On Tue, Apr 27, 2021 at 2:10 PM Ralph Siemsen <[email protected]> wrote:
>
> This is more of an RFC than an actual review request. Currently, the
> yocto CVE checker fails to report CVEs in docker, due to mismatch of the
> package names (eg "docker-moby" versus just "docker" in NVD).
>
> So set CVE_PRODUCT in each recipe to match up the names. I have only
> done this for docker, containerd and runc. Perhaps there are more
> components needing similar treatment.
There likely are more components that need this, in particular where I used
to have support for docker variants, but we don't need to solve the entire
problem now .. just starting is enough.
It's easy enough to port this to master, only that runc version being caught
in the context might make it fail to apply .. and that's an easy fix.
>
> Possible TODOs include:
> * rebase/update this to master, and test it there
> * split into separate commits, one per component
I'd suggest the split into the three, and go ahead and do the change on
master. I'll carry it back to the released branches and pick up dunfell.
The testing is pretty simple, so I'll make sure master is ok and you've
already tested on dunfell, so that is enough.
Bruce
> ---
> recipes-containers/containerd/containerd-docker_git.bb | 2 ++
> recipes-containers/containerd/containerd-opencontainers_git.bb | 2 ++
> recipes-containers/docker/docker-ce_git.bb | 2 ++
> recipes-containers/docker/docker-moby.bb | 2 ++
> recipes-containers/runc/runc-docker_git.bb | 2 ++
> recipes-containers/runc/runc-opencontainers_git.bb | 2 ++
> 6 files changed, 12 insertions(+)
>
> diff --git a/recipes-containers/containerd/containerd-docker_git.bb
> b/recipes-containers/containerd/containerd-docker_git.bb
> index b18a9bb..2a3cd34 100644
> --- a/recipes-containers/containerd/containerd-docker_git.bb
> +++ b/recipes-containers/containerd/containerd-docker_git.bb
> @@ -12,3 +12,5 @@ PROVIDES += "virtual/containerd"
> RPROVIDES_${PN} = "virtual/containerd"
>
> DEPENDS += "btrfs-tools"
> +
> +CVE_PRODUCT = "containerd"
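Review bot: CVE_PRODUCT = "containerd" matches on the product field alone, so any NVD CPE whose product is "containerd" is pulled in regardless of vendor. cve-check also accepts the "vendor:product" form; if the intended entries are the linuxfoundation ones, CVE_PRODUCT = "linuxfoundation:containerd" narrows the match to that vendor. Confirm the vendor string against the NVD CPE dictionary before switching, since a wrong vendor would drop the very reports this patch is trying to surface.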
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb
> b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 347eae5..2bcff1e 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -14,3 +14,5 @@ EXTRA_OEMAKE += "GODEBUG=1"
>
> PROVIDES += "virtual/containerd"
> RPROVIDES_${PN} = "virtual/containerd"
> +
> +CVE_PRODUCT = "containerd"
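Review bot: Identical assignment to the one in containerd-docker_git.bb. If the two containerd recipes share an include file, setting CVE_PRODUCT once there keeps them from drifting apart; if they do not, the duplication is acceptable and the per-component split suggested in the thread will make that explicit.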
> diff --git a/recipes-containers/docker/docker-ce_git.bb
> b/recipes-containers/docker/docker-ce_git.bb
> index 14182d1..adffcec 100644
> --- a/recipes-containers/docker/docker-ce_git.bb
> +++ b/recipes-containers/docker/docker-ce_git.bb
> @@ -129,3 +129,5 @@ FILES_${PN} += "${systemd_unitdir}/system/*
> ${sysconfdir}/docker"
>
> FILES_${PN}-contrib += "${datadir}/docker/check-config.sh"
> RDEPENDS_${PN}-contrib += "bash"
> +
> +CVE_PRODUCT = "docker"
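Review bot: A bare "docker" product name is broad; Docker Engine sits under vendor "docker" in NVD, so CVE_PRODUCT = "docker:docker" would keep the report from picking up entries from unrelated vendors whose product field is also "docker". Both docker-ce_git.bb and docker-moby.bb map to the same product here, which is consistent since they track the same upstream, so whichever form is chosen should be applied to both.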
> diff --git a/recipes-containers/docker/docker-moby.bb
> b/recipes-containers/docker/docker-moby.bb
> index 762a785..600603f 100644
> --- a/recipes-containers/docker/docker-moby.bb
> +++ b/recipes-containers/docker/docker-moby.bb
> @@ -148,3 +148,5 @@ FILES_${PN} += "${systemd_unitdir}/system/*
> ${sysconfdir}/docker"
>
> FILES_${PN}-contrib += "${datadir}/docker/check-config.sh"
> RDEPENDS_${PN}-contrib += "bash"
> +
> +CVE_PRODUCT = "docker"
> diff --git a/recipes-containers/runc/runc-docker_git.bb
> b/recipes-containers/runc/runc-docker_git.bb
> index 8d810d0..3684366 100644
> --- a/recipes-containers/runc/runc-docker_git.bb
> +++ b/recipes-containers/runc/runc-docker_git.bb
> @@ -11,3 +11,5 @@ SRC_URI =
> "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
> "
>
> RUNC_VERSION = "1.0.0-rc8"
> +
> +CVE_PRODUCT = "runc"
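Review bot: RUNC_VERSION = "1.0.0-rc8" is right above the new line, but cve-check compares against PV, not RUNC_VERSION; if PV for this git recipe is not exactly the upstream release string, add CVE_VERSION = "${RUNC_VERSION}" next to CVE_PRODUCT so the release-candidate version is compared against the NVD affected ranges rather than a revision-suffixed PV. As with containerd, "linuxfoundation:runc" in vendor:product form would limit matching to the upstream project's CPE.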
> diff --git a/recipes-containers/runc/runc-opencontainers_git.bb
> b/recipes-containers/runc/runc-opencontainers_git.bb
> index 3a7e7aa..a1271f6 100644
> --- a/recipes-containers/runc/runc-opencontainers_git.bb
> +++ b/recipes-containers/runc/runc-opencontainers_git.bb
> @@ -7,3 +7,5 @@ SRC_URI = " \
> file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
> "
> RUNC_VERSION = "1.0.0-rc8"
> +
> +CVE_PRODUCT = "runc"
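Review bot: Same CVE_VERSION versus RUNC_VERSION point as for runc-docker_git.bb. In addition, cve-check only credits a backported fix when the patch file name or a "CVE:" line in its header carries the CVE identifier; 0001-Only-allow-proc-mount-if-it-is-procfs.patch in SRC_URI has no such tag, so if it addresses a published CVE the report for it will keep appearing once CVE_PRODUCT enables matching, and the patch should be tagged accordingly.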
> --
> 2.17.1
--
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II