[2/2] CI/cve.yml: add a CVE-checking Kas fragment

Message ID 20240126164341.2846181-2-ross.burton@arm.com
State New
Series [1/2] CI: support extra kas files from environment

Commit Message

Ross Burton Jan. 26, 2024, 4:43 p.m. UTC
From: Ross Burton <ross.burton@arm.com>

Add a Kas fragment to enable the CVE checker.  Disable warnings by
default but show them for the layers in meta-arm, because we only care
about meta-arm issues in this CI.

Explicitly hide kernel warnings as the kernel typically has tens of open
CVEs, and if we're carrying a kernel explicitly then it's typically an
interim kernel between releases.

Signed-off-by: Ross Burton <ross.burton@arm.com>
---
 ci/cve.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 ci/cve.yml

Patch

diff --git a/ci/cve.yml b/ci/cve.yml
new file mode 100644
index 00000000..381f8557
--- /dev/null
+++ b/ci/cve.yml
@@ -0,0 +1,16 @@ 
+header:
+  version: 14
+
+local_conf_header:
+  cve: |
+    INHERIT += "cve-check"
+
+    # Just show the warnings for our layers
+    CVE_CHECK_SHOW_WARNINGS = "0"
+    CVE_CHECK_SHOW_WARNINGS:layer-arm-toolchain = "1"
+    CVE_CHECK_SHOW_WARNINGS:layer-meta-arm = "1"
+    CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-bsp = "1"
+    CVE_CHECK_SHOW_WARNINGS:layer-meta-arm-systemready = "1"
+
+    # Ignore the kernel, we sometime carry kernels in meta-arm
+    CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"
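
Review bot: the final override, `CVE_CHECK_SHOW_WARNINGS:pn-linux-yocto = "0"`, only does anything if a `pn-` override takes precedence over the `layer-meta-arm*` overrides set to "1" just above it, and that ordering is not visible in this fragment. Please confirm the resulting value on a kernel recipe carried in one of these layers (for example with `bitbake -e` on that recipe) and state the expectation in the comment. The commit message talks about hiding kernel warnings in general, but only the `linux-yocto` recipe name is covered, so a kernel recipe with a different name in these layers would still show warnings; either add those names or note that the limit is intended. Minor: "sometime" in the comment should read "sometimes".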