* [RFC][dunfell][PATCH] add CVE_PRODUCT for docker, containerd, runc
@ 2021-04-27 18:10 Ralph Siemsen
From: Ralph Siemsen @ 2021-04-27 18:10 UTC (permalink / raw)
  To: meta-virtualization; +Cc: Ralph Siemsen

This is more of an RFC than an actual review request. Currently, the
yocto CVE checker fails to report CVEs in docker, due to mismatch of the
package names (e.g. "docker-moby" versus just "docker" in NVD).

So set CVE_PRODUCT in each recipe to match up the names. I have only
done this for docker, containerd and runc. Perhaps there are more
components needing similar treatment.

Possible TODOs include:
* rebase/update this to master, and test it there
* split into separate commits, one per component
---
 recipes-containers/containerd/containerd-docker_git.bb         | 2 ++
 recipes-containers/containerd/containerd-opencontainers_git.bb | 2 ++
 recipes-containers/docker/docker-ce_git.bb                     | 2 ++
 recipes-containers/docker/docker-moby.bb                       | 2 ++
 recipes-containers/runc/runc-docker_git.bb                     | 2 ++
 recipes-containers/runc/runc-opencontainers_git.bb             | 2 ++
 6 files changed, 12 insertions(+)

diff --git a/recipes-containers/containerd/containerd-docker_git.bb b/recipes-containers/containerd/containerd-docker_git.bb
index b18a9bb..2a3cd34 100644
--- a/recipes-containers/containerd/containerd-docker_git.bb
+++ b/recipes-containers/containerd/containerd-docker_git.bb
@@ -12,3 +12,5 @@ PROVIDES += "virtual/containerd"
 RPROVIDES_${PN} = "virtual/containerd"
 
 DEPENDS += "btrfs-tools"
+
+CVE_PRODUCT = "containerd"
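Review bot: The product name is only half of the match this hunk enables; the other half is the version. cve-check compares CVE_VERSION, which defaults to PV, and for a git recipe PV carries a +git/SRCPV suffix that the checker must strip before comparing against NVD version ranges. Before merging, run `bitbake -c cve_check containerd-docker` and confirm in the per-recipe report that the version listed is the bare upstream release number and that a known containerd CVE older than the packaged release shows up as Unpatched; a product match with an unparseable version reports either everything or nothing.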
diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
index 347eae5..2bcff1e 100644
--- a/recipes-containers/containerd/containerd-opencontainers_git.bb
+++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
@@ -14,3 +14,5 @@ EXTRA_OEMAKE += "GODEBUG=1"
 
 PROVIDES += "virtual/containerd"
 RPROVIDES_${PN} = "virtual/containerd"
+
+CVE_PRODUCT = "containerd"
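Review bot: NVD files containerd under vendor linuxfoundation, so a bare "containerd" relies on cve-check's default of matching on product regardless of vendor. That is the right choice here, but the commit message should record the NVD vendor/product pair that was verified, since a later reader otherwise cannot tell whether "containerd" was checked or guessed. If the class on this branch accepts the vendor:product spelling, "linuxfoundation:containerd" documents the same fact in the recipe itself.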
diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
index 14182d1..adffcec 100644
--- a/recipes-containers/docker/docker-ce_git.bb
+++ b/recipes-containers/docker/docker-ce_git.bb
@@ -129,3 +129,5 @@ FILES_${PN} += "${systemd_unitdir}/system/* ${sysconfdir}/docker"
 
 FILES_${PN}-contrib += "${datadir}/docker/check-config.sh"
 RDEPENDS_${PN}-contrib += "bash"
+
+CVE_PRODUCT = "docker"
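Review bot: docker-ce and docker-moby now both carry CVE_PRODUCT = "docker", which is correct since they are alternative providers of the same component, but the two lines are added verbatim after the -contrib package block in each recipe; if the two recipes share an include file, one definition there is easier to keep in step than two copies. Also note that CVE_PRODUCT has no effect unless cve-check.bbclass is inherited (INHERIT += "cve-check" in the build configuration), so the commit message should state that the checker was enabled for the dunfell test.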
diff --git a/recipes-containers/docker/docker-moby.bb b/recipes-containers/docker/docker-moby.bb
index 762a785..600603f 100644
--- a/recipes-containers/docker/docker-moby.bb
+++ b/recipes-containers/docker/docker-moby.bb
@@ -148,3 +148,5 @@ FILES_${PN} += "${systemd_unitdir}/system/* ${sysconfdir}/docker"
 
 FILES_${PN}-contrib += "${datadir}/docker/check-config.sh"
 RDEPENDS_${PN}-contrib += "bash"
+
+CVE_PRODUCT = "docker"
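Review bot: For the moby-based recipe the single name "docker" may be too narrow: NVD records some Moby issues under vendor mobyproject, product moby, rather than docker:docker. CVE_PRODUCT accepts a whitespace-separated list, so CVE_PRODUCT = "docker moby" would match both spellings; whichever set is chosen, the commit message should list the NVD product names that were checked.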
diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
index 8d810d0..3684366 100644
--- a/recipes-containers/runc/runc-docker_git.bb
+++ b/recipes-containers/runc/runc-docker_git.bb
@@ -11,3 +11,5 @@ SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
           "
 
 RUNC_VERSION = "1.0.0-rc8"
+
+CVE_PRODUCT = "runc"
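Review bot: RUNC_VERSION = "1.0.0-rc8" in the context shows this is a pre-release, and NVD's CPE entries for runc release candidates put the rc tag in the separate update field (version 1.0.0, update rc8) rather than in the version string, so how the checker normalizes "1.0.0-rc8" decides whether an rcN range matches at all. Verify with a runc CVE whose NVD range ends at a later rc that the recipe is reported Unpatched, and with one fixed before rc8 that it is not, before relying on this match.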
diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
index 3a7e7aa..a1271f6 100644
--- a/recipes-containers/runc/runc-opencontainers_git.bb
+++ b/recipes-containers/runc/runc-opencontainers_git.bb
@@ -7,3 +7,5 @@ SRC_URI = " \
     file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
     "
 RUNC_VERSION = "1.0.0-rc8"
+
+CVE_PRODUCT = "runc"
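Review bot: The context shows this recipe carries a backported fix as file://0001-Only-allow-proc-mount-if-it-is-procfs.patch. cve-check only credits a patch as fixing a CVE when the CVE id appears in the patch file name or in a "CVE:" line in the patch header; this file name carries no id, so once CVE_PRODUCT makes runc CVEs visible, the one this patch addresses will be reported Unpatched unless the patch header has a CVE: tag (or the id is added to CVE_CHECK_WHITELIST on dunfell). Please check the patch header and tag it if the line is missing.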
-- 
2.17.1
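
The name mismatch the patch above describes, worked through as an added example. This is not code from cve-check.bbclass or from meta-virtualization; it is a small model of the matching rules the thread relies on (product name taken from CVE_PRODUCT, falling back to PN; CVE_PRODUCT may list several names; version taken from PV with any "+git..." suffix dropped; pre-release tags such as rc8 sort below the final release). The vendor:product spelling is the form later cve-check versions document and is assumed here; whether the dunfell class accepts it is not confirmed by this thread. The NVD-like table and its CVE ids are constructed placeholders, not real records.

```python
"""Model of how a cve-check style scanner matches a Yocto recipe against an
NVD-like product table.  Added example, not the code of cve-check.bbclass."""

import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NvdEntry:
    cve: str
    vendor: str
    product: str
    version_start: Optional[str]  # inclusive lower bound, None = unbounded
    version_end: Optional[str]    # exclusive upper bound, None = unbounded


# Constructed table: placeholder ids and ranges, not real NVD data.
NVD_TABLE = [
    NvdEntry("CVE-0000-0001", "linuxfoundation", "runc", None, "1.0.0-rc9"),
    NvdEntry("CVE-0000-0002", "linuxfoundation", "containerd", None, "1.4.3"),
    NvdEntry("CVE-0000-0003", "docker", "docker", "18.09.0", "19.03.11"),
    NvdEntry("CVE-0000-0004", "mobyproject", "moby", None, "20.10.0"),
]


def version_key(v: str) -> tuple:
    """Order versions numerically.  A pre-release tag (1.0.0-rc8) sorts
    below the final release of the same number (1.0.0)."""
    base, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", base))
    nums = nums + (0,) * (4 - len(nums))  # pad so 1.4 == 1.4.0
    if pre:
        m = re.search(r"\d+", pre)
        return nums + (0, int(m.group(0)) if m else 0)
    return nums + (1, 0)


def recipe_version(pv: str) -> str:
    """CVE_VERSION defaults to PV; a git recipe's '+git...' suffix is
    dropped before comparison (assumed behaviour of the checker)."""
    return pv.split("+git")[0]


def cve_products(pn: str, cve_product: Optional[str] = None) -> List[str]:
    """CVE_PRODUCT may hold several whitespace-separated names; the
    default is the recipe name PN, which is where docker-moby goes wrong."""
    return (cve_product or pn).split()


def matching_cves(pn: str, pv: str, cve_product: Optional[str] = None,
                  table: List[NvdEntry] = NVD_TABLE) -> List[str]:
    """Return ids of entries whose product (and vendor, when the name is
    written vendor:product) and version range cover this recipe."""
    ver = version_key(recipe_version(pv))
    hits: List[str] = []
    for name in cve_products(pn, cve_product):
        vendor, _, product = name.rpartition(":")  # '' vendor = any vendor
        for e in table:
            if e.product != product or (vendor and e.vendor != vendor):
                continue
            if e.version_start and ver < version_key(e.version_start):
                continue
            if e.version_end and ver >= version_key(e.version_end):
                continue
            if e.cve not in hits:
                hits.append(e.cve)
    return hits


if __name__ == "__main__":
    pv = "19.03.8+gitAUTOINC+0123456789"
    # Default PN "docker-moby" matches no NVD product at all.
    print("no CVE_PRODUCT :", matching_cves("docker-moby", pv))
    # The patch's value finds the docker entries ...
    print("docker         :", matching_cves("docker-moby", pv, "docker"))
    # ... and a list also covers the mobyproject:moby spelling.
    print("docker moby    :", matching_cves("docker-moby", pv, "docker moby"))
    print("runc rc8       :", matching_cves("runc-docker", "1.0.0-rc8+git0+abc", "runc"))
```

Run stand-alone, the script shows the empty result for the unmodified recipe name, the hits once CVE_PRODUCT is set, and the release-candidate comparison for runc; the same functions can be pointed at a real extract of the NVD table to check a recipe offline.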



* Re: [meta-virtualization] [RFC][dunfell][PATCH] add CVE_PRODUCT for docker, containerd, runc
From: Bruce Ashfield @ 2021-04-28  2:51 UTC (permalink / raw)
  To: Ralph Siemsen; +Cc: meta-virtualization

On Tue, Apr 27, 2021 at 2:10 PM Ralph Siemsen <ralph.siemsen@linaro.org> wrote:
>
> This is more of an RFC than an actual review request. Currently, the
> yocto CVE checker fails to report CVEs in docker, due to mismatch of the
> package names (eg "docker-moby" versus just "docker" in NVD).
>
> So set CVE_PRODUCT in each recipe to match up the names. I have only
> done this for docker, containerd and runc. Perhaps there are more
> components needing similar treatment.

There likely are more components that need this, in particular where I used
to have support for docker variants, but we don't need to solve the entire
problem now .. just starting is enough.

It's easy enough to port this to master, only that runc version being caught
in the context might make it fail to apply .. and that's an easy fix.

>
> Possible TODOs include:
> * rebase/update this to master, and test it there
> * split into separate commits, one per component

I'd suggest the split into the three, and go ahead and do the change on
master. I'll carry it back to the released branches and pick up dunfell.

The testing is pretty simple, so I'll make sure master is ok and you've
already tested on dunfell, so that is enough.

Bruce

> ---
>  recipes-containers/containerd/containerd-docker_git.bb         | 2 ++
>  recipes-containers/containerd/containerd-opencontainers_git.bb | 2 ++
>  recipes-containers/docker/docker-ce_git.bb                     | 2 ++
>  recipes-containers/docker/docker-moby.bb                       | 2 ++
>  recipes-containers/runc/runc-docker_git.bb                     | 2 ++
>  recipes-containers/runc/runc-opencontainers_git.bb             | 2 ++
>  6 files changed, 12 insertions(+)
>
> diff --git a/recipes-containers/containerd/containerd-docker_git.bb b/recipes-containers/containerd/containerd-docker_git.bb
> index b18a9bb..2a3cd34 100644
> --- a/recipes-containers/containerd/containerd-docker_git.bb
> +++ b/recipes-containers/containerd/containerd-docker_git.bb
> @@ -12,3 +12,5 @@ PROVIDES += "virtual/containerd"
>  RPROVIDES_${PN} = "virtual/containerd"
>
>  DEPENDS += "btrfs-tools"
> +
> +CVE_PRODUCT = "containerd"
> diff --git a/recipes-containers/containerd/containerd-opencontainers_git.bb b/recipes-containers/containerd/containerd-opencontainers_git.bb
> index 347eae5..2bcff1e 100644
> --- a/recipes-containers/containerd/containerd-opencontainers_git.bb
> +++ b/recipes-containers/containerd/containerd-opencontainers_git.bb
> @@ -14,3 +14,5 @@ EXTRA_OEMAKE += "GODEBUG=1"
>
>  PROVIDES += "virtual/containerd"
>  RPROVIDES_${PN} = "virtual/containerd"
> +
> +CVE_PRODUCT = "containerd"
> diff --git a/recipes-containers/docker/docker-ce_git.bb b/recipes-containers/docker/docker-ce_git.bb
> index 14182d1..adffcec 100644
> --- a/recipes-containers/docker/docker-ce_git.bb
> +++ b/recipes-containers/docker/docker-ce_git.bb
> @@ -129,3 +129,5 @@ FILES_${PN} += "${systemd_unitdir}/system/* ${sysconfdir}/docker"
>
>  FILES_${PN}-contrib += "${datadir}/docker/check-config.sh"
>  RDEPENDS_${PN}-contrib += "bash"
> +
> +CVE_PRODUCT = "docker"
> diff --git a/recipes-containers/docker/docker-moby.bb b/recipes-containers/docker/docker-moby.bb
> index 762a785..600603f 100644
> --- a/recipes-containers/docker/docker-moby.bb
> +++ b/recipes-containers/docker/docker-moby.bb
> @@ -148,3 +148,5 @@ FILES_${PN} += "${systemd_unitdir}/system/* ${sysconfdir}/docker"
>
>  FILES_${PN}-contrib += "${datadir}/docker/check-config.sh"
>  RDEPENDS_${PN}-contrib += "bash"
> +
> +CVE_PRODUCT = "docker"
> diff --git a/recipes-containers/runc/runc-docker_git.bb b/recipes-containers/runc/runc-docker_git.bb
> index 8d810d0..3684366 100644
> --- a/recipes-containers/runc/runc-docker_git.bb
> +++ b/recipes-containers/runc/runc-docker_git.bb
> @@ -11,3 +11,5 @@ SRC_URI = "git://github.com/opencontainers/runc;nobranch=1;name=runc-docker \
>            "
>
>  RUNC_VERSION = "1.0.0-rc8"
> +
> +CVE_PRODUCT = "runc"
> diff --git a/recipes-containers/runc/runc-opencontainers_git.bb b/recipes-containers/runc/runc-opencontainers_git.bb
> index 3a7e7aa..a1271f6 100644
> --- a/recipes-containers/runc/runc-opencontainers_git.bb
> +++ b/recipes-containers/runc/runc-opencontainers_git.bb
> @@ -7,3 +7,5 @@ SRC_URI = " \
>      file://0001-Only-allow-proc-mount-if-it-is-procfs.patch \
>      "
>  RUNC_VERSION = "1.0.0-rc8"
> +
> +CVE_PRODUCT = "runc"
> --
> 2.17.1
>
>
> 
>


-- 
- Thou shalt not follow the NULL pointer, for chaos and madness await
thee at its end
- "Use the force Harry" - Gandalf, Star Trek II
