib/oe-build-perf-report-email.py: remove obsolete check for phantomjs and optipng
busybox: fix CVE-2022-28391
selftest: skip virgl test on alma 8.6
documentation: update for 3.1.17 release
poky.conf: bump version for 3.1.17 release
Revert "openssl: Backport fix for ptest cert expiry"
openssl: backport fix for ptest certificate expiration
openssl: update the epoch time for ct_test ptest
cups: fix CVE-2022-26691
openssh: break dependency on base package for -dev package
dropbear: break dependency on base package for -dev package
qemu: add PACKAGECONFIG for capstone
openssl: security upgrade 1.1.1p to 1.1.1q
documentation: update for 3.1.18 release
poky.conf: bump version for 3.1.18 release
selftest: skip virgl test on fedora 36
documentation: update for 3.1.19 release
poky.conf: bump version for 3.1.19 release
Virendra Thakur (1):
ffmpeg: Fix for CVE-2022-1475
leimaohui (1):
cve-check.bbclass: Added do_populate_sdk[recrdeptask].
omkar patil (1):
libxslt: Fix CVE-2021-30560
sana kazi (1):
tiff: Fix CVE-2022-0891
wangmy (1):
linux-firmware: upgrade 20220310 -> 20220411
zhengruoqin (1):
wireless-regdb: upgrade 2022.02.18 -> 2022.04.08
meta-raspberrypi: 934064a019..2081e1bb9a:
Omer Akram (1):
linux-firmware-rpidistro: fix wifi driver loading on cm4
meta-openembedded: fdd1dfe6b4..f22bf6efaa:
Adrian Fiergolski (1):
python3-matplotlib: add missing dependency
Akash Hadke (2):
iperf: Set CVE_PRODUCT to "iperf_project:iperf"
ntfs-3g-ntfsprogs: Set CVE_PRODUCT to "tuxera:ntfs-3g"
Armin Kuster (2):
mariadb: update to 10.4.25
bigbuckbunny-1080p: update SRC_URI
Chen Qi (2):
ntfs-3g-ntfsprogs: upgrade to 2021.8.22
ntfs-3g-ntfsprogs: upgrade to 2022.5.17
Hitendra Prajapati (3):
openldap: CVE-2022-29155 OpenLDAP SQL injection
xterm: CVE-2022-24130 Buffer overflow in set_sixel in graphics_sixel.c
cyrus-sasl: CVE-2022-24407 failure to properly escape SQL input allows an attacker to execute arbitrary SQL commands
Jeroen Hofstee (1):
php: move to version v7.4.28
Julien STEPHAN (2):
opencl-icd-loader: switch to main branch
opencl-headers: switch to main branch
Khem Raj (2):
postgresql: Fix build on riscv
meta-oe: Add leading whitespace for append operator
Martin Jansa (5):
python3-cryptography: backport 3 changes to fix CVE-2020-36242
ostree: prevent ostree-native depending on target virtual/kernel to provide kernel-module-overlay
tesseract-lang: switch from master branch to main
leveldb: switch from master branch to main
grpc: switch from master branch to main for upb
Mikko Rapeli (1):
fuse: set CVE_PRODUCT to "fuse_project:fuse"
Mingli Yu (1):
bridge-utils: Switch to use the main branch
Ranjitsinh Rathod (1):
atftp: Add fix for CVE-2021-41054 and CVE-2021-46671
Riyaz Ahmed Khan (1):
tcpdump: Add fix for CVE-2018-16301
Sana Kazi (1):
openjpeg: Whitelist CVE-2020-27844 and CVE-2015-1239
Steve Sakoman (1):
lua: fix CVE-2022-28805
Signed-off-by: Patrick Williams <patrick@stwcx.xyz>
Change-Id: I394bfdef7725cf9babd0d3cd7fe45ea3c6c8c2ab
Diffstat (limited to 'poky/meta/lib/oeqa/selftest/cases')

| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | poky/meta/lib/oeqa/selftest/cases/cve_check.py | 159 |
| -rw-r--r-- | poky/meta/lib/oeqa/selftest/cases/oescripts.py | 3 |
| -rw-r--r-- | poky/meta/lib/oeqa/selftest/cases/runtime_test.py | 4 |

3 files changed, 164 insertions, 2 deletions
diff --git a/poky/meta/lib/oeqa/selftest/cases/cve_check.py b/poky/meta/lib/oeqa/selftest/cases/cve_check.py index d1947baffc..d0b2213703 100644 --- a/poky/meta/lib/oeqa/selftest/cases/cve_check.py +++ b/poky/meta/lib/oeqa/selftest/cases/cve_check.py @@ -1,9 +1,13 @@ -from oe.cve_check import Version +import json +import os from oeqa.selftest.case import OESelftestTestCase +from oeqa.utils.commands import bitbake, get_bb_vars class CVECheck(OESelftestTestCase): def test_version_compare(self): + from oe.cve_check import Version + result = Version("100") > Version("99") self.assertTrue( result, msg="Failed to compare version '100' > '99'") result = Version("2.3.1") > Version("2.2.3") 
@@ -42,3 +46,156 @@ class CVECheck(OESelftestTestCase): self.assertTrue( result ,msg="Failed to compare version with suffix '1.0p2' > '1.0p1'") result = Version("1.0_patch2","patch") < Version("1.0_patch3","patch") self.assertTrue( result ,msg="Failed to compare version with suffix '1.0_patch2' < '1.0_patch3'") + + + def test_recipe_report_json(self): + config = """ +INHERIT += "cve-check" +CVE_CHECK_FORMAT_JSON = "1" +""" + self.write_config(config) + + vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json") + + try: + os.remove(summary_json) + os.remove(recipe_json) + except FileNotFoundError: + pass + + bitbake("m4-native -c cve_check") + + def check_m4_json(filename): + with open(filename) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + self.assertEqual(len(report["package"]), 1) + package = report["package"][0] + self.assertEqual(package["name"], "m4-native") + found_cves = { issue["id"]: issue["status"] for issue in package["issue"]} + self.assertIn("CVE-2008-1687", found_cves) + self.assertEqual(found_cves["CVE-2008-1687"], "Patched") + + self.assertExists(summary_json) + check_m4_json(summary_json) + self.assertExists(recipe_json) + check_m4_json(recipe_json) + + + def test_image_json(self): + config = """ +INHERIT += "cve-check" +CVE_CHECK_FORMAT_JSON = "1" +""" + self.write_config(config) + + vars = get_bb_vars(["CVE_CHECK_DIR", "CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + report_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + print(report_json) + try: + os.remove(report_json) + except FileNotFoundError: + pass + + bitbake("core-image-minimal-initramfs") + self.assertExists(report_json) + + # Check that the summary report lists at least one package + with 
open(report_json) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + self.assertGreater(len(report["package"]), 1) + + # Check that a random recipe wrote a recipe report to deploy/cve/ + recipename = report["package"][0]["name"] + recipe_report = os.path.join(vars["CVE_CHECK_DIR"], recipename + "_cve.json") + self.assertExists(recipe_report) + with open(recipe_report) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + self.assertEqual(len(report["package"]), 1) + self.assertEqual(report["package"][0]["name"], recipename) + + + def test_recipe_report_json_unpatched(self): + config = """ +INHERIT += "cve-check" +CVE_CHECK_FORMAT_JSON = "1" +CVE_CHECK_REPORT_PATCHED = "0" +""" + self.write_config(config) + + vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "m4-native_cve.json") + + try: + os.remove(summary_json) + os.remove(recipe_json) + except FileNotFoundError: + pass + + bitbake("m4-native -c cve_check") + + def check_m4_json(filename): + with open(filename) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + self.assertEqual(len(report["package"]), 1) + package = report["package"][0] + self.assertEqual(package["name"], "m4-native") + #m4 had only Patched CVEs, so the issues array will be empty + self.assertEqual(package["issue"], []) + + self.assertExists(summary_json) + check_m4_json(summary_json) + self.assertExists(recipe_json) + check_m4_json(recipe_json) + + + def test_recipe_report_json_ignored(self): + config = """ +INHERIT += "cve-check" +CVE_CHECK_FORMAT_JSON = "1" +CVE_CHECK_REPORT_PATCHED = "1" +""" + self.write_config(config) + + vars = get_bb_vars(["CVE_CHECK_SUMMARY_DIR", "CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + summary_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], 
vars["CVE_CHECK_SUMMARY_FILE_NAME_JSON"]) + recipe_json = os.path.join(vars["CVE_CHECK_SUMMARY_DIR"], "logrotate_cve.json") + + try: + os.remove(summary_json) + os.remove(recipe_json) + except FileNotFoundError: + pass + + bitbake("logrotate -c cve_check") + + def check_m4_json(filename): + with open(filename) as f: + report = json.load(f) + self.assertEqual(report["version"], "1") + self.assertEqual(len(report["package"]), 1) + package = report["package"][0] + self.assertEqual(package["name"], "logrotate") + found_cves = { issue["id"]: issue["status"] for issue in package["issue"]} + # m4 CVE should not be in logrotate + self.assertNotIn("CVE-2008-1687", found_cves) + # logrotate has both Patched and Ignored CVEs + self.assertIn("CVE-2011-1098", found_cves) + self.assertEqual(found_cves["CVE-2011-1098"], "Patched") + self.assertIn("CVE-2011-1548", found_cves) + self.assertEqual(found_cves["CVE-2011-1548"], "Ignored") + self.assertIn("CVE-2011-1549", found_cves) + self.assertEqual(found_cves["CVE-2011-1549"], "Ignored") + self.assertIn("CVE-2011-1550", found_cves) + self.assertEqual(found_cves["CVE-2011-1550"], "Ignored") + + self.assertExists(summary_json) + check_m4_json(summary_json) + self.assertExists(recipe_json) + check_m4_json(recipe_json) diff --git a/poky/meta/lib/oeqa/selftest/cases/oescripts.py b/poky/meta/lib/oeqa/selftest/cases/oescripts.py index 726daff7c6..fb99be447e 100644 --- a/poky/meta/lib/oeqa/selftest/cases/oescripts.py +++ b/poky/meta/lib/oeqa/selftest/cases/oescripts.py @@ -133,7 +133,8 @@ class OEListPackageconfigTests(OEScriptTests): def check_endlines(self, results, expected_endlines): for line in results.output.splitlines(): for el in expected_endlines: - if line.split() == el.split(): + if line and line.split()[0] == el.split()[0] and \ + ' '.join(sorted(el.split())) in ' '.join(sorted(line.split())): expected_endlines.remove(el) break 
diff --git a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py index 20dc1c9482..df11984713 100644 --- a/poky/meta/lib/oeqa/selftest/cases/runtime_test.py +++ b/poky/meta/lib/oeqa/selftest/cases/runtime_test.py @@ -175,6 +175,8 @@ class TestImage(OESelftestTestCase): if "DISPLAY" not in os.environ: self.skipTest("virgl gtk test must be run inside a X session") distro = oe.lsb.distro_identifier() + if distro and distro == 'almalinux-8.6': + self.skipTest('virgl isn\'t working with Alma 8') if distro and distro == 'debian-8': self.skipTest('virgl isn\'t working with Debian 8') if distro and distro == 'centos-7': @@ -185,6 +187,8 @@ class TestImage(OESelftestTestCase): self.skipTest('virgl isn\'t working with Fedora 34') if distro and distro == 'fedora-35': self.skipTest('virgl isn\'t working with Fedora 35') + if distro and distro == 'fedora-36': + self.skipTest('virgl isn\'t working with Fedora 36') if distro and distro == 'opensuseleap-15.0': self.skipTest('virgl isn\'t working with Opensuse 15.0') |
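Review bot: in the first cve_check.py hunk (`@@ -1,9 +1,13 @@`) the `from oe.cve_check import Version` import is moved from module scope into `test_version_compare` with no comment saying why, while the other new imports (`json`, `os`, `bitbake`, `get_bb_vars`) stay at module level; a reader will take the move for an accident and the next cleanup will hoist it back. If the reason is that `oe.cve_check` is only importable once the selftest environment has set up the bitbake lib path, say so in a one-line comment above the local import.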
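Review bot: in the second cve_check.py hunk (`@@ -42,3 +46,156 @@`) `test_image_json` contradicts its own comment: "Check that the summary report lists at least one package" is followed by `self.assertGreater(len(report["package"]), 1)`, which requires at least two; use `assertGreaterEqual(..., 1)` or fix the comment, and drop the leftover `print(report_json)` debug line. The per-recipe report path is also built from different variables in different tests (`CVE_CHECK_SUMMARY_DIR` for `m4-native_cve.json` and `logrotate_cve.json`, `CVE_CHECK_DIR` for `recipename + "_cve.json"` in `test_image_json`); pick whichever directory the class actually writes `<recipe>_cve.json` to and use it everywhere, otherwise a configuration that separates the two directories breaks one set of tests. Smaller points: `test_recipe_report_json_ignored` names its nested checker `check_m4_json` although it checks logrotate (rename to `check_logrotate_json`); the three recipe tests repeat the same `write_config` / `get_bb_vars` / `os.remove` / `bitbake` boilerplate and would shrink to a few lines each with a helper taking the recipe name, extra config and checker; and the expectations pin specific IDs (CVE-2008-1687 for m4, CVE-2011-1098/1548/1549/1550 for logrotate) to the current patches and ignore lists of those recipes, so a comment pointing at where those expectations come from would help whoever has to update them after a recipe upgrade.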
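Review bot: in the oescripts.py hunk the relaxed match in `check_endlines` can produce false positives: `' '.join(sorted(el.split())) in ' '.join(sorted(line.split()))` is a substring test on joined strings, not a token test, so an expected line `pkg b c` (sorted and joined: `b c pkg`) matches an actual line `pkg ab c` (`ab c pkg`). If the intent is "every expected token appears in the line", write it as `set(el.split()) <= set(line.split())`; if it is order-insensitive equality, compare `sorted(el.split()) == sorted(line.split())`. Also the `line and` guard protects `line.split()[0]` but nothing protects `el.split()[0]`, which raises `IndexError` for an empty entry in `expected_endlines`.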
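Review bot: in the first runtime_test.py hunk (`@@ -175,6 +175,8 @@`) the new check `if distro and distro == 'almalinux-8.6'` only matches that exact release while the skip message says "virgl isn't working with Alma 8", so 8.5 or 8.7 hosts still run the test; either make the check match the message (`distro.startswith('almalinux-8')`) or make the message match the check. The `distro and` prefix is redundant with `==` (the existing lines copy the same pattern), and this growing chain of one `if distro == ...: self.skipTest(...)` per release would be easier to maintain as a single lookup in a set or dict of known-broken distro identifiers.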
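Review bot: in the second runtime_test.py hunk (`@@ -185,6 +187,8 @@`) adding `fedora-36` means every Fedora release from 34 onwards is now skipped by its own exact-match line, and each new release will need another one; a single prefix check (`distro.startswith('fedora-')` with a version threshold) or the shared known-broken set suggested for the almalinux entry above would stop this file from growing by two lines per release.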