Re: [OE-core] [PATCH 0/3] Add initial capability to check CVEs for recipes

Thu, 25 Feb 2016 04:42:05 -0800 

On Thu, Feb 25, 2016 at 01:14:21PM +0100, Mikko Rapeli wrote:
> On Wed, Feb 24, 2016 at 03:27:05PM +0000, mariano.lo...@linux.intel.com wrote:
> > From: Mariano Lopez <mariano.lo...@linux.intel.com>
> > 
> > This series add the cve-check-tool recipe, a tool used to identify
> > potentially vulnerable software through version matching. It will
> > check if a vulnerability has been addressed by a patch.
> > 
> > Also add the new cve-check class that will add a task for all recipes
> > to check for CVEs using cve-check-tool. This tool can be used by recipe,
> > image (will generate an image report in deploy dir), and with "world"
> > and "universe"
> > 
> > To run it just inherit the class and enter:
> > 
> > bitbake -c cve_check <recipe>
> 
> I tried these on yocto/dizzy but:
> 
> ERROR: Task do_cve_check in 
> /home/builder/src/base/poky/meta/recipes-core/busybox/busybox_1.22.1.bb 
> depends upon non-existent task do_populate_cve_db in 
> virtual:native:/home/builder/src/base/poky/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.bb
> 
> Is there some simple way to make this work there too?
> 
> For testing purposes I tried this only with busybox:
> 
> $ cat busybox_%.bbappend 
> inherit cve-check
> 
> The cve-check-tool itself needed a few native backports/fixes:
> 
> diff --git a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb 
> b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
> index 9df81cb..b98d991 100644
> --- a/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
> +++ b/meta/recipes-gnome/hicolor-icon-theme/hicolor-icon-theme_0.13.bb
> @@ -21,3 +21,5 @@ FILES_${PN} += "${datadir}/icons"
>  do_install_append () {
>       install -m 0644 ${WORKDIR}/index.theme ${D}/${datadir}/icons/hicolor
>  }
> +
> +BBCLASSEXTEND = "native"
> diff --git a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb 
> b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
> index ce00709..26f8f7f 100644
> --- a/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
> +++ b/meta/recipes-gnome/json-glib/json-glib_1.0.0.bb
> @@ -18,3 +18,5 @@ SRC_URI[archive.sha256sum] = 
> "dbf558d2da989ab84a27e4e13daa51ceaa97eb959c2c2f8097
>  inherit gnome gettext lib_package
>  
>  EXTRA_OECONF = "--disable-introspection"
> +
> +BBCLASSEXTEND = "native"

Sorry, I guess this is needed to enable the class properly:

$ grep cve-check conf/local.conf
INHERIT += "cve-check"

but there are some other backports needed in python modules...

-Mikko
-- 
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core

Reply via email to