[PATCH 0/3] Fix cve-check (for recipe sysroots)

[PATCH 0/3] Fix cve-check (for recipe sysroots)

[Jussi Kukkonen]

Recipe sysroots broke cve-check in several places, this patch set
should get it running again.

The CA cert fix is a workaround really: Native libcurl is broken
and looks for CA cert bundle in the wrong place.

Note that the NVD CVE database is flaky: I have serious problems
getting populate_cve_db to succeed during mornings in Europe as the
xml files and their metadata does not match for hours. I've reported
this to NVD.

I mentioned error output improvements in email  but did not implement
as that requires more upstream changes: I'll talk to the maintainer
about them.


  Jussi

The following changes since commit e758547db9048d4aa1c1415d6af8072f519fae24:

  nss: Fix nss-native so the checksum doesn't change with BUILD_ARCH (2017-02-09 10:52:03 +0000)

are available in the git repository at:

  git://git.yoctoproject.org/poky-contrib jku/cve-check
  http://git.yoctoproject.org/cgit.cgi/poky-contrib/log/?h=jku/cve-check

Jussi Kukkonen (3):
  cve-check.bbclass: Fix dependencies
  cve-check-tool: Fixes for recipe sysroots
  cve-check-tool: Use CA cert bundle in correct sysroot

 meta/classes/cve-check.bbclass                     |   2 +-
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |   7 +-
 ...ow-overriding-default-CA-certificate-file.patch | 215 +++++++++++++++++++++
 3 files changed, 221 insertions(+), 3 deletions(-)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch

-- 
2.1.4

[PATCH 1/3] cve-check.bbclass: Fix dependencies

[Jussi Kukkonen]

With recipe-specific sysroots the cve_check task must depend on
cve-check-tool-native:do_populate_sysroot to get the cve-check-tool
binary into the recipe sysroot.

A normal DEPENDS isn't used to avoid cyclic dependencies.

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/classes/cve-check.bbclass | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/classes/cve-check.bbclass b/meta/classes/cve-check.bbclass
index aad0573..0e4294f 100644
--- a/meta/classes/cve-check.bbclass
+++ b/meta/classes/cve-check.bbclass
@@ -62,7 +62,7 @@ python do_cve_check () {
 }
 
 addtask cve_check after do_unpack before do_build
-do_cve_check[depends] = "cve-check-tool-native:do_populate_cve_db"
+do_cve_check[depends] = "cve-check-tool-native:do_populate_sysroot cve-check-tool-native:do_populate_cve_db"
 do_cve_check[nostamp] = "1"
 
 python cve_check_cleanup () {
-- 
2.1.4

[PATCH 2/3] cve-check-tool: Fixes for recipe sysroots

[Jussi Kukkonen]

* Use --enable-relative-plugins so cve-check-tool looks for
  loadable modules relative to binary location instead of
  hard-coding a wrong sysroot location
* do_populate_cve_db() assumes that the binary cve-check-update is in
  the sysroot. Ensure that this is true by adding a task dependency

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index 6e35421..c78af67 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -22,7 +22,7 @@ RDEPENDS_${PN} = "ca-certificates"
 
 inherit pkgconfig autotools
 
-EXTRA_OECONF = "--disable-coverage"
+EXTRA_OECONF = "--disable-coverage --enable-relative-plugins"
 CFLAGS_append = " -Wno-error=pedantic"
 
 do_populate_cve_db() {
@@ -50,6 +50,7 @@ do_populate_cve_db() {
 }
 
 addtask populate_cve_db after do_populate_sysroot
+do_populate_cve_db[depends] = "cve-check-tool-native:do_populate_sysroot"
 do_populate_cve_db[nostamp] = "1"
 do_populate_cve_db[progress] = "percent"
 
-- 
2.1.4

[PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot

[Jussi Kukkonen]

Native libcurl looks for CA certs in the wrong place by
default.
* Add patch that allows overriding the default CA certificate
  location. Patch is originally from meta-security-isafw.
* Use the new --cacert to set the correct CA bundle path

Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
---
 .../cve-check-tool/cve-check-tool_5.6.4.bb         |   4 +-
 ...ow-overriding-default-CA-certificate-file.patch | 215 +++++++++++++++++++++
 2 files changed, 218 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch

diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
index c78af67..fcd3182 100644
--- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
+++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
@@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3c34974bc0be3a03ed6"
 SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v${PV}/${BP}.tar.xz \
            file://check-for-malloc_trim-before-using-it.patch \
            file://0001-print-progress-in-percent-when-downloading-CVE-db.patch \
+           file://0001-curl-allow-overriding-default-CA-certificate-file.patch \
           "
 
 SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
@@ -39,7 +40,8 @@ do_populate_cve_db() {
     [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
 
     bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
-    if cve-check-update -d "$cve_dir" ; then
+    # --cacert works around curl-native not finding the CA bundle
+    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-certificates.crt -d "$cve_dir" ; then
         printf "CVE database was updated on %s UTC\n\n" "$(LANG=C date --utc +'%F %T')" > "$cve_file"
     else
         bbwarn "Error in executing cve-check-update"
diff --git a/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
new file mode 100644
index 0000000..3d8ebd1
--- /dev/null
+++ b/meta/recipes-devtools/cve-check-tool/files/0001-curl-allow-overriding-default-CA-certificate-file.patch
@@ -0,0 +1,215 @@
+From 825a9969dea052b02ba868bdf39e676349f10dce Mon Sep 17 00:00:00 2001
+From: Jussi Kukkonen <jussi.kukkonen@intel.com>
+Date: Thu, 9 Feb 2017 14:51:28 +0200
+Subject: [PATCH] curl: allow overriding default CA certificate file
+
+Similar to curl, --cacert can now be used in cve-check-tool and
+cve-check-update to override the default CA certificate file. Useful
+in cases where the system default is unsuitable (for example,
+out-dated) or broken (as in OE's current native libcurl, which embeds
+a path string from one build host and then uses it on another although
+the right path may have become something different).
+
+Upstream-Status: Submitted [https://github.com/ikeydoherty/cve-check-tool/pull/45]
+
+Signed-off-by: Patrick Ohly <patrick.ohly@intel.com>
+
+
+Took Patrick Ohlys original patch from meta-security-isafw, rebased
+on top of other patches.
+
+Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
+---
+ src/library/cve-check-tool.h |  1 +
+ src/library/fetch.c          | 10 +++++++++-
+ src/library/fetch.h          |  3 ++-
+ src/main.c                   |  5 ++++-
+ src/update-main.c            |  4 +++-
+ src/update.c                 | 12 +++++++-----
+ src/update.h                 |  2 +-
+ 7 files changed, 27 insertions(+), 10 deletions(-)
+
+diff --git a/src/library/cve-check-tool.h b/src/library/cve-check-tool.h
+index e4bb5b1..f89eade 100644
+--- a/src/library/cve-check-tool.h
++++ b/src/library/cve-check-tool.h
+@@ -43,6 +43,7 @@ typedef struct CveCheckTool {
+     bool bugs;                          /**<Whether bug tracking is enabled */
+     GHashTable *mapping;                /**<CVE Mapping */
+     const char *output_file;            /**<Output file, if any */
++    const char *cacert_file;            /**<Non-default SSL certificate file, if any */
+ } CveCheckTool;
+ 
+ /**
+diff --git a/src/library/fetch.c b/src/library/fetch.c
+index 0fe6d76..8f998c3 100644
+--- a/src/library/fetch.c
++++ b/src/library/fetch.c
+@@ -60,7 +60,8 @@ static int progress_callback_new(void *ptr, curl_off_t dltotal, curl_off_t dlnow
+ }
+ 
+ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
+-                      unsigned int start_percent, unsigned int end_percent)
++                      unsigned int start_percent, unsigned int end_percent,
++                      const char *cacert_file)
+ {
+         FetchStatus ret = FETCH_STATUS_FAIL;
+         CURLcode res;
+@@ -74,6 +75,13 @@ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
+                 return ret;
+         }
+ 
++        if (cacert_file) {
++                res = curl_easy_setopt(curl, CURLOPT_CAINFO, cacert_file);
++                if (res != CURLE_OK) {
++                        goto bail;
++                }
++        }
++
+         if (stat(target, &st) == 0) {
+                 res = curl_easy_setopt(curl, CURLOPT_TIMECONDITION, CURL_TIMECOND_IFMODSINCE);
+                 if (res != CURLE_OK) {
+diff --git a/src/library/fetch.h b/src/library/fetch.h
+index 4cce5d1..836c7d7 100644
+--- a/src/library/fetch.h
++++ b/src/library/fetch.h
+@@ -29,7 +29,8 @@ typedef enum {
+  * @return A FetchStatus, indicating the operation taken
+  */
+ FetchStatus fetch_uri(const char *uri, const char *target, bool verbose,
+-                      unsigned int this_percent, unsigned int next_percent);
++                      unsigned int this_percent, unsigned int next_percent,
++                      const char *cacert_file);
+ 
+ /**
+  * Attempt to extract the given gzipped file
+diff --git a/src/main.c b/src/main.c
+index 8e6f158..ae69d47 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -280,6 +280,7 @@ static bool csv_mode = false;
+ static char *modified_stamp = NULL;
+ static gchar *mapping_file = NULL;
+ static gchar *output_file = NULL;
++static gchar *cacert_file = NULL;
+ 
+ static GOptionEntry _entries[] = {
+         { "not-patched", 'n', 0, G_OPTION_ARG_NONE, &hide_patched, "Hide patched/addressed CVEs", NULL },
+@@ -294,6 +295,7 @@ static GOptionEntry _entries[] = {
+         { "csv", 'c', 0, G_OPTION_ARG_NONE, &csv_mode, "Output CSV formatted data only", NULL },
+         { "mapping", 'M', 0, G_OPTION_ARG_STRING, &mapping_file, "Path to a mapping file", NULL},
+         { "output-file", 'o', 0, G_OPTION_ARG_STRING, &output_file, "Path to the output file (output plugin specific)", NULL},
++        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
+         { .short_name = 0 }
+ };
+ 
+@@ -492,6 +494,7 @@ int main(int argc, char **argv)
+ 
+         quiet = csv_mode || !no_html;
+         self->output_file = output_file;
++        self->cacert_file = cacert_file;
+ 
+         if (!csv_mode && self->output_file) {
+                 quiet = false;
+@@ -530,7 +533,7 @@ int main(int argc, char **argv)
+                 if (status) {
+                         fprintf(stderr, "Update of db forced\n");
+                         cve_db_unlock();
+-                        if (!update_db(quiet, db_path->str)) {
++                        if (!update_db(quiet, db_path->str, self->cacert_file)) {
+                                 fprintf(stderr, "DB update failure\n");
+                                 goto cleanup;
+                         }
+diff --git a/src/update-main.c b/src/update-main.c
+index 2379cfa..c52d9d0 100644
+--- a/src/update-main.c
++++ b/src/update-main.c
+@@ -43,11 +43,13 @@ the Free Software Foundation; either version 2 of the License, or\n\
+ static gchar *nvds = NULL;
+ static bool _show_version = false;
+ static bool _quiet = false;
++static const char *_cacert_file = NULL;
+ 
+ static GOptionEntry _entries[] = {
+         { "nvd-dir", 'd', 0, G_OPTION_ARG_STRING, &nvds, "NVD directory in filesystem", NULL },
+         { "version", 'v', 0, G_OPTION_ARG_NONE, &_show_version, "Show version", NULL },
+         { "quiet", 'q', 0, G_OPTION_ARG_NONE, &_quiet, "Run silently", NULL },
++        { "cacert", 'C', 0, G_OPTION_ARG_STRING, &_cacert_file, "Path to the combined SSL certificates file (system default is used if not set)", NULL},
+         { .short_name = 0 }
+ };
+ 
+@@ -88,7 +90,7 @@ int main(int argc, char **argv)
+                 goto end;
+         }
+ 
+-        if (update_db(_quiet, db_path->str)) {
++        if (update_db(_quiet, db_path->str, _cacert_file)) {
+                 ret = EXIT_SUCCESS;
+         } else {
+                 fprintf(stderr, "Failed to update database\n");
+diff --git a/src/update.c b/src/update.c
+index 070560a..8cb4a39 100644
+--- a/src/update.c
++++ b/src/update.c
+@@ -267,7 +267,8 @@ static inline void update_end(int fd, const char *update_fname, bool ok)
+ 
+ static int do_fetch_update(int year, const char *db_dir, CveDB *cve_db,
+                            bool db_exist, bool verbose,
+-                           unsigned int this_percent, unsigned int next_percent)
++                           unsigned int this_percent, unsigned int next_percent,
++                           const char *cacert_file)
+ {
+         const char nvd_uri[] = URI_PREFIX;
+         autofree(cve_string) *uri_meta = NULL;
+@@ -331,14 +332,14 @@ refetch:
+         }
+ 
+         /* Fetch NVD META file */
+-        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent);
++        st = fetch_uri(uri_meta->str, nvdcve_meta->str, verbose, this_percent, this_percent, cacert_file);
+         if (st == FETCH_STATUS_FAIL) {
+                 fprintf(stderr, "Failed to fetch %s\n", uri_meta->str);
+                 return -1;
+         }
+ 
+         /* Fetch NVD XML file */
+-        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent);
++        st = fetch_uri(uri_data_gz->str, nvdcve_data_gz->str, verbose, this_percent, next_percent, cacert_file);
+         switch (st) {
+         case FETCH_STATUS_FAIL:
+                 fprintf(stderr, "Failed to fetch %s\n", uri_data_gz->str);
+@@ -391,7 +392,7 @@ refetch:
+         return 0;
+ }
+ 
+-bool update_db(bool quiet, const char *db_file)
++bool update_db(bool quiet, const char *db_file, const char *cacert_file)
+ {
+         autofree(char) *db_dir = NULL;
+         autofree(CveDB) *cve_db = NULL;
+@@ -466,7 +467,8 @@ bool update_db(bool quiet, const char *db_file)
+                 if (!quiet)
+                         fprintf(stderr, "completed: %u%%\r", start_percent);
+                 rc = do_fetch_update(y, db_dir, cve_db, db_exist, !quiet,
+-                                     start_percent, end_percent);
++                                     start_percent, end_percent,
++                                     cacert_file);
+                 switch (rc) {
+                 case 0:
+                         if (!quiet)
+diff --git a/src/update.h b/src/update.h
+index b8e9911..ceea0c3 100644
+--- a/src/update.h
++++ b/src/update.h
+@@ -15,7 +15,7 @@ cve_string *get_db_path(const char *path);
+ 
+ int update_required(const char *db_file);
+ 
+-bool update_db(bool quiet, const char *db_file);
++bool update_db(bool quiet, const char *db_file, const char *cacert_file);
+ 
+ 
+ /*
+-- 
+2.1.4
+
-- 
2.1.4

native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

[Patrick Ohly]

On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> Native libcurl looks for CA certs in the wrong place by
> default.
> * Add patch that allows overriding the default CA certificate
>   location. Patch is originally from meta-security-isafw.
> * Use the new --cacert to set the correct CA bundle path
> 
> Signed-off-by: Jussi Kukkonen <jussi.kukkonen@intel.com>
> ---
>  .../cve-check-tool/cve-check-tool_5.6.4.bb         |   4 +-
>  ...ow-overriding-default-CA-certificate-file.patch | 215
> +++++++++++++++++++++
>  2 files changed, 218 insertions(+), 1 deletion(-)
>  create mode 100644 meta/recipes-devtools/cve-check-tool/files/0001-
> curl-allow-overriding-default-CA-certificate-file.patch
> 
> diff --git a/meta/recipes-devtools/cve-check-tool/cve-check-
> tool_5.6.4.bb b/meta/recipes-devtools/cve-check-tool/cve-check-
> tool_5.6.4.bb
> index c78af67..fcd3182 100644
> --- a/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> +++ b/meta/recipes-devtools/cve-check-tool/cve-check-tool_5.6.4.bb
> @@ -9,6 +9,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=e8c1458438ead3
> c34974bc0be3a03ed6"
>  SRC_URI = "https://github.com/ikeydoherty/${BPN}/releases/download/v
> ${PV}/${BP}.tar.xz \
>             file://check-for-malloc_trim-before-using-it.patch \
>             file://0001-print-progress-in-percent-when-downloading-
> CVE-db.patch \
> +           file://0001-curl-allow-overriding-default-CA-certificate-
> file.patch \
>            "
>  
>  SRC_URI[md5sum] = "c5f4247140fc9be3bf41491d31a34155"
> @@ -39,7 +40,8 @@ do_populate_cve_db() {
>      [ -z "${cve_file}" ] && cve_file="${TMPDIR}/cve_check"
>  
>      bbdebug 2 "Updating cve-check-tool database located in $cve_dir"
> -    if cve-check-update -d "$cve_dir" ; then
> +    # --cacert works around curl-native not finding the CA bundle
> +    if cve-check-update --cacert ${sysconfdir}/ssl/certs/ca-
> certificates.crt -d "$cve_dir" ; then

I went back to this patch to see how the problem was solved, because I
am facing it again elsewhere. Now that I think about it again, I'm
starting to wonder which SSL certificates the native tools really
should trust. Tools like Python or  wget are taken from the host, which
means they use the host defaults for SSL. That native tools built with
bitbake then try to use ca-certificates-native looks inconsistent to
me.

There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
about some aspect of this, but it doesn't actually address the
underlying question about what the right behavior should be. It's based
on the assumption that libcurl-native should always use ca-
certificates-native.

Thoughts anyone?

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

[Otavio Salvador]

On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly <patrick.ohly@intel.com> wrote:
> On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883 open
> about some aspect of this, but it doesn't actually address the
> underlying question about what the right behavior should be. It's based
> on the assumption that libcurl-native should always use ca-
> certificates-native.
>
> Thoughts anyone?

I agree it should use ca-certificates-native for all native; it allows
for self-signed internal certificates to be added for internal
development.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

Re: native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

[Patrick Ohly]

On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote:
> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly <patrick.ohly@intel.com
> > wrote:
> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883
> > open
> > about some aspect of this, but it doesn't actually address the
> > underlying question about what the right behavior should be. It's
> > based
> > on the assumption that libcurl-native should always use ca-
> > certificates-native.
> > 
> > Thoughts anyone?
> 
> I agree it should use ca-certificates-native for all native; it
> allows for self-signed internal certificates to be added for internal
> development.

But that's not what bitbake itself uses. Are you saying that bitbake
fetchers etc. should also use whatever certificates are configured for
ca-certificates-native? That leads to a chicken-and-egg problem.

A solution where custom certificates need to be configured in two
different places (system for bitbake, ca-certificates-native for some
other tools) sounds sub-optimal to me.

-- 
Best Regards, Patrick Ohly

The content of this message is my personal opinion only and although
I am an employee of Intel, the statements I make here in no way
represent Intel's position on the issue, nor am I authorized to speak
on behalf of Intel on this matter.

Re: native CA cert bundles (was: Re: [PATCH 3/3] cve-check-tool: Use CA cert bundle in correct sysroot)

[Otavio Salvador]

On Tue, Nov 21, 2017 at 10:21 AM, Patrick Ohly <patrick.ohly@intel.com> wrote:
> On Tue, 2017-11-21 at 10:06 -0200, Otavio Salvador wrote:
>> On Tue, Nov 21, 2017 at 6:04 AM, Patrick Ohly <patrick.ohly@intel.com
>> > wrote:
>> > On Thu, 2017-02-09 at 21:38 +0200, Jussi Kukkonen wrote:
>> > There is https://bugzilla.yoctoproject.org/show_bug.cgi?id=9883
>> > open
>> > about some aspect of this, but it doesn't actually address the
>> > underlying question about what the right behavior should be. It's
>> > based
>> > on the assumption that libcurl-native should always use ca-
>> > certificates-native.
>> >
>> > Thoughts anyone?
>>
>> I agree it should use ca-certificates-native for all native; it
>> allows for self-signed internal certificates to be added for internal
>> development.
>
> But that's not what bitbake itself uses. Are you saying that bitbake
> fetchers etc. should also use whatever certificates are configured for
> ca-certificates-native? That leads to a chicken-and-egg problem.
>
> A solution where custom certificates need to be configured in two
> different places (system for bitbake, ca-certificates-native for some
> other tools) sounds sub-optimal to me.

I know and we could override it to a place.

We ended doing it ourselves:
https://github.com/updatehub/meta-updatehub/commit/e9c34faddb6a59d560147798b37ac6a0e3fa57bf

but this is not generic.

-- 
Otavio Salvador                             O.S. Systems
http://www.ossystems.com.br        http://code.ossystems.com.br
Mobile: +55 (53) 9981-7854            Mobile: +1 (347) 903-9750

✗ patchtest: failure for Fix cve-check (for recipe sysroots)

[Patchwork]

== Series Details ==

Series: Fix cve-check (for recipe sysroots)
Revision: 1
URL   : https://patchwork.openembedded.org/series/5241/
State : failure

== Summary ==


Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:



* Patch            [3/3] cve-check-tool: Use CA cert bundle in correct sysroot
 Issue             Missing or incorrectly formatted CVE tag in commit message [test_cve_presence_in_commit_message] 
  Suggested fix    Include a "CVE-xxxx-xxxx" tag in the commit message



If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).

---
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe

Re: ✗ patchtest: failure for Fix cve-check (for recipe sysroots)

[Leonardo Sandoval]

This is a false positive, your series is fine.

The presence of CVE tags on the commit message area must only be done if 
the CVE tag is present on the commit subject, not the whole payload.


On 02/09/2017 01:59 PM, Patchwork wrote:
> == Series Details ==
>
> Series: Fix cve-check (for recipe sysroots)
> Revision: 1
> URL   : https://patchwork.openembedded.org/series/5241/
> State : failure
>
> == Summary ==
>
>
> Thank you for submitting this patch series to OpenEmbedded Core. This is
> an automated response. Several tests have been executed on the proposed
> series by patchtest resulting in the following failures:
>
>
>
> * Patch            [3/3] cve-check-tool: Use CA cert bundle in correct sysroot
>   Issue             Missing or incorrectly formatted CVE tag in commit message [test_cve_presence_in_commit_message]
>    Suggested fix    Include a "CVE-xxxx-xxxx" tag in the commit message
>
>
>
> If you believe any of these test results are incorrect, please reply to the
> mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
> Otherwise we would appreciate you correcting the issues and submitting a new
> version of the patchset if applicable. Please ensure you add/increment the
> version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
> [PATCH v3] -> ...).
>
> ---
> Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
> Test suite:     http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
>

Re: [PATCH 0/3] Fix cve-check (for recipe sysroots)

[Alexander Kanavin]

On 02/09/2017 09:38 PM, Jussi Kukkonen wrote:

> I mentioned error output improvements in email  but did not implement
> as that requires more upstream changes: I'll talk to the maintainer
> about them.

Isn't it so that the upstream maintainer has abandoned this tool (and 
the Big Rewrite of it too)? Then we need to find an alternative 
approach, or roll our own.

Alex

Re: [PATCH 0/3] Fix cve-check (for recipe sysroots)

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 626 bytes --]

On 10 February 2017 at 11:55, Alexander Kanavin <
alexander.kanavin@linux.intel.com> wrote:

> I mentioned error output improvements in email  but did not implement
>> as that requires more upstream changes: I'll talk to the maintainer
>> about them.
>>
>
> Isn't it so that the upstream maintainer has abandoned this tool (and the
> Big Rewrite of it too)? Then we need to find an alternative approach, or
> roll our own.
>

Abandoned may be a strong word, but I'm not sure how much development is
being done.  I do plan on looking at this and dedicating some actual
engineering time towards it soon.

Ross

[-- Attachment #2: Type: text/html, Size: 1135 bytes --]

Re: [PATCH 0/3] Fix cve-check (for recipe sysroots)

[Alexander Kanavin]

On 02/10/2017 03:04 PM, Burton, Ross wrote:

> Abandoned may be a strong word, but I'm not sure how much development is
> being done.  I do plan on looking at this and dedicating some actual
> engineering time towards it soon.

https://github.com/ikeydoherty/cve-check-tool/commits/master
Last commit on Sep 1 2016.

https://github.com/ikeydoherty/cve-check-tool/commits/rewrite-snapshot
Last commit on Aug 8 2016.

Same story with open issues and pull requests: no activity in months.


Alex