| Message ID | 20251113205431.3489223-1-martin.jansa@gmail.com |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [meta-python,1/2] python3-checksec-py, python3-pylddwrap, python3-icontract: add recipes | expand |
python3-lief does not build for x86(32bit) so its using COMPATIBLE_HOST:x86 = "null" We will need same for this recipe as well as it depends on python3-lief On Thu, Nov 13, 2025 at 12:54 PM Martin Jansa via lists.openembedded.org <martin.jansa=gmail.com@lists.openembedded.org> wrote: > From: Martin Jansa <martin.jansa@gmail.com> > > they were sent for meta-security long time ago in 2021: > https://lists.yoctoproject.org/g/yocto/message/54470 > but never merged there, now there are lief, docopt, rich, asttokens > already in meta-python and checksec-py depends on lief version, e.g. > > https://github.com/Wenzel/checksec.py/commit/976d530867756d1393189708aa98308b07b1f3b2 > is needed to fixcompatibility with newer lief currently in meta-python > > Signed-off-by: Martin Jansa <martin.jansa@gmail.com> > --- > ...1-main-Add-option-to-ignore-symlinks.patch | 81 +++++++++++++++++++ > .../python/python3-checksec-py_0.7.5.bb | 23 ++++++ > .../python/python3-icontract_2.6.6.bb | 14 ++++ > .../python/python3-pylddwrap_1.2.2.bb | 26 ++++++ > 4 files changed, 144 insertions(+) > create mode 100644 > meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch > create mode 100644 meta-python/recipes-devtools/python/ > python3-checksec-py_0.7.5.bb > create mode 100644 meta-python/recipes-devtools/python/ > python3-icontract_2.6.6.bb > create mode 100644 meta-python/recipes-devtools/python/ > python3-pylddwrap_1.2.2.bb > > diff --git > a/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch > b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch > new file mode 100644 > index 0000000000..3a99ba33e3 > --- /dev/null > +++ > b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch > @@ -0,0 +1,81 @@ > +From b540967b87394d855c26375ac5a9a7265f265053 Mon Sep 17 00:00:00 2001 > +From: Maximilian Blenk <Maximilian.Blenk@bmw.de> > +Date: Fri, 2 Jul 2021 14:42:25 +0200 > +Subject: [PATCH] main: Add option to ignore symlinks > + > +When analyzing a complete rootfs (which might not be the rootfs of the > +analyzing system) symlinks within that rootfs might be broken. In > +particular absolute symlinks. However, if by chance such a symlink > +currently points to a valid binary in your system, this binary pointed > +to is analyzed. This commit adds the possibility to ignore symlinks to > +files (symlinks to dirs are already ignored by default). This allows to > +solve the issue described above, and if the whole rootfs is analyzed > +there shouldn't be a loss of information (because all the binaries will > +be analyzed anyway). Additionally, this also saves some time when > +performing the analysis. > + > +Upstream-Status: Submitted [ > https://github.com/Wenzel/checksec.py/pull/106] > +--- > + checksec/__main__.py | 12 +++++++----- > + 1 file changed, 7 insertions(+), 5 deletions(-) > + > +diff --git a/checksec/__main__.py b/checksec/__main__.py > +index a14862f..931d850 100644 > +--- a/checksec/__main__.py > ++++ b/checksec/__main__.py > +@@ -8,6 +8,7 @@ Options: > + -w WORKERS --workers=WORKERS Specify the number of process pool > workers [default: 4] > + -j --json Display results as JSON > + -s LIBC --set-libc=LIBC Specify LIBC library to use to check > for fortify scores (ELF) > ++ -i --ignore-symlinks Ignore symlinks to files > + -d --debug Enable debug output > + -h --help Display this message > + """ > +@@ -27,18 +28,18 @@ from .pe import PEChecksecData, PESecurity, is_pe > + from .utils import lief_set_logging > + > + > +-def walk_filepath_list(filepath_list: List[Path], recursive: bool = > False) -> Iterator[Path]: > ++def walk_filepath_list(filepath_list: List[Path], recursive: bool = > False, ignore_symlinks: bool = False) -> Iterator[Path]: > + for path in filepath_list: > + if path.is_dir() and not path.is_symlink(): > + try: > + if recursive: > + for f in os.scandir(path): > +- yield from walk_filepath_list([Path(f)], > recursive) > ++ yield from walk_filepath_list([Path(f)], > recursive, ignore_symlinks) > + else: > + yield from (Path(f) for f in os.scandir(path)) > + except OSError: > + continue > +- elif path.is_file(): > ++ elif path.is_file() and (not ignore_symlinks or not > path.is_symlink()): > + yield path > + > + > +@@ -75,6 +76,7 @@ def main(args): > + json = args["--json"] > + recursive = args["--recursive"] > + libc_path = args["--set-libc"] > ++ ignore_symlinks = args["--ignore-symlinks"] > + > + # logging > + formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s" > +@@ -110,7 +112,7 @@ def main(args): > + # we need to consume the iterator once to get the total > + # for the progress bar > + check_output.enumerating_tasks_start() > +- count = sum(1 for i in walk_filepath_list(filepath_list, > recursive)) > ++ count = sum(1 for i in walk_filepath_list(filepath_list, > recursive, ignore_symlinks)) > + check_output.enumerating_tasks_stop(count) > + with ProcessPoolExecutor( > + max_workers=workers, initializer=worker_initializer, > initargs=(libc_path,) > +@@ -119,7 +121,7 @@ def main(args): > + check_output.processing_tasks_start() > + future_to_checksec = { > + pool.submit(checksec_file, filepath): filepath > +- for filepath in > walk_filepath_list(filepath_list, recursive) > ++ for filepath in > walk_filepath_list(filepath_list, recursive, ignore_symlinks) > + } > + for future in as_completed(future_to_checksec): > + filepath = future_to_checksec[future] > diff --git a/meta-python/recipes-devtools/python/ > python3-checksec-py_0.7.5.bb b/meta-python/recipes-devtools/python/ > python3-checksec-py_0.7.5.bb > new file mode 100644 > index 0000000000..82ef304849 > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb > @@ -0,0 +1,23 @@ > +SUMMARY = "Recipe to embedded the Python PiP Package checksec_py" > +HOMEPAGE = "https://pypi.org/project/checksec_py" > +LICENSE = "GPL-3.0-only" > +LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464" > + > +PR = "r0" > + > +inherit pypi python_poetry_core > +PYPI_PACKAGE = "checksec_py" > +SRC_URI[sha256sum] = > "892854f95d17a76d8f45a5c0cc597b9f1bebced3fffb9c7205d0baaf5eace886" > + > +SRC_URI += " \ > + file://0001-main-Add-option-to-ignore-symlinks.patch \ > +" > + > +RDEPENDS:${PN} += " \ > + python3-docopt \ > + python3-lief \ > + python3-pylddwrap \ > + python3-rich \ > +" > + > +BBCLASSEXTEND = "native nativesdk" > diff --git a/meta-python/recipes-devtools/python/ > python3-icontract_2.6.6.bb b/meta-python/recipes-devtools/python/ > python3-icontract_2.6.6.bb > new file mode 100644 > index 0000000000..5075a1a6a1 > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb > @@ -0,0 +1,14 @@ > +SUMMARY = "Recipe to embedded the Python PiP Package icontract" > +HOMEPAGE = "https://pypi.org/project/icontract" > +LICENSE = "MIT" > +LIC_FILES_CHKSUM = > "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57" > + > +PR = "r0" > + > +inherit pypi setuptools3 > +PYPI_PACKAGE = "icontract" > +SRC_URI[sha256sum] = > "c1fd55c7709ef18a2ee64313fe863be2668b53060828fcca3525051160c92691" > + > +RDEPENDS:${PN} += "python3-asttokens" > + > +BBCLASSEXTEND = "native" > diff --git a/meta-python/recipes-devtools/python/ > python3-pylddwrap_1.2.2.bb b/meta-python/recipes-devtools/python/ > python3-pylddwrap_1.2.2.bb > new file mode 100644 > index 0000000000..045ccb9f1e > --- /dev/null > +++ b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb > @@ -0,0 +1,26 @@ > +SUMMARY = "Recipe to embedded the Python PiP Package pylddwrap" > +HOMEPAGE = "https://pypi.org/project/pylddwrap" > +LICENSE = "MIT" > +LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa" > + > +inherit pypi setuptools3 > +PYPI_PACKAGE = "pylddwrap" > +SRC_URI[sha256sum] = > "a70437fea7bca647c0e98161e1006ef49970267999c571b499760f1c43c6ba10" > + > +PR = "r0" > + > +RDEPENDS:${PN} += "python3-icontract" > + > +BBCLASSEXTEND = "native" > + > +do_install:append() { > + # similarly to > https://gitlab.com/akuster/meta-security/-/commit/0fd8e0f8cae612010bafecbff77ed9bb6f647a2d#4e154e295e639fd6c298ca644c75291eb99e0a57_0_16 > + # but delete it from prefix and delete requirements.txt as well. > + # ERROR: QA Issue: python3-pylddwrap: Files/directories were > installed but not shipped in any package: > + # /usr/README.rst > + # /usr/requirements.txt > + # /usr/LICENSE > + # Please set FILES such that these items are packaged. Alternatively > if they are unneeded, avoid installing them or delete them within > do_install. > + # python3-pylddwrap: 3 installed and not shipped files. > [installed-vs-shipped] > + rm -f ${D}${prefix}/README.rst ${D}${prefix}/requirements.txt > ${D}${prefix}/LICENSE > +} > > -=-=-=-=-=-=-=-=-=-=-=- > Links: You receive all messages sent to this group. > View/Reply Online (#121658): > https://lists.openembedded.org/g/openembedded-devel/message/121658 > Mute This Topic: https://lists.openembedded.org/mt/116281662/1997914 > Group Owner: openembedded-devel+owner@lists.openembedded.org > Unsubscribe: https://lists.openembedded.org/g/openembedded-devel/unsub [ > raj.khem@gmail.com] > -=-=-=-=-=-=-=-=-=-=-=- > >
diff --git a/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch new file mode 100644 index 0000000000..3a99ba33e3 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-checksec-py/0001-main-Add-option-to-ignore-symlinks.patch @@ -0,0 +1,81 @@ +From b540967b87394d855c26375ac5a9a7265f265053 Mon Sep 17 00:00:00 2001 +From: Maximilian Blenk <Maximilian.Blenk@bmw.de> +Date: Fri, 2 Jul 2021 14:42:25 +0200 +Subject: [PATCH] main: Add option to ignore symlinks + +When analyzing a complete rootfs (which might not be the rootfs of the +analyzing system) symlinks within that rootfs might be broken. In +particular absolute symlinks. However, if by chance such a symlink +currently points to a valid binary in your system, this binary pointed +to is analyzed. This commit adds the possibility to ignore symlinks to +files (symlinks to dirs are already ignored by default). This allows to +solve the issue described above, and if the whole rootfs is analyzed +there shouldn't be a loss of information (because all the binaries will +be analyzed anyway). Additionally, this also saves some time when +performing the analysis. + +Upstream-Status: Submitted [https://github.com/Wenzel/checksec.py/pull/106] +--- + checksec/__main__.py | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/checksec/__main__.py b/checksec/__main__.py +index a14862f..931d850 100644 +--- a/checksec/__main__.py ++++ b/checksec/__main__.py +@@ -8,6 +8,7 @@ Options: + -w WORKERS --workers=WORKERS Specify the number of process pool workers [default: 4] + -j --json Display results as JSON + -s LIBC --set-libc=LIBC Specify LIBC library to use to check for fortify scores (ELF) ++ -i --ignore-symlinks Ignore symlinks to files + -d --debug Enable debug output + -h --help Display this message + """ +@@ -27,18 +28,18 @@ from .pe import PEChecksecData, PESecurity, is_pe + from .utils import lief_set_logging + + +-def walk_filepath_list(filepath_list: List[Path], recursive: bool = False) -> Iterator[Path]: ++def walk_filepath_list(filepath_list: List[Path], recursive: bool = False, ignore_symlinks: bool = False) -> Iterator[Path]: + for path in filepath_list: + if path.is_dir() and not path.is_symlink(): + try: + if recursive: + for f in os.scandir(path): +- yield from walk_filepath_list([Path(f)], recursive) ++ yield from walk_filepath_list([Path(f)], recursive, ignore_symlinks) + else: + yield from (Path(f) for f in os.scandir(path)) + except OSError: + continue +- elif path.is_file(): ++ elif path.is_file() and (not ignore_symlinks or not path.is_symlink()): + yield path + + +@@ -75,6 +76,7 @@ def main(args): + json = args["--json"] + recursive = args["--recursive"] + libc_path = args["--set-libc"] ++ ignore_symlinks = args["--ignore-symlinks"] + + # logging + formatter = "%(asctime)s %(levelname)s:%(name)s:%(message)s" +@@ -110,7 +112,7 @@ def main(args): + # we need to consume the iterator once to get the total + # for the progress bar + check_output.enumerating_tasks_start() +- count = sum(1 for i in walk_filepath_list(filepath_list, recursive)) ++ count = sum(1 for i in walk_filepath_list(filepath_list, recursive, ignore_symlinks)) + check_output.enumerating_tasks_stop(count) + with ProcessPoolExecutor( + max_workers=workers, initializer=worker_initializer, initargs=(libc_path,) +@@ -119,7 +121,7 @@ def main(args): + check_output.processing_tasks_start() + future_to_checksec = { + pool.submit(checksec_file, filepath): filepath +- for filepath in walk_filepath_list(filepath_list, recursive) ++ for filepath in walk_filepath_list(filepath_list, recursive, ignore_symlinks) + } + for future in as_completed(future_to_checksec): + filepath = future_to_checksec[future] diff --git a/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb new file mode 100644 index 0000000000..82ef304849 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-checksec-py_0.7.5.bb @@ -0,0 +1,23 @@ +SUMMARY = "Recipe to embedded the Python PiP Package checksec_py" +HOMEPAGE = "https://pypi.org/project/checksec_py" +LICENSE = "GPL-3.0-only" +LIC_FILES_CHKSUM = "file://LICENSE;md5=1ebbd3e34237af26da5dc08a4e440464" + +PR = "r0" + +inherit pypi python_poetry_core +PYPI_PACKAGE = "checksec_py" +SRC_URI[sha256sum] = "892854f95d17a76d8f45a5c0cc597b9f1bebced3fffb9c7205d0baaf5eace886" + +SRC_URI += " \ + file://0001-main-Add-option-to-ignore-symlinks.patch \ +" + +RDEPENDS:${PN} += " \ + python3-docopt \ + python3-lief \ + python3-pylddwrap \ + python3-rich \ +" + +BBCLASSEXTEND = "native nativesdk" diff --git a/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb new file mode 100644 index 0000000000..5075a1a6a1 --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-icontract_2.6.6.bb @@ -0,0 +1,14 @@ +SUMMARY = "Recipe to embedded the Python PiP Package icontract" +HOMEPAGE = "https://pypi.org/project/icontract" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE.txt;md5=1d4a9b1f6b84bedf7a38843931e0dd57" + +PR = "r0" + +inherit pypi setuptools3 +PYPI_PACKAGE = "icontract" +SRC_URI[sha256sum] = "c1fd55c7709ef18a2ee64313fe863be2668b53060828fcca3525051160c92691" + +RDEPENDS:${PN} += "python3-asttokens" + +BBCLASSEXTEND = "native" diff --git a/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb new file mode 100644 index 0000000000..045ccb9f1e --- /dev/null +++ b/meta-python/recipes-devtools/python/python3-pylddwrap_1.2.2.bb @@ -0,0 +1,26 @@ +SUMMARY = "Recipe to embedded the Python PiP Package pylddwrap" +HOMEPAGE = "https://pypi.org/project/pylddwrap" +LICENSE = "MIT" +LIC_FILES_CHKSUM = "file://LICENSE;md5=48fd6c978d39a38b3a04f45a1456d0fa" + +inherit pypi setuptools3 +PYPI_PACKAGE = "pylddwrap" +SRC_URI[sha256sum] = "a70437fea7bca647c0e98161e1006ef49970267999c571b499760f1c43c6ba10" + +PR = "r0" + +RDEPENDS:${PN} += "python3-icontract" + +BBCLASSEXTEND = "native" + +do_install:append() { + # similarly to https://gitlab.com/akuster/meta-security/-/commit/0fd8e0f8cae612010bafecbff77ed9bb6f647a2d#4e154e295e639fd6c298ca644c75291eb99e0a57_0_16 + # but delete it from prefix and delete requirements.txt as well. + # ERROR: QA Issue: python3-pylddwrap: Files/directories were installed but not shipped in any package: + # /usr/README.rst + # /usr/requirements.txt + # /usr/LICENSE + # Please set FILES such that these items are packaged. Alternatively if they are unneeded, avoid installing them or delete them within do_install. + # python3-pylddwrap: 3 installed and not shipped files. [installed-vs-shipped] + rm -f ${D}${prefix}/README.rst ${D}${prefix}/requirements.txt ${D}${prefix}/LICENSE +}