From: Jan Kiszka <jan.kiszka@siemens.com>
To: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
Cc: isar-users@googlegroups.com
Subject: Re: [debsecan] meta/classes: export dpkg status file for debsecan
Date: Mon, 5 Oct 2020 08:06:04 +0200	[thread overview]
Message-ID: <c5c02c4a-e826-5e52-0b45-5fcd358b785c@siemens.com> (raw)
In-Reply-To: <20201001050635.2880259-2-daniel.sangorrin@toshiba.co.jp>

On 01.10.20 07:06, Daniel Sangorrin wrote:
> Although the currently exported manifest has enough
> information for scanning vulnerabilities, the tool
> debsecan depends on the /var/lib/dpkg/status file
> format. This patch adds a feature to export such a file.
> 
> All rootfs'es export the file by default and with
> the same file name syntax as the manifests, except
> for the file extension which is ".dpkg_status"
> instead of ".manifest".
> 
> Remove the feature with:
>   ROOTFS_FEATURES_remove = "export-dpkg-status"
> 
> Signed-off-by: Daniel Sangorrin <daniel.sangorrin@toshiba.co.jp>
> ---
>  meta/classes/image.bbclass                        | 3 ++-
>  meta/classes/rootfs.bbclass                       | 8 ++++++++
>  meta/recipes-devtools/buildchroot/buildchroot.inc | 3 ++-
>  meta/recipes-devtools/sdkchroot/sdkchroot.bb      | 3 ++-
>  4 files changed, 14 insertions(+), 3 deletions(-)
> 
> diff --git a/meta/classes/image.bbclass b/meta/classes/image.bbclass
> index a296cc0..8e350a3 100644
> --- a/meta/classes/image.bbclass
> +++ b/meta/classes/image.bbclass
> @@ -63,9 +63,10 @@ image_do_mounts() {
>  }
>  
>  ROOTFSDIR = "${IMAGE_ROOTFS}"
> -ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest"
> +ROOTFS_FEATURES += "clean-package-cache finalize-rootfs generate-manifest export-dpkg-status"
>  ROOTFS_PACKAGES += "${IMAGE_PREINSTALL} ${IMAGE_INSTALL}"
>  ROOTFS_MANIFEST_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
> +ROOTFS_DPKGSTATUS_DEPLOY_DIR ?= "${DEPLOY_DIR_IMAGE}"
>  
>  inherit rootfs
>  inherit image-sdk-extension
> diff --git a/meta/classes/rootfs.bbclass b/meta/classes/rootfs.bbclass
> index afec1cb..bd73ee6 100644
> --- a/meta/classes/rootfs.bbclass
> +++ b/meta/classes/rootfs.bbclass
> @@ -11,6 +11,7 @@ ROOTFS_PACKAGES ?= ""
>  # available features are:
>  # 'clean-package-cache' - delete package cache from rootfs
>  # 'generate-manifest' - generate a package manifest of the rootfs into ${ROOTFS_MANIFEST_DEPLOY_DIR}
> +# 'export-dpkg-status' - exports /var/lib/dpkg/status file to ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
>  # 'finalize-rootfs' - delete files needed to chroot into the rootfs
>  ROOTFS_FEATURES ?= ""
>  
> @@ -201,6 +202,13 @@ rootfs_generate_manifest () {
>          ${ROOTFS_MANIFEST_DEPLOY_DIR}/"${PF}".manifest
>  }
>  
> +ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'export-dpkg-status', 'rootfs_export_dpkg_status', '', d)}"
> +rootfs_export_dpkg_status() {
> +    mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}
> +    cp '${ROOTFSDIR}'/var/lib/dpkg/status \
> +       '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'/'${PF}'.dpkg_status
> +}
> +
>  ROOTFS_POSTPROCESS_COMMAND += "${@bb.utils.contains('ROOTFS_FEATURES', 'finalize-rootfs', 'rootfs_postprocess_finalize', '', d)}"
>  rootfs_postprocess_finalize() {
>      sudo -s <<'EOSUDO'
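Review bot: In rootfs_export_dpkg_status the `mkdir -p ${ROOTFS_DPKGSTATUS_DEPLOY_DIR}` line leaves the path unquoted while the `cp` on the next two lines quotes the same variable, so a deploy path containing whitespace would be split for mkdir only; `mkdir -p '${ROOTFS_DPKGSTATUS_DEPLOY_DIR}'` would match the cp. The visible hunks of rootfs.bbclass give ROOTFS_DPKGSTATUS_DEPLOY_DIR no default (image.bbclass, buildchroot.inc and sdkchroot.bb each set it themselves), so a recipe that inherits rootfs and enables 'export-dpkg-status' without setting it would presumably fail in this function or copy to an unintended location. Since the exported file is the input to a vulnerability scan, a silently missing or misplaced copy is worth turning into an explicit build error, or the class could carry a `?=` default. The trailing context is the start of rootfs_postprocess_finalize, whose body continues outside the hunk.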
> diff --git a/meta/recipes-devtools/buildchroot/buildchroot.inc b/meta/recipes-devtools/buildchroot/buildchroot.inc
> index b4d7b76..e9c2cfe 100644
> --- a/meta/recipes-devtools/buildchroot/buildchroot.inc
> +++ b/meta/recipes-devtools/buildchroot/buildchroot.inc
> @@ -20,7 +20,8 @@ ROOTFSDIR = "${BUILDCHROOT_DIR}"
>  ROOTFS_PACKAGES = "${BUILDCHROOT_PREINSTALL}"
>  ROOTFS_CLEAN_FILES = ""
>  ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
> -ROOTFS_FEATURES += "generate-manifest"
> +ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_BUILDCHROOT}"
> +ROOTFS_FEATURES += "generate-manifest export-dpkg-status"
>  
>  BUILDCHROOT_PREINSTALL_COMMON = " \
>      make \
> diff --git a/meta/recipes-devtools/sdkchroot/sdkchroot.bb b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
> index 467e682..796fefa 100644
> --- a/meta/recipes-devtools/sdkchroot/sdkchroot.bb
> +++ b/meta/recipes-devtools/sdkchroot/sdkchroot.bb
> @@ -22,8 +22,9 @@ ROOTFS_ARCH = "${HOST_ARCH}"
>  ROOTFS_DISTRO = "${HOST_DISTRO}"
>  ROOTFSDIR = "${S}"
>  ROOTFS_PACKAGES = "${SDKCHROOT_PREINSTALL} ${TOOLCHAIN}"
> -ROOTFS_FEATURES += "clean-package-cache generate-manifest"
> +ROOTFS_FEATURES += "clean-package-cache generate-manifest export-dpkg-status"
>  ROOTFS_MANIFEST_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
> +ROOTFS_DPKGSTATUS_DEPLOY_DIR = "${DEPLOY_DIR_SDKCHROOT}"
>  
>  python() {
>      if d.getVar("HOST_ARCH") not in ['i386', 'amd64']:
> 

Looks good to me!

Jan

-- 
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux
