[OE-core] [PATCH] archiver: avoid empty incfile in ar_recipe

2019-11-01 Thread grygorii tertychnyi via Openembedded-core
do_ar_recipe fails on perf recipe on line: include ${@bb.utils.contains('PACKAGECONFIG', 'scripting', 'perf-perl.inc', '', d)}
1. "${...}" part expands into empty string
2. bb.utils.which() takes empty string and returns first directory name from bbpath
3. shutil.copy() fails on copying
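The failure chain in the commit message above, reproduced as an added example (not code from the OE-core patch or from bitbake). The `which()` below is a simplified stand-in for `bb.utils.which()` that is assumed to behave the same way for this case: it returns the first BBPATH entry where the item exists, and for an empty item `os.path.join(entry, "")` is the directory itself, which always exists. The layer layout, file names and `.inc` contents are constructed for the example.

```python
import os
import shutil
import tempfile


def which(bbpath, item):
    """Simplified stand-in for bb.utils.which(): first colon-separated
    BBPATH entry under which 'item' exists wins. Assumption of this
    example, not bitbake's own implementation."""
    for entry in bbpath.split(":"):
        candidate = os.path.join(entry, item)
        if os.path.exists(candidate):
            return candidate
    return ""


def copy_include(bbpath, incfile, destdir, skip_empty):
    """Copy the .inc named on an 'include' line into destdir.

    skip_empty=False reproduces the reported failure path;
    skip_empty=True is the guard the patch subject describes.
    Returns the destination path, or None when nothing was copied.
    """
    if skip_empty and not incfile:
        return None
    src = which(bbpath, incfile)
    if not src:
        return None
    shutil.copy(src, destdir)
    return os.path.join(destdir, os.path.basename(src))


def demo():
    root = tempfile.mkdtemp()
    meta = os.path.join(root, "meta")
    layer = os.path.join(meta, "recipes-kernel", "perf")
    dest = os.path.join(root, "ar_recipe")
    os.makedirs(layer)
    os.makedirs(dest)
    # constructed include file standing in for perf-perl.inc
    with open(os.path.join(layer, "perf-perl.inc"), "w") as f:
        f.write('PACKAGECONFIG[scripting] = "constructed"\n')
    bbpath = ":".join([meta, layer])

    # 1. empty item: which() returns the first BBPATH directory, not a file
    empty_hit = which(bbpath, "")
    empty_hit_is_dir = os.path.isdir(empty_hit)

    # 2. shutil.copy() on that directory raises (IsADirectoryError on Linux)
    try:
        copy_include(bbpath, "", dest, skip_empty=False)
        error = None
    except OSError as exc:
        error = type(exc)

    # 3. with the guard the empty include is skipped; a real one still copies
    skipped = copy_include(bbpath, "", dest, skip_empty=True)
    copied = copy_include(bbpath, "perf-perl.inc", dest, skip_empty=True)
    with open(copied) as f:
        copied_content = f.read()

    shutil.rmtree(root)
    return {
        "empty_hit_is_dir": empty_hit_is_dir,
        "error": error,
        "skipped": skipped,
        "copied_name": os.path.basename(copied),
        "copied_content": copied_content,
    }


if __name__ == "__main__":
    print(demo())
```

The guard is deliberately placed before the lookup: once `which()` has been handed an empty name there is no return value that distinguishes "found a directory" from "found the file", so the check has to happen on the expanded include name itself.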

Re: [OE-core] ✗ patchtest: failure for curl: fix for CVE-2018-16839/CVE-2018-16840/CVE-2018-16842

2018-11-05 Thread Grygorii Tertychnyi via Openembedded-core
On Fri Nov 02 2018 @ 06:48, Changqing Li wrote: I have add CVE tag in the patch file, is this test result incorrect? My guess is it was fooled by (well, "incorrect") "CVE--" lines. Even though it is followed by the (correct) "CVE: CVE--" in your CVE patches 43

Re: [OE-core] [PATCH v3 1/3] cve-report: add scripts to generate CVE reports

2018-10-29 Thread Grygorii Tertychnyi via Openembedded-core
On Mon Oct 29 2018 @ 23:29, akuster808 wrote: Grygorii, It was good to see you at OEDeM. Thanks Armin. I have some feedback. On 10/10/18 9:25 AM, grygorii tertychnyi via Openembedded-core wrote: cvert-foss - generate CVE report for the list of packages. Analyze the whole image

[OE-core] [PATCH] curl: extend CVE_PRODUCT

2018-10-29 Thread grygorii tertychnyi via Openembedded-core
There are both "curl" and "libcurl" CPEs in NVD. All "curl" CVEs are now missed in the reports. Hence, switch "CVE_PRODUCT" to a space separated list. It is useful for recipes generating several packages, that have different product names in NVD. Signed-off-by: grygorii tertychnyi ---
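The matching problem the commit message describes, as an added example (not code from the curl recipe, OE-core or cve-check). It assumes the report matches a recipe against NVD by the product field of CPE 2.3 names; the CPE strings below are constructed in NVD's shape, not taken from a real feed. With `CVE_PRODUCT = "curl"` every `libcurl` CPE is skipped; with the space-separated `"curl libcurl"` both product names are covered.

```python
import re

# Constructed CPE 2.3 names in NVD's shape (not a feed excerpt). Field
# order: cpe:2.3:part:vendor:product:version:update:edition:language:
# sw_edition:target_sw:target_hw:other  (13 colon-separated fields).
SAMPLE_CPES = [
    "cpe:2.3:a:haxx:curl:7.61.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:haxx:libcurl:7.61.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:haxx:curl:7.59.0:*:*:*:*:*:*:*",
    "cpe:2.3:a:gnu:wget:1.19.5:*:*:*:*:*:*:*",
]

CPE23_FIELDS = (
    "cpe", "version", "part", "vendor", "product", "product_version",
    "update", "edition", "language", "sw_edition", "target_sw",
    "target_hw", "other",
)


def parse_cpe23(cpe):
    """Split a CPE 2.3 formatted string into its 13 fields.

    A backslash-escaped colon is part of a field, not a separator, so the
    split is done on unescaped colons only; the escape is then removed
    from the product name so it can be compared as plain text.
    """
    fields = re.split(r"(?<!\\):", cpe)
    if len(fields) != len(CPE23_FIELDS) or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 name: %r" % cpe)
    parsed = dict(zip(CPE23_FIELDS, fields))
    parsed["product"] = parsed["product"].replace("\\:", ":")
    return parsed


def cve_products(cve_product):
    """CVE_PRODUCT as a space-separated list of NVD product names."""
    return cve_product.split()


def matching_cpes(cve_product, cpes):
    """CPEs whose product field is one of the recipe's CVE_PRODUCT names."""
    wanted = set(cve_products(cve_product))
    return [cpe for cpe in cpes if parse_cpe23(cpe)["product"] in wanted]


if __name__ == "__main__":
    # old single-value setting: the libcurl CPE is never considered
    print(matching_cpes("curl", SAMPLE_CPES))
    # list setting from the patch: both product names are covered
    print(matching_cpes("curl libcurl", SAMPLE_CPES))
```

The split on unescaped colons matters for real feeds: CPE 2.3 allows `\:` inside a field, and a naive `str.split(":")` would shift every field after it and silently mis-assign the product name.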

Re: [OE-core] [PATCH v3] lib/oe/utils: add eol to format_pkg_list()

2018-10-10 Thread Grygorii Tertychnyi via Openembedded-core
akuster808 writes: > Grygorii, > > > On 10/10/2018 09:26 AM, grygorii tertychnyi via Openembedded-core wrote: >> Append '\n' to the non-empty formatted string before return. If you >> write it to the (manifest) file, it will ensure file ends with a newline.

[OE-core] [PATCH v3] lib/oe/utils: add eol to format_pkg_list()

2018-10-10 Thread grygorii tertychnyi via Openembedded-core
Append '\n' to the non-empty formatted string before return. If you write it to the (manifest) file, it will ensure file ends with a newline. Many GNU utilities have problems processing the last line of a file if it is not '\n' terminated. E.g. if the last line is not terminated by a newline

[OE-core] [PATCH v3 2/3] cvert-kernel - generate CVE report for the Linux kernel

2018-10-10 Thread grygorii tertychnyi via Openembedded-core
NVD entries for the Linux kernel are almost always outdated. For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 is shown as matched for "versions up to (including) 4.15.7", however the patch 57ebd808a97d has been backported for 4.14. By default, it checks NVD Resource entries for the

[OE-core] [PATCH v3 3/3] cve-report.bbclass: add class

2018-10-10 Thread grygorii tertychnyi via Openembedded-core
Implements "report_cve" and "report_patched" tasks. "report_patched" prepares image manifest with patched CVE info. "report_cve" runs cvert-* scripts to generate kernel and package CVE reports. You can configure it to set report filenames, reuse NVD feeds, stop after manifest generation and

[OE-core] [PATCH v3 1/3] cve-report: add scripts to generate CVE reports

2018-10-10 Thread grygorii tertychnyi via Openembedded-core
cvert-foss - generate CVE report for the list of packages. Analyze the whole image manifest to align with the complex CPE configurations. cvert-update - update NVD feeds and store CVE structures dump. CVE dump is a pickled representation of the cve_struct dictionary. cvert.py - python

[OE-core] [PATCH v2] lib/oe/utils: add eol to format_pkg_list()

2018-10-03 Thread grygorii tertychnyi via Openembedded-core
Append '\n' to the non-empty formatted string before return. If you write it to the (manifest) file, it will ensure file ends with a newline. Many GNU utilities have problems processing the last line of a file if it is not '\n' terminated. E.g. if the last line is not terminated by a newline

[OE-core] [PATCH] lib/oe/utils: add eol to format_pkg_list()

2018-10-01 Thread grygorii tertychnyi via Openembedded-core
Append '\n' to the formatted string before return. If you write it to the (manifest) file, it will ensure file ends with a newline. Many GNU utilities have problems processing the last line of a file if it is not '\n' terminated. E.g. if the last line is not terminated by a newline character,

[OE-core] [PATCH v2 2/2] cve-report.bbclass: add class

2018-08-06 Thread grygorii tertychnyi via Openembedded-core
Implements "report_cve" and "report_patched" tasks. "report_patched" prepares image manifest with patched CVE info. "report_cve" runs cvert-* scripts to generate kernel and package CVE reports. You can configure it to set report filenames, reuse NVD feeds, stop after manifest generation and

[OE-core] [PATCH v2 1/2] cve-report: add scripts to generate CVE reports

2018-08-06 Thread grygorii tertychnyi via Openembedded-core
cvert-kernel - generate CVE report for the Linux kernel. NVD entries for the Linux kernel are almost always outdated. For example, https://nvd.nist.gov/vuln/detail/CVE-2018-1065 is shown as matched for "versions up to (including) 4.15.7", however the patch 57ebd808a97d has been backported

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

2018-08-06 Thread grygorii tertychnyi via Openembedded-core
On 08/06/2018 09:56 AM, mikko.rap...@bmw.de wrote: On Fri, Aug 03, 2018 at 10:37:05PM +, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote: cvert-kernel - generate CVE report for the Linux kernel. NVD entries for the Linux kernel are almost always outdated. For example,

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

2018-08-06 Thread grygorii tertychnyi via Openembedded-core
On 08/05/2018 05:52 AM, Victor Kamensky wrote: On Sat, 4 Aug 2018, Alexander Kanavin wrote: How reliable is NVD database for such automated scans? Previously, we have repeatedly concluded that it should not be trusted, and proper patching of vulnerabilities must involve humans looking at

Re: [OE-core] [PATCH 1/2] cve-report: add scripts to generate CVE reports

2018-08-06 Thread grygorii tertychnyi via Openembedded-core
On 08/04/2018 05:16 PM, akuster808 wrote: On 08/03/2018 03:37 PM, Grygorii Tertychnyi (gtertych) via Openembedded-core wrote: cvert-kernel - generate CVE report for the Linux kernel. NVD entries for the Linux kernel are almost always outdated. For example,