* [debsecan] export dpkg status for debsecan
@ 2020-10-01 5:06 Daniel Sangorrin
2020-10-01 5:06 ` [debsecan] meta/classes: export dpkg status file " Daniel Sangorrin
0 siblings, 1 reply; 5+ messages in thread
From: Daniel Sangorrin @ 2020-10-01 5:06 UTC (permalink / raw)
To: jan.kiszka; +Cc: isar-users
Hello,
This patch causes rootfs builds to export the /var/lib/dpkg/status
file, which debsecan requires in order to scan for vulnerabilities. It is
very similar to what generate-manifest already does; the only difference
is that debsecan needs this file format.
I have tested it by building [isar-cip-core](https://gitlab.com/cip-project/cip-core/isar-cip-core)
QEMU images and it works fine, however I couldn't (didn't know how to) test SDK creation because
we are not using that feature yet.
[debsecan] meta/classes: export dpkg status file for debsecan
Thanks,
Daniel
* [debsecan] meta/classes: export dpkg status file for debsecan
2020-10-01 5:06 [debsecan] export dpkg status for debsecan Daniel Sangorrin
@ 2020-10-01 5:06 ` Daniel Sangorrin
2020-10-05 6:06 ` Jan Kiszka
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Daniel Sangorrin @ 2020-10-01 5:06 UTC (permalink / raw)
To: jan.kiszka; +Cc: isar-users
Although the currently exported manifest has enough
information for scanning vulnerabilities, the tool
debsecan depends on the /var/lib/dpkg/status file
format. This patch adds a feature to export such file.
All rootfs'es export the file by default and with
the same file name syntax as the manifests, except
for the file extension which is ".dpkg_status"
instead of ".manifest".
Remove the feature with:
ROOTFS_FEATURES_remove = "export-dpkg-status"
Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
---
meta/classes/image.bbclass | 3 ++-
meta/classes/rootfs.bbclass | 8 ++++++++
meta/recipes-devtools/buildchroot/buildchroot.inc | 3 ++-
meta/recipes-devtools/sdkchroot/sdkchroot.bb | 3 ++-
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index a296cc0..8e350a3 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -63,9 +63,10 @@ image_do_mounts() {
}
ROOTFSDIR = "${IMAGE_ROOTFS}"
-ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest"
+ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest export-dpkg-status"
ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
+ROOTFS_DPKGSTATUS_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
inherit rootfs
inherit image-sdk-extension
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index afec1cb..bd73ee6 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -11,6 +11,7 @@ ROOTFS_PACKAGES ?= ""
# available features are:
# 'clean-package-cache' - delete package cache from rootfs
# 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR}
+# 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
# 'finalize-rootfs' - delete files needed to chroot into the rootfs
ROOTFS_FEATURES ?= ""
@@ -201,6 +202,13 @@ rootfs_generate_manifest () {
${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".manifest
}
+ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'export-dpkg-status', 'rootfs_export_dpkg_status', '', d)}"
+rootfs_export_dpkg_status() {
+ mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
+ cp '${ROOTFSDIR}'/var/lib/dpkg/status \
+ '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'/'${PF}'.dpkg_status
+}
+
ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'finalize-rootfs', 'rootfs_postprocess_finalize', '', d)}"
rootfs_postprocess_finalize() {
sudo -s <<'EOSUDO'
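Review bot: In `rootfs_export_dpkg_status`, `mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}` is unquoted while the `cp` below single-quotes the same variable; quote it the same way, `mkdir -p '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'`, so both commands see one path. The exported file is the input to the debsecan scan, so it is only useful if it matches the package set that actually ships: the command is appended at this point in `ROOTFS_POSTPROCESS_COMMAND`, and any later postprocess step that installs or removes packages (none is visible here) would leave the copy stale, which deserves a comment such as `# must run after all package changes; debsecan scans this copy`. The same lines recur in the quoted reply and in the rebased patch further down the thread. `rootfs_postprocess_finalize` continues outside the hunk.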
diff --git a/meta/recipes-devtools/buildchroot/buildchroot.inc b/meta/recipes-devtools/buildchroot/buildchroot.inc
index b4d7b76..e9c2cfe 100644
--- a/meta/recipes-devtools/buildchroot/buildchroot.inc
+++ b/meta/recipes-devtools/buildchroot/buildchroot.inc
@@ -20,7 +20,8 @@ ROOTFSDIR = "${BUILDCHROOT_DIR}"
ROOTFS_PACKAGES = "${BUILDCHROOT_PREINSTALL}"
ROOTFS_CLEAN_FILES = ""
ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
-ROOTFS_FEATURES += "generate-manifest"
+ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
+ROOTFS_FEATURES += "generate-manifest export-dpkg-status"
BUILDCHROOT_PREINSTALL_COMMON = " \
make \
diff --git a/meta/recipes-devtools/sdkchroot/sdkchroot.bb b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
index 467e682..796fefa 100644
--- a/meta/recipes-devtools/sdkchroot/sdkchroot.bb
+++ b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
@@ -22,8 +22,9 @@ ROOTFS_ARCH = "${HOST_ARCH}"
ROOTFS_DISTRO = "${HOST_DISTRO}"
ROOTFSDIR = "${S}"
ROOTFS_PACKAGES = "${SDKCHROOT_PREINSTALL} ${TOOLCHAIN}"
-ROOTFS_FEATURES += "clean-package-cache generate-manifest"
+ROOTFS_FEATURES += "clean-package-cache generate-manifest export-dpkg-status"
ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
+ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
python() {
if d.getVar("HOST_ARCH") not in ['i386', 'amd64']:
--
2.25.1
* Re: [debsecan] meta/classes: export dpkg status file for debsecan
2020-10-01 5:06 ` [debsecan] meta/classes: export dpkg status file " Daniel Sangorrin
@ 2020-10-05 6:06 ` Jan Kiszka
2020-10-05 15:21 ` Baurzhan Ismagulov
2020-11-26 17:18 ` Anton Mikanovich
2 siblings, 0 replies; 5+ messages in thread
From: Jan Kiszka @ 2020-10-05 6:06 UTC (permalink / raw)
To: Daniel Sangorrin; +Cc: isar-users
On 01.10.20 07:06, Daniel Sangorrin wrote:
> Although the currently exported manifest has enough
> information for scanning vulnerabilities, the tool
> debsecan depends on the /var/lib/dpkg/status file
> format. This patch adds a feature to export such file.
>
> All rootfs'es export the file by default and with
> the same file name syntax as the manifests, except
> for the file extension which is ".dpkg_status"
> instead of ".manifest".
>
> Remove the feature with:
> ROOTFS_FEATURES_remove = "export-dpkg-status"
>
> Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
> ---
> meta/classes/image.bbclass | 3 ++-
> meta/classes/rootfs.bbclass | 8 ++++++++
> meta/recipes-devtools/buildchroot/buildchroot.inc | 3 ++-
> meta/recipes-devtools/sdkchroot/sdkchroot.bb | 3 ++-
> 4 files changed, 14 insertions(+), 3 deletions(-)
>
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index a296cc0..8e350a3 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -63,9 +63,10 @@ image_do_mounts() {
> }
>
> ROOTFSDIR = "${IMAGE_ROOTFS}"
> -ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest"
> +ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest export-dpkg-status"
> ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
> ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
> +ROOTFS_DPKGSTATUS_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
>
> inherit rootfs
> inherit image-sdk-extension
> diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
> index afec1cb..bd73ee6 100644
> --- a/meta/classes/rootfs.bbclass
> +++ b/meta/classes/rootfs.bbclass
> @@ -11,6 +11,7 @@ ROOTFS_PACKAGES ?= ""
> # available features are:
> # 'clean-package-cache' - delete package cache from rootfs
> # 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR}
> +# 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
> # 'finalize-rootfs' - delete files needed to chroot into the rootfs
> ROOTFS_FEATURES ?= ""
>
> @@ -201,6 +202,13 @@ rootfs_generate_manifest () {
> ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".manifest
> }
>
> +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'export-dpkg-status', 'rootfs_export_dpkg_status', '', d)}"
> +rootfs_export_dpkg_status() {
> + mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
> + cp '${ROOTFSDIR}'/var/lib/dpkg/status \
> + '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'/'${PF}'.dpkg_status
> +}
> +
> ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'finalize-rootfs', 'rootfs_postprocess_finalize', '', d)}"
> rootfs_postprocess_finalize() {
> sudo -s <<'EOSUDO'
> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.inc b/meta/recipes-devtools/buildchroot/buildchroot.inc
> index b4d7b76..e9c2cfe 100644
> --- a/meta/recipes-devtools/buildchroot/buildchroot.inc
> +++ b/meta/recipes-devtools/buildchroot/buildchroot.inc
> @@ -20,7 +20,8 @@ ROOTFSDIR = "${BUILDCHROOT_DIR}"
> ROOTFS_PACKAGES = "${BUILDCHROOT_PREINSTALL}"
> ROOTFS_CLEAN_FILES = ""
> ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
> -ROOTFS_FEATURES += "generate-manifest"
> +ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
> +ROOTFS_FEATURES += "generate-manifest export-dpkg-status"
>
> BUILDCHROOT_PREINSTALL_COMMON = " \
> make \
> diff --git a/meta/recipes-devtools/sdkchroot/sdkchroot.bb b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
> index 467e682..796fefa 100644
> --- a/meta/recipes-devtools/sdkchroot/sdkchroot.bb
> +++ b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
> @@ -22,8 +22,9 @@ ROOTFS_ARCH = "${HOST_ARCH}"
> ROOTFS_DISTRO = "${HOST_DISTRO}"
> ROOTFSDIR = "${S}"
> ROOTFS_PACKAGES = "${SDKCHROOT_PREINSTALL} ${TOOLCHAIN}"
> -ROOTFS_FEATURES += "clean-package-cache generate-manifest"
> +ROOTFS_FEATURES += "clean-package-cache generate-manifest export-dpkg-status"
> ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
> +ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
>
> python() {
> if d.getVar("HOST_ARCH") not in ['i386', 'amd64']:
>
Looks good to me!
Jan
--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
* Re: [debsecan] meta/classes: export dpkg status file for debsecan
2020-10-01 5:06 ` [debsecan] meta/classes: export dpkg status file " Daniel Sangorrin
2020-10-05 6:06 ` Jan Kiszka
@ 2020-10-05 15:21 ` Baurzhan Ismagulov
2020-11-26 17:18 ` Anton Mikanovich
2 siblings, 0 replies; 5+ messages in thread
From: Baurzhan Ismagulov @ 2020-10-05 15:21 UTC (permalink / raw)
To: isar-users
Hello Daniel,
On Thu, Oct 01, 2020 at 02:06:35PM +0900, Daniel Sangorrin wrote:
> Although the currently exported manifest has enough
> information for scanning vulnerabilities, the tool
> debsecan depends on the /var/lib/dpkg/status file
> format. This patch adds a feature to export such file.
>
> All rootfs'es export the file by default and with
> the same file name syntax as the manifests, except
> for the file extension which is ".dpkg_status"
> instead of ".manifest".
>
> Remove the feature with:
> ROOTFS_FEATURES_remove = "export-dpkg-status"
Looks good to me, too. Please let me apply a couple of series from the list,
then we'll have to rebase this.
With kind regards,
Baurzhan.
* Re: [debsecan] meta/classes: export dpkg status file for debsecan
2020-10-01 5:06 ` [debsecan] meta/classes: export dpkg status file " Daniel Sangorrin
2020-10-05 6:06 ` Jan Kiszka
2020-10-05 15:21 ` Baurzhan Ismagulov
@ 2020-11-26 17:18 ` Anton Mikanovich
2 siblings, 0 replies; 5+ messages in thread
From: Anton Mikanovich @ 2020-11-26 17:18 UTC (permalink / raw)
To: isar-users
01.10.2020 08:06, Daniel Sangorrin wrote:
> Although the currently exported manifest has enough
> information for scanning vulnerabilities, the tool
> debsecan depends on the /var/lib/dpkg/status file
> format. This patch adds a feature to export such file.
>
> All rootfs'es export the file by default and with
> the same file name syntax as the manifests, except
> for the file extension which is ".dpkg_status"
> instead of ".manifest".
>
> Remove the feature with:
> ROOTFS_FEATURES_remove = "export-dpkg-status"
>
> Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
Rebased and applied on next, thanks.
Result is below.
From d3914aeebc5dcd020b85898ffde8f0b7abf2ccaa Mon Sep 17 00:00:00 2001
From: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
Date: Thu, 1 Oct 2020 14:06:35 +0900
Subject: [debsecan] meta/classes: export dpkg status file for debsecan
Although the currently exported manifest has enough
information for scanning vulnerabilities, the tool
debsecan depends on the /var/lib/dpkg/status file
format. This patch adds a feature to export such file.
All rootfs'es export the file by default and with
the same file name syntax as the manifests, except
for the file extension which is ".dpkg_status"
instead of ".manifest".
Remove the feature with:
ROOTFS_FEATURES_remove = "export-dpkg-status"
Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
---
meta/classes/image.bbclass | 3 ++-
meta/classes/rootfs.bbclass | 8 ++++++++
meta/recipes-devtools/buildchroot/buildchroot.inc | 3 ++-
meta/recipes-devtools/sdkchroot/sdkchroot.bb | 3 ++-
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
index a296cc0..8e350a3 100644
--- a/meta/classes/image.bbclass
+++ b/meta/classes/image.bbclass
@@ -63,9 +63,10 @@ image_do_mounts() {
}
ROOTFSDIR = "${IMAGE_ROOTFS}"
-ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest"
+ROOTFS_FEATURES += "clean-package-cache finalize-rootfs
generate-manifest export-dpkg-status"
ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
+ROOTFS_DPKGSTATUS_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
inherit rootfs
inherit image-sdk-extension
diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
index 44b78a9..5b63ae7 100644
--- a/meta/classes/rootfs.bbclass
+++ b/meta/classes/rootfs.bbclass
@@ -11,6 +11,7 @@ ROOTFS_PACKAGES ?= ""
# available features are:
# 'clean-package-cache' - delete package cache from rootfs
# 'generate-manifest' - generate a package manifest of the rootfs into
${ROOTFS_MANIFEST_DEPLOY_DIR}
+# 'export-dpkg-status' - exports /var/lib/dpkg/status file to
${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
# 'finalize-rootfs' - delete files needed to chroot into the rootfs
ROOTFS_FEATURES ?= ""
@@ -201,6 +202,13 @@ rootfs_generate_manifest () {
${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".manifest
}
+ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES',
'export-dpkg-status', 'rootfs_export_dpkg_status', '', d)}"
+rootfs_export_dpkg_status() {
+ mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
+ cp '${ROOTFSDIR}'/var/lib/dpkg/status \
+ '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'/'${PF}'.dpkg_status
+}
+
ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES',
'finalize-rootfs', 'rootfs_postprocess_finalize', '', d)}"
rootfs_postprocess_finalize() {
sudo -s <<'EOSUDO'
diff --git a/meta/recipes-devtools/buildchroot/buildchroot.inc
b/meta/recipes-devtools/buildchroot/buildchroot.inc
index 835968d..5a2befb 100644
--- a/meta/recipes-devtools/buildchroot/buildchroot.inc
+++ b/meta/recipes-devtools/buildchroot/buildchroot.inc
@@ -20,7 +20,8 @@ ROOTFSDIR = "${BUILDCHROOT_DIR}"
ROOTFS_PACKAGES = "${BUILDCHROOT_PREINSTALL}"
ROOTFS_CLEAN_FILES = ""
ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
-ROOTFS_FEATURES += "generate-manifest"
+ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
+ROOTFS_FEATURES += "generate-manifest export-dpkg-status"
BUILDCHROOT_COMPAT_PREINSTALL_compat-arch = " \
libc6:${COMPAT_DISTRO_ARCH} \
diff --git a/meta/recipes-devtools/sdkchroot/sdkchroot.bb
b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
index 893b287..d7a848e 100644
--- a/meta/recipes-devtools/sdkchroot/sdkchroot.bb
+++ b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
@@ -31,8 +31,9 @@ ROOTFS_ARCH = "${HOST_ARCH}"
ROOTFS_DISTRO = "${HOST_DISTRO}"
ROOTFSDIR = "${S}"
ROOTFS_PACKAGES = "${SDK_PREINSTALL} ${SDK_INSTALL} ${TOOLCHAIN}"
-ROOTFS_FEATURES += "clean-package-cache generate-manifest"
+ROOTFS_FEATURES += "clean-package-cache generate-manifest
export-dpkg-status"
ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
+ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
python() {
if d.getVar("HOST_ARCH") not in ['i386', 'amd64']:
--
2.20.1
--
Anton Mikanovich
Promwad Ltd.
External service provider of ilbers GmbH
Maria-Merian-Str. 8
85521 Ottobrunn, Germany
+49 (89) 122 67 24-0
Commercial register Munich, HRB 214197
General Manager: Baurzhan Ismagulov