Re: [meta-security][PATCH] isafw.bbclass: update task dependency on cve-update-db-native

Darcy Watkins



I am resending this from my regular email client because I think that my original submission using git sendmail was messed up in my GIT config so it didn’t make it to the list.  (I did send an email using git sendmail to Armin).


We need this change to meta-security to be compatible with the referenced change made in poky / OE-core.  Otherwise there is an error as I reported weeks back.  I believe that this patch fixes it.  I have used it in both master branch and in dunfell.


We also need this to be back ported to all the same branches of meta-security to correspond to all the branches on poky to which the 33efd9351702e08a53e6512e235f947e4f9e914f commit was back ported.  This includes dunfell.


It is easy to find in a poky branch by grepping for do_populate_cve_db.


From a different perspective, there could also be a case to revert the original changes as I notice that populating the CVE database is not necessarily something that we would want to be part of someone running a fetch all operation for a target image, because the fetch for the CVE database would likely be run again later at the time of building the image.  This could be a matter of discussion (if not already discussed).  But I can work with it either way.









Darcy Watkins ::  Senior Staff Engineer, Firmware





From: Darcy Watkins <dwatkins@...>
Date: Wednesday, March 9, 2022 at 6:19 PM
To: yocto@... <yocto@...>
Cc: Darcy Watkins <darcy@...>, Darcy Watkins <dwatkins@...>
Subject: [meta-security][PATCH] isafw.bbclass: update task dependency on cve-update-db-native

From: Darcy Watkins <darcy@...>

poky commit: 33efd9351702e08a53e6512e235f947e4f9e914f
(or OE-Core commit: f5f97d33a1703d75b9fd9760f2c7767081538e00)
had renamed the do_populate_cve_db task in cve-update-db-native
to do_fetch.

Need to update the do_build task dependency accordingly.

Signed-off-by: Darcy Watkins <dwatkins@...>
 meta-security-isafw/classes/isafw.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta-security-isafw/classes/isafw.bbclass b/meta-security-isafw/classes/isafw.bbclass
index da6bf76..4d39fc7 100644
--- a/meta-security-isafw/classes/isafw.bbclass
+++ b/meta-security-isafw/classes/isafw.bbclass
@@ -105,7 +105,7 @@ python process_reports_handler() {
     os.environ["PATH"] = savedenv["PATH"]
-do_build[depends] += "cve-update-db-native:do_populate_cve_db ca-certificates-native:do_populate_sysroot"
+do_build[depends] += "cve-update-db-native:do_fetch ca-certificates-native:do_populate_sysroot"
 do_build[depends] += "python3-lxml-native:do_populate_sysroot"
 # These tasks are intended to be called directly by the user (e.g. bitbake -c)
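
Review bot: The changed `do_build[depends]` line hard-codes `cve-update-db-native:do_fetch` with no note about which OE-Core revision provides that task name, so this class now only resolves against trees that carry the rename (OE-Core f5f97d33a1703d75b9fd9760f2c7767081538e00). Pair it with an OE-Core that still names the task `do_populate_cve_db` and the dependency points at a task that is not there. Suggest adding a one-line comment above the assignment citing the rename commit, and listing in the commit message the meta-security branches this must land on, so the backports stay in lockstep with the poky branches that received the rename.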
