run-patchmetrics: Add very basic cve-check functionality

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Richard Purdie 2022-05-17 17:00:59 +01:00
parent 5428ba491b
commit ca67ed751e
3 changed files with 51 additions and 1 deletions


@ -928,8 +928,9 @@
}, },
"metrics" : { "metrics" : {
"NEEDREPOS" : ["poky"], "NEEDREPOS" : ["poky"],
"extravars" : ["INHERIT += 'cve-check'"],
"step1" : { "step1" : {
"EXTRACMDS" : ["../../yocto-autobuilder-helper/scripts/run-patchmetrics ../ ../meta/ ${HELPERRESULTSDIR}/../../patchmetrics"] "EXTRACMDS" : ["../../yocto-autobuilder-helper/scripts/run-patchmetrics ../ ../meta/ ${HELPERRESULTSDIR}/../../patchmetrics ."]
} }
}, },
"meta-mingw" : { "meta-mingw" : {

29
scripts/cve-report.py Executable file

@ -0,0 +1,29 @@
#!/usr/bin/env python3
import os, sys
import json
jsonfile = sys.argv[1]
ignored_recipes = ("linux-yocto", "db", "db-native")
with open(jsonfile) as f:
cvedata = json.load(f)
cves = dict()
for recipe in cvedata['package']:
if recipe['name'] in ignored_recipes:
continue
if 'issue' not in recipe:
continue
for i in recipe['issue']:
if i['status'] == "Unpatched":
if i["id"] in cves:
cves[i["id"]] += ":" + recipe['name']
else:
cves[i["id"]] = recipe['name']
print("Found %d unpatched CVEs" % len(cves))
for cve in sorted(cves.keys()):
print("%s: %s https://web.nvd.nist.gov/view/vuln/detail?vulnId=%s *" % (cve, cves[cve], cve))
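Review bot: The `ignored_recipes` tuple quietly drops linux-yocto, db and db-native from the count with no comment on why, so a reader of the resulting cve-status.txt cannot tell that "Found %d unpatched CVEs" is a partial figure; add `# Recipes deliberately left out of the report (state the reason for each)` above the tuple and surface the exclusion in the summary, e.g. `print("Found %d unpatched CVEs (ignoring %s)" % (len(cves), ", ".join(ignored_recipes)))`. `os` is imported on the second line but never used. The nested `if i["id"] in cves` / string concatenation would read more clearly as a `collections.defaultdict(list)` keyed by CVE id with `":".join(...)` at print time, and the script should fail with a usage message rather than an IndexError when no JSON path is given on the command line.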


@ -5,7 +5,14 @@
PARENTDIR=`realpath $1` PARENTDIR=`realpath $1`
TARGETDIR=`realpath $2` TARGETDIR=`realpath $2`
RESULTSDIR=`realpath -m $3` RESULTSDIR=`realpath -m $3`
BUILDDIR=`realpath $4`
OURDIR=`dirname $0`
TIMESTAMP=`date +"%s"`
#
# Patch Metrics
#
git clone ssh://git@push.yoctoproject.org/yocto-metrics $PARENTDIR/yocto-metrics git clone ssh://git@push.yoctoproject.org/yocto-metrics $PARENTDIR/yocto-metrics
$PARENTDIR/scripts/contrib/patchreview.py $TARGETDIR -j $PARENTDIR/yocto-metrics/patch-status.json $PARENTDIR/scripts/contrib/patchreview.py $TARGETDIR -j $PARENTDIR/yocto-metrics/patch-status.json
git -C $PARENTDIR/yocto-metrics commit -asm "Autobuilder adding new patch stats" git -C $PARENTDIR/yocto-metrics commit -asm "Autobuilder adding new patch stats"
@ -18,3 +25,16 @@ fi
cp $PARENTDIR/yocto-metrics/patch-status.json $RESULTSDIR cp $PARENTDIR/yocto-metrics/patch-status.json $RESULTSDIR
cp $PARENTDIR/yocto-metrics/patch-status/* $RESULTSDIR cp $PARENTDIR/yocto-metrics/patch-status/* $RESULTSDIR
#
# CVE Checks
#
bitbake world --runall cve_check -R conf/distro/include/cve-extra-exclusions.inc
mkdir -p $PARENTDIR/yocto-metrics/cve-check/
cp tmp/log/cve/cve-summary.json $PARENTDIR/yocto-metrics/cve-check-$TIMESTAMP.json
git -C $PARENTDIR/yocto-metrics add cve-check-$TIMESTAMP.json
git -C $PARENTDIR/yocto-metrics commit -asm "Autobuilder adding new CVE data"
git -C $PARENTDIR/yocto-metrics push
$OURDIR/cve-report.py tmp/log/cve/cve-summary.json > $RESULTSDIR/cve-status.txt
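Review bot: The `mkdir -p $PARENTDIR/yocto-metrics/cve-check/` line creates a directory that nothing then writes into: the following `cp` and `git add` name `cve-check-$TIMESTAMP.json` at the repository root, so each run drops a new JSON beside the empty directory rather than in it. Either drop the mkdir or write into it, `cp $BUILDDIR/tmp/log/cve/cve-summary.json $PARENTDIR/yocto-metrics/cve-check/cve-check-$TIMESTAMP.json` and `git -C $PARENTDIR/yocto-metrics add cve-check/cve-check-$TIMESTAMP.json`. Related: BUILDDIR is derived from `$4` in the first hunk (the config hunk passes `.`), yet the bitbake, cp and cve-report.py lines still use cwd-relative `tmp/log/cve/...` and `conf/distro/...` paths, so the script only works when invoked from the build directory; prefixing those paths with `$BUILDDIR` would make the new argument actually govern where the data comes from. The copy, commit and push also run unconditionally after `bitbake world`, so a failed or partial cve_check run would still publish a stale or empty cve-summary.json to yocto-metrics; I cannot see whether the script sets `-e` above the hunk, so guarding the bitbake line with `|| exit 1` seems warranted.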