* [PATCH 1/2] cve-check.bbclass: add layer to cve log
@ 2021-02-08  5:51 akuster
  2021-02-08  5:51 ` [PATCH 2/2] cve-check: add include/exclude layers akuster
  0 siblings, 1 reply; 5+ messages in thread
From: akuster @ 2021-02-08  5:51 UTC
  To: openembedded-core

Let's include which layer a package belongs to and
add it to the cve logs

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/classes/cve-check.bbclass | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index ed86403b6bc..061af7a2760 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -335,6 +335,9 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     """
 
     cve_file = d.getVar("CVE_CHECK_LOG")
+    fdir_name  = d.getVar("FILE_DIRNAME")
+    layer = fdir_name.split("/")[-3]
+
     nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
     write_string = ""
     unpatched_cves = []
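Review bot: `layer = fdir_name.split("/")[-3]` derives the layer from path depth, so it is only correct for recipes laid out as <layer>/<recipes-dir>/<pn>/. A recipe that sits one directory deeper or shallower gets a wrong LAYER value, and a FILE_DIRNAME with fewer than three components raises IndexError. Since this name ends up in the CVE log, consider resolving it from the layer configuration rather than a fixed index, or at least add a comment stating the layout assumption. Minor: `fdir_name  =` has a double space before the `=`.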
@@ -344,6 +347,7 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
         is_patched = cve in patched
         if is_patched and (d.getVar("CVE_CHECK_REPORT_PATCHED") != "1"):
             continue
+        write_string += "LAYER: %s\n" % layer
         write_string += "PACKAGE NAME: %s\n" % d.getVar("PN")
         write_string += "PACKAGE VERSION: %s%s\n" % (d.getVar("EXTENDPE"), d.getVar("PV"))
         write_string += "CVE: %s\n" % cve
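Review bot: the new `LAYER:` line is written as the first field of every record in the loop, ahead of `PACKAGE NAME:`, which changes the layout of the records in CVE_CHECK_LOG. The commit message should say so, so that anything parsing the log and expecting `PACKAGE NAME:` to open a record can be adjusted. Placing the line after `PACKAGE VERSION:` would keep the existing leading field.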
-- 
2.25.1



* [PATCH 2/2] cve-check: add include/exclude layers
  2021-02-08  5:51 [PATCH 1/2] cve-check.bbclass: add layer to cve log akuster
@ 2021-02-08  5:51 ` akuster
  2021-02-08 10:16   ` [OE-core] " Richard Purdie
  0 siblings, 1 reply; 5+ messages in thread
From: akuster @ 2021-02-08  5:51 UTC
  To: openembedded-core

There are times when excluding or including a layer
may be desired. This provides the framework for that via
two variables. The default is all layers in bblayers.

CVE_CHECK_LAYER_INCLUDELIST
CVE_CHECK_LAYER_EXCLUDELIST

Signed-off-by: Armin Kuster <akuster808@gmail.com>
---
 meta/classes/cve-check.bbclass | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index 061af7a2760..112ee3379d3 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -53,6 +53,13 @@ CVE_CHECK_PN_WHITELIST ?= ""
 #
 CVE_CHECK_WHITELIST ?= ""
 
+# Layers to be excluded
+CVE_CHECK_LAYER_EXCLUDELIST ??= ""
+
+# Layers to be included 
+CVE_CHECK_LAYER_INCLUDELIST ??= ""
+
+
 # set to "alphabetical" for version using single alphabetical character as increament release
 CVE_VERSION_SUFFIX ??= ""
 
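Review bot: the comments on CVE_CHECK_LAYER_EXCLUDELIST and CVE_CHECK_LAYER_INCLUDELIST do not say what a value looks like or how the two interact. State that each is a space-separated list of layer names as compared against `layer` in cve_write_data, that an empty include list means all layers, and that the exclude list is checked first. Also, `# Layers to be included ` has trailing whitespace, and the hunk adds two blank lines after the new variables where one is enough.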
@@ -334,10 +341,20 @@ def cve_write_data(d, patched, unpatched, whitelisted, cve_data):
     CVE manifest if enabled.
     """
 
+
     cve_file = d.getVar("CVE_CHECK_LOG")
     fdir_name  = d.getVar("FILE_DIRNAME")
     layer = fdir_name.split("/")[-3]
 
+    include_layers = d.getVar("CVE_CHECK_LAYER_INCLUDELIST").split()
+    exclude_layers = d.getVar("CVE_CHECK_LAYER_EXCLUDELIST").split()
+
+    if exclude_layers and layer in exclude_layers:
+        return
+
+    if include_layers and layer not in include_layers:
+        return
+
     nvd_link = "https://web.nvd.nist.gov/view/vuln/detail?vulnId="
     write_string = ""
     unpatched_cves = []
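Review bot: both new `return` statements drop a recipe's CVE results without leaving any trace, so a misspelled name in CVE_CHECK_LAYER_INCLUDELIST silently produces an empty report that looks the same as a clean one. Emit a note (for example via bb.note) naming the recipe's layer and the list that filtered it before returning. The filter also sits in cve_write_data, which is called with the patched and unpatched lists already computed, so an excluded layer still pays for the check; testing the layer earlier would avoid that. Nits: the `exclude_layers and` guard is redundant because `layer in exclude_layers` is already false for an empty list, and the hunk adds a stray blank line after the docstring.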
-- 
2.25.1



* Re: [OE-core] [PATCH 2/2] cve-check: add include/exclude layers
  2021-02-08  5:51 ` [PATCH 2/2] cve-check: add include/exclude layers akuster
@ 2021-02-08 10:16   ` Richard Purdie
  2021-02-08 15:55     ` akuster
  0 siblings, 1 reply; 5+ messages in thread
From: Richard Purdie @ 2021-02-08 10:16 UTC
  To: akuster, openembedded-core

On Mon, 2021-02-08 at 05:51 +0000, akuster wrote:
> There are times when excluding or including a layer
> may be desired. This provides the framework for that via
> two variables. The default is all layers in bblayers.
> 
> CVE_CHECK_LAYER_INCLUDELIST
> CVE_CHECK_LAYER_EXCLUDELIST

Do we need to document these?

Cheers,

Richard



* Re: [OE-core] [PATCH 2/2] cve-check: add include/exclude layers
  2021-02-08 10:16   ` [OE-core] " Richard Purdie
@ 2021-02-08 15:55     ` akuster
  2021-02-09  9:05       ` Richard Purdie
  0 siblings, 1 reply; 5+ messages in thread
From: akuster @ 2021-02-08 15:55 UTC
  To: Richard Purdie, openembedded-core



On 2/8/21 2:16 AM, Richard Purdie wrote:
> On Mon, 2021-02-08 at 05:51 +0000, akuster wrote:
>> There are times when excluding or including a layer
>> may be desired. This provides the framework for that via
>> two variables. The default is all layers in bblayers.
>>
>> CVE_CHECK_LAYER_INCLUDELIST
>> CVE_CHECK_LAYER_EXCLUDELIST
> Do we need to document these?
Yes if and when the patches are accepted.  By doc do you mean the
manuals or documentation.conf?

- armin
>
> Cheers,
>
> Richard
>



* Re: [OE-core] [PATCH 2/2] cve-check: add include/exclude layers
  2021-02-08 15:55     ` akuster
@ 2021-02-09  9:05       ` Richard Purdie
  0 siblings, 0 replies; 5+ messages in thread
From: Richard Purdie @ 2021-02-09  9:05 UTC
  To: akuster808, openembedded-core

On Mon, 2021-02-08 at 07:55 -0800, akuster808 wrote:
> 
> On 2/8/21 2:16 AM, Richard Purdie wrote:
> > On Mon, 2021-02-08 at 05:51 +0000, akuster wrote:
> > > There are times when excluding or including a layer
> > > may be desired. This provides the framework for that via
> > > two variables. The default is all layers in bblayers.
> > > 
> > > CVE_CHECK_LAYER_INCLUDELIST
> > > CVE_CHECK_LAYER_EXCLUDELIST
> > Do we need to document these?
> Yes if and when the patches are accepted.  By doc do you mean the
> manuals or documentation.conf?

I was thinking of the manuals but both may make sense. The patch is
in so looking forward to the docs updated, thanks! :)

Cheers,

Richard



