Message ID | 20250416142859.909037-2-daniel.turull@ericsson.com |
---|---|
State | New |
Series | Check compiled files to filter kernel CVEs |
Hello,

this approach will not work.
DL_DIR can be shared across all (parallel) builds (also to multiple machines via NFS), so the symlinks would be overwriting each other.
Also, AUTOREV is not suitable for recipes in core as it makes bitbake access the network on each recipe parsing (so even when the class is not active).
Ideally this should have a format like the NVD/FKIE feeds, where the update timestamp is used to determine if an update is needed or not.
The data needs to be copied to a folder within the build.

Peter

> -----Original Message-----
> From: daniel.turull@ericsson.com <daniel.turull@ericsson.com>
> Sent: Wednesday, April 16, 2025 16:29
> To: openembedded-core@lists.openembedded.org
> Cc: rybczynska@gmail.com; steve@sakoman.com; Marko, Peter (FT D EU SK
> BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org;
> ross.burton@arm.com; Daniel Turull <daniel.turull@ericsson.com>
> Subject: [PATCH 1/2] linux-vulns: fetch kernel.org CNA info
>
> From: Daniel Turull <daniel.turull@ericsson.com>
>
> Add CVE data source for kernel.org.
>
> It includes more information than the one provided by NVD.
>
> Signed-off-by: Daniel Turull <daniel.turull@ericsson.com>
> ---
> meta/conf/distro/include/maintainers.inc | 1 +
> meta/recipes-core/meta/linux-vulns_git.bb | 42 +++++++++++++++++++++++
> 2 files changed, 43 insertions(+)
> create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb
>
> diff --git a/meta/conf/distro/include/maintainers.inc > b/meta/conf/distro/include/maintainers.inc > index 8065287c17..ec427fe6a4 100644 > --- a/meta/conf/distro/include/maintainers.inc > +++ b/meta/conf/distro/include/maintainers.inc
> @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned > <unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned > <unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador > <otavio.salvador@ossystems.com.br>" > RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned > <unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes- > core/meta/linux-vulns_git.bb > new file mode 100644 > index 0000000000..158790f082 > --- /dev/null > +++ b/meta/recipes-core/meta/linux-vulns_git.bb 
> @@ -0,0 +1,42 @@ > +SUMMARY = "CVE information from kernel.org" > +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved > \ > +and assigned to the Linux kernel project." > +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" > +LICENSE = "GPL-2.0-only & cve-tou" > +LIC_FILES_CHKSUM = "file://LICENSES/GPL-2.0- > only.txt;md5=c89d4ad08368966d8df5a90ea96bebe4\ > + file://LICENSES/cve- > tou.txt;md5=0d1f8ff7666c210e0b0404fd9d7e6703" > +SECTION = "base" > + > +SRC_URI = > "git://git.kernel.org/pub/scm/linux/security/vulns;branch=master;protocol=https" > +inherit native > + > +SRCREV="${AUTOREV}" > +PV = "1.0-git-${SRCREV}" > + > +S = "${WORKDIR}/git" > + > +KERNEL_CNA_REPO ??= "${DL_DIR}/CVE_CHECK/vulns" > + > +python do_unpack:append(){ > + # Make symbolic link so it is easy to find > + import os > + source_path = d.getVar("S") > + link_path = d.getVar("KERNEL_CNA_REPO") > + if os.path.exists(link_path): > + os.remove(link_path) > + bb.utils.mkdirhier(os.path.dirname(link_path)) > + os.symlink(source_path, link_path) > +} > + > +deltask do_patch > +deltask do_configure > +deltask do_compile > +deltask do_install > +deltask do_cve_check > +deltask do_populate_sysroot > +deltask do_runtime_spdx > +deltask do_create_spdx > +deltask do_populate_lic > +do_fetch[nostamp] = "1" > + > +EXCLUDE_FROM_WORLD = "1"
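The update model Peter describes, as an added example that is not part of the thread or of the patch: a shared cache (think DL_DIR) refreshed only when its timestamp is older than an interval, serialised by a lock so parallel builds do not race, and then copied into the build's own directory instead of symlinked. The function names, the stamp and lock file names and the `vulns` subdirectory are assumptions; a real BitBake class would use `bb.utils.lockfile()` and copy under the recipe's WORKDIR.

```python
import fcntl
import os
import shutil
import time
from typing import Callable, Optional

STAMP_NAME = ".last_update"   # epoch seconds of the last successful fetch (assumed name)
LOCK_NAME = ".update.lock"    # lock serialising refreshes of the shared cache (assumed name)

def _read_stamp(cache_dir: str) -> Optional[float]:
    """Return the last-update time, or None if the cache was never fetched."""
    try:
        with open(os.path.join(cache_dir, STAMP_NAME)) as f:
            return float(f.read().strip())
    except (OSError, ValueError):
        return None

def refresh_shared_cache(cache_dir: str, interval_s: int,
                         fetch: Callable[[str], None],
                         now: Callable[[], float] = time.time) -> bool:
    """Refresh cache_dir via fetch() only if its stamp is older than interval_s.
    Returns True when a fetch happened. Parallel builds sharing the cache block on
    the lock and re-read the stamp, so only the first one downloads. (A BitBake
    class would use bb.utils.lockfile() instead of raw flock.)"""
    os.makedirs(cache_dir, exist_ok=True)
    with open(os.path.join(cache_dir, LOCK_NAME), "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)
        try:
            stamp = _read_stamp(cache_dir)
            if stamp is not None and now() - stamp < interval_s:
                return False
            fetch(cache_dir)  # e.g. git clone / git pull of the kernel.org vulns repo
            with open(os.path.join(cache_dir, STAMP_NAME), "w") as f:
                f.write(str(now()))
            return True
        finally:
            fcntl.flock(lock, fcntl.LOCK_UN)

def snapshot_for_build(cache_dir: str, build_dir: str) -> str:
    """Copy the shared cache into the build's own tree (no symlink into a shared
    download directory), replacing any stale copy or dangling link first."""
    dest = os.path.join(build_dir, "vulns")
    if os.path.islink(dest) or os.path.isfile(dest):
        os.remove(dest)   # islink() is true for a dangling link, exists() is not
    elif os.path.isdir(dest):
        shutil.rmtree(dest)
    shutil.copytree(cache_dir, dest,
                    ignore=shutil.ignore_patterns(STAMP_NAME, LOCK_NAME))
    return dest
```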
Thanks for the reply Peter,

I'll look into having a similar approach as the NVD/FKIE feeds and submit a second version.

I have also noticed that the autorev doesn't work towards premirrors.

Best regards,
Daniel

-----Original Message-----
From: Marko, Peter <Peter.Marko@siemens.com>
Sent: Thursday, 17 April 2025 10:20
To: Daniel Turull <daniel.turull@ericsson.com>; openembedded-core@lists.openembedded.org
Cc: rybczynska@gmail.com; steve@sakoman.com; richard.purdie@linuxfoundation.org; ross.burton@arm.com
Subject: RE: [PATCH 1/2] linux-vulns: fetch kernel.org CNA info

Hello,

this approach will not work.
DL_DIR can be shared across all (parallel) builds (also to multiple machines via NFS), so the symlinks would be overwriting each other.
Also, AUTOREV is not suitable for recipes in core as it makes bitbake access the network on each recipe parsing (so even when the class is not active).
Ideally this should have a format like the NVD/FKIE feeds, where the update timestamp is used to determine if an update is needed or not.
The data needs to be copied to a folder within the build.

Peter

> -----Original Message-----
> From: daniel.turull@ericsson.com <daniel.turull@ericsson.com>
> Sent: Wednesday, April 16, 2025 16:29
> To: openembedded-core@lists.openembedded.org
> Cc: rybczynska@gmail.com; steve@sakoman.com; Marko, Peter (FT D EU SK
> BFS1) <Peter.Marko@siemens.com>; richard.purdie@linuxfoundation.org;
> ross.burton@arm.com; Daniel Turull <daniel.turull@ericsson.com>
> Subject: [PATCH 1/2] linux-vulns: fetch kernel.org CNA info
>
> From: Daniel Turull <daniel.turull@ericsson.com>
>
> Add CVE data source for kernel.org.
>
> It includes more information than the one provided by NVD.
> > Signed-off-by: Daniel Turull <daniel.turull@ericsson.com> > --- > meta/conf/distro/include/maintainers.inc | 1 + > meta/recipes-core/meta/linux-vulns_git.bb | 42 +++++++++++++++++++++++ > 2 files changed, 43 insertions(+) > create mode 100644 meta/recipes-core/meta/linux-vulns_git.bb > > diff --git a/meta/conf/distro/include/maintainers.inc > b/meta/conf/distro/include/maintainers.inc > index 8065287c17..ec427fe6a4 100644 > --- a/meta/conf/distro/include/maintainers.inc > +++ b/meta/conf/distro/include/maintainers.inc > @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned > <unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned > <unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador > <otavio.salvador@ossystems.com.br>" > RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned > <unassigned@yoctoproject.org>" > RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield > <bruce.ashfield@gmail.com>" > diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes- > core/meta/linux-vulns_git.bb new file mode 100644 index > 0000000000..158790f082 > --- /dev/null > +++ b/meta/recipes-core/meta/linux-vulns_git.bb 
> @@ -0,0 +1,42 @@ > +SUMMARY = "CVE information from kernel.org" > +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers > +reserved > \ > +and assigned to the Linux kernel project." > +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" > +LICENSE = "GPL-2.0-only & cve-tou" > +LIC_FILES_CHKSUM = "file://LICENSES/GPL-2.0- > only.txt;md5=c89d4ad08368966d8df5a90ea96bebe4\ > + file://LICENSES/cve- > tou.txt;md5=0d1f8ff7666c210e0b0404fd9d7e6703" > +SECTION = "base" > + > +SRC_URI = > "git://git.kernel.org/pub/scm/linux/security/vulns;branch=master;protocol=https" > +inherit native > + > +SRCREV="${AUTOREV}" > +PV = "1.0-git-${SRCREV}" > + > +S = "${WORKDIR}/git" > + > +KERNEL_CNA_REPO ??= "${DL_DIR}/CVE_CHECK/vulns" > + > +python do_unpack:append(){ > + # Make symbolic link so it is easy to find > + import os > + source_path = d.getVar("S") > + link_path = d.getVar("KERNEL_CNA_REPO") > + if os.path.exists(link_path): > + os.remove(link_path) > + bb.utils.mkdirhier(os.path.dirname(link_path)) > + os.symlink(source_path, link_path) } > + > +deltask do_patch > +deltask do_configure > +deltask do_compile > +deltask do_install > +deltask do_cve_check > +deltask do_populate_sysroot > +deltask do_runtime_spdx > +deltask do_create_spdx > +deltask do_populate_lic > +do_fetch[nostamp] = "1" > + > +EXCLUDE_FROM_WORLD = "1"
diff --git a/meta/conf/distro/include/maintainers.inc b/meta/conf/distro/include/maintainers.inc index 8065287c17..ec427fe6a4 100644 --- a/meta/conf/distro/include/maintainers.inc +++ b/meta/conf/distro/include/maintainers.inc @@ -468,6 +468,7 @@ RECIPE_MAINTAINER:pn-lighttpd = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-linux-dummy = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-linux-firmware = "Otavio Salvador <otavio.salvador@ossystems.com.br>" RECIPE_MAINTAINER:pn-linux-libc-headers = "Bruce Ashfield <bruce.ashfield@gmail.com>" +RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org>" RECIPE_MAINTAINER:pn-linux-yocto = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-linux-yocto-dev = "Bruce Ashfield <bruce.ashfield@gmail.com>" RECIPE_MAINTAINER:pn-linux-yocto-rt = "Bruce Ashfield <bruce.ashfield@gmail.com>" diff --git a/meta/recipes-core/meta/linux-vulns_git.bb b/meta/recipes-core/meta/linux-vulns_git.bb new file mode 100644 index 0000000000..158790f082 --- /dev/null +++ b/meta/recipes-core/meta/linux-vulns_git.bb 
@@ -0,0 +1,42 @@ +SUMMARY = "CVE information from kernel.org" +DESCRIPTION = "Repo for tracking and maintaining the CVE identifiers reserved \ +and assigned to the Linux kernel project." +HOMEPAGE = "https://git.kernel.org/pub/scm/linux/security/vulns.git/about/" +LICENSE = "GPL-2.0-only & cve-tou" +LIC_FILES_CHKSUM = "file://LICENSES/GPL-2.0-only.txt;md5=c89d4ad08368966d8df5a90ea96bebe4\ + file://LICENSES/cve-tou.txt;md5=0d1f8ff7666c210e0b0404fd9d7e6703" +SECTION = "base" + +SRC_URI = "git://git.kernel.org/pub/scm/linux/security/vulns;branch=master;protocol=https" +inherit native + +SRCREV="${AUTOREV}" +PV = "1.0-git-${SRCREV}" + +S = "${WORKDIR}/git" + +KERNEL_CNA_REPO ??= "${DL_DIR}/CVE_CHECK/vulns" + +python do_unpack:append(){ + # Make symbolic link so it is easy to find + import os + source_path = d.getVar("S") + link_path = d.getVar("KERNEL_CNA_REPO") + if os.path.exists(link_path): + os.remove(link_path) + bb.utils.mkdirhier(os.path.dirname(link_path)) + os.symlink(source_path, link_path) +} + +deltask do_patch +deltask do_configure +deltask do_compile +deltask do_install +deltask do_cve_check +deltask do_populate_sysroot +deltask do_runtime_spdx +deltask do_create_spdx +deltask do_populate_lic +do_fetch[nostamp] = "1" + +EXCLUDE_FROM_WORLD = "1"
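Review bot: in the maintainers.inc hunk, `+RECIPE_MAINTAINER:pn-linux-vulns = "Unassigned <unassigned@yoctoproject.org>"` leaves the new recipe without an owner from the day it lands; since this series introduces the recipe, consider listing its author (the Signed-off-by, Daniel Turull) as maintainer rather than Unassigned, so breakage of the CVE data source has a contact.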
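Review bot: the symlink step in `do_unpack:append` of the new linux-vulns_git.bb has a logic gap and a sharing problem. `os.path.exists(link_path)` is false for a dangling symlink (for example after the previous build's `${WORKDIR}/git` was cleaned), so `os.remove` is skipped and the following `os.symlink` raises FileExistsError; use `os.path.lexists` there. More fundamentally, `KERNEL_CNA_REPO ??= "${DL_DIR}/CVE_CHECK/vulns"` puts the link in DL_DIR, which is routinely shared between parallel builds and across machines, so concurrent builds overwrite each other's link and it may point at a WORKDIR on another host. Together with `SRCREV="${AUTOREV}"` (network access at every parse) and `do_fetch[nostamp] = "1"` (a fetch on every build), the update policy should instead mirror the NVD/FKIE feed classes already in core: keep a timestamped copy under DL_DIR, refresh it only when older than an interval, and copy it into the build's own directory. Style: `SRCREV="${AUTOREV}"` should be `SRCREV = "${AUTOREV}"` to match the spacing of the other assignments in the file.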