On Thu, Jul 20, 2017 at 04:22:49PM +0300, Mikko Rapeli wrote:
> LICENSE can be used in various checks after builds. Reading license data
> from buildhistory is better than trying to parse recipes in a source tree.
>
> CVE_PRODUCT can be used by scripts to e.g. check if it matches to the
> CVE product names in CVE/NVD database.
>
> It the two are combined, a CVE product name check can for example ignore
> recipes with CLOSED license.
>
> Note about sstate caching: recipe and package buildhistory data is
> regenarated only when the recipe is rebuild from sources. New fields
> like LICENSE and CVE_PRODUCT in buildhistory will be deployed only after
> the recipes are recompiled.
>
> Example:
>
> $ bitbake -c cleanall busybox && bitbake busybox
> $ egrep "LICENSE|CVE_PRODUCT"
> buildhistory/packages/i586-poky-linux/busybox/busybox/latest
> LICENSE = GPLv2 & bzip2
> CVE_PRODUCT = busybox
Are there some problems with this approach? Is CVE_PRODUCT too much?
I find this much better than trying to parse recipes for the data, and I like
that history data of these variables across builds/releases is available.
-Mikko
> Signed-off-by: Mikko Rapeli <mikko.rap...@bmw.de>
> ---
> meta/classes/buildhistory.bbclass | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)
>
> diff --git a/meta/classes/buildhistory.bbclass
> b/meta/classes/buildhistory.bbclass
> index 81784ee..cc3b144 100644
> --- a/meta/classes/buildhistory.bbclass
> +++ b/meta/classes/buildhistory.bbclass
> @@ -92,6 +92,8 @@ python buildhistory_emit_pkghistory() {
> self.packages = ""
> self.srcrev = ""
> self.layer = ""
> + self.license = ""
> + self.cve_product = ""
>
>
> class PackageInfo:
> @@ -105,6 +107,8 @@ python buildhistory_emit_pkghistory() {
> self.pkge = ""
> self.pkgv = ""
> self.pkgr = ""
> + self.license = ""
> + self.cve_product = ""
> self.size = 0
> self.depends = ""
> self.rprovides = ""
> @@ -141,6 +145,10 @@ python buildhistory_emit_pkghistory() {
> pkginfo.pkgv = value
> elif name == "PKGR":
> pkginfo.pkgr = value
> + elif name == "LICENSE":
> + pkginfo.license = value
> + elif name == "CVE_PRODUCT":
> + pkginfo.cve_product = value
> elif name == "RPROVIDES":
> pkginfo.rprovides = value
> elif name == "RDEPENDS":
> @@ -193,6 +201,9 @@ python buildhistory_emit_pkghistory() {
> pv = d.getVar('PV')
> pr = d.getVar('PR')
> layer = bb.utils.get_file_layer(d.getVar('FILE', True), d)
> + license = d.getVar('LICENSE') or ''
> + # If recipe does not define CVE_PRODUCT, the default is pn
> + cve_product = d.getVar('CVE_PRODUCT') or pn
>
> pkgdata_dir = d.getVar('PKGDATA_DIR')
> packages = ""
> @@ -233,6 +244,8 @@ python buildhistory_emit_pkghistory() {
> rcpinfo.depends = sortlist(oe.utils.squashspaces(d.getVar('DEPENDS') or
> ""))
> rcpinfo.packages = packages
> rcpinfo.layer = layer
> + rcpinfo.license = license
> + rcpinfo.cve_product = cve_product
> write_recipehistory(rcpinfo, d)
>
> pkgdest = d.getVar('PKGDEST')
> @@ -249,6 +262,8 @@ python buildhistory_emit_pkghistory() {
> pkge = pkgdata.get('PKGE', '0')
> pkgv = pkgdata['PKGV']
> pkgr = pkgdata['PKGR']
> + pkg_license = d.getVar('LICENSE_%s' % (pkg,), True) or license
> + pkg_cve_product = d.getVar('CVE_PRODUCT_%s' % (pkg,), True) or
> cve_product
> #
> # Find out what the last version was
> # Make sure the version did not decrease
> @@ -272,6 +287,8 @@ python buildhistory_emit_pkghistory() {
> pkginfo.pkge = pkge
> pkginfo.pkgv = pkgv
> pkginfo.pkgr = pkgr
> + pkginfo.license = pkg_license
> + pkginfo.cve_product = pkg_cve_product
> pkginfo.rprovides =
> sortpkglist(oe.utils.squashspaces(pkgdata.get('RPROVIDES', "")))
> pkginfo.rdepends =
> sortpkglist(oe.utils.squashspaces(pkgdata.get('RDEPENDS', "")))
> pkginfo.rrecommends =
> sortpkglist(oe.utils.squashspaces(pkgdata.get('RRECOMMENDS', "")))
> @@ -347,6 +364,8 @@ def write_recipehistory(rcpinfo, d):
> f.write(u"DEPENDS = %s\n" % rcpinfo.depends)
> f.write(u"PACKAGES = %s\n" % rcpinfo.packages)
> f.write(u"LAYER = %s\n" % rcpinfo.layer)
> + f.write(u"LICENSE = %s\n" % rcpinfo.license)
> + f.write(u"CVE_PRODUCT = %s\n" % rcpinfo.cve_product)
>
> write_latest_srcrev(d, pkghistdir)
>
> @@ -374,6 +393,8 @@ def write_pkghistory(pkginfo, d):
> f.write(u"PKGV = %s\n" % pkginfo.pkgv)
> if pkginfo.pkgr != pkginfo.pr:
> f.write(u"PKGR = %s\n" % pkginfo.pkgr)
> + f.write(u"LICENSE = %s\n" % pkginfo.license)
> + f.write(u"CVE_PRODUCT = %s\n" % pkginfo.cve_product)
> f.write(u"RPROVIDES = %s\n" % pkginfo.rprovides)
> f.write(u"RDEPENDS = %s\n" % pkginfo.rdepends)
> f.write(u"RRECOMMENDS = %s\n" % pkginfo.rrecommends)
> --
> 1.9.1
--
_______________________________________________
Openembedded-core mailing list
Openembedded-core@lists.openembedded.org
http://lists.openembedded.org/mailman/listinfo/openembedded-core
